AnsweredAssumed Answered

Issues with authenticated scans on Windows Servers

Question asked by Rafal Gonzalez on Apr 3, 2020
Latest reply on Apr 4, 2020 by DMFezzaReed

Hello.

 

We are currently using Qualys Virtual Scanner Appliance and we struggle to get consistent results on part of the scanned Windows Servers.

 

Setup :

  • authenticated scan,
  • complete vulnerability detection
  • Dissolvable Agent enabled
  • Qualys user is a member of the local administrator group on each scanned server.
  • Servers are in Domain.

 

First Example :

The first scan, 6 vulnerabilities found, authentication was successful, 3 Denied QID

 

  • QID: 90918 Dissolvable Agent installation failed (Dissolvable_Agent_failed_to_install_due_to_a_system_error)
  • QID: 90399 Windows File Access Denied
  • QID: 90194 Windows Registry Pipe Access Level (Registry access denied, error code: 0xc0000022)

 

Second Scan (after 1h), authentication was successful

 

 

Second example

The first scan, 7 vulnerabilities found, 1 Denied error, no information about Dissolvable Agent, authentication was successful

 

  • QID: 90194 Windows Registry Pipe Access Level (Registry access denied, error code: 0xc0000022)

 

Second Scan (after 2h) 136 vulnerabilities found, no denied QID, authentication was successful

 

 

Nothing was changed on both scanners and assets between those scans.  How come during one scan we have full permission to the system, and next scan we don't? I would understand if we either were granted access or denied each time, but this is random.

 

Is there a better way to debug the issues with admin permission/access to resources than QID?

Where I can get a description of what exactly below status mean?

  • Dissolvable_Agent_failed_to_install_due_to_a_system_error -- are there any logs for that?
  • Registry access denied, error code: 0xc0000022

 

Due to those issues, we end up with QID's not being properly updated which causes issues for the reporting.

 

Thank you in advance for your support.

Outcomes