Asset Discovery and Management with Qualys

Document created by Leif Kremkow on Aug 18, 2017Last modified by Chris Carlson on Jul 5, 2018
Version 3Show Document
  • View in full screen mode

Here are five different approaches to identifying assets on your network, followed by a comparison between the different approaches to help you choose which method suits you best.


For the purpose of this document "assets" means anything with an IPv4 address on your network.


Within the Vulnerability Management application, Qualys offers five different methods with which to manage assets.



The Map is among Qualys' oldest features. The Vulnerability Management application includes unlimited use of the Map for no additional cost.


Collecting data with the Map is either referred to as performing a "map" or a "discovery scan". The Map is very closely related to vulnerability detection scans in terms of how it works, but at Qualys we try to reserve the word "scan" (or "scanning") for vulnerability detection.


From the Domain definition that it is given as a target (for example ""), the Map will build a list of possible targets, such as by guessing host names (for example "www"). If the Domain definition also included a netblock (such as "[]"), then the list of possible targets will be complemented with the provided IP addresses.


Once a list of viable targets has been established, the Map will run a limited TCP port scan, a limited UDP port scan, and send an ICMP Echo Request (ping). For live targets, it will also attempt to determine the Operation System via TCP Fingerprint.


For internet facing targets the discovery activity can either be launched from an external Appliance hosted by Qualys, or by using an Appliance (physical or virtual) to reach targets that cannot be reached from the internet.


See "How does QualysGuard mapping work?" for a more complete discussion, or "Discovery Scans- How does the scanner determine which port(s) to use?" for a focussed view of the limited port scanning.


Scan without Authentication

Alongside the Map, the non-authenticated scan is among the oldest features of Qualys Vulnerability Management service.


Using Qualys' vulnerability detection capabilities is commonly simply referred to as "scanning". Over the years we have expanded our platform's capabilities with authenticated scans in Vulnerability Management, the PCI Compliance service, the Policy Compliance service, and Web Application Scanning service. Now "scanning" can take on many different meanings depending on context. However, for the purpose of this document, we are only considering the features of Vulnerability Management.


A vulnerability scan will, in similar fashion to a Map Discovery, try to connect with a target over the network by probing different TCP and UDP ports, and establishing communications with the services available.


Just like the maps, the scans can either be launched from an external Appliance hosted by Qualys for targets on internet facing resources, or using an Appliance (physical or virtual) to connect with targets that cannot be reached from the internet.


See ["How does vulnerability scanning work?"]


Scan with Authentication

This is simply the same vulnerability scanning as described above ("Scan without Authentication") in Vulnerability Management, except that the user has provided Qualys with system credentials. This is also referred to as "trusted scanning" and is closely related to the authenticated, or "trusted", scanning you find in Policy Compliance. This fundamental idea is also shared with Web Application Scanning, where you can also run trusted/authenticated scans to analyze the application layer at the top of the stack.


But for the purpose of this document, authenticated scanning refers only to the possibility in Vulnerability Management to perform in-depth analysis of the configuration of a host locally as opposed to only the services that are made available on the network.

It is now possible for the scanner to log into a target using remote access services (such as SMB/CIFS/WMI, or SSH), and analyze the operating system locally.


Cloud Agent

Qualys' Cloud Agent is an alternative to scanning with Appliances. Typically, a scan would come from either a scanner hosted by Qualys or an Appliance hosted by the customer (see also "Map" or "Scan without Authentication" above).


Using a small piece of software that is installed on the target itself does away with many of the typical challenges that customers have faced with an appliance based approach. The challenges of scanning through a firewall, of not being able to reach devices that are never on the corporate network, or that you can only scan during authorized scanning windows are all resolved.


The Cloud Agent is able to deliver Vulnerability Scan and Policy Compliance data in-lieu of a classic scan from an Appliance.


However, the Agent is also able to be in a "dormant" state whereby it behaves in similar fashion to the Map and reports only basic asset properties back to Qualys.


See the "Cloud Agent Getting Started Guide" for a full discussion of the Cloud Agent's requirements, deployment, configuration, and usage.



Qualys is working on new services that will further extend the single-pane visibility its is able to provide. Asset Discovery will be further enhanced by the new Container Security for Docker and a Passive Scanner services.


Extending visibility beyond assets in traditional virtualization environments, Qualys Container Security performs inventory and real-time tracking of changes to containers deployed across on-premises and elastic cloud environments. Container Security generates detailed inventory listings and provides advanced metadata so that users can identify assets based on multiple attributes. Additionally, they can use topology views to visualize container environment assets and their relationships. See our June 12th press release for more information.


The Passive Scanning Appliance is expected to sniff network devices and traffic, to do real-time discovery and identification, including unauthorized devices, APT traffic, and malware files. It profiles unknown device types based on traffic and activity patterns. In order to gather this information, it is being designed to connect to a mirroring port on a central switch to gain visibility across all networks. See the Qualys Cloud Platform white paper for more informaiton.




MapScan no Auth.Scan w/ Auth.Cloud AgentContainer Sec.Passive Scanner
Requires an appliance to be deployed that is able to reach the targets for internal discovery.

Subject to contracted subscription license and may incur additional fees. (1)
Requires you to have valid login credentials for the target system.
Able to go beyond original scope definition to identify related targets.
Requires you to deploy agent software on target systems.
Generates list of live systems by sweeping through the network.
Generates list of installed software.
Generates list of open ports.❌ (2)
Generates list of listening services.
Generates list of installed operating systems.
Track asset data in Asset View dashboard.
Available now.


(1): Vulnerability Management and/or Policy Compliance on the Agent includes initial asset inventory capabilities.


(2): Whilst the Passive Scanner is expected to generate lists of open ports, this list will be limited to the ports that were actively in use. Ports on which there is no traffic will not be detected as being open.


(3): Listening service refers to a specific protocol (SMTP, HTTP, etc) that is on a given port, not the daemons/services that might have been started on a given host, which the Authenticated Scan and Cloud Agent are able to report upon.


(4): The Cloud Agent will report the Operating System that is was installed on, but it will not be able to sweep the network and browse.

7 people found this helpful