2 Replies Latest reply: Apr 9, 2013 12:18 PM by kp443 RSS

Definition of "Evaluation Date" in policy compliance report


In my policy compliance report, the "Evaluation date" value for each benchmark is the date of the first scan that was run but in the "Actual" sections, the "Last Updated" value is the date of the last time the scan was run. This leads me to believe that the report is in fact on the values detected on the latest scan, but I am being questioned as to why the "Evaluation date" value is of the first scan. I searched the documentation and no results came up for "evaluation date" so I cannot find the official definition of this value. How does Qualys define this value?

  • Definition of "Evaluation Date" in policy compliance report
    Jason Creech

    Hello kp443,


    When we added the feature "scan by policy" last year, we added two additional date stamps to the policy report for each control included in the report.


    Before this scan feature was released, we just had a "Last Scan Date" for the entire system because the PC scan gathered (almost) all configuration values at the same time.  But, with "Scan by Policy", a scenario often occurs where different configuration values for the same system can be gathered at different times.  So, we thought it pertinent to show the "currency" of the data for each configuration value gathered as well as when the evaluation state for that control was derrived.


    So, each control displayed in the report has an evaluation date for each control and a scan date for each configuration "actual" value gathered during the scan. 


    The Evaluation Date can be interpreted as the date when the control evalution state changed to pass, fail, or error.  So, the reason the evaluation date has not changed since your first scan is that control was assigned a state of Pass, Fail, or Error at that time and the state has not changed since then.  But, your Scan Date for the configuration is incrementing because we are refreshing that configuration data with new scans.


    We are actually planning on adding a third date so that customers can see that a "re-evaluation" did occur. 


    But, right now, this explains why you may see an evaluation date older than the scan date.  It does not mean an evaluation  of Pass/Fail did not occur, it just means that the control has been in that Pass/Fail state since the date specfied by the Evaluation Result.


    We felt that showing when a control first establish a Failed Value especially would be useful information.  But, controls with Passed Values tend to remain with an Evaluation Date that does not seem to update.


    Evaluation of Pass/Fail actually occurs at three different times:


    • When a scan is finished gathering data, an evaluation of pass or fail is performed. 
      • This is why the scan complete icon takes several minutes to turn green even though the scan says finished in the scan list window.
    • When a policy is saved, an evaluation takes place from that policy point of view for all relevant assets associated with that policy.
      • This is why it is better to edit policies with no or only a view assets assigned to the policy. 
      • The more assets in question, the longer the editing takes to save.
    • When an asset is added to an asset group that has applicable policies assigned to those asset groups.
      • Since the asset is now in scope of the policy, we need to establish pass/fail for all policies that asset is relevent to.


    With this approach, when you run a compliance report, the report is generated very fast because evaluation of pass/fail has already taken place and you are just reporting on the last known compliance posture of the assets in our database.


    Let me know if this adequately answers your question.


    Best regards,


    Jason Creech

  • Definition of "Evaluation Date" in policy compliance report

    Thanks, Jason! This answered my question and provided a lot of useful information.