I've been doing VM scanning for many years through different tools. This is my first time using Qualys. In other tools I've used there was an understanding that some checks were more apt to disrupt the target than others. Thus an evaluator could choose not to include those checks when performing the assessment if scanning production devices.
I have found that some of the Qualys web application test checks will torture web servers or generate lots of traffic on improperly established internal web mailing forms. We had an issue where the scanner found such a form and managed to send out hundreds of email in testing the form.
At this time due to VM maturity, web application testing is not a priority.... initially.
How do I create a dynamic full scan list excluding disruptive and web application checks?