Qualys Recommended Option Profile – Upcoming Important Changes

As part of our ongoing improvements to the Qualys products, we will be updating our Qualys Option profiles and the default settings that are applied when creating new option profiles, this will align the default settings applied to option profiles with those that are recommended by the Qualys Security Solution architect and in collaboration with Product Management.

What is an Option Profile?

The Option Profile includes the required scan configuration setting that you want to use for the scan job like which ports to scan, QIDs to be scanned, the required authentication selection during the vulnerability scans. The Option Profile is a prerequisite while launching the scans and serves as critical component for a successful detection of the vulnerabilities.

For all VM/VMDR customers the existing option profile settings will not be changed, any new option profile created will use the new recommended settings mentioned below.

Default Option Profile – Qualys Recommended Option Profile”

In the upcoming deployment of the Qualys VMDR in September, will include the below mentioned changes in the Option Profile and Qualys will push a new profile as “Qualys Recommended Option Profile” for all VM/VMDR subscriptions.

The “Qualys Recommended Option Profile” will increase the default TCP ports to 2,800 ports (from 1,900 – 2,800 ports), and with a couple of performance setting changes to improve the performance that will contribute to the faster completion of the scans and with a few default settings that are that are enabled as a best practices.

The changes that will be made include:

1. Changing the Standard TCP ports scanned from 1,900 to 2,800
   This will align the ports that are scanned with the latest most commonly used port based on Qualys Threat Research Unit (TRU), this ensures that we are detecting services and vulnerabilities while carrying out Qualys scans.
   
2. Additional TCP Ports extended from 12,500 to 20,500
   
3. Purge old host data when the OS is changed
   During the scans, if we observe the Operating System (OS) vendor is changed in the latest scan then we will purge the earlier reported vulnerability findings and retain the vulnerability findings for the recent OS vendor.
   This action is only initiated when the OS is accurately detected during the Authenticated Scans or by a Cloud Agent.
   Example:
   If the OS is upgraded from Windows 10 to Windows 11 or Red Hat Enterprise Linux 8 to Red Hat Enterprise 8, then this purge OS option will not be enforced. If the OS changed from “Linux to Windows” or “Debian to Ubuntu” or “Windows to MAC” then this Purge Host option will be enforced
   
4. Scan Performance changes
   By default, “Enable Parallel Scaling for Scanner Appliances” will be enabled on Option Profiles and the number of internal hosts to scan in parallel will be changed from 30 to 50, while the Total Processes to Run in Parallel (per hosts) number will be increased from 10 to 20.
   These changes will dramatically help increase scan performance and the time it takes for scans to complete. The current Option Profiles were set many years ago, since both networks and endpoints have come along way and the performance changes have been changed to aligned with faster networks and faster assets.
   
5. Authentication Records
   Internal assets should always be scanned with authentication where possible, this helps customers reduce duplicates, false negatives, and false positives. Therefore, we will now be enabling Windows, Unix by default when creating an option profile to minimise the chance of customers introducing issues with badly configured option profiles.
   
6. Dissolvable Agent
   The Qualys dissolvable agent has been used by many customers for many years to help minimise duplicates and to allow successful scan of Windows assets, like the above we will be enabling this by default to help minimise duplicates and false negatives.
   The Dissolvable Agent (Agent) is a small executable that is pushed to a Windows system during a scan and automatically removed when the last scan of the asset is complete.
   
7. Asset Discovery Changes
   The final set of changes we will be making to the new default option profiles is related to the asset discovery element of scans, we will be disabling ICMP as a discovery method by default while enabling the option ‘Ignore Firewall Generated TCP-RST and TCP SYN-ACK Packets’.
   Changing these settings will help reduce the amount of noise being generated when the Qualys scans are running its asset discovery scans.

What’s changing for Creating/Editing Option Profile

Existing Option Profiles:
All existing option profiles that are created by the customer will available, with the updated Standard TCP Ports as “about 2,800” by default. 

The existing profile settings configured by the customer will remain As Is and untouched, and will not have any of the above mentioned profile settings enabled by default.

For the earlier created or old profiles, the “Save As” option will be disabled.

Create New Option Profile:
In the upcoming deployments, the “Qualys Recommended Option Profile” will be pushed/introduced to all VM/VMDR customers; this profile will be listed in the Option Profile. While creating a new option profile, the above-mentioned Recommended Option Profile setting will be set as default for the customers to ensure the best practice settings are used while scanning.

For any new subscription creations, the default option profile will be the Qualys Recommended Option Profile.

Qualys recommends using the latest option profile, as it covers a lot of use cases for the betterment of scan and performance improvements. Customers can start using the new profile setting with 2,800 ports and with the enhanced configurations. The same workflow changes are expected in the Option Profile API. 

If customers wish to change any of the default settings, you will be able to disable and continue to use. 

Benefits with the New Option Profile:

• With the above listed use cases, customers can use the default settings instead of making these changes while creating every profiles.
• Additional set of required Ports and Services will be discovered by the scans, to ensure that the Standard Ports are adopted during the vulnerability scans
• With the default enablement of Parallel Scaling for Scanner Appliances, you will see a significant improvement in the scanning duration
• Based on the recent mandates by the PCI DSS v4.0 – Requirement 11.3.1.2, recommends performing internal vulnerability scans with authentication.

When will be the New Option Profile available:

In the Qualys Cloud Platform 10.30 release, Qualys will be releasing the new option profile to  all VM/VMDR customer subscriptions. The tentative timelines is the end of September, 2024

Resource

• Option Profile Guide
• Qualys VMDR Release Notes
• Get Started with VMDR
• Qualys VMDR Solution Brief

Contributors

Ramesh Ramachandran, Principal Product Manager, VMDR

Kevin O’Keefe, Senior Security Solutions Architect