Qualys Blog


QualysGuard Adds Malware Correlation and Virtual Patch Solutions


The forecast is "More snow."

Hundreds of people abandoned their cars on Chicago’s Lake Shore Drive after a storm left them stuck in more than a foot of snow.  Atlanta roads were nearly shut down and a Hawks game was canceled when snow overwhelmed the city’s eight snow plows.  Municipalities across the nation are finding their already thin finances stretched to the limit by snow removal costs. 

A nearly endless blizzard overwhelming resources with no end in sight… does this remind anybody else of vulnerabilities on a corporate network?  I can envision you nodding your head in agreement, thinking of the last report with quadruple-digit vulnerability counts (even when filtered to just Severity 4 and 5).  It’s not that you’re not interested in comprehensive scanning; it would just be nicer if you could easily focus on the most important issues.

At Qualys we’ve been looking for ways to help you filter and prioritize the vulnerabilities reported by QualysGuard into more actionable – and more concise – reporting.  Last year we introduced Exploitability Correlation to help focus on high-risk vulnerabilities, and over the past month we’ve worked closely with Trend Micro to introduce two new enhancements:  Malware Correlation and Virtual Patch Solutions.

QualysGuard 6.16 introduced Malware Correlation with the Trend Micro Threat Encyclopedia, allowing you to determine which vulnerabilities have associated Malware.  For example, the screenshot below shows that QualysGuard QID #90636 (MS10-061:  Microsoft Windows Print Spooler Remote Code Execution Vulnerability) is used by STUXNET:


Using Search Lists that filter on QIDs with associated Malware will allow you to really target the big risk items in your environment that could lead to something like a Conficker outbreak, while still having all the information on other vulnerabilities that need to be tracked and patched.

After you’ve determined the vulnerabilities that need to be fixed you now need to… well, do the fixing.  QualysGuard provides comprehensive information on patches available and workarounds that can be used, and in QualysGuard 6.17 we’ve added information on the availability of virtual patches that can also help mitigate risks in your environment.  A virtual patch is not a software patch per se, but a mechanism – such as a HIPS firewall rule – that doesn’t patch the affected software but does still provide a mitigating control that reduces or eliminates the ability of an attacker to exploit the weakness.  We’ve leveraged the Trend Micro Threat Encyclopedia to determine which QIDs have virtual patching solutions provided by Trend Micro Deep Security and OfficeScan + IDF as shown in this screenshot:


We’ve also expanded our Search Lists to support filtering on both vendor-provided patches and virtual patches:


This allows you to find alternatives to applying vendor patches, especially in cases where a software patch can’t be applied (due to change control or software version dependencies) or isn’t available yet.

We’ve also tried to make it easy for you to use these new capabilities by including a few new items in our Template Library:

  • Virtually Patchable Assets v.1: A report template listing high-priority vulnerabilities that can be remediated only via a Trend Micro virtual patch.
  • Assets at risk of Malware v.1: A report template listing assets that have vulnerabilities with associated Malware as described by Trend Micro.
  • Critical Vulnerabilities with Virtual Patches v.1: A Search List of high-severity vulnerabilities with virtual patches correlated from Trend Micro.
  • Critical Vulnerabilities with Associated Malware v.1: A Search List of high-severity, remotely accessible vulnerabilities with associated Malware correlated from Trend Micro.

Please let us know how we can improve these capabilities to make them even more useful.  In the interim, we hope you find these new features helpful in weathering the blizzard of vulnerabilities you face every day!

Configuration Scanning of Cisco IOS

If you are one of the many customers requesting support for Cisco IOS scanning within QualysGuard, your request has been answered.  With the release of QualysGuard 6.17, which marks the beginning of QualysGuard Policy Compliance 3.0, users can now scan for configuration settings on Cisco IOS 12.x and 15.x devices within Policy Compliance.

Why Cisco IOS?

With the expansion of Policy Compliance technology coverage for Operating Systems and Databases over the past few years, the next logical technology coverage was network devices.  Cisco, the leader in networking devices, and its operating system Cisco IOS were the primary focus of requests from our existing customers.  In addition, Cisco IOS has well-established benchmarks, including those from the Center for Internet Security (CIS).

Scanning Cisco IOS

Traditional agent-based solutions have always struggled with collecting Cisco IOS configuration data as organizations would not allow a permanent agent to reside on the device.  Other tools, such as the Center for Internet Security (CIS) Router Audit Tool (RAT), pulled the configurations remotely, but could not scale to hundreds or thousands of devices easily.  Now with agentless, authenticated scanning, organizations can easily collect Cisco IOS configurations on a mass scale.

QualysGuard Policy Compliance 3.0 uses a new Cisco IOS record, which is a modified version of the SSH/Telnet record used for Unix, to provide credentials for agentless, authenticated scanning of Cisco IOS devices.  The new record supports an optional second password for the enable prompt, which is used to execute the following commands: show version, show logging, and show running-config.  The output of these commands is normalized into an XML file in memory on the scanner appliance, where signatures are executed to verify configuration settings.  By storing the output on the scanner appliance, QualysGuard minimizes any impact to the actual device during the scan.  Once the signatures have completed, the XML file is deleted from memory.
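As an added illustration of the collect, normalize and check flow described above (this is not Qualys code, and not QualysGuard's actual XML layout or signature format), the Python below normalizes a constructed `show running-config` sample into an in-memory XML tree and evaluates a few hypothetical signatures modelled on common CIS Cisco IOS benchmark items:

```python
import xml.etree.ElementTree as ET

# Constructed sample output of `show running-config`; not from a real device.
SAMPLE_RUNNING_CONFIG = """\
no service password-encryption
!
ip http server
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
!
end
"""

# Hypothetical signatures in the spirit of the CIS Cisco IOS benchmark:
# (id, description, XPath into the normalized XML, True if a match means PASS)
SIGNATURES = [
    ("SIG-1", "service password-encryption enabled",
     "line[@text='service password-encryption']", True),
    ("SIG-2", "HTTP management server disabled",
     "line[@text='ip http server']", False),
    ("SIG-3", "VTY lines accept SSH only",
     "line[@text='line vty 0 4']/line[@text='transport input ssh']", True),
    ("SIG-4", "VTY exec-timeout not disabled",
     "line[@text='line vty 0 4']/line[@text='exec-timeout 0 0']", False),
]

def normalize_running_config(text):
    """Normalize flat CLI output into an in-memory XML tree: each top-level
    command becomes a <line>; indented sub-commands nest under it."""
    root = ET.Element("running-config")
    parent = root
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue  # blank lines and '!' separators carry no setting
        if raw.startswith(" "):
            ET.SubElement(parent, "line", text=cmd)
        else:
            parent = ET.SubElement(root, "line", text=cmd)
    return root

def run_signatures(root, signatures=SIGNATURES):
    """Evaluate every signature against the tree; returns {id: 'PASS'|'FAIL'}."""
    results = {}
    for sig_id, _desc, xpath, match_is_pass in signatures:
        matched = root.find(xpath) is not None
        results[sig_id] = "PASS" if matched == match_is_pass else "FAIL"
    return results
```

Running `run_signatures(normalize_running_config(SAMPLE_RUNNING_CONFIG))` reports SIG-1 to SIG-3 as FAIL and SIG-4 as PASS for the sample above; the tree is discarded with the process, mirroring the deletion of the in-memory XML after the scan.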


To see a demo of this new feature, please view the Cisco IOS Scanning Demo.

Integrating QualysGuard Data with RSA Archer

Is your organization using RSA Archer to manage your governance, risk and compliance program? Would you like to integrate vulnerability and configuration data from QualysGuard? RSA Archer integrates with both QualysGuard Vulnerability Management (VM) and Policy Compliance (PC) through the QualysGuard XML APIs and RSA Archer’s Data Feed Manager (DFM).

Why RSA Archer?

RSA Archer is the leading enterprise governance, risk and compliance (GRC) solution. Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions — delivered as a service. Since Qualys and RSA Archer have a large number of joint customers, it was logical to integrate our solutions, allowing customers to maximize their investment in both solutions.

RSA Archer Integration

The integration imports two types of data from QualysGuard into RSA Archer:

Vulnerability Management

Using the QualysGuard VM scanning infrastructure, vulnerability data can be collected for all enterprise assets in an automated and accurate manner. This integration automatically updates RSA Archer with asset vulnerability data to be used in remediation efforts.

Policy Compliance

The integration of QualysGuard PC with RSA Archer allows customers to automatically import compliance scan information into their RSA Archer environment. This allows asset owners to report on compliance issues identified on their assets in one single view.

RSA Archer’s integration leverages the QualysGuard XML API v1 and v2 frameworks. In addition to the QualysGuard APIs, RSA Archer uses the Data Feed Manager to integrate data within RSA Archer.

Integration Guide

For full integration details with RSA Archer, please download the QualysGuard RSA Archer Integration Guide.

FDCC Enhancement: SCAP Scanning of Windows 7, Windows 7 Firewall, and IE8

With the continued growth and adoption of the Security Content Automation Protocol (SCAP), the National Institute of Standards and Technology (NIST) is publishing more content to support the new United States Government Configuration Baseline (USGCB). With the release of QualysGuard 6.17, users can now import NIST content and scan Windows 7, Windows 7 Firewall, and Internet Explorer 8 in the QualysGuard FDCC Module.

Importing NIST Content

Since NIST has not finalized the content for Windows 7 and Internet Explorer 8, the FDCC Module does not currently have the new content available for import. However, the current content from NIST can be uploaded as a custom policy in the FDCC Module. To access the NIST content, please visit http://web.nvd.nist.gov/view/ncp/repository. Once you have the files downloaded, you can upload the content by performing the following steps:

  1. From the Tools section, select Policies
  2. From the menu, select New, FDCC Policy…
  3. Choose the following files downloaded from the NIST website:
      • XCCDF Content
      • CPE OVAL Definitions
      • CPE 2.0 Dictionary
      • OVAL Compliance Definitions

     NOTE: Since the NIST content is still in draft, Schematron Validation is not currently supported for Windows 7 and Internet Explorer 8.

    Figure 1: New FDCC Policy: Validate

  4. Click Validate to create the policy.
  5. Once validated, verify the Title, FDCC Profile, and Description. Click Save.

    Figure 2: New FDCC Policy: Save

  6. Add Asset Group(s) to the new FDCC policy.
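Because Schematron validation is unavailable for this draft content, a useful sanity check before uploading is whether every OVAL check referenced by the profile's selected XCCDF rules actually exists in the OVAL definitions file. The Python below is an added example, not part of the original post or of the FDCC Module; the benchmark, profile and definition ids are constructed, and only the XCCDF 1.1 and OVAL 5 namespaces are real:

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed, minimal XCCDF benchmark (three rules, one profile) laid out like
# NIST SCAP content; the ids and the profile name are invented, not USGCB's.
XCCDF_SAMPLE = f"""<Benchmark xmlns="{XCCDF_NS}" id="sample-win7-firewall">
  <Profile id="sample_profile">
    <select idref="fw_domain_profile_on" selected="true"/>
    <select idref="fw_log_dropped_packets" selected="true"/>
    <select idref="fw_legacy_rule" selected="false"/>
  </Profile>
  <Rule id="fw_domain_profile_on"><check system="{OVAL_NS}">
    <check-content-ref href="oval.xml" name="oval:sample:def:1"/></check></Rule>
  <Rule id="fw_log_dropped_packets"><check system="{OVAL_NS}">
    <check-content-ref href="oval.xml" name="oval:sample:def:2"/></check></Rule>
  <Rule id="fw_legacy_rule"><check system="{OVAL_NS}">
    <check-content-ref href="oval.xml" name="oval:sample:def:9"/></check></Rule>
</Benchmark>"""

# Constructed OVAL definitions file: def:2 is deliberately missing.
OVAL_SAMPLE = f"""<oval_definitions xmlns="{OVAL_NS}"><definitions>
  <definition id="oval:sample:def:1" class="compliance" version="1"/>
</definitions></oval_definitions>"""

def selected_rules(xccdf_text, profile_id):
    """Map each rule selected in the profile to the OVAL definition ids it references."""
    root, ns = ET.fromstring(xccdf_text), {"x": XCCDF_NS}
    profile = root.find(f"x:Profile[@id='{profile_id}']", ns)
    if profile is None:
        raise ValueError(f"profile {profile_id!r} not found in benchmark")
    chosen = {s.get("idref") for s in profile.findall("x:select", ns)
              if s.get("selected") == "true"}
    return {r.get("id"): [c.get("name") for c in r.findall("x:check/x:check-content-ref", ns)]
            for r in root.findall("x:Rule", ns) if r.get("id") in chosen}

def oval_definition_ids(oval_text):
    """Collect every definition id declared in the OVAL file."""
    root = ET.fromstring(oval_text)
    return {d.get("id") for d in root.findall(".//o:definition", {"o": OVAL_NS})}

def unresolved_checks(xccdf_text, oval_text, profile_id):
    """Return {rule_id: [missing ids]} for selected rules whose OVAL refs do not
    resolve; an empty dict means the bundle is consistent for that profile."""
    known = oval_definition_ids(oval_text)
    return {rule: [i for i in ids if i not in known]
            for rule, ids in selected_rules(xccdf_text, profile_id).items()
            if any(i not in known for i in ids)}
```

Rules the profile does not select (here `fw_legacy_rule`) are ignored even though their reference is also missing, which matches what a scan of that profile would actually evaluate.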

Scanning Targets

Once the FDCC policy has been created, you are ready to scan targets by performing the following steps:

  1. From the Navigation section, select FDCC Scan
  2. From the menu, select New, Scan
  3. Enter the following information and click Launch:
    • Title
    • FDCC Policy
    • Compliance Profile
    • Scanner Appliance
    • Asset Group(s)

Figure 3: Launch FDCC Scan

Filtering Frameworks within Policy Compliance

Do you ever want to see the control mappings in a report without doubling or tripling the size of the report? What about excluding certain control mappings from the control API to limit data exported? With the release of QualysGuard 6.17, users can now filter the frameworks at the subscription and/or report level within Policy Compliance.

The Need for Framework Filtering

The current control knowledgebase includes over 6,700 configuration checks mapped to dozens of frameworks, including the Center for Internet Security (CIS) benchmarks, the Control Objectives for Information and related Technology (COBIT) 4.0 and 4.1, the Health Insurance Portability and Accountability Act (HIPAA), etc.  These extensive mappings create a large number of control/mapping pairs available in the subscription.  For the majority of organizations that require only a subset of this data, the current data is too large to consume.

Filtering Frameworks with Policy Compliance

In order to limit the number of control/mapping pairs, QualysGuard 6.17 introduces the capability to limit which frameworks are displayed in the subscription and/or reports.  Each filter is described in detail below:

Subscription Filter

A subscription level filter will reduce the number of frameworks available for view in the subscription, which includes control search, reports, and the control API. Applying this filter will not filter the Controls knowledgebase, just the framework mappings visible in the subscription.

All available frameworks are enabled by default in the subscription. Change which frameworks are visible by selecting Setup/Frameworks… from the menu. Once the frameworks have been filtered, the following areas of the subscription will be affected:

  1. The Control API will limit the framework mappings in the output when the parameter “details=All” is set.
  2. The Search dialog within the Controls knowledgebase will limit the framework mappings based on the subscription settings.
  3. The Report Templates will limit the framework mappings based on the subscription settings if the Glossary or External Mappings sections are selected.

Report Template Filter

Frameworks are filtered in reports based on the subscription settings, but this feature also allows additional filtering in reports. The report level filter will reduce the number of frameworks available in the reports only.

All available frameworks in the subscription are enabled by default in reports. Change which frameworks are visible by selecting the new tab, Frameworks, in the report template.  Once the frameworks have been filtered, reports using this template will only show the selected frameworks in the Glossary or External Mappings sections, if selected.

Demo and Technical Paper

To see a demo of these steps, please view the Filter Framework Demo.

For full technical details on Filter Frameworks, please download the QualysGuard Tips and Techniques, Filter Frameworks Document.