Low priority question just to clarify something running around my head.
Let's say I have an asset, running Windows OS.
The asset was built and deployed to production, lets say, December 2016.
A Qualys scan is run on the system and comes up "Clean" based on current baseline in December 2016.
Server happily does its work and serves its customers.
It is now December 2017. The server has never been patched or changed in any way at all. (Surprise surprise!). It has also never been scanned again. Qualys has it listed as "Last scanned December 2016"
A new vulnerability is discovered in a file called vuln.sys which is present on all Windows OS and a patch is released imminently.
Now, my asset has this file. To ensure detection, do I need to run another scan? My understanding is that once a scan is run, the results are now in Qualys. Once a vulnerability is discovered, it can be reported against, no matter how old the last scan data is?
Am I correct?