One of the most frequent problems people ask me about when doing a health check on their vulnerability management program is duplicate assets in Qualys. If you simply run the tool with the defaults, it is definitely possible to end up with duplicate assets. But with a few configuration changes, you can mostly eliminate this problem.
Enabling agentless tracking to help Qualys deduplicate assets
Agentless tracking lets Qualys track a system by writing a unique identifier to it during an authenticated scan, then using that identifier, rather than the hostname and IP address, to recognize the same system in later scans. You configure Qualys to use this identifier to eliminate duplicate assets. People have mixed reactions to letting a scanner write to their systems, but the benefits outweigh the imagined drawbacks.
This first step has to be done by whoever the primary contact is on the account. Go to VMDR > Assets > Setup > Asset Tracking and Data Merging, enable agentless tracking and the agent correlation identifier, and in the data merging settings on that same page select smart merging.
Then go to Cloud Agent > Configuration Profiles, edit your configuration profile, hover over the Agent Scan Merge option, click Edit, enable Agent Scan Merge, and also enable the Bind All option so the merge works on whichever network interface the scanner reaches. This matters for laptops, which nearly always have both wired and wireless interfaces, and for servers with multiple network interfaces: each interface can otherwise show up as a separate asset. If you have more than one configuration profile, you have to do this on all of them.
This feature was designed to let Qualys merge both agent and network scans, but it also helps if you only do network scans.
If your infrastructure team ever tears a system down to bare metal and rebuilds it, make sure they export the Qualys registry key before the wipe and restore it afterward. Otherwise the rebuilt system comes back with a new identifier and shows up as a new asset, and the old record lingers as a duplicate.
Prepopulating the Qualys UUID
If letting Qualys write to your systems is a bridge too far, you can in theory prepopulate the registry key HKLM\SOFTWARE\Qualys\HostID with a UUID you generate yourself. The caveat is that each identifier has to be truly unique; if two systems end up with the same one, Qualys will merge them into a single asset. And don’t expect Qualys to support using their tool in this manner if you run into problems.
It’s much easier to just let Qualys generate the UUID and write it to the system the first time it authenticates to a previously unscanned system. It only does this once. Competing scanners do the same thing. The difference is they don’t ask permission, they just do it.
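The rebuild case and the prepopulation case above come down to the same registry key, so here is one PowerShell example, added here and not Qualys code, that backs the key up before a wipe, restores it afterward, and pre-seeds a fresh UUID on a box Qualys has never tagged. It assumes the identifier is stored as a string value under HKLM\SOFTWARE\Qualys\HostID (the key named in the text; the value name and the backup path are assumptions, so confirm them on a host Qualys has already tagged):

```powershell
# Added example (not Qualys code): preserve or pre-seed the agentless-tracking host ID.
# Assumptions: the ID lives under HKLM\SOFTWARE\Qualys\HostID (as the text states) and is
# stored there as a string value named HostID; confirm on a host Qualys has already tagged.
# Run from an elevated 64-bit PowerShell so reg.exe works against the native 64-bit hive view.

$RegKey    = 'HKLM\SOFTWARE\Qualys\HostID'      # reg.exe form of the key
$RegPath   = 'HKLM:\SOFTWARE\Qualys\HostID'     # registry-provider form of the same key
$ValueName = 'HostID'                           # assumption; verify on a tracked host
$Backup    = 'C:\Rebuild\qualys-hostid.reg'     # assumed location; copy it off the box before the wipe

function Backup-QualysHostId {
    # Export the whole key before the rebuild; /y overwrites a stale backup without prompting.
    if (-not (Test-Path $RegPath)) { throw "No Qualys host ID on this system; nothing to back up." }
    New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
    reg.exe export $RegKey $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    (Get-ItemProperty -Path $RegPath).$ValueName   # echo the ID so it can be recorded in the ticket
}

function Restore-QualysHostId {
    # Import after the OS is reinstalled and before the first authenticated scan runs,
    # so the scanner finds the old ID instead of generating a new one.
    if (-not (Test-Path $Backup)) { throw "Backup $Backup not found." }
    reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    (Get-ItemProperty -Path $RegPath).$ValueName
}

function Set-QualysHostId {
    # Pre-seed an ID on a box Qualys has never tagged. Refuses to overwrite: a second ID on
    # the same host, or one ID cloned across hosts, is exactly what merges unrelated assets.
    param([string] $HostId = ([guid]::NewGuid().ToString()))
    if (Test-Path $RegPath) {
        $existing = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).$ValueName
        if ($existing) { throw "Host already has ID $existing; not overwriting." }
    }
    # -notmatch is case-insensitive, so upper- or lower-case hex both pass.
    if ($HostId -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') { throw "Not a UUID: $HostId" }
    New-Item -Path $RegPath -Force | Out-Null
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $HostId -PropertyType String -Force | Out-Null
    $HostId
}

# Typical use: Backup-QualysHostId on the old build, Restore-QualysHostId on the new one.
# Set-QualysHostId is only for the prepopulation approach, and only on a never-scanned host.
```

The refusal to overwrite in Set-QualysHostId is the important part. The uniqueness caveat applies to golden images too: if you capture an image from a machine that already carries an ID, every clone inherits it, and Qualys will fold them into one asset, so strip the key before capturing the image.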
Use authenticated scans
Authenticated scans are the other key to solving this problem. If your scans do not authenticate, Qualys has no way to read the identifier and falls back to matching on hostname and IP address. That fallback is what got you into this mess in the first place. Authenticated scans are also much more accurate, so they are something you want to do anyway.
Make sure you set up authentication records, and enable the dissolvable agent in your scan option profile. The dissolvable agent is what lets the scanner read the Windows registry reliably, and with it the identifier. It is one of the least understood and most hated features in Qualys, but it was the workaround Qualys came up with to avoid infringing on one of Tenable’s patents. Tenable patented the only sensible way to remotely read the Windows registry, so Qualys is stuck doing it this way for another decade or so until the patent expires.
But as long as your scans authenticate and the dissolvable agent is working, your scan results will deduplicate much more reliably.
Purging old duplicate systems
One thing to keep in mind is that all of these fixes only help you going forward. Qualys cannot go back and merge old scan results. After you make these changes, I recommend deleting systems you haven’t seen in more than 30 days, which cleans up the old duplicates. In the user interface, use Asset Search to find systems whose last scan date is more than 30 days old, then purge them. Asset purging is one of the fundamentals that Qualys covers in their training, so I very much recommend getting familiar with it.
Qualys also has the ability to set up purge rules that purge hosts and deactivate agents after a period of time. This is one of those features that has to be enabled by a Qualys employee, so contact your technical account manager to get it turned on.
Once you enable this feature, the amount of care and maintenance your Qualys installation requires on a regular basis decreases dramatically. I got so used to having this feature that now I frequently forget you have to ask for it, and it is a game changer.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.