on Oct 9, 2019A vulnerability detection has a lifecycle. I have described this many times for new administrators, and recently included the information in a post response which prompted me to create this document in hopes I will be making the information easier to find.
Going into this, let's all try to remember three very important facts:
- that all detections are a snapshot in time, a momentary capture of information that could change the very next moment.
- detections are entered in the database keyed by a specific combination of IP, QID and Port.
- Example: Many detections that report on port tcp/80 will also report on tcp/443. These are two detections made unique by the tcp port.
- Vulnerability management is a never ending cycle of of trust, but verify.
Detection Statuses Explained (in my own words):
NEW = First Time Detected (ever), occurs once, and only once for a specific combination of IP, QID and Port.
ACTIVE = Detected in 2 or more consecutive scans on a specific combination of IP, QID, and Port.
- This status is reported on the next scan following a NEW or REOPENED status is reported and will continue to report until FIXED is reported.
FIXED = Not detected in the very last scan, on a specific combination of IP, QID and Port.
- This status can occur following NEW, ACTIVE or REOPENED and can be achieved multiple times over, hence the reason for Last Fixed Date.
- FIXED means the condition found previously was INACTIVE at the time of the most current detection scan.
REOPENED = First time detected following a FIXED status result on a specific combination of IP, QID and Port.
- REOPENED will appear only ONCE after a previous scan returned a FIXED status, all subsequent detections will be marked ACTIVE until FIXED is reported.
- This status can occur more than once, hence the reason for Last Reopened Date.
- IMPORTANT: Vulnerability detections scans are a snapshot in time. If you see a QID "flapping" between ACTIVE > REOPENED > FIXED additional research into the detection and asset status is needed.
NEW, ACTIVE, REOPENED = ACTIVE, unmitigated, potentially exploitable risk.
FIXED = INACTIVE, potentially exploitable risk was not detected in the last detection scan occurrence.
I add some useful information taken from the following link: https://qualys.secure.force.com/articles/Knowledge/000002690
Note: Generally, Qualys does not mark QID as closed if scanner does not recheck same vulnerability.
For example: If vulnerabilities had been detected on port 23 and then in the next scan you do not include Port 23 or Port 23 could not be accessed due to Firewall, then vulnerabilities detected on Port 23 will not be marked as closed. In this case, during the next scan, you must ensure that port 23 is open and the service is running on the port. The scanner will then check on that port and check if vulnerabilities exist on that port and the scanner will update the status accordingly.
Note: Qualys also provides a Authoritative scan option, that closes QID’s without scanning the same ports. For more information, refer Authoritative option.