Reading and analyzing a Qualys scan is an underrated skill. Frankly, I see a lot of misuse and abuse surrounding Qualys scans. So let’s talk about how to read and analyze a Qualys scan for the purpose of understanding and solving problems.
You can read it in the user interface but I recommend exporting a CSV so you can sort and filter. The exact CSV format has changed a bit over the years so they may not be in this exact order. But this will get you started. The most important columns are all here.
Qualys CSV file columns explained
The data in a Qualys scan generally takes 29 columns in CSV format. Some of them are more useful than others. The columns useful to a vulnerability management professional may not be the most useful columns to a remediator/system administrator and also may not be the most useful ones to a penetration tester. The data is very similar to what you’ll find in a Nessus scan, but different enough to need a different cheatsheet.
I can often tell from the questions people ask me about Qualys data that they don’t understand what the data means. And when you don’t understand the data, it leads to other problems, some of which will catch you by surprise.
I’m a system administrator turned vulnerability management professional. Learning to read a Qualys scan changed my career for the better. So I’m happy to pass that along in hopes it helps someone else too.
This is the IP address of the system that had the finding. Depending on your environment, it may or may not be the best identifier, but that’s why they give you three others.
This is the DNS name of the host you scanned. This is not only excellent identification information, it’s also fantastic for troubleshooting. If you notice DNS names are inconsistent between scans, make sure all of your scanner appliances are using the same DNS servers. Vulnerability scanners are very good at finding problems in your network, and this column is one of the places they are likely to show up. My workaround is to use the same DNS servers in the same order on all of my scanner appliances, but ideally all of your DNS servers will return the same results all the time.
I also know that’s easier said than done, especially since my days as a DNS administrator ended in 2005. I was the administrator of evacationbibleschoolstudies.com, along with 200 other similar domains that weren’t my idea to register, so look upon my works and despair! In all seriousness though, 2005 was a long time ago so I can’t offer much help, other than to say it’s not trivial.
NetBios is a Windows networking protocol, so you will usually see a NetBios name on a Windows system. You may also see it on non-Windows systems. If you see it on a Mac or Unix like host, that tells you that system is configured to play nice with Windows systems, probably using a tool called Samba. This column is also a useful identifier, it’s just not as universal as DNS name.
Here’s another cool trick. When the DNS name and NetBios names don’t look anything alike, that is a good indicator that not everything is healthy on your network.
This is the operating system the computer in question is running. Pro tip: The more specific this is, the better. If you see slashes, or very generic names, that’s a good indication the scan didn’t authenticate, so the quality of the data is going to be much lower. Qualys needs to authenticate to examine the filesystem to positively confirm if a system that exhibits the possibility of being vulnerable actually is vulnerable.
This is Qualys’ tracking number for the vulnerability signature. Scanners use vulnerability signatures much like antivirus programs do. This is Qualys’ own tracking number and it can check for one or more CVEs, or it can check for vulnerabilities that aren’t CVEs, or it can check for data that’s purely informational.
This is the title of the vulnerability check. It should be fairly self explanatory. When it isn’t, the threat or impact columns can provide further enlightenment. If you’re not already familiar with the vulnerability in question, it’s a good idea to scroll over to the synopsis and description columns to familiarize yourself. I’ve seen people get in trouble by jumping to conclusions just based on the title. That’s like trying to speak intelligently about The Great Gatsby without even reading the Cliffs Notes. You mean it’s not a book about a magician?
About 20,000 of these things turn up every year so I don’t expect you to read 200 pages about every single one. But good security analysis requires more than highlighting the title column and making a pivot table.
I will sometimes filter on this column on certain keywords, like Adobe Reader, Google Chrome, and other things I’m used to seeing frequently, to get an idea of what percentage of the problem the usual suspects are contributing to any given report.
This column confuses everyone. There’s IG, which is Information Gathered. It’s not “el gee.” Or maybe I’m the only one who thought that’s what the column said.
There’s Vuln, which is a bread and butter vulnerability. It’s what everyone buys Qualys to find. so this one makes sense at least. But here’s a nuance. It means it’s a confirmed vulnerability. Qualys is 99.9996% certain it’s a vulnerability.
Then there’s Potential or Practice, which means it’s a potential vulnerability. Qualys couldn’t confirm it without causing unnecessary risk. The usual reaction is to ignore these because they have enough confirmed vulnerabilities to keep them busy, but if your scans authenticate and the account has sufficient permissions to examine the system, you shouldn’t see very many of these. Rather than ignore these, try to find out why your scans aren’t authenticating. That will reduce the number of potentials and also reduce the number of false positives.
Pro tip: If you’re seeing more than three false positives per million, you probably have authentication or permission issues.
Let’s talk about those informationals.
Years ago, someone asked Paul Asadorian, the former product Evangelist for Tenable, how you know if you’re really good at using the product. He said when you find malware on a system as a result of a Nessus scan. You can do the same thing with Qualys. Looking for suspicious entries in QIDs 45141, 90235 and 125007 is how you do it.
If you ignore those informational findings, you’re not going to unlock that achievement in your career.
Finding compensating controls
I’ll give you another pro tip. A former employer was desperate to secure a contract with a well-known restaurant chain. The CEO asked me to talk with them in a last ditch effort to sell them some business. The discussion was not going well. But at one point, one of their security analysts said it would be nice if they could know when a vulnerability is mitigated due to the environment. I spoke up. I said that kind of detail is usually in those informational findings. You can use those to track what systems are behind a firewall (QID 34011), what systems have antivirus or EDR tools installed, and other evidence you may need to determine how well protected a system is. They went from being completely uninterested to ready to sign a deal right after I said that. Being able to do this may sound less impressive than finding malware, but you’ll do this more often.
Explaining false positives
I will give you one more. There will be informational findings about authentication. It’s a fairly long list, but they have a knowledge base article about it, and another one about Windows authentication and permissions. I recommend you bookmark these, or print them out and hang them up in your cubicle. Anytime your scan results seem incomplete or wrong, the first thing you want to check is authentication.
Pro tip: If you’re finding more than three false positives per million findings, that’s a very good sign your authentication is failing or your scanner account doesn’t have enough permissions.
Troubleshooting slow scans
QID 45038 records how long it took for Qualys to scan a host. Filtering and sorting on QID 45038 helps you find the hosts that take the longest time to scan. Shifting those systems to agent scans instead of network scans or working with your sysadmins to find out why they go under duress during scanning helps to speed up your scans.
This is the severity on Qualys’ own proprietary scale, which predates the CVSS standard. It uses a scale of 1 to 5, with 1 being the least bad, and 5 being the worst. A common question is whether you can change this and make 1 the worst and 5 the best. The answer is no, you cannot.
This can be useful for categorization or making pivot tables.
This is the TCP or UDP port that Qualys found the vulnerability on. This can be useful information, especially for the system administrator trying to remediate the vulnerability. One good example is when you find an SSL or TLS related vulnerability. When we see SSL or TLS, our mind immediately goes to port 443. But SSL and TLS can live on other ports, so knowing what port is vital for fixing those vulnerabilities. I’ve gotten used to seeing these, because that seems to be something not everyone knows.
It doesn’t seem like I need this column very often, but when I need it, I need it badly. This, in combination with the protocol, can be useful for tuning your IDS or IPS if you’re into crossing silos.
This is the protocol Qualys used to find the vulnerability. In the right hands, this is useful information. I have also seen people come to weird conclusions based solely on this column. If you really know your ports and protocols, this can be a useful column. If you don’t know networking very well, this column can produce red herrings just as easily as it can help you.
This is the fully qualified domain name of the host Qualys scanned. If this mismatches the DNS or hostname, there should be a good reason for that. This is another one of those columns that isn’t always useful, but can be a good indicator of other problems.
This column tells you if Qualys used SSL in this particular check. When this column is blank, it’s not applicable, such as during local filesystem scans.
CVE is the universal industry standard tracking number for vulnerabilities. Not everything in these results has a CVE, and security professionals care more about the CVE than system administrators do, but this is a useful, vendor neutral tracking number. As opposed to the QID, which is completely specific to Qualys. One QID can (and frequently does) cover multiple CVEs.
From time to time someone will try to tell you to ignore anything that doesn’t have a CVE in it. That’s not good advice. You’ll miss valuable information when you do that.
This is the vendor’s tracking number for the fix. It could be just a number, or it may be a URL. This is a good place to look for a patch, especially when the vulnerability is from the current or a recent month.
If Bugtraq has any information on this vulnerability, this ID provides more information.
CVSS is the industry standard way to score vulnerability severity. It uses a scale of 0 to 10, with 10 being high. I’d rather not get into the pros and cons of this particular scoring system, because it tends to turn into religious debate. Suffice it to say people make a lot of incorrect assumptions about this scoring system, that it’s either a bell curve or an even distribution, and neither is true. It tends to be skewed towards sevens and above. If you want a weird world where 80% of vulnerabilities are above average, choose this hill to die on.
This column is the base score of the vulnerability, under version 2 of the model.
CVSS Temporal is the adjusted score after factoring in all of the temporal variables.
This column is the CVSS3 base score, under version 3 of the model. Version 4 promises to be better, but for now, v3 is what we have.
CVSS3 Temporal is the adjusted score after factoring in all of the temporal variables.
This column tries to describe how a threat actor might use the vulnerability. Read this and the impact column when the title isn’t enough to understand the vulnerability.
This column tries to describe the impact of exploiting the vulnerability. Read this and the threat column when the title isn’t enough to understand the vulnerability.
This tells you how to fix the problem. It may provide a vendor update, a workaround, a mitigation, or any number of things. This is another column that is absolutely essential. If all I have is a DNS name, results, and solution, I can function.
This column tells you if known exploits against the vulnerability exist. This is helpful for prioritization, especially if all you can afford is straight Qualys VM, without any threat intelligence.
This column tells you if malware kits are using the vulnerability. This is also helpful for prioritization, especially if all you can afford is straight Qualys VM, without any threat intelligence. Keep in mind some vulnerabilities are useful for malware or exploitation, not necessarily both. So this column can give you some useful nuance.
There are some columns in the output you can safely ignore. This column is not one of those. This column has the details of what the scanner found and where it found it.
Here’s how to read and analyze the Qualys results column.
If you see the name of an update here, with a vendor tracking number, that’s a good indication that the update the scanner is looking for was never applied to this specific computer. If it’s a path in the file system or the Windows registry, that is an indicator that an update was applied, but one or more parts of it did not take effect. It could be the system didn’t reboot after applying the update, and rebooting the system will clear the finding. It could also be that the file didn’t update, or some other process after the fact reverted the file. If a reboot doesn’t clear the issue, reapplying the update frequently will. Failing that, Windows stores logs in ETL files that are frequently helpful in troubleshooting. A good system administrator can use the information in those to fix the problem.
I know this because I was a system administrator who knew how to read vulnerability scans. I fixed 800,000 vulnerabilities in my career before moving to the security side of things.
This column tells you if the vulnerability is one that will cause you to fail PCI.
When the technology you scanned allows for multiple instances, this column will give you more information about what instance it found the vulnerability in.
This is the broad category of the vulnerability. There are four: Web Server, CGI, TCP/IP, and General Remote Services. I never paid much attention to this column as the categories are too broad to have ever been much use to me.
Analyzing Qualys scans for fun and profit
I hope that helps you. There’s a fair bit of analysis that can and should go into a Qualys scan. Otherwise it’s easy to miss what it is your scanner is asking you to do.