What is the IP range for the Qualys Malware scanner? Is it different from all the other modules?
Typically this is activated via WAS. When you create a new application in WAS to scan, down near the bottom of the application definition you can enable the malware monitoring and the schedule.
Please let me know if you have further questions, David
Thank you David. I would like to know the IP range of the scanners. From which IP range is the scan performed for malware?
Depends on how you're scanning, but if you're using the Qualys SOC to do the scanning it would come from Qualys. The range is 18.104.22.168/20 (22.214.171.124-126.96.36.199). You can't find this range in Qualys by going to Help->About and then under General Information. Now if you are scanning an internal application I would assume a portion of the URLs that are found in an application are checked against a list of "known" malware sites. So Qualys is not reaching out to all of those links; they basically are looking up the link in a list, and if the link shows up then it has been reported somewhere.
We have had this come up as a high alert; not often, but when it does it is something that you should pay attention to.
Please let me know if you have any other questions, David
FYI, here is a report on malware URLs, although it is about email, not sites.
Malicious URL Emails Soar 600% in Q3 - Infosecurity Magazine
Thank you Busby. Is it possible to get false positives on Malware Detection when the Qualys IP range is blocked for a site?
Consider that the xyz.com site stakeholders blocked the Qualys IP range to avoid scanning. When Qualys MDS scans this site, it is showing n malware detections. How is it possible?
I don't work for Qualys so I'm not sure, but they could also be pulling the URLs from their own Catalog.
So if you are scanning site www.xyz.com and at some point the hosting provider blocks the site, the WAS scan data would still have all the URLs that were last crawled. So when the MD scanner kicks off it may be reading those URLs from WAS and checking them. So even if the main site is no longer online, the scanner might still detect that one of the links could be malicious.
dferguson should be able to comment more accurately.
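The two explanations offered in this thread (malware detection as a lookup of crawled links against a list of known-bad sites, and detections that keep appearing after the site has blocked the scanner because the check runs over the URLs from the last successful crawl) can be illustrated with a small model. The script below is an added example written for this page; it is not Qualys code and does not describe how WAS or MDS actually store or match URLs. The crawl store, the timestamps, the hostnames and the blocklist entries are all constructed, and `find_malicious`, `lookup` and `triage` are hypothetical names. The point it shows is that a list lookup needs no network access at all, so blocking the scanner's IP range cannot stop it, and that each finding should carry the crawl timestamp so the reviewer can tell stale evidence from fresh evidence.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of what a crawler's URL store might hold for www.xyz.com
# after its LAST SUCCESSFUL crawl (hypothetical data, not Qualys WAS output).
# Each entry is (url, crawl timestamp in ISO 8601 UTC).
CRAWLED_URLS: List[Tuple[str, str]] = [
    ("https://www.xyz.com/", "2023-09-01T10:00:00Z"),
    ("https://www.xyz.com/downloads/setup.exe", "2023-09-01T10:00:02Z"),
    ("http://cdn.evil-example.test/loader.js", "2023-09-01T10:00:03Z"),
    ("https://Tracker.Bad-Example.TEST:443/pixel.gif", "2023-09-01T10:00:04Z"),
    ("https://partner.example.org/", "2023-09-01T10:00:05Z"),
]

# Constructed reputation list. Entries are either a bare hostname or a
# "host/path-prefix" so that one bad directory on an otherwise clean host
# can be listed without condemning the whole site.
BLOCKLIST = {
    "cdn.evil-example.test",
    "tracker.bad-example.test",
    "www.xyz.com/downloads/",
}


@dataclass
class Finding:
    url: str
    matched_entry: str
    crawled_at: datetime
    stale: bool  # evidence is older than the triage window


def normalize(url: str) -> Tuple[str, str]:
    """Canonicalize to (host, path): lowercase host, default port dropped,
    trailing dot removed, empty path treated as '/'. Exact lookups only work
    on canonical forms, so this step matters more than the matching itself."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercase
    path = parts.path or "/"
    return host, path


def _parse_entry(entry: str) -> Tuple[str, Optional[str]]:
    host, sep, prefix = entry.partition("/")
    return host.lower(), ("/" + prefix) if sep else None


def lookup(url: str, blocklist) -> Optional[str]:
    """Return the blocklist entry covering url, or None. Pure lookup: no
    request is ever made to the URL, so a firewall block on the scanner's
    source range has no effect on the result."""
    host, path = normalize(url)
    for entry in blocklist:
        entry_host, entry_prefix = _parse_entry(entry)
        if host != entry_host:
            continue
        if entry_prefix is None or path.startswith(entry_prefix):
            return entry
    return None


def find_malicious(crawled, blocklist, now: datetime,
                   max_age: timedelta = timedelta(days=7)) -> List[Finding]:
    """Check every URL from the stored crawl. A finding is flagged stale when
    the crawl that produced it is older than max_age, which is the signal a
    reviewer needs when the live site has since been blocked or taken down."""
    findings = []
    for url, ts in crawled:
        entry = lookup(url, blocklist)
        if entry is None:
            continue
        crawled_at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        findings.append(Finding(url, entry, crawled_at, now - crawled_at > max_age))
    return findings


def triage(now_iso: str) -> List[Finding]:
    """Run the sample crawl store against the sample list as of now_iso."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return find_malicious(CRAWLED_URLS, BLOCKLIST, now)


if __name__ == "__main__":
    # A month after the crawl: the site may well be blocking the scanner by
    # now, yet every hit still appears, each marked stale.
    for f in triage("2023-10-01T00:00:00Z"):
        print(f"{'STALE' if f.stale else 'fresh'}  {f.url}  <- {f.matched_entry}"
              f"  (crawled {f.crawled_at.isoformat()})")
```

Run it and the three listed links are reported even though the script never contacts www.xyz.com. For triage, compare the finding's crawl timestamp with the date the block was put in place: a hit whose evidence predates the block is a real observation from an earlier crawl, not proof that the content is still being served, and the remediation question becomes whether the scanner can get a fresh crawl at all.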