Is it possible to scan a single Host or IP for a particular QID?
Yes but there are several steps involved.
First you need to create a search list from the Knowledge base; I suggest just a static since you know which QID your looking for.
Then create a new scan profile and in the scan section you should be to identify where to add that search list for the one QID.
Now if what your looking for is limited to a port say port 80 you can reduce the scan time further by restricting the ports in the scan section; not the discovery.
Let me know if you have issues and I will give you more precise directions.
Thank you very much for taking your time to respond.
yes i have created.
2. I have created new scan profile.
I had chanllenge to identify where to add that search list for the one QID?
I found it in Vulnerability detection->custom.
Please correct, i am wrong.
It may be easier to run a scan and just run a report looking for a certain QID, but I agree completely with Busby as I had to perform those same steps recently which is why I say the report method is a bit easier.
Agree but I use them for a different purposes. If I have a vulnerability I am really concerned and time to scan the entire environment is constrained then I first would pick a subnet or two that is likely to have that issue. Then I could construct a scan to look for that specific QID and be more aggressive on the scan and tuning etc...
But I generally recommend your better off scanning for everything and report what you need to focus on so you don't need to re-scan but sometimes you need an understanding of a new risk and time could be critical; think wanna cry.
You did not have the QID right away but you did know it was about SMBv1. So we constructed a TAG to look at things like the TCP Services QID and in the results look for smb_v1. Based on that we had identified a large set of devices. When the QID/Signature was published we could target the scan at those systems to verify our assessment of what system are effected and repeat after deploying fixes.
After that we did our normal scans after about a week of high intensity scans and report to give the board and everyone and their brother confidence that our remediation activity was working most of the time and then focus on those that were not working.
Usually they came down to things like broken patch management or not on the network long enough to get the patch deployed.
Let me know if you need more help.
Thank you for your time to respond my question.
My scenerio was only to scan particular machine for particular QID.
We do have scan schedules, that runs on weekly twice. But i would have not got the current result/report.
Hence my thought was to run a scan.
Let me know if you have any other questions. For "High Priority" scan I did some tuning but really only appropriate for a single IP scan.
Please share me steps For "High Priority" scan tuning for a single IP scan.
First, this should be tested in your environment I cannot guarantee the efficacy in another network.
This is what we are using for a SINGLE ip scan.
In our environment, we are doing a FULL scan of all 65535 TCP/UDP; if you don’t need this then you need to tune the discovery and then the ports tested for the scan.
Specifically, I made the most tuning in the performance area of the scan profile:
But you can really tune the Additional section under HOST Discovery.
I disabled Parallel Scaling (we are only scanning one ip so it is not going to split across appliances)
Looks like I have disabled some of this or just change other things around.
Change the Overall Performance to Custom
External I left alone
Then Processes per host you can try and bump this to 20 if you want to see what it will do. This could cause some hosts to fail so adjust with caution.
Change the packet Delay to be short.
But this is what we were doing. I recommend you review with your Qualys TAM/Engineer and maybe your network team.
Retrieving data ...