  • SAQ Attachments

    There does not appear to be any way to delete attachments that may have been uploaded in error by a person completing a questionnaire.  Even after all references to a file are removed from the questionnaire, no o...
    Robert Slimmer
    last modified by Robert Slimmer
  • Tomcat Authentication questions

    Has anyone dealt with Tomcat installation directories? My company has Unix and Windows servers that have Tomcat. Some machines have different directories. Does every different directory need to ha...
    Ben Trevino
    created by Ben Trevino
  • LDAP Authentication for MongoDB

    Please advise if we can set up LDAP authentication for MongoDB Policy Compliance scans. MongoDB runs on a Linux machine; in such a case, how do we set up LDAP authentication?
    created by cutekido
  • Not so straight-forward results of PC UDCs

    I encountered some strange results when some UDCs were assessed in the PC module:   1) First control: """     .... Ensure that a registry is set to 'Disabled' """ > Expected: "equal to 0" >...
    Ionut Pruteanu
    last modified by Ionut Pruteanu
  • Feature Request - Policy Compliance - Control View

    When Policy Compliance and Search Criteria fields actually work on the Control View pane it would be nice so that when you perform a search for a specific host, OR not it only shows you the details from the last scan....
    created by theone2018
  • Policy Compliance - Custom Controls

    Has anyone else created custom controls within the Policy Compliance module?  It seems limiting and not very straight forward.   When creating a simple registry check it seems I need to select all the ...
    last modified by theone2018
  • PCI Guidance for SSLv3 and Early TLS issues with Mitigation & Migration Plans

    Per PCI Council guidance, vulnerabilities related to SSLv3 and TLSv1.0 / TLSv1.1 which cannot be fully remediated currently can be approved via a False Positive Request so long as the merchant provides a statement con...
    Bernie Weidel
    last modified by Bernie Weidel
  • Feature Request: Allow API-based access to the Qualys PCI app

    External PCI scans should be a set and forget service unless there are findings that are non-compliant. Right now we have to check whether any of our internet-facing IPs have changed, enumerate all the new ones and th...
    Far han
    last modified by Far han
  • SSLv3 & Early TLS in PCI 3.1 – Mitigate Now / Migrate Later

    -Update- Please see the latest news from the PCI Council on this topic published 12/18/2015 which extends migration dates to 2018: Date Change for Migrating from SSL and Early TLS -Update- In April 2015 the P...
    Bernie Weidel
    last modified by Bernie Weidel
  • NEW PCI DSS v3.2 & Migrating from SSL and Early TLS v1.1

    SSL & Early TLS vulnerabilities such as QID 38628 “SSL/TLS Server supports TLSv1.0” will be marked as a Fail for PCI as of November 1st, 2016 in accordance with the new PCI DSS v3.2.  For existing...
    Bernie Weidel
    last modified by Bernie Weidel
  • QID 42432 - Possible Scan Interference

    QID 42432 Possible Scan Interference was recently added to Qualys due to increased focus by the PCI Council. The detection is usually triggered when no http services are identified on common web service ports, such as...
    Bernie Weidel
    last modified by Bernie Weidel
  • SAQ version 3.0

    As of 2015, Qualys PCI will no longer host online versions of the Self-Assessment Questionnaire (SAQ).  The SAQ section in Qualys PCI will direct Merchants to the SAQ v3.0 download page at the PCI Council's websi...
    Bernie Weidel
    last modified by Bernie Weidel
  • Oracle 12c - Unified Auditing

     A lot of the Traditional Auditing is covered by CIDs 12619, 12620, 12621, 12622, 12623 and 12624 when using Unified Auditing. However, there is one in particular that I am having trouble...
    last modified by kcn
  • Policy Compliance - Detecting Qualys Cloud Agent is Installed

    Here is a sample policy for the Qualys Policy Compliance Module to reference detecting the Qualys Cloud Agent. Notes: You can use this template to detect other installed agents as well.  Please comment below w...
    Laura Seletos
    last modified by Laura Seletos
  • Cisco IOS Limited Privilege Account

    I've tried to follow the practice of least privilege and created a restricted account in IOS (15.2 and XE) for Qualys to use for PC scanning. The documentation shows that Qualys uses three commands to perform a PC sca...
    Charles Hill
    last modified by Charles Hill
  • Download exceptions with history

    Hello, In exception management the history details are one of the key elements audit likes to investigate, since we store the business need for requesting an exception. Now I'm wondering, is there a way ...
    created by pl2015
  • Control Statistics - Total not the same for all Controls

    Hello All,   Have a Policy Compliance report which is based on 70 hosts   When reviewing the Control Statistics portion of the report, I see that the total hosts is not consistently 70:   A few examp...
    B M
    created by B M
  • Exceptions - View Details of Exception being Approved

    Hi All,   When reviewing exceptions in the Exceptions menu, the window does not provide details of the exception being validated (i.e. Expected and Actual values)   One has to open Pass/Fail report in anot...
    B M
    created by B M
  • Check 'List of Installed AV' not available for Win 8 and 10

    Hello All,   Running CID 5241 on my environment, but see that this CID is not available for Windows 8, 8.1 and 10   Any other alternatives? or any dates for the CID to be updated?   Thanks & Rega...
    B M
    last modified by B M
  • PC Reports - "report was interrupted before it could finish"

    When executing a PC report via the API or on-demand via the console for a certain technology, I continuously see the report fail with status of "errors".  I am using dynamic asset tags (only 2) for report creatio...
    last modified by jdratcliffe