I just noticed an issue in my subscription that I wanted to share with the larger community. We deployed 100k+ cloud agents a few months ago and everything seemed to be fine. We did notice, especially lately, that most agents have a rolling "last check-in" or "last activity" of about 12-15 hours. This indicated the data being processed by Qualys was delayed, but it was still getting through. As we started looking at the vulnerability data, though, we found that the vulnerability scan data was days old, and the scan data that was there seemed to be coming from the scanner appliances. For my workstation in particular, the last scan data was from June 7th because my workstation is never online when the scanners sweep through the network.
I opened a case with Qualys and did some more digging. I ran the following Asset Search:
Asset Group: All
Tracking Method: Agent
Last scan: not scanned within the past 2 days
The above search returned 103,000 assets. When I did the inverse for the last scan date, I only had about 5k assets. This means the vast majority of our cloud agents do not have VM scan data. The agents are all activated for the VM module. I can see in the agent logs that the vulnerability manifests are being processed and completed. The latest update I have from Qualys is that the data is being sent but QWEB is not processing the data it's receiving from the cloud agents.
This is now a Sev2 for us given the large impact, but I don't know if I'm the only one impacted. If you're concerned about whether you're impacted, run the above search for your subscription and see what results you get.
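The check described in the post can also be run offline against an exported asset list. The following is an added example, not part of the original post and not Qualys code: it separates agent-tracked assets whose agent is still checking in but whose VM scan data is older than 2 days from assets that are simply offline. The CSV column names, hostnames and dates are constructed assumptions, not Qualys field names.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; columns and values are assumptions for illustration.
SAMPLE_EXPORT = """hostname,tracking_method,last_checkin,last_vm_scan
ws-001,AGENT,2024-06-20T08:00:00,2024-06-07T02:10:00
ws-002,AGENT,2024-06-20T09:30:00,2024-06-20T07:45:00
srv-010,IP,,2024-06-19T23:00:00
ws-003,AGENT,2024-06-12T10:00:00,2024-06-11T10:00:00
ws-004,AGENT,2024-06-20T06:00:00,
"""

def _parse(value):
    """Return a datetime for an ISO timestamp, or None for an empty field."""
    value = (value or "").strip()
    return datetime.fromisoformat(value) if value else None

def classify_agents(export_text, now,
                    scan_max_age=timedelta(days=2),
                    checkin_max_age=timedelta(days=1)):
    """Bucket agent-tracked assets by freshness of VM scan data and check-in."""
    buckets = {"fresh": [], "stale_scan": [], "offline": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["tracking_method"].strip().upper() != "AGENT":
            continue  # mirrors "Tracking Method: Agent" in the search
        checkin = _parse(row["last_checkin"])
        scan = _parse(row["last_vm_scan"])
        scan_fresh = scan is not None and now - scan <= scan_max_age
        checkin_fresh = checkin is not None and now - checkin <= checkin_max_age
        if scan_fresh:
            buckets["fresh"].append(row["hostname"])
        elif checkin_fresh:
            # Agent is reporting in, yet VM results are old or missing.
            buckets["stale_scan"].append(row["hostname"])
        else:
            # No recent check-in: stale data is expected, not a processing gap.
            buckets["offline"].append(row["hostname"])
    return buckets

def stale_ratio(buckets):
    """Fraction of agent-tracked assets without VM scan data inside the window."""
    total = sum(len(hosts) for hosts in buckets.values())
    return (total - len(buckets["fresh"])) / total if total else 0.0

if __name__ == "__main__":
    result = classify_agents(SAMPLE_EXPORT, datetime(2024, 6, 20, 12, 0, 0))
    print(result, f"stale ratio: {stale_ratio(result):.0%}")
```

A large `stale_scan` bucket next to a small `offline` bucket points at processing on the platform side rather than at endpoints that are powered off.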