False Positive Investigation Steps

Question asked by urbanindy on Feb 19, 2014
Latest reply on Feb 20, 2014 by Patric Fox

I didn't see anything about this when I did a search, so I apologize if it's out there already.


I'm being asked to write a series of standard steps that we can go through for troubleshooting and reporting false positives.

Basically, we'd like to do some leg work on the front end so the interaction with Qualys support goes more smoothly.


Our current start is usually something like:

  • Infrastructure team reports that QID doesn't apply to X server because Y
  • We usually don't know a lot about QID, X or Y so we have to:
    • Look up the QID and check the vendor support and remediation links to see if the server has the applicable OS/App
    • Look up the X server to see what the results of the QID were (Z)
    • Convert Y to Z somehow (usually involving comparing a patch (Y) to a registry key or DLL version (Z))
      • Get proof from the infrastructure team that the reported Z is not bad
        • screenshot
        • command line output
        • Vendor support interactions
  • Then we contact Qualys and start some sort of process there


So, are there any steps I can add for the Qualys part or any steps I can add to prepare for the Qualys interaction?

My hope is to make a general guide, not a five page troubleshooting decision tree.  No one likes those.