For over a year we have been doing vulnerability scans on our external IP ranges across several geographic locations. Within the past few months, one type of system (VMware View gateway) at each location has been incorrectly identified with QID 105359, EOL/Obsolete Operating System: Microsoft Windows 2000 Detected. I opened a case about this (889137), but all Qualys would say is that it "must be something between us and the target system" and that I should "exclude the QID from reports". This is infeasible as the supposed vulnerability shows up in scan results (unless I am mistaken QIDs cannot be excluded from scans), requiring someone to spend time investigating only to find that it is once again this false positive. I'm not getting the feeling from Qualys support that anyone has actually looked at this issue.