How to: Scan for Specific Vulnerabilities with Qualys

If you are new to Qualys, you may be wondering how to "scan for specific vulnerabilities with Qualys". You may be used to tools that only give you vulnerability data when you run a scan, and be looking for a way to replicate that workflow.

Qualys is different because it is agent-based, continuously providing fresh data.

Nevertheless, there are situations where a targeted scan is a legitimate need, so here is how you perform a scan with a specific vulnerability in mind.

In Qualys, vulnerabilities are identified by QIDs, so what we want to do is run a scan that targets the specific QIDs associated with the vulnerabilities of interest. The scan should be an authenticated scan, as you will likely not get usable results from unauthenticated scanning.


The key to scanning for specific vulnerabilities with Qualys is “Search lists”, found under the Knowledgebase tab in the VMDR module. A search list is the way to specify a list of QIDs, and it has many uses.

In this example, we are looking for Spring4Shell, so we start by identifying the QID(s) we want to include in our results. We do that by searching the Knowledgebase:

[Screenshot: Search the knowledgebase]

Now that we know we are targeting QID 376514, the next step is to create a Search list and include QID 376514 in it.

[Screenshot: Include QID]

Now that we have our search list, we need to associate it with the scan we are going to run, which is where the Option profile comes in. The option profile tells Qualys exactly how you want your scan to be performed, and includes a setting that restricts the scan's scope to specific search lists.

So, we are going to create a new option profile and specify our search list in it.

Make sure to enable “Basic host information checks” and authentication.

All we have to do now is initiate a scan using our new option profile.

Good.

Now Qualys has performed a scan for just the QIDs we defined in the Search list. How do we see the output?

You can either:

  • Create a dashboard to show you all instances of the QIDs you are looking for (Great)
  • Search for the QIDs in VMDR > Vulnerabilities (OK)
  • Check the scan results page (Not great)
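The same four steps (search list, option profile, scan launch, reading the detections) can be driven through the Qualys VM API v2 instead of the UI. The following Python is an added example, not code from the original post or from Qualys. It assumes a placeholder platform URL (substitute your own API server), credentials passed via environment variables, and the endpoint paths as documented for static search lists, scan launch and host detection listing; the option profile parameter names (vulnerability_detection, custom_search_list_ids, basic_host_information_checks, authentication) are assumptions to be checked against the API user guide for your subscription. The XML responses embedded below are constructed samples so the parsers can be exercised offline.

```python
import base64
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder platform URL: substitute the API server for your Qualys platform.
BASE_URL = os.environ.get("QUALYS_API_URL", "https://qualysapi.example.invalid")


def search_list_request(title, qids):
    """Step 1: static search list containing only the QIDs of interest."""
    return ("/api/2.0/fo/qid/search_list/static/",
            {"action": "create", "title": title,
             "qids": ",".join(str(q) for q in qids)})


def option_profile_request(title, search_list_id):
    """Step 2: option profile scoped to that search list, with basic host
    information checks and authentication enabled.
    The parameter names below are assumptions; verify them against the
    API user guide for your subscription."""
    return ("/api/2.0/fo/subscription/option_profile/vm/",
            {"action": "create", "title": title,
             "vulnerability_detection": "custom",
             "custom_search_list_ids": str(search_list_id),
             "basic_host_information_checks": "1",
             "authentication": "Windows,Unix"})


def scan_launch_request(scan_title, option_id, targets, scanner_name):
    """Step 3: launch a scan with the new option profile against the targets."""
    return ("/api/2.0/fo/scan/",
            {"action": "launch", "scan_title": scan_title,
             "option_id": str(option_id), "ip": ",".join(targets),
             "iscanner_name": scanner_name})


def detection_list_request(qids):
    """Step 4: read results from host detections (the data the VMDR
    Vulnerabilities view and dashboards are built on) rather than the scan report."""
    return ("/api/2.0/fo/asset/host/vm/detection/",
            {"action": "list", "qids": ",".join(str(q) for q in qids)})


def parse_simple_return(xml_text):
    """SIMPLE_RETURN responses carry KEY/VALUE items, e.g. the ID of a created object."""
    root = ET.fromstring(xml_text)
    return {item.findtext("KEY"): item.findtext("VALUE") for item in root.iter("ITEM")}


def parse_detections(xml_text):
    """Flatten HOST_LIST_VM_DETECTION_OUTPUT into (host_id, ip, qid, status) rows."""
    root = ET.fromstring(xml_text)
    return [(host.findtext("ID"), host.findtext("IP"),
             det.findtext("QID"), det.findtext("STATUS"))
            for host in root.iter("HOST") for det in host.iter("DETECTION")]


def call(path, params, username, password):
    """POST a form-encoded API request with HTTP Basic auth. Qualys rejects
    requests that lack the X-Requested-With header."""
    req = Request(BASE_URL + path, data=urlencode(params).encode(), method="POST")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("X-Requested-With", "targeted-scan-example")
    with urlopen(req, timeout=60) as resp:
        return resp.read().decode()


# Constructed sample responses, shaped like the API's XML, for offline checks.
SAMPLE_SIMPLE_RETURN = """<?xml version="1.0" encoding="UTF-8"?>
<SIMPLE_RETURN><RESPONSE><TEXT>New search list created successfully</TEXT>
<ITEM_LIST><ITEM><KEY>ID</KEY><VALUE>123456</VALUE></ITEM></ITEM_LIST>
</RESPONSE></SIMPLE_RETURN>"""

SAMPLE_DETECTIONS = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
<HOST><ID>1001</ID><IP>10.0.0.5</IP><DETECTION_LIST>
<DETECTION><QID>376514</QID><TYPE>Confirmed</TYPE><STATUS>Active</STATUS></DETECTION>
</DETECTION_LIST></HOST>
<HOST><ID>1002</ID><IP>10.0.0.6</IP><DETECTION_LIST>
<DETECTION><QID>376514</QID><TYPE>Confirmed</TYPE><STATUS>Fixed</STATUS></DETECTION>
</DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""


if __name__ == "__main__":
    user, pw = os.environ.get("QUALYS_USER"), os.environ.get("QUALYS_PASSWORD")
    if not (user and pw):
        # Offline: show the prepared requests and run the parsers on the samples.
        for path, params in (search_list_request("Spring4Shell", [376514]),
                             detection_list_request([376514])):
            print(path, params)
        print(parse_simple_return(SAMPLE_SIMPLE_RETURN), parse_detections(SAMPLE_DETECTIONS))
    else:
        sl_id = parse_simple_return(call(*search_list_request("Spring4Shell", [376514]), user, pw))["ID"]
        op_id = parse_simple_return(call(*option_profile_request("Spring4Shell only", sl_id), user, pw))["ID"]
        print(call(*scan_launch_request("Spring4Shell scan", op_id, ["10.0.0.5"], "my-scanner"), user, pw))
        print(parse_detections(call(*detection_list_request([376514]), user, pw)))
```

Without credentials the script only prints the requests it would send and the parsed samples; with QUALYS_USER and QUALYS_PASSWORD set it runs the live workflow. Reading the host detection list at the end reflects the post's point that the scan results page is the least useful place to look: the detection data is what the dashboard and the VMDR Vulnerabilities view are built on, and it keeps being refreshed by agents after the one-off scan.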

If you’re a seasoned Qualys admin, what you probably want to do is ensure that you have agents deployed to all assets that support an agent, and then create a dashboard that updates automatically and shows trends.