Qualys reports vulnerabilities in 2 categories:
- Actual Vulnerabilities (colored RED), which are based on active detections. These are typically very accurate since we are seeing the vulnerable behavior from the target.
- Potential Vulnerabilities (colored YELLOW), which are commonly based on banner versions. Many times the fix for the CVE may have already been applied (i.e. backported), so the issue has been patched, but the banner is not updated, and so the Potential will continue to be reported. In these cases you can manually ignore the vulnerability using the steps below.
The easiest way to ignore a vulnerability is as follows:
- Log into Qualys and go to Assets>Asset Search
- Paste in the IP Address and click Search
- Click on the IP Address to view the details
- Click on Vulnerabilities
- Scroll down and click on the 'Vulnerabilities' or 'Potential Vulnerabilities' Link
- Hover the mouse over the Red Plus icon on the right hand side, and select Ignore Vulnerability
- You can then enter comments such as "confirmed CVE-2005-xxxx has been applied" and click OK
This specific QID will now be Ignored on this specific IP Address & Port. Once Ignored it will no longer be reported on any Report (from the Report Section in Qualys) for this IP Address. Please note this QID will still show up for this IP on any Scan Results (from the Scan Section in Qualys) as the Scan Results is the Full Raw Scan Data and does not include any filtering.
An alternate method allows you to ignore a vulnerability from within the Report:
To ignore a vulnerability and prevent it from appearing on a report on a per-host basis, follow the steps below. For more information about this feature, including the steps to re-activate a previously ignored vulnerability, open the online help from within your account and search for ignore vulnerability.
1. Select Report from the left menu.
2. Run any scan report template set to Status or Status with Trend (auto) source selection. For example, run the Technical Report.
3. In the host details, identify the vulnerability you want to ignore, and place your cursor over .
4. Select Ignore vulnerability from the drop-down menu.
The Ignore vulnerability pop-up appears with details about the vulnerability and the host.
5. Click OK.
6. Refresh the report to remove the ignored vulnerability.
Another method will allow you to Ignore Vulnerabilities in Bulk:
- Create a Remediation Rule for the QID you wish to ignore, and select the list of Assets or the Asset Group for which you want to ignore it.
- Upon the next scan/detection the Remediation Rule will be applied, and it will automatically 'close' all instances of that QID for those Assets selected.
*NOTE: you can also use the API to ignore in bulk
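For the API route mentioned in the note above, this added example (not part of the original article and not Qualys code) builds one bulk ignore request and refuses to build it without a justification comment; nothing is sent. The endpoint path, the `action`, `qids`, `ips` and `comments` parameters and the `X-Requested-With` header are recalled from the Qualys VM API v2 guide and should be confirmed there; the host name, QID and IP addresses are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlencode

# Path of the Qualys VM API v2 ignore call (recalled from the API guide, not
# from this page); confirm it for your platform before use.
IGNORE_PATH = "/api/2.0/fo/ignore_vuln/index.php"


def collapse_ips(ips):
    """Turn a list of IPv4 addresses into comma-separated 'a-b' ranges."""
    addrs = sorted({ipaddress.IPv4Address(ip) for ip in ips})
    ranges = []
    for addr in addrs:
        if ranges and int(addr) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = addr          # extend the current run
        else:
            ranges.append([addr, addr])   # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def build_ignore_request(base_url, qids, ips, comment):
    """Return (url, headers, body) for one bulk ignore call. Nothing is sent."""
    if not comment or not comment.strip():
        raise ValueError("a justification comment is required for every ignore")
    if not qids or not ips:
        raise ValueError("at least one QID and one IP are required")
    qid_list = sorted({int(q) for q in qids})   # rejects non-numeric QIDs
    body = urlencode({
        "action": "ignore",
        "qids": ",".join(map(str, qid_list)),
        "ips": collapse_ips(ips),
        "comments": comment.strip(),
    })
    headers = {"X-Requested-With": "bulk-ignore-example"}
    return base_url.rstrip("/") + IGNORE_PATH, headers, body


if __name__ == "__main__":
    # Constructed sample values: placeholder API host, QID and documentation IPs.
    url, headers, body = build_ignore_request(
        "https://qualysapi.example.invalid",
        qids=[12345],
        ips=["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.40"],
        comment="confirmed CVE-2005-xxxx has been applied",
    )
    print("POST", url, headers)
    print(body)
```

Keeping the comment mandatory in the tooling means every bulk ignore carries the evidence an auditor will look for in the Ignored report.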
Report on Ignored Vulnerabilities
At times you may want to run an Ignored Report so that you can audit which items have been ignored for the year, or quarter, etc.
- Log into Qualys and go to Reports>Templates
- Click New>Scan Template
- Click on the Filter tab and scroll down to the Vulnerability Filters section, and check Ignored for both Confirmed & Potential Vulnerabilities (make sure Active & Disabled are unchecked)
- Additionally, on the Findings tab under Host Based Findings you can check "Include Trending" to select a time frame, such as the past 3 months.
- Then click Save or Test to run immediately.