
Copyright 2016 by Qualys, Inc. All Rights Reserved. 1

Qualys 8.8 Release Notes

This new release of the Qualys Cloud Suite of Security and Compliance Applications includes improvements to Vulnerability Management and Policy Compliance.

Qualys Cloud Platform

Improvements to Asset Search

Choose Kerberos, NTLM protocols for Authentication

Select SMB Version for Windows Authentication

Better Explanation for Authentication Not Attempted

New Replace Scanner Options

Increased Storage Option

New Locale Tab in User Profile

Create IPv6 Asset Groups without a Scanner Appliance

Qualys Vulnerability Management (VM)

New Scan Option – Close Vulnerabilities on Dead Hosts

Display CVSS v3 scores in reports

New Operand in Dynamic Search List for CVSS

KnowledgeBase Download shows more QID attributes in XML and CSV

Vulnerability Notification shows more QID attributes in CSV file

Qualys Policy Compliance (PC/SCAP)

New Support for Oracle WebLogic Server Authentication

New Support for Checkpoint Firewall Authentication

IBM HTTP Server 8 Support

IBM WebSphere Application Server 8 Support

Improvement to Exception Assignments

Support Agent IPs in Compliance Policy

User Defined Controls: New Reporting Option for “Item not found” Error

New Windows UDC: Group Membership Check

New Technologies Supported for WMI Query Check UDC

Qualys API Enhancements

See the Qualys API Release Notes 8.8 for details. You can download the release notes and our user guides from your account. Just go to Help > Resources.

Qualys Release Notes 2

Qualys Cloud Platform

Improvements to Asset Search

You can now generate and download the Asset Search Report from the Reports tab. Go to Reports > New > Asset Search Report to generate the report.

Select a report format (CSV, XML, HTML, PDF or MHT), provide search attributes, and then click Run to generate the report. The Asset Search Report in the specified format is saved to your reports list, where you can share it and download it just like other reports.


Asset Search Report: Action on all Hosts

Want to launch a vulnerability scan or remove a tag on all the hosts in your asset search report? You can do it in a jiffy. Select an action and click Apply. The action menu includes options like Edit All, Purge All, and Add All to Asset Groups.

Asset Search Report: Services search enhanced

You can now enter the names of the services to be searched for on the hosts. You can enter up to ten comma-separated values. Either type the service names or select them from the existing list of services.


Choose Kerberos, NTLM protocols for Authentication

You can now choose the authentication protocols you want to use for authentication to Windows and MS SQL Server target hosts. Your options are Kerberos, NTLMv2 and NTLMv1. You’ll choose authentication protocols when defining login credentials for your authentication records.

Windows Domain Level Authentication

All three authentication protocols are supported. Kerberos and NTLMv2 are enabled by default in new records. If NTLM was enabled in a record prior to this release, then NTLMv1 is enabled in that record after the upgrade. NTLMv1 is the legacy protocol and its DES-based challenge-response can be recovered offline with modest effort, so review upgraded records and leave only Kerberos and NTLMv2 enabled unless a target still requires NTLMv1.

Windows Local Host Level Authentication

NTLMv2 and NTLMv1 protocols are supported. NTLMv2 is enabled by default in new records. If NTLM was enabled in a record prior to this release, then NTLMv1 is enabled in that record after the upgrade.


MS SQL Server Authentication (PC only)

All three authentication protocols are supported. Kerberos and NTLMv2 are enabled by default in new records. MS SQL records created prior to this release will have all three protocols enabled; disable NTLMv1 in those records too unless a server still requires it.

Select SMB Version for Windows Authentication

You can now select a minimum SMB protocol version (1, 2.0.2, 2.1, and so on) and we’ll require that each Windows target has that version or later. If the target has an older version of the SMB protocol, authentication will fail and the host will not be scanned.

How do I set up a minimum SMB version?

Go to Scans > Authentication > Windows Records and navigate to the Login Credentials section. Select the minimum SMB version for your Windows host authentication. Authentication will fail for target hosts that have an SMB version older than the minimum version selected. For example, if you set a minimum of 2.0.2 and you scan a Windows host with version 1.0, authentication will fail and the host will not be scanned.

Tip - You can set a minimum SMB version without also requiring SMB signing.
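The following is an added example, not Qualys code: a small Python parser for an SMB NEGOTIATE response that applies the same "minimum version or later" rule described above and separately reports whether the server requires signing, so the two settings can be reasoned about independently. Dialect codes and field offsets follow MS-CIFS (SMB1) and MS-SMB2 (SMB2); the sample responses are constructed, and the require_signing parameter is this example's own modelling of a signing requirement, not a Qualys setting name.

```python
"""Apply a "minimum SMB version" rule to an SMB NEGOTIATE response.

Field offsets follow MS-CIFS (SMB1) and MS-SMB2 2.2.4 (SMB2 NEGOTIATE
response). The sample messages below are constructed for this example."""
import struct

# SMB2 DialectRevision values and their human-readable versions.
SMB2_DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                 0x0302: "3.0.2", 0x0311: "3.1.1"}
# Ordering used for "this version or later"; "1" stands for SMB1.
DIALECT_ORDER = ["1", "2.0.2", "2.1", "3.0", "3.0.2", "3.1.1"]

SMB2_SIGNING_REQUIRED = 0x0002   # SecurityMode bit, MS-SMB2 2.2.4
SMB1_SIGNING_REQUIRED = 0x08     # SecurityMode bit, MS-CIFS negotiate response


def parse_negotiate_response(data):
    """Return {'dialect': str, 'signing_required': bool} for the SMB bytes
    that follow the 4-byte NetBIOS session header."""
    if data[:4] == b"\xffSMB":
        # SMB1: 32-byte header, then WordCount (1), DialectIndex (2),
        # SecurityMode (1) at offset 35.
        if len(data) < 36:
            raise ValueError("truncated SMB1 NEGOTIATE response")
        return {"dialect": "1",
                "signing_required": bool(data[35] & SMB1_SIGNING_REQUIRED)}
    if data[:4] == b"\xfeSMB":
        if len(data) < 70:
            raise ValueError("truncated SMB2 NEGOTIATE response")
        header_size, = struct.unpack_from("<H", data, 4)
        command, = struct.unpack_from("<H", data, 12)
        if header_size != 64 or command != 0:    # 0 == SMB2 NEGOTIATE
            raise ValueError("not an SMB2 NEGOTIATE response")
        struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
        if struct_size != 65 or dialect not in SMB2_DIALECTS:
            raise ValueError("malformed NEGOTIATE body or unknown dialect 0x%04x" % dialect)
        return {"dialect": SMB2_DIALECTS[dialect],
                "signing_required": bool(security_mode & SMB2_SIGNING_REQUIRED)}
    raise ValueError("not an SMB message")


def meets_minimum(dialect, minimum):
    """True when `dialect` is `minimum` or later."""
    return DIALECT_ORDER.index(dialect) >= DIALECT_ORDER.index(minimum)


def authentication_allowed(data, minimum, require_signing=False):
    """Decide whether to go ahead with authentication. `require_signing` is a
    separate check modelled here (an assumption, not a Qualys setting name),
    so a minimum version can be enforced with or without it."""
    info = parse_negotiate_response(data)
    if not meets_minimum(info["dialect"], minimum):
        return False, "SMB %s is older than the minimum %s; host not scanned" % (info["dialect"], minimum)
    if require_signing and not info["signing_required"]:
        return False, "SMB %s accepted but server does not require signing" % info["dialect"]
    return True, "SMB %s accepted" % info["dialect"]


# --- constructed sample responses ---------------------------------------

def build_smb2_negotiate_response(dialect, security_mode):
    """Minimal SMB2 NEGOTIATE response: 64-byte header + fixed 64-byte body."""
    header = (b"\xfeSMB"
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
              + b"\x00" * 16)                                    # Signature
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0)  # StructureSize, SecurityMode, DialectRevision, Reserved
            + b"\x00" * 16                                       # ServerGuid
            + struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)  # Capabilities, Max*Size
            + struct.pack("<QQ", 0, 0)                           # SystemTime, ServerStartTime
            + struct.pack("<HHI", 128, 0, 0))                    # SecurityBuffer offset/length, NegotiateContextOffset
    return header + body


def build_smb1_negotiate_response(security_mode):
    """Minimal SMB1 NEGOTIATE response for dialect NT LM 0.12."""
    header = b"\xffSMB" + bytes([0x72]) + b"\x00" * 27          # SMB_COM_NEGOTIATE, rest zeroed
    words = bytes([17]) + struct.pack("<HB", 0, security_mode)  # WordCount, DialectIndex, SecurityMode
    return header + words + b"\x00" * 30


if __name__ == "__main__":
    for label, msg in [("SMB1 host", build_smb1_negotiate_response(0x0F)),
                       ("SMB 2.1 host", build_smb2_negotiate_response(0x0210, 0x01)),
                       ("SMB 3.1.1 host", build_smb2_negotiate_response(0x0311, 0x03))]:
        print(label, authentication_allowed(msg, "2.0.2"))
```

With a minimum of 2.0.2 the SMB1 host is rejected before any credentials are sent, while the 2.1 host passes the version check and fails only if the optional signing check is also switched on, which is the separation the tip describes.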


Better Explanation for Authentication Not Attempted

When you see the Not Attempted authentication status you’ll also see an explanation in the Cause column. There are multiple reasons you can get this status and the explanation provided will depend on the reason.

Authentication status appears in the authentication records list. Go to Scans > Authentication and click the Details link. In this example, the host 10.10.10.215 has a status of N/A (Not Attempted) because this is a Windows host in a Unix record.

You can also run an Authentication Report to see authentication status for your hosts. In this example, the host 10.10.30.159 has a status of Not Attempted. This is a Unix host and there are Unix records in the account, but this host doesn’t match any of those records.

Tip – If you’re in VM, authentication information is based on vulnerability scan data. If you’re in PC, authentication information is based on compliance scan data. Let’s say you scanned a host in PC but you didn’t scan it in VM. You’ll see a Pass/Fail status in PC and Not Attempted in VM.


New Replace Scanner Options

New options in the Replace Scanner Appliance workflow give you more control over which configurations are updated.

Go to Scans > Appliances > New > Replace Scanner Appliance. Select the appliance you want to replace and the one you want to use. Then go to the Replace Scanner Options section to choose these options:

Do not copy Configurations from Old Scanner to New Scanner – Select this option if you do not want us to transfer appliance settings from the old appliance to the new one. Settings include the polling interval, heartbeat checks, scanning options, VLANs and static routes.

Do not remove New Scanner from Business Objects – Select this option if you do not want us to remove the new appliance from asset groups and schedules it was already associated with.

Increased Storage Option

You can now keep scan and map results for up to 13 months when using the auto delete feature.

Go to Scans > Setup > Storage to tell us how long to store your results, or clear this setting if you do not want results automatically deleted.


New Locale Tab in User Profile

We moved the Language and Time Zone settings to a new Locale tab in your user profile. Just choose User Profile below your user name, or edit any user from the users list, to see it for yourself.

Create IPv6 Asset Groups without a Scanner Appliance

IPv6 Scanning must be enabled for your subscription. Contact your Account Manager or Support to get it.

This makes it easier for you to create asset groups with IPv6 hosts. You’ll select a scanner appliance for scanning your IPv6 hosts later, at scan time. Keep in mind the appliance must be enabled for IPv6 scanning.

To create IPv6 asset groups:

- Go to Assets > Host Assets and choose Filters > IPv6 to IPv4 Mappings.

- Mark the check box next to each host you want to add to the asset group and select “Add to a new Asset Group” from the Actions menu.

You can also create asset groups from an Asset Search report.


Qualys Vulnerability Management (VM)

New Scan Option – Close Vulnerabilities on Dead Hosts

This feature must be enabled for your subscription. Contact your Account Manager or Support to get it.

Choose this option to quickly close vulnerabilities for hosts that are not found alive after a set number of scans. You configure this option in your scan option profile. When enabled, we’ll mark existing tickets associated with dead hosts as Closed/Fixed and update the vulnerability status to Fixed.


Display CVSS v3 scores in reports

We now display the CVSS v3 scores for vulnerabilities assigned to CVEs by NIST, in vulnerability reports and KnowledgeBase QIDs. Two new fields are added to display the CVSS v3 scores: CVSS3 Base Score and CVSS3 Temporal Score. You can view these fields in all formats of the reports.

Here are some sample reports where you can see the CVSS v3 scores:

Scan Report

Patch Report

KnowledgeBase

You can also specify CVSS v3 scores as criteria in your dynamic search lists. Go to KnowledgeBase > Search Lists and specify the CVSS3 Base Score and CVSS3 Temporal Score values that you want to search on.


New Operand in Dynamic Search List for CVSS

You can now search for a score less than the specified CVSS and CVSS3 (Base and Temporal) scores. Go to KnowledgeBase > Search Lists > Dynamic List. Choose the “less than” option and specify the desired value. The search results will list all vulnerabilities that have scores less than the specified value.

Tip - You’ll see these same options when searching for QIDs in the KnowledgeBase.

KnowledgeBase Download shows more QID attributes in XML and CSV

We’ve added these attributes to the XML and CSV formats, where applicable to the QID: Remote Discovery (the QID can be detected by a remote, unauthenticated scan), Patch Available, and Exploit Available. These attributes are represented by icons next to the vulnerability title in the KnowledgeBase.

Choose New > Download to download a KnowledgeBase report in CSV or XML format. You’ll see the additional attributes under Sub Category.
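The following is an added example, not Qualys code or output: a Python filter over a KnowledgeBase CSV download that applies a "less than" CVSS3 comparison together with the Remote Discovery, Patch Available and Exploit Available attributes, covering both the new operand above and the new Sub Category columns. The column names, the comma-separated encoding of Sub Category and the sample rows are all constructed assumptions for this example; check them against a real export before reusing the code.

```python
"""Filter a KnowledgeBase CSV download by CVSS3 score and QID attributes.

The column names and the comma-separated Sub Category encoding are
assumptions for this example; the sample rows are constructed."""
import csv
import io

# Constructed sample export. QID 100003 has no NIST CVSS v3 score (blank cells).
SAMPLE_CSV = """QID,Title,Severity,CVSS Base,CVSS Temporal,CVSS3 Base Score,CVSS3 Temporal Score,Sub Category
100001,Remotely detectable flaw with public exploit,4,7.5,6.2,9.8,8.8,"Remote Discovery, Exploit Available"
100002,Local issue with vendor patch,3,4.6,3.6,5.5,4.8,Patch Available
100003,Older finding without a v3 score,2,2.1,1.6,,,Remote Discovery
100004,Configuration weakness,2,3.3,2.4,3.1,2.7,
"""

QID_FLAGS = ("Remote Discovery", "Patch Available", "Exploit Available")


def _score(text):
    """Blank cell -> None (no score), otherwise float."""
    text = text.strip()
    return float(text) if text else None


def load_knowledgebase(text):
    """Parse the CSV into dicts with numeric scores and a set of attribute flags."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        flags = {p.strip() for p in row["Sub Category"].split(",") if p.strip()}
        records.append({
            "qid": int(row["QID"]),
            "title": row["Title"],
            "severity": int(row["Severity"]),
            "cvss_base": _score(row["CVSS Base"]),
            "cvss_temporal": _score(row["CVSS Temporal"]),
            "cvss3_base": _score(row["CVSS3 Base Score"]),
            "cvss3_temporal": _score(row["CVSS3 Temporal Score"]),
            "flags": flags & set(QID_FLAGS),
        })
    return records


def search(kb, cvss3_base_less_than=None, cvss3_base_at_least=None, required_flags=()):
    """Dynamic-search-list style filter; returns matching QIDs in file order.

    A QID with no CVSS3 score never satisfies a CVSS3 comparison: a "less than"
    filter must not silently sweep in unscored QIDs, which need their own review."""
    matches = []
    for rec in kb:
        score = rec["cvss3_base"]
        if cvss3_base_less_than is not None and (score is None or score >= cvss3_base_less_than):
            continue
        if cvss3_base_at_least is not None and (score is None or score < cvss3_base_at_least):
            continue
        if not set(required_flags) <= rec["flags"]:
            continue
        matches.append(rec["qid"])
    return matches


def unscored(kb):
    """QIDs that carry no CVSS3 base score and so fall outside every CVSS3 filter."""
    return [rec["qid"] for rec in kb if rec["cvss3_base"] is None]


KB = load_knowledgebase(SAMPLE_CSV)

if __name__ == "__main__":
    print("CVSS3 base < 7.0:", search(KB, cvss3_base_less_than=7.0))
    print("Remote + exploit:", search(KB, required_flags=["Remote Discovery", "Exploit Available"]))
    print("No CVSS3 score:", unscored(KB))
```

The point worth carrying over to a real dynamic search list is the unscored() set: QIDs without a NIST v3 score match neither a "less than" nor a "greater than" CVSS3 criterion, so a list built only on CVSS3 ranges leaves them out entirely.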


CSV sample

XML sample


Vulnerability Notification shows more QID attributes in CSV file

The Vulnerability Notification email is sent from the Qualys Cloud Platform when we’ve added and/or updated vulnerabilities in the Qualys KnowledgeBase. We’ve added the attributes Remediation Link and Product Affected to the attached CSV file.

Vulnerability Notification email (no changes):

CSV file: This shows the QID Remediation Link and Product Affected when available.


Qualys Policy Compliance (PC)

New Support for Oracle WebLogic Server Authentication

We now support compliance scans for Oracle WebLogic servers running on Unix hosts. Simply create a new Oracle WebLogic Server authentication record with details about your installation and the server domain. Unix authentication is required, so you’ll also need a Unix record for the host running the server.

Which technologies are supported?

- Oracle WebLogic Server 11g

- Oracle WebLogic Server 12c

How do I get started?

- Go to Scans > Authentication.

- Check that you have a Unix record already defined for each host running an Oracle WebLogic Server.

- Create an Oracle WebLogic Server record for the same host. Go to New > Application Records > Oracle WebLogic Server (as shown on the right).

Your Oracle WebLogic Server Record

You’ll need to tell us where the server is installed. Then specify a single domain or use the Auto Discover option (the default setting) and we’ll find all the domains for you.


New Support for Checkpoint Firewall Authentication

We now support compliance scans for Checkpoint Firewall devices. Simply create a new Checkpoint Firewall authentication record.

Checkpoint Firewall is a sub-type of Unix authentication, similar to Cisco IOS. An IP address in the Checkpoint Firewall record cannot also exist in a Unix or Cisco IOS record.

How do I get started?

Go to Scans > Authentication, and choose New > Checkpoint Firewall (as shown on the right). This authentication type is supported for compliance scans only.

Your Checkpoint Firewall Record

You’ll notice that the settings in this record are the same as Cisco IOS records with the exception of Expert Password. This is the password required for executing the “expert” command on the target hosts.


IBM HTTP Server 8 Support

We’ve extended our support for Apache Web Server authentication to include IBM HTTP Server 8.x. These technologies are already supported: IBM HTTP Server 7.x, Apache HTTP Server 2.2 and 2.4, and VMware vFabric Web Server 5.x.

You’ll need an Apache Web Server record to authenticate to your server and scan it for compliance.

How do I get started?

- Go to Scans > Authentication.

- Check that you have a Unix record already defined for the host running the web server.

- Create an Apache Web Server record for the same host. Go to New > Application Records > Apache Web Server (as shown on the right). This authentication type is supported for compliance scans only.

IBM WebSphere Application Server 8 Support

We’ve extended our support for IBM WebSphere Application Server to include Version 8. We already supported WebSphere Application Server 7.x.

You’ll need an IBM WebSphere App Server record to authenticate to your application server and scan it for compliance.

How do I get started?

- Go to Scans > Authentication.

- Check that you have a Unix record already defined for the host running the application server.

- Create an IBM WebSphere App Server record for the same host. Go to New > Application Records > IBM WebSphere App Server. This authentication type is supported for compliance scans only.


Improvement to Exception Assignments

When assigning exceptions in bulk (either during a batch request or a bulk edit) we’ll now restrict the list of possible assignees to only those users who have access to all of the selected exceptions, meaning they have access to the hosts those exceptions apply to. This prevents an exception from being assigned to a user who can’t take action on it.

Support Agent IPs in Compliance Policy

Now you can report on agent host compliance by adding agent host IPs to your policies. Managers and Auditors have permission to add agent IPs to policies, and to view and report on agent IPs.

It’s easy to do. Open your policy in the Policy Editor, edit the assets for the policy and select the new option “Include all hosts with PC agents”. All hosts in your PC Agent license will be included.

Note – This option only appears in accounts with PC Agent.


Reporting on Agent Hosts

Easily identify agent hosts in your reports and data lists by looking for the tracking method AGENT.

You’ll also notice that we’ve added the policy evaluation date to your policy reports, interactive reports, and to the policies list.

Policy Summary

Control View


Policy Report

You must choose the option “All Assets in policy” to include agent hosts in your policy report.


Interactive Reports

Exceptions List

Tip – Be sure you’re showing the Tracking column to see this in your list.

Policies List - Policy Last Evaluated Date

We evaluate the policy when there are new scan results available, updates to the policy, or updates to the hosts in the policy.


User Defined Controls: New Reporting Option for “Item not found” Error

This new option allows you to pass or fail the control in cases where it returns error code 2 “item not found” (e.g. the scan did not find the file, registry key, or related data, as appropriate for the control type). When selected, we’ll add a checkbox to the control in the policy where you’ll set the status you prefer: Passed (default) or Failed.

Enable in Control Settings

Select the new option (highlighted below) in your control settings to return the status Passed or Failed instead of Error when error code 2 “item not found” is returned. Here’s an example of a Windows Registry Permission control.

Tip – The Ignore errors setting is not applied to controls that return the “item not found” error. Those controls will be evaluated according to your policy and their status will be set to Passed or Failed.

Edit Control in Policy Editor

Choose the status you’d like to return in the policy’s control settings.

In this example, we’ll get the status Passed if the registry key is not found. Clear the option to get a status of Failed instead.


New Windows UDC: Group Membership Check

Set up a Group Membership Check UDC to list the members of a local group. It’s easy to do. Go to Policies > Controls > New > Control, and select Group Membership Check on the Windows tab. Tell us the group name and the maximum number of results you want returned.

After saving your control, add it to a policy in order to report the list of members for the group.

In your reports, the Actual value lists all the group members, including users, aliases and groups. The Extended Evidence shows group statistics and indicates whether the limit set in the control was reached.


New Technologies Supported for WMI Query Check UDC

These technologies are now supported: Windows 2003 Active Directory and Windows 2008 Active Directory.

Want to create a WMI Query Check for these technologies? Go to Policies > Controls > New > Control, and select WMI Query Check. Tell us the namespace to be evaluated and the WMI query you want to use. Scroll down to the Control Technologies section to provide a rationale statement and expected value for each technology you’re interested in.