• Control ID 2521 showing incomplete data.

    We have about 5% of systems failing Control 2521. It's not the same systems every time we run a report. The "domain", "hostname", "user", and "Groups" are all stand in values for the actual values. All of these a...
    last modified by cimel
  • Policy Compliance of Window Server 2016

    The authentication of Window Server 2016 IP address is passed on VA, but when doing the compliance of the same IP Address and checking the authentication report shows not attempted. Any suggestion on how to resolve th...
    Gohar Naseem
    last modified by Gohar Naseem
  • ServiceNow Configuration Compliance Integration

    Does anyone have experience with Qualys integration with ServiceNow Configuration Compliance?  Looking for real world experience, lessons learned, positives/negatives etc. 
    created by adamc
  • Qualys Patch Report with Custom time

    Hi Everyone,  I want to run a patch report for compliance reasons. Report has to be monthly report starting from 01 of the month to end of the month.  When I created patch template the time default time wa...
    sam bhat
    created by sam bhat
  • Controls Not Evaluated For A Host

    Hey all,   Controls are not getting evaluated on an IP of mine despite of adding it to PC module. Please note authentication is also getting passed.   It would be great if anyone can help me regarding t...
    Honey Johny
    last modified by Honey Johny
  • SAQ Attachments

    There does not appear to be any way to delete attachments that may have been uploaded in error by a person completing a questionnaire.  Even after all references to a file are removed from the questionnaire, no o...
    Robert Slimmer
    last modified by Robert Slimmer
  • Tomcat Authentication questions

    Has anyone dealt with tomcat installation directorys   my company has unix and windows servers that have tomcat.   Some machines have different directorys.   does every different directory need to ha...
    Ben Trevino
    created by Ben Trevino
  • LDAP Authentication for MongoDB

    Please advice if we can setup LDAP authentication for MongoDB Policy Compliance scans. MongoDB runs on a Linux machine in such case how do we setup LDAP Authentication. 
    created by cutekido
  • Not so straight-forward results of PC UDCs

    I encountered some strange results when some UDCs were assessed in the PC module:   1) First control: """     .... Ensure that a registry is set to 'Disabled' """ > Expected: "equal to 0" >...
    Ionut Pruteanu
    last modified by Ionut Pruteanu
  • Feature Request - Policy Compliance - Control View

    When Policy Compliance and Search Criteria fields actually work on the Control View pane it would be nice so that when you perform a search for a specific host, OR not it only shows you the details from the last scan....
    created by theone2018
  • Policy Compliance - Custom Controls

    Has anyone else created custom controls within the Policy Compliance module?  It seems limiting and not very straight forward.   When creating a simple registry check it seems I need to select all the ...
    last modified by theone2018
  • PCI Guidance for SSLv3 and Early TLS issues with Mitigation & Migration Plans

    Per PCI Council guidance, vulnerabilities related to SSLv3 and TLSv1.0 / TLSv1.1 which cannot be fully remediated currently can be approved via a False Positive Request so long as the merchant provides a statement con...
    Bernie Weidel
    last modified by Bernie Weidel
  • Feature Request: Allow API-based access to the Qualys PCI app

    External PCI scans should be a set and forget service unless there are findings that are non-compliant. Right now we have to check whether any of our internet-facing IPs have changed, enumerate all the new ones and th...
    Far han
    last modified by Far han
  • SSLv3 & Early TLS in PCI 3.1 – Mitigate Now / Migrate Later

    -Update- Please see the latest news from the PCI Council on this topic published 12/18/2015 which extends migration dates to 2018:Date Change for Migrating from SSL and Early TLS -Update-   In April 2015 the P...
    Bernie Weidel
    last modified by Bernie Weidel
  • NEW PCI DSS v3.2 & Migrating from SSL and Early TLS v1.1

    SSL & Early TLS vulnerabilities such as QID 38628 “SSL/TLS Server supports TLSv1.0” will be marked as a Fail for PCI as of November 1st, 2016 in accordance with the new PCI DSS v3.2.  For existing...
    Bernie Weidel
    last modified by Bernie Weidel
  • QID 42432 - Possible Scan Interference

    QID 42432 Possible Scan Interference was recently added to Qualys due to increased focus by the PCI Council. The detection is usually triggered when no http services are identified on common web service ports, such as...
    Bernie Weidel
    last modified by Bernie Weidel
  • SAQ version 3.0

    As of 2015, Qualys PCI will no longer host online versions of the Self-Assessment Questionnaire (SAQ).  The SAQ section in Qualys PCI will direct Merchants to the SAQ v3.0 download page at the PCI Council's websi...
    Bernie Weidel
    last modified by Bernie Weidel
  • Oracle 12c - Unified Auditing

     A lot of the Traditional Auditing is covered by CIDs 12619, 12620, 12621, 12622, 12623 and 12624 when using Unified Auditing. However, there is one in particular that I am having trouble...
    last modified by kcn
  • Policy Compliance - Detecting Qualys Cloud Agent is Installed

    Here is a sample policy for the Qualys Policy Compliance Module to reference detecting the Qualys Cloud Agent. Notes: You can use this template to detect other installed agents as well.  Please comment below w...
    Laura Seletos
    last modified by Laura Seletos
  • Cisco IOS Limited Privilege Account

    I've tried to follow the practice of least privilege and created a restricted account in IOS (15.2 and XE) for Qualys to use for PC scanning. The documentation shows that Qualys uses three commands to perform a PC sca...
    Charles Hill
    last modified by Charles Hill