Qualys asset tracking: All you need to know

I probably get more questions about Qualys asset tracking than I get about anything else in regards to Qualys. Many people misunderstand Qualys asset tracking. It’s really easy to mess it up, and things can go horribly wrong if you do.

By default, Qualys tracks assets by IP address. It can also track by NetBIOS name or DNS name. If your authentication is solid and you enable Agentless Tracking, the Dissolvable Agent, and Unified View, you can in effect also make Qualys track by a system-generated UUID.

What you need to know about Qualys asset tracking

Qualys can track assets by one of four methods, three of which are available via scanning. When you scan your network, you can track by IP address, NetBIOS name, or DNS name. The last option, agentless tracking, I’ll cover at the end.

Tracking by IP address is the default option since it’s the least common denominator. It’s also the worst option in a DHCP environment. When using DHCP, Qualys recommends using DNS name, as long as your DNS servers are fast and accurate. If your Active Directory works well, DNS is probably a great option. If your Active Directory is a mess, DNS may not be as good. How do you know if your Active Directory is a mess? If you have to ask, it probably isn’t.

NetBIOS works in Windows environments, with the caveat that some devices don’t have a NetBIOS name. That’s somewhat rare, given that not interacting with Microsoft stuff severely limits your market. Even most Macs have NetBIOS names in corporate environments so they can share files and print. After all, who wants a Mac that can’t print?

When you change the tracking to NetBIOS or DNS, it changes the key field in the backend database for that object. That way, when the machine moves around on the network, Qualys doesn’t create new records, and you don’t get duplicate assets with duplicate vulnerabilities. Having duplicate assets with duplicate vulnerabilities in your scan results isn’t a good way to make friends.

Changing asset tracking from the user interface

Editing asset tracking from Asset Search used to be broken. It appears that if you search for assets in Asset Search and change the host tracking there, it works now. I was always told to change from the Host Assets tab, but the Asset Search functionality appears to work now, and it’s certainly more convenient.

Navigate to Vulnerability Management > Assets > Asset Search. Under Asset Groups, select All. Check the box next to Tracking Method and select (presumably) IP Address. You can fine-tune your search too. If you have a naming convention, select NetBIOS hostname and enter some search criteria. Failing that, you can select Operating System, select contains, and type Windows 7 or Windows 10 to find workstation operating systems.

Click Search and you get a list of IP-tracked workstations. Scroll down to the results, check the select all box at the top, then from the actions menu at the top, select Edit and click Apply. From the resulting screen, select DNS or NetBIOS and click Save.

You can also change the tracking method from the Host Assets tab in the UI, but without any search or filtering capability. It’s a good idea to navigate to the Host Assets tab and spot check to make sure your IPs did indeed change tracking methods there.

Changing asset tracking via the API

You can also change asset tracking via the API, which is pretty fast. There’s an example API call on or around page 234 of the Qualys API Guide V2. Simply make a call with the IP addresses you want to change.

Unlike the user interface, the API does no error checking. In the user interface, if you try to change an IP with a blank hostname to DNS or NetBIOS tracking, you get an error. You also get an error if just one of many IPs you choose is blank, and the valid ones don’t change either. The API just does it, blank hostname or not, and a host tracked by a name Qualys doesn’t have for it gets skipped on the next scan (see the error condition below). So check the hostnames before you call it.

A weird error condition

If you scan an IP that’s being tracked by DNS or NetBIOS and the device on it doesn’t have a registered DNS or NetBIOS name, Qualys will skip it. It notes this in the scan results, but if you’re not familiar with this behavior, it can be unclear why. The scan results only give a generic list of possible conditions: no data found for this host, no host alive, one or more hosts on the excluded hosts list, or no open port found.

If this happens to you and you’re pulling your hair out as to why the device won’t scan, check its asset tracking method and switch it back to IP for the time being.
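The following script is an added example, not code from the original post or from Qualys. It does the check the API skips (see the API section above) and finds hosts already stranded in the skip condition just described: it parses a Host List response, reports which IPs are safe to move to DNS or NetBIOS tracking and which would end up with a blank name, lists hosts tracked by a name they don’t have so you can revert them to IP, and builds the Host Update call. The XML is constructed sample data. The endpoint paths and the ips/tracking_method parameters are as I know them from the API v2 guide; verify them against the guide version for your platform, and set the API URL, user, and password environment variables (my names, not Qualys’s) only when you want it to make the real call.

```python
"""Plan a Qualys tracking-method change with the sanity check the API lacks.

Added example; not from the original post or from Qualys.
Assumptions (labelled): Host List (/api/2.0/fo/asset/host/?action=list)
returns HOST elements with IP, TRACKING_METHOD, DNS and NETBIOS children,
and Host Update (/api/2.0/fo/asset/host/?action=update) takes ips= and
tracking_method=.  Check both against your API guide version.
"""
import base64
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

VALID_METHODS = ("IP", "DNS", "NETBIOS")

# Constructed sample data: what a Host List response looks like for four hosts.
SAMPLE_HOST_LIST = """<HOST_LIST_OUTPUT>
  <RESPONSE>
    <HOST_LIST>
      <HOST><ID>1</ID><IP>10.0.0.10</IP><TRACKING_METHOD>IP</TRACKING_METHOD>
        <DNS>ws-0010.corp.example</DNS><NETBIOS>WS-0010</NETBIOS></HOST>
      <HOST><ID>2</ID><IP>10.0.0.11</IP><TRACKING_METHOD>IP</TRACKING_METHOD>
        <NETBIOS>WS-0011</NETBIOS></HOST>
      <HOST><ID>3</ID><IP>10.0.0.12</IP><TRACKING_METHOD>IP</TRACKING_METHOD></HOST>
      <HOST><ID>4</ID><IP>10.0.0.13</IP><TRACKING_METHOD>DNS</TRACKING_METHOD></HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_OUTPUT>
"""


def parse_host_list(xml_text):
    """Return {ip: {"tracking", "dns", "netbios"}}; missing names become ""."""
    hosts = {}
    for h in ET.fromstring(xml_text).iter("HOST"):
        hosts[h.findtext("IP", "").strip()] = {
            "tracking": h.findtext("TRACKING_METHOD", "").strip().upper(),
            "dns": h.findtext("DNS", "").strip(),
            "netbios": h.findtext("NETBIOS", "").strip(),
        }
    return hosts


def plan_change(hosts, target):
    """Split IPs into (safe, skipped).  A host may move to DNS or NETBIOS
    tracking only if Qualys already holds a name of that kind for it; the UI
    refuses the rest, the API silently accepts them and the next scan skips
    them.  Moving to IP is always safe."""
    target = target.upper()
    if target not in VALID_METHODS:
        raise ValueError("tracking method must be one of %s" % (VALID_METHODS,))
    safe, skipped = [], []
    for ip, info in sorted(hosts.items()):
        (safe if target == "IP" or info[target.lower()] else skipped).append(ip)
    return safe, skipped


def find_stranded(hosts):
    """IPs tracked by DNS/NETBIOS whose name of that kind is blank: these are
    the hosts a scan will skip, so switch them back to IP for now."""
    return sorted(ip for ip, info in hosts.items()
                  if info["tracking"] in ("DNS", "NETBIOS")
                  and not info[info["tracking"].lower()])


def update_params(ips, method):
    """Form body for the Host Update call (assumed parameter names)."""
    return urllib.parse.urlencode(
        {"action": "update", "ips": ",".join(ips), "tracking_method": method.upper()}
    ).encode()


def qualys_post(base_url, user, password, path, body):
    """Minimal Basic-auth POST; the Qualys API requires X-Requested-With."""
    req = urllib.request.Request(base_url + path, data=body, method="POST")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("X-Requested-With", "python urllib")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline dry run against the constructed sample.
    hosts = parse_host_list(SAMPLE_HOST_LIST)
    safe, skipped = plan_change(hosts, "NETBIOS")
    print("would switch to NETBIOS:", safe)
    print("left on IP (no NetBIOS name):", skipped)
    print("tracked by a blank name, revert to IP:", find_stranded(hosts))
    # Real call only when credentials are supplied (platform URL varies).
    base = os.environ.get("QUALYS_API_URL")  # e.g. https://qualysapi.qualys.com
    if base and safe:
        print(qualys_post(base, os.environ["QUALYS_USER"], os.environ["QUALYS_PASS"],
                          "/api/2.0/fo/asset/host/", update_params(safe, "NETBIOS")))
```

Run it once without the environment variables to see the plan, then feed the output of a real Host List call (same action, same endpoint, details=Basic is enough) into parse_host_list instead of the sample. The point of the split is that skipped hosts stay on IP tracking rather than silently becoming unscannable.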

What about existing scans?

There’s no need to change your existing scans. It’s best to still scan IP ranges. Scanning by hostname is less reliable than scanning by IP. Also, you really need to scan the unknown to see what’s out there. Only scanning known assets is a common thing vulnerability management programs get wrong.

Scanning by IP while tracking by NetBIOS or DNS name works well.

Configuring your scanner appliances

If you’re going to use NetBIOS name, it’s a good idea to configure your Qualys scanner appliances with a WINS server. Qualys won’t use WINS if it doesn’t need it, but if it needs WINS and doesn’t have it, it can fail to find NetBIOS names during scans, and hosts tracked by NetBIOS name then get skipped as described above.

What about Agentless Tracking?

The Qualys Cloud Agent writes a UUID to HKLM\Software\Qualys. Agentless Tracking permits Qualys scans to also write to this key, with or without the agent (hence the name). Enabling Unified View allows Qualys to merge any results it finds based on this ID, regardless of whether it comes from agents or scans.

This feature was designed to let you unify data that comes in from both the agent and the scan. It has the side effect of unifying from scan to scan as well. So if you have systems in DHCP ranges that move around, Agentless Tracking and Unified View will, in effect, deduplicate those assets.

This comes with many caveats.

Authentication

First, your authentication has to be solid. If your system doesn’t authenticate correctly, Qualys won’t recognize it.

Registry access and the Dissolvable Agent

Second, Qualys needs registry access, which means enabling the Remote Registry service, enabling the Dissolvable Agent in your scan profiles, or better yet, both.

The Dissolvable Agent confuses everyone, but it has nothing to do with the Cloud Agent product. It’s a small executable that grants Qualys registry access during the scan and then goes away when the scan finishes. It’s a solution when companies don’t want to enable the Remote Registry service.

To enable the Dissolvable Agent, navigate to Scans > Setup > Dissolvable Agent and click Accept. Then open each of your scan profiles in Scans > Option Profiles, click the Scan tab, scroll down to near the end, about five options up, and check Enable the Dissolvable Agent.

If you have multiple scan profiles and some of them don’t have the Dissolvable Agent enabled, your results will be inconsistent: scans run with those profiles can’t read or write the tracking ID, so the same host merges in some results and duplicates in others.

Agentless Tracking and Unified View

Third, you have to enable both Agentless Tracking and Unified View. To enable Agentless Tracking, the primary contact on the account has to navigate to Scans > Setup > Agentless Tracking and click Agree. To enable Unified View, navigate to Users > Setup > Cloud Agent Setup and check the box that says Show unified views of hosts.

Once you do all that, when a laptop bounces between wired and wireless connections, the asset will move from IP to IP, taking all of the vulnerability data with it, rather than creating duplicates. This fixes the most common problem in Qualys, and may be the best kept secret about the product.

It has a lot of moving parts and is almost entirely undocumented, and that’s why so many people get it wrong. But when you get all the parts working right, Qualys works much better.
