
Map Scan Accuracy

Question asked by Digvijay Shekhawat on Nov 19, 2014
Latest reply on Apr 1, 2016 by djprakash

I have opened a case with support, still discussing this in community.

We performed a map scan to discover assets. The network is flat and doesn't have any firewall as such obstructing the scans. Qualys discovered a lot of IPs as "Linux 2.x/UPs/Net Vision". I used the initial option as well as the "Light weight Inventory v 1" from the Library. I checked the IPs and found that these are Windows 2008 R2 servers. Qualys reports that it saw 137, 137, 139, 445 open. Now that's an obvious Windows. I don't need a scanner to confirm that. I know discovery scans are approximations. Qualys could have mapped them as "Linux 2.x/ UPS/Net Vision/Windows". I have seen this behaviour with multiple Clients using different Qualys subscriptions and scanner appliances. These systems also have 3389 open on them. I configured Qualys to use 3389 as well as a port in the option profile, it found it open and still says "Linux/UPS/Net Vision"!!!

What is going wrong? Why is the detection so way wrong? Apart from Stack fingerprints, Qualys should also consider other things like open ports that are standard for that platform (at least for Windows).
