Hi everybody. I could really use some help on this one. We started scanning our DMZ with authenticated scans about 10 months ago. I didn't notice until recently that i was getting some inconsistent results in the vulnerabilities. In looking into it further, and working with Qualys, we found that we were getting very inconsistent results in QID 90195, which is what Qualys uses to check for a lot of patches etc. According to Qualys, there should only be 2 results in this QID for an authenticated scan. I believe it's 2 for W2K3 and 8 for W2K8, at least that's what I'm seeing on most of my servers. However, we are getting various ones of our servers that come back with results of like 1500+ or 2000+ and other numbers of registry keys that Qualys has been denied access to. This is extremely inconsistent though. For example, we had one server that we scanned in August that came back with 2 resulsts in 90195, but then that same exact server/IP came back with over 1K results in the scan in Sept.
We've had other servers with similar results. I think in many occasions, this doesn't have too large of any effect, but there can and are many times where this has a definite effect on the patches that Qualys sees as missing or not. Oh, and we are using an account that is specifically set for use with Qualys and is part of the Domain Admins group in our DMZ domain, which makes it a local administrator of every computer. If anyone can give me anything on this, i'd really appreciate it. Thanks.