
I think McAfee triggered Qualys aggressive scanning... what are my options?

Question asked by Joshua Hedlund on Mar 14, 2014
Latest reply on Mar 14, 2014 by Kiran Kumar

We have been using McAfee's vulnerability scanning for several years and recently got an email about changes in their system that included a "migrate" link to "activate the new and improved service".

Soon after, our server started getting inundated with thousands of injection attempts and other hacky requests from the 64.39.103 IP block. Unlike McAfee's previous scans, the user agents of these requests did not identify themselves as belonging to any service, and I initially thought it was an actual hack attempt. Some of our defenses automatically banned them from some parts of the site and I then manually banned them completely.

However, after doing a reverse lookup on the IPs and realizing they pointed to Qualys, which looked like a legitimate service, and discovering links between McAfee and Qualys (example), and considering the timing of the scans, I'm guessing that our McAfee "update"/"migration" is what triggered this. The McAfee instructions on this seemed confusing but perhaps we did not read them closely enough before performing their recommended actions.

At any rate, the new Qualys scanning seems much more aggressive in terms of its impact on our server, and I'm wondering if I have any options such as slowing the number of hits per second, and how I would go about accessing that, as I do not know if I even have a Qualys login or how to connect it to the scanning that is already happening and cannot find anything on our McAfee login about it.
