I can't seem to find the right settings i think.
I installed a private-webserver with malicious code (php-reverse-shell.php / shell.php (webshell) and a shell.jsp).
They are located in root and other various folders.
When i perform a WAS scan (even with MD enabled), Qualys does not find those malicous files.
Am i missing something here? Every option is enabled and when i examine apache.log, I can see qualys is seeing 1 of those files but doesnt do anything with it.