I'm wondering what kind of "new" host detection is done or available if you use subnets or ranges in a vulnerability/PCI scan. Will Qualys identify a new or changed host at an IP?
When performing a vulnerability scan, the scan engine doesn't make these kinds of determinations - it bounces packets off of and runs detections against a given target, collects the data, and moves on to the next target.
When generating reports using the automatic (or 'status') data, you'll see a status for each vulnerability (new, active, etc). New indicates it's the first time the system has seen that specific QID on that particular host on that particular port. Active means it's been seen before, and so on. You will also see a 'First Detected' and a 'Last Detected' date in these types of reports.
So in this regard, a 'new' host will be identified in that all the vulnerabilities present will show as 'new' in a report using the automatic data.
If hosts change, you will need to purge the vulnerability data and then scan the target in order to have current and up-to-date accurate data on the target. Old vulnerability data will be associated with a given host until it is purged.
Qualys Support Engineer
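
An added example, not part of the original thread and not Qualys code: a simplified Python model of the status tracking described in the answer above (one record per host, QID and port, "New" on first sighting, "Active" afterwards), showing how a changed host at the same IP appears in the data and why a purge is needed. The class, the function names, the IPs and the QIDs are all constructed for illustration.

```python
from datetime import date

class DetectionStore:
    """Simplified model: one record per (ip, qid, port), as the answer describes."""

    def __init__(self):
        self.records = {}  # (ip, qid, port) -> {"first", "last", "status"}

    def ingest_scan(self, scan_date, findings):
        for key in findings:
            rec = self.records.get(key)
            if rec is None:  # first time this QID is seen on this host and port
                self.records[key] = {"first": scan_date, "last": scan_date, "status": "New"}
            else:            # seen before
                rec["last"], rec["status"] = scan_date, "Active"

    def purge(self, ip):
        """Drop all stored detections for an IP so the next scan starts clean."""
        self.records = {k: v for k, v in self.records.items() if k[0] != ip}

    def possible_host_change(self, ip, scan_date):
        """Heuristic: everything found on scan_date is New while older records
        for the same IP were not detected again."""
        recs = [r for k, r in self.records.items() if k[0] == ip]
        current = [r for r in recs if r["last"] == scan_date]
        stale = [r for r in recs if r["last"] < scan_date]
        return bool(current) and bool(stale) and all(r["status"] == "New" for r in current)

def build_demo():
    """Constructed data: documentation IPs and made-up QIDs."""
    s = DetectionStore()
    old = [("192.0.2.10", 900001, 22), ("192.0.2.10", 900002, 443)]
    stable = [("192.0.2.20", 900005, 80)]
    s.ingest_scan(date(2024, 1, 1), old + stable)
    s.ingest_scan(date(2024, 1, 8), old + stable)
    # A different machine now answers at 192.0.2.10.
    new = [("192.0.2.10", 900003, 3389), ("192.0.2.10", 900004, 445)]
    s.ingest_scan(date(2024, 1, 15), new + stable)
    return s

if __name__ == "__main__":
    store = build_demo()
    for ip in ("192.0.2.10", "192.0.2.20"):
        print(ip, "possible host change:", store.possible_host_change(ip, date(2024, 1, 15)))
```

The flag is only a hint for review: the same pattern appears when the original host was reconfigured, so confirm the change before purging.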