As per IBM, the host server jobs are doing what is expected of them: processing the bad SSL connections. IBM development has thoroughly investigated this issue and there is no code defect from the OS400 perspective.
Scan has many meanings. Yes, Qualys can scan any host that has an IP stack on IPv4 or IPv6. What the scan finds depends on a bunch of things.
We may not have as many vulnerability audits for AS400 as we have for Windows, Unix, etc., but you will surely get some info about open ports, running services, etc.
Can you try using a low intensity scan profile and see if that does not impact the CPU much?
I have used the default profile, which scans fewer ports compared to another profile which scans all ports.
In both cases CPU utilization spiked nearly 400% for a considerable amount of time, and when the profile which scans all the ports was used we had to recycle some of the applications on the systems.
Trace data was collected during the time of the scan and it was like more than 600 connections knocking on each port. It was more of a DoS attack than vulnerability scanning. Why would there be 600 or so connections trying to scan a port, which in turn would cause high CPU utilization, as the AS400 aka iSeries is doing what it is supposed to do based on the OS design?
I am being told that vulnerability scanning is just reading the ports, which is really not the case from what I have seen.
I am not sure if you have used Qualys VM much, but the default profile scans 1900 TCP and 180 UDP... it's a lot of ports for a slow responding AS400. The default performance profile is set to "Medium", so I don't suggest scanning an AS400 with this profile.
Please create a new Option profile and choose a low intensity scan.
Vulnerability scanning is not just reading the ports... it's more like looking for open ports, identifying running services and then running a security audit of the identified services and the host OS.
On this so-called P8 slow responding AS400, CPU utilization jumps to almost 12000 CPW when Qualys scans are running, and once the scan is over it's back to around 4000 CPW.
Why would there be 600 connections knocking on each port during the scan? Why not 1 or 2, as it's only testing for open ports? Each connection causes processing of bad SSL, causing it to spike, as this is the design of OS400.
As Debj is suggesting, I would create a new profile and lower the settings down as far as you can to go very low and slow. If that works then you can ramp up the settings.
Additionally, I have seen on occasion that the scan triggers a vulnerability that would cause high CPU or service crashes, and it took time to go through every signature to find the issue. In the end the vulnerability was identified on a server that caused denial of service, but when the scanner looked for this it actually triggered this to occur before it got reported to the scanner.
So you also might try limiting all the signatures. Maybe try creating a search list for the AS400 first and just scan for information and see if that causes you any issues.
If you still have issues let us know.
The Qualys service looks for open ports, looks for running services and then fires active tests on identified services...
Can you provide evidence for "600 connections knocking on each port during scan"?
Have you filed a ticket with support to have a look and investigate?
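One way to turn trace data into the per-port evidence asked for above is to tally connections per source address and local port, with the peak rate per second. This is an added example, not part of the original thread; the three-field log layout, the sample addresses and the threshold of 100 are constructed assumptions, not an IBM i or Qualys format.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed trace: '<epoch_seconds> <source_ip> <local_port>' per connection."""
    lines = [f"{1000 + i // 10} 10.0.0.5 992" for i in range(600)]   # scanner, 60 s
    lines += ["1000 10.0.0.5 23", "1030 10.0.0.5 23"]                 # two probes
    lines += [f"{1000 + i * 10} 10.0.0.77 992" for i in range(5)]     # normal client
    lines.append("truncated record")                                   # malformed
    return lines

def tally(lines):
    """Count connections per (source, port), overall and per one-second bucket."""
    totals = Counter()
    per_second = defaultdict(Counter)
    skipped = 0
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not (parts[0].isdigit() and parts[2].isdigit()):
            skipped += 1          # keep a count so gaps in the evidence are visible
            continue
        key = (parts[1], int(parts[2]))
        totals[key] += 1
        per_second[key][int(parts[0])] += 1
    return totals, per_second, skipped

def heavy_hitters(lines, threshold=100):
    """Return (source, port) pairs with at least `threshold` connections."""
    totals, per_second, skipped = tally(lines)
    rows = [
        {"source": src, "port": port, "connections": count,
         "peak_per_second": max(per_second[(src, port)].values())}
        for (src, port), count in totals.items() if count >= threshold
    ]
    rows.sort(key=lambda r: r["connections"], reverse=True)
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = heavy_hitters(build_sample())
    for r in rows:
        print(r)
    print("skipped malformed lines:", skipped)
```

A table like this, attached to a support ticket alongside the scan's option profile settings, lets both sides compare the observed connection counts against what the profile is configured to do.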