Bernie Weidel

QID 42432 - Possible Scan Interference

Discussion created by Bernie Weidel on Jun 6, 2014

QID 42432 Possible Scan Interference was recently added to Qualys due to increased focus by the PCI Council. The detection is usually triggered when no HTTP services are identified on common web service ports, such as 80 and 443 (you can confirm this by checking whether the service is listed as “Unknown” under QID 82023 Open TCP Services List in your scan results).

 

The goal is to ensure that Active Protection Systems are not blocking, filtering, dropping or modifying network packets from a PCI Certified Scan, as such behavior could affect an ASV’s ability to detect vulnerabilities. Active Protection Systems could include any of the following: IPS, WAF, Firewall, NGF, QoS Device, Spam Filter, etc., which dynamically modify their behavior based on information gathered from traffic patterns.

 

- If an Active Protection System is found to be preventing the scan from completing, Merchants should make the required changes (e.g. whitelist) so that the ASV scan can complete unimpeded.

 

- If the scan was not actively blocked, Merchants can submit a PCI False Positive/Exception Request with a statement asserting that No Active Protection System is present or blocking the scan.

 

Additionally, if there is no risk to the Cardholder Data Environment, such as no web service running, this can also be submitted as a PCI False Positive/Exception Request and reviewed per the standard PCI Workflow.
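The confirmation step described above (check whether ports 80/443 show as “Unknown” under QID 82023 for hosts flagged with QID 42432) can be scripted over exported scan results. The following is an added example, not part of the original post and not Qualys code; the record structure, the tab-separated column layout of the QID 82023 result text, and the sample data are assumptions constructed for illustration.

```python
import csv
import io

WEB_PORTS = {80, 443}  # the "common web service ports" named in the post

# Constructed sample records. The tab-separated layout of the QID 82023
# result text is an assumption; adjust it to match your report export.
HDR = "Port\tDescription\tService Detected\n"
SAMPLE = [
    {"ip": "192.0.2.10", "qid": 42432, "results": ""},
    {"ip": "192.0.2.10", "qid": 82023, "results": HDR
        + "22\tSSH Remote Login Protocol\tssh\n"
        + "80\tWorld Wide Web HTTP\tunknown\n"
        + "443\tHTTP protocol over TLS/SSL\tUnknown\n"},
    {"ip": "192.0.2.20", "qid": 82023, "results": HDR
        + "80\tWorld Wide Web HTTP\thttp\n"},
    {"ip": "192.0.2.30", "qid": 42432, "results": ""},
    {"ip": "192.0.2.30", "qid": 82023, "results": HDR
        + "25\tSimple Mail Transfer\tsmtp\n"},
]

def unknown_web_ports(results_text):
    """Return web ports listed with an 'Unknown' service in a QID 82023 table."""
    reader = csv.DictReader(io.StringIO(results_text), delimiter="\t")
    hits = []
    for row in reader:
        port = (row.get("Port") or "").strip()
        service = (row.get("Service Detected") or "").strip().lower()
        if port.isdigit() and int(port) in WEB_PORTS and service == "unknown":
            hits.append(int(port))
    return sorted(hits)

def triage(records):
    """Map each host flagged by QID 42432 to its Unknown web ports (may be empty)."""
    flagged = {r["ip"] for r in records if r["qid"] == 42432}
    report = {ip: [] for ip in flagged}
    for r in records:
        if r["qid"] == 82023 and r["ip"] in flagged:
            report[r["ip"]] = unknown_web_ports(r["results"])
    return report

if __name__ == "__main__":
    for ip, ports in sorted(triage(SAMPLE).items()):
        note = f"Unknown service on {ports}" if ports else "no Unknown web port listed"
        print(ip, "->", note)
```

Hosts that come back with an empty list were flagged by QID 42432 without an “Unknown” web port in QID 82023, so they need a separate look before an exception request is written.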
