Is it possible to have the Cloud Agent installed on a Linux machine and also run a traditional scan on weekends? What are the highs and lows of this approach?
Cloud Agents and traditional scans are independent of each other. Both will run the same either with or without the other, and won't interfere with each other.
Looks like it is not. Recently we ran a traditional scan on a node where Qualys Cloud Agent is installed. During the traditional run authentication was successful due to issues with our network, and it created the QIDs related to authentication failures. During the next traditional run, even though the authentication issues were fixed, those QIDs didn't get a fixed record. Now we have around 3000 orphan records in our Qualys database. How do we remove those? Any ideas?
As mentioned, yes, there will be no problem. The only thing to keep in mind is that the scans may not 100% match, as some QIDs might only be supported by one of the two scanning methods.
Thanks. Recently we ran a traditional scan on a node where Qualys Cloud Agent is installed. During the traditional run authentication was successful due to issues with our network, and it created the QIDs related to authentication failures. During the next traditional run, even though the authentication issues were fixed, those QIDs didn't get a fixed record. Now we have around 3000 orphan records in our Qualys database. How do we remove those? Any ideas?
I would probably purge all the data for that particular IP or IPs and then start a fresh scan. Purging will clear all VM data related to that Host ID.
Thanks. But we need the record of those IDs and a fixed record for them rather than purging, to avoid the internal audit questions.
My understanding is that Cloud Agents (CA) only test for vulnerabilities with an authentication discovery type (the little blue key icon in the KB). Appliance scans test for all if authentication is enabled.
Yes. CloudAgent can gather data points similar to those of an authenticated scan.
In the CloudAgent architecture, the agent does not know what a QID as a whole is... the agent does NOT scan on the host.
The agent is supposed to gather a response to a manifest of commands, which is equivalent to the host state/snapshot.
It may so happen that a lot of host results go beyond just being an auth scan equivalent. We have certain things for which we don't have a QID (either RED, YELLOW, BLUE) that the CloudAgent can detect.
The actual CloudAgent use case isn't about losing the scanner in any way but to make your VM program more robust, repeatable and measurable.
- No credential management
- Accurate findings
- Scan window elimination
- Frequent scans (up to 6 times in a 24 hr period)
- Asset user logged on, location, boot info
- Always up to date inventory of ports, services, apps, software and hardware
- And really many many more.
Hi Deb J - we installed the Cloud Agent for the express purpose of your first mentioned use case 'No credential management', however, I am finding this to be problematic in the reporting where there are duplicate assets. I am told this data would be merged in reports with agentless tracking - however that requires an authentication record. How do you achieve no credentials and get an accurate report?
You will see duplicate assets as you may have CloudAgents running on the same assets that you used to scan remotely using the scanner device earlier.
You may choose to report for all assets with the "Cloud Agent" tag only and use the option in the report template that merges data from both scan and agent.
The CloudAgent technically can override the agentless tracking mechanism and the Qualys Host ID is unique.
Let us know.
What's the recommendation for an environment that has been running auth scanning but not using agentless tracking, and wants to start using Cloud Agent?
Switch on agentless tracking for the auth scans to embed the cookie? Would that help before installing the agent?
Also, you mention using the report option to merge data - where is that, please?
Do we have a situation yet where requesting a traditional appliance-based scan for an IP that has a registered cloud agent will cause that IP not to be scanned? If it does scan it - how is the data merged?
- That should not matter. Installing CloudAgent either overwrites the Agentless tracking key or uses it if it's there.
- Merge is below
- IPs will be scanned regardless of whether you have the Agent or not. As long as that IP is in the subscription, we are good.
- You can include the merge-based data in the report by modifying the report template --> Findings section.