I thought I heard or read somewhere that performing authenticated scans will give you the very specific OS CPE info and without authentication Qualys will take a best guess. Can anyone confirm if this is true?
Yes - authentication allows us to provide very specific OS CPE info. Without authentication, all VM and other such scanning tools use fingerprinting... it does not necessarily equate to a best guess, but it can appear that way.
Here is the blurb regarding the OS CPE from the setup screen:
Hope this helps,
Thanks for the insight. This actually spawns a couple of other questions: 1) Have you ever seen where the OS CPE info doesn't align? For instance, I have a few assets that show the OS CPE as "cpe:/o:microsoft:windows_7:sp1x64:", however the OS description states "Linux 2.4-2.7/Embedded Device/ F5 Networks Big-IP" or "AIX 5.x" or "FreeBSD 5.x / AIX 5.3". If we are able to grab the OS CPE, wouldn't we then have an accurate OS description? 2) For any of the aforementioned assets, when checking the authentication it states that "There is no authentication record set for this host". How are we capturing the OS CPE info then?
It seems as though there are several instances of contradictory information.
Can you please post the output of QID 45017 for one of these hosts? This should provide some insight into what you are seeing...
You bet. Sorry for the delayed response. This is the QID 45017 for one of the hosts in question.
And this is some additional info on that same device that is confusing me.
Sorry to jump in, but I have seen this occur when an IP address corresponding to an asset is reused (DHCP pool) or potentially overlaps within the same network (overlapping subnets). What I suspect is going on is the following, chronologically:
1) Qualys scanned a Windows 7 host successfully using authentication, which accounts for the CPE of Windows 7 SP1 x64.
2) Qualys then scanned a host at that same IP in a second scan, unauthenticated, which is now a UNIX host. As we have not yet scanned the UNIX host using authentication correctly, we have not updated the OS CPE info (this accounts for the "TCP/IP fingerprint" method under the "technique" column in the screenshot above). I am also assuming that the screenshot above is not truncated, correct?
As a next step, I'd recommend looking for the following QIDs in the scan report to determine authentication status:
I suspect you'll see a hit for 105297, as you mentioned above you don't have a record for this UNIX host. Alternatively, you can simply run an authentication report for this host to determine the pass/fail status.
I hope this helps!
When authentication fails, we do not overwrite the OS CPE, but we do overwrite the OS.
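The two effects described in this thread (an OS CPE left over from an earlier authenticated scan at a reused IP, and an OS description that is overwritten by fingerprinting while the CPE is not) can be caught in bulk with a simple consistency check over exported asset data. The script below is an added example written for this thread; it is not Qualys code and does not use the Qualys API. The record fields (`ip`, `os_cpe`, `os`, `technique`, `auth_record`) and the sample values are constructed to mirror what the screenshots in the thread show, and the OS-family keyword table is an assumption, not a Qualys mapping.

```python
"""Flag asset records whose OS CPE disagrees with the OS description, or whose
CPE was evidently not obtained by the scan that produced the OS description.

Added example for this thread. Field names and sample values are constructed;
they are not Qualys export or API formats.
"""
from typing import Dict, List, Optional, Set

# Assumed keyword table: substrings that identify an OS family in either a
# CPE vendor/product pair or a free-text OS description.
FAMILY_KEYWORDS = {
    "windows": ("windows",),
    "linux": ("linux", "big-ip", "embedded"),
    "aix": ("aix",),
    "freebsd": ("freebsd",),
}

# Constructed sample records modelled on the thread (hypothetical IPs/values).
SAMPLE_RECORDS = [
    {"ip": "10.0.0.5", "os_cpe": "cpe:/o:microsoft:windows_7:sp1x64:",
     "os": "Windows 7 Enterprise SP1 x64",
     "technique": "Authenticated", "auth_record": True},
    {"ip": "10.0.0.6", "os_cpe": "cpe:/o:microsoft:windows_7:sp1x64:",
     "os": "Linux 2.4-2.7/Embedded Device/ F5 Networks Big-IP",
     "technique": "TCP/IP fingerprint", "auth_record": False},
    {"ip": "10.0.0.7", "os_cpe": "",
     "os": "FreeBSD 5.x / AIX 5.3",
     "technique": "TCP/IP fingerprint", "auth_record": False},
]


def parse_cpe22(cpe: str) -> Optional[Dict[str, str]]:
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:...) into fields.

    Trailing empty components (as in 'cpe:/o:microsoft:windows_7:sp1x64:')
    simply become empty strings.
    """
    if not cpe.startswith("cpe:/"):
        return None
    fields = cpe[len("cpe:/"):].split(":")
    names = ["part", "vendor", "product", "version", "update", "edition", "language"]
    return {k: (fields[i] if i < len(fields) else "") for i, k in enumerate(names)}


def families_of_text(text: str) -> Set[str]:
    """All OS families whose keywords occur in the text (may be several)."""
    t = text.lower()
    return {fam for fam, kws in FAMILY_KEYWORDS.items() if any(k in t for k in kws)}


def family_of_cpe(cpe: str) -> Optional[str]:
    """OS family implied by an 'o' (operating system) CPE, or None."""
    parsed = parse_cpe22(cpe)
    if not parsed or parsed["part"] != "o":
        return None
    fams = families_of_text(parsed["vendor"] + " " + parsed["product"])
    return next(iter(sorted(fams)), None)


def assess(record: Dict) -> List[str]:
    """Return finding codes for one asset record (empty list = consistent)."""
    findings: List[str] = []
    cpe = record.get("os_cpe", "")
    if not cpe:
        findings.append("no_cpe")  # fingerprint-only host, never authenticated
        return findings
    cpe_fam = family_of_cpe(cpe)
    desc_fams = families_of_text(record.get("os", ""))
    if cpe_fam and desc_fams and cpe_fam not in desc_fams:
        # CPE says one family, OS description says another: the CPE is stale.
        findings.append("cpe_os_mismatch")
    fingerprinted = "fingerprint" in record.get("technique", "").lower()
    if fingerprinted and not record.get("auth_record", False):
        # A CPE exists but this host has no auth record and the OS came from
        # fingerprinting, i.e. the CPE came from an earlier authenticated scan
        # of whatever previously held this IP.
        findings.append("cpe_without_auth")
    return findings


def audit(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each IP to its findings, keeping only records with at least one."""
    return {r["ip"]: f for r in records if (f := assess(r))}


if __name__ == "__main__":
    for ip, findings in audit(SAMPLE_RECORDS).items():
        print(ip, ", ".join(findings))
```

Run against a CSV or API export converted to the same dictionary shape, `audit()` gives a short list of IPs whose CPE should not be trusted until an authenticated scan of the current occupant succeeds; the `cpe_without_auth` code is the signature of the DHCP-reuse scenario described above, and `cpe_os_mismatch` is the direct symptom the original poster reported.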