Qualys Blog

QualysGuard Adds Malware Correlation and Virtual Patch Solutions


The forecast is "More snow."

Hundreds of people abandoned their cars on Chicago’s Lake Shore Drive after a storm left them stuck in more than a foot of snow.  Atlanta roads were nearly shut down and a Hawks game was canceled when snow overwhelmed the city’s eight snow plows.  Municipalities across the nation are finding their already thin finances stretched to the limit by snow removal costs. 

A nearly endless blizzard overwhelming resources with no end in sight…does this remind anybody else of vulnerabilities on a corporate network?  I can envision you nodding your head in agreement, thinking of the last report with quadruple-digit vulnerability counts (even when filtered to just Severity 4 and 5).  It’s not that you’re not interested in comprehensive scanning; it would just be nicer if you could easily focus on the most important issues.

At Qualys we’ve been looking for ways to help you filter and prioritize the vulnerabilities reported by QualysGuard into more actionable – and more concise – reporting.  Last year we introduced Exploitability Correlation to help focus on high-risk vulnerabilities, and over the past month we’ve worked closely with Trend Micro to introduce two new enhancements:  Malware Correlation and Virtual Patch Solutions.

QualysGuard 6.16 introduced Malware Correlation with the Trend Micro Threat Encyclopedia, allowing you to determine which vulnerabilities have associated Malware.  For example, the screenshot below shows that QualysGuard QID #90636 (MS10-061:  Microsoft Windows Print Spooler Remote Code Execution Vulnerability) is used by STUXNET:


Using Search Lists that filter on QIDs with associated malware lets you target the big-risk items in your environment that could lead to something like a Conficker outbreak, while still retaining all the information on the other vulnerabilities that need to be tracked and patched.

After you’ve determined which vulnerabilities need to be fixed, you now need to…well, do the fixing.  QualysGuard provides comprehensive information on available patches and workarounds, and in QualysGuard 6.17 we’ve added information on the availability of virtual patches that can also help mitigate risk in your environment.  A virtual patch is not a software patch per se; it is a mechanism – such as a HIPS firewall rule – that does not modify the affected software but still provides a mitigating control that reduces or eliminates an attacker’s ability to exploit the weakness.  Because the underlying flaw remains, a virtually patched vulnerability should stay on your tracking list until the vendor patch is applied.  We’ve leveraged the Trend Micro Threat Encyclopedia to determine which QIDs have virtual patching solutions provided by Trend Micro Deep Security and OfficeScan + IDF, as shown in this screenshot:


We’ve also expanded our Search Lists to support filtering on both vendor-provided patches and virtual patches:


This allows you to find alternatives to applying vendor patches, especially in cases where a software patch can’t be applied (due to change control or software version dependencies) or isn’t available yet.

We’ve also tried to make it easy for you to use these new capabilities by including a few new items in our Template Library:

  • Virtually Patchable Assets v.1:  A report template listing high-priority vulnerabilities that can be remediated only via a Trend Micro virtual patch.
  • Assets at risk of Malware v.1:  A report template listing assets that have vulnerabilities with associated Malware as described by Trend Micro.
  • Critical Vulnerabilities with Virtual Patches v.1:  A Search List of high severity vulnerabilities with virtual patches correlated from Trend Micro.
  • Critical Vulnerabilities with Associated Malware v.1: A Search List of high-severity, remotely accessible vulnerabilities with associated Malware correlated from Trend Micro.

Please let us know how we can improve these capabilities to make them even more useful.  In the interim, we hope you find these new features helpful in weathering the blizzard of vulnerabilities you face every day!

Verifying Integrity of Files

Verifying that files have not been changed without authorization has become an area of focus because of the Payment Card Industry (PCI) Data Security Standard (DSS). Traditionally, the task of verifying file integrity has been reserved for agent-based solutions that run locally on devices. However, with the introduction of QualysGuard 6.10, Policy Compliance supports agent-less verification of file integrity.

The Need for File Integrity

Verifying the integrity of critical files has always been a concern of security professionals.  However, the introduction of the Payment Card Industry (PCI) Data Security Standard (DSS) has made this a focal point for compliance.  The original standard suggested software like Tripwire to meet this requirement, but over the years, this requirement has been updated to remove specific software recommendations.  The new standard, Version 2.0, states the following:

11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Notice the change in language from the previous version: file-integrity monitoring software was replaced with file-integrity monitoring tools to clarify that software is not the sole means of meeting this requirement.

Although PCI has been the primary driver for file integrity, other frameworks also require file integrity monitoring, including NIST SP 800-53 and the SANS Consensus Audit Guidelines.  File integrity is a key requirement for IT policy compliance.

Traditional Methods for File Integrity

When PCI DSS Version 1.0 was introduced in 2004, the primary mechanism for meeting file integrity requirements was an agent-based solution, such as Tripwire.  Other agent-based products quickly added file integrity capabilities to their agents to capitalize on the new PCI market.  The challenge with agent-based file integrity monitoring software is that it can be costly to implement and maintain: agents need to be deployed, maintained, and updated.  Some estimate that organizations can easily spend a quarter or more of their security budgets on high-cost file-integrity monitoring products.  Organizations should consider more cost-effective investments, such as leveraging existing technologies.

Agent-less File Integrity

Agent-less file integrity uses authenticated scans, not agents, to verify the integrity of files on a device.  During an authenticated scan, the scanner calculates an MD5, SHA-1 or SHA-256 hash of each monitored file.  From scan to scan, the hash values are compared to determine whether a file has changed.  This approach eliminates the need for costly agents and minimizes the performance impact typically experienced with agents.  Two practical caveats: prefer SHA-256, since MD5 and SHA-1 are no longer considered collision-resistant; and because changes are detected only when a scan runs, the scan interval (weekly, per PCI DSS 11.5) bounds how quickly an unauthorized modification can be noticed.

Using QualysGuard Policy Compliance, organizations can leverage their existing investment in QualysGuard not only to verify the integrity of files, but also to collect the additional configuration settings needed for compliance.  This approach has a compounding effect on Total Cost of Ownership for several reasons:

  1. The cost of Policy Compliance is a fraction of the cost for agent-based solutions, typically equal to the annual maintenance fees charged for the agent.
  2. Policy Compliance eliminates the cost of deploying, updating, and maintaining agents.
  3. File Integrity is included in Policy Compliance without additional licensing.

Configuring QualysGuard Policy Compliance

To meet the requirements of file integrity monitoring, configure QualysGuard Policy Compliance as follows:

  1. Define critical Windows and/or Unix files as User Defined Controls.
  2. Add the User Defined Controls to a Policy.
  3. Update the Compliance Profile to enable File Integrity Monitoring.
  4. Scan files weekly.
  5. Report weekly.
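To make the scan-to-scan comparison described above concrete, here is an added Python example (not Qualys code and not how the scanner appliance is implemented) that does what an agentless file integrity check does at its core: hash a watchlist of files, keep the digests as a baseline, and classify what the next scan finds as modified, removed or added.  The file names and contents in `demo()` are constructed for this example; in practice the digests would be gathered over the authenticated session and the baseline kept with the scan results.

```python
"""Agentless-style file integrity check: hash monitored files during a 'scan',
keep the digests as a baseline, and diff the next scan against it."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Optional

# MD5 and SHA-1 are accepted only for compatibility with older baselines;
# SHA-256 is the sensible default for new deployments.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in 64 KiB chunks so large files are not loaded whole."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(watchlist: Iterable[str], algorithm: str = "sha256") -> Dict[str, Optional[str]]:
    """One scan: map every monitored path to its digest, or None if the file is absent."""
    return {p: hash_file(p, algorithm) if os.path.isfile(p) else None for p in watchlist}


def compare(baseline: Dict[str, Optional[str]],
            current: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Classify differences between two scans of the same watchlist."""
    modified = [p for p, d in baseline.items()
                if d is not None and current.get(p) is not None and current[p] != d]
    removed = [p for p, d in baseline.items() if d is not None and current.get(p) is None]
    added = [p for p, d in current.items() if d is not None and baseline.get(p) is None]
    return {"modified": sorted(modified), "removed": sorted(removed), "added": sorted(added)}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then tamper, delete and plant one each."""
    workdir = tempfile.mkdtemp(prefix="fim_demo_")

    def path(name: str) -> str:
        return os.path.join(workdir, name)

    # Sample "critical files" with illustrative contents (constructed for this example).
    samples = {
        "sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "hosts": b"127.0.0.1 localhost\n",
        "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    }
    for name, data in samples.items():
        with open(path(name), "wb") as fh:
            fh.write(data)
    # The watchlist also names a file that should not exist yet, so planting it is caught.
    watchlist = [path(n) for n in samples] + [path("authorized_keys")]
    baseline = snapshot(watchlist)

    # What the next weekly scan finds after an unauthorized change.
    with open(path("sshd_config"), "ab") as fh:
        fh.write(b"PermitRootLogin yes\n")                       # tampered
    os.remove(path("hosts"))                                      # deleted
    with open(path("authorized_keys"), "wb") as fh:
        fh.write(b"ssh-ed25519 AAAAconstructedSampleKey intruder@example\n")  # planted
    current = snapshot(watchlist)

    changes = compare(baseline, current)
    return {kind: [os.path.basename(p) for p in paths] for kind, paths in changes.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Note that the watchlist deliberately includes a path that is expected to be absent; a baseline that only records files present at the first scan would never flag a newly planted file such as an `authorized_keys` dropped into a service account.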

Demo and Technical Paper

To see a demo of configuring file integrity within Policy Compliance, please view the File Integrity Check Demo.

For additional technical details on file integrity, please download the QualysGuard Tips and Techniques, File Integrity Check Document.

Configuration Scanning of Cisco IOS

If you are one of the many customers requesting support for Cisco IOS scanning within QualysGuard, your request has been answered.  With the release of QualysGuard 6.17, which marks the beginning of QualysGuard Policy Compliance 3.0, users can now scan for configuration settings on Cisco IOS 12.x and 15.x devices within Policy Compliance.

Why Cisco IOS?

With the expansion of Policy Compliance technology coverage for operating systems and databases over the past few years, the next logical technology to cover was network devices.  Cisco, the market leader in network devices, and its Cisco IOS operating system were the most frequent request from our existing customers.  In addition, well-established benchmarks exist for Cisco IOS, including those from the Center for Internet Security (CIS).

Scanning Cisco IOS

Traditional agent-based solutions have always struggled with collecting Cisco IOS configuration data as organizations would not allow a permanent agent to reside on the device.  Other tools, such as the Center for Internet Security (CIS) Router Audit Tool (RAT), pulled the configurations remotely, but could not scale to hundreds or thousands of devices easily.  Now with agentless, authenticated scanning, organizations can easily collect Cisco IOS configurations on a mass scale.

QualysGuard Policy Compliance 3.0 uses a new Cisco IOS record, a modified version of the SSH/Telnet record used for Unix, to provide credentials for agentless, authenticated scanning of Cisco IOS devices.  The new record supports an optional second password for the enable prompt, which is needed to run the following commands: show version, show logging, and show running-config.  The output of these commands is normalized into an XML file held in memory on the scanner appliance, where signatures are executed to verify configuration settings.  By keeping the output on the scanner appliance, QualysGuard minimizes any impact on the device itself during the scan.  Once the signatures have completed, the XML file is deleted from memory.  Where the device supports it, configure the record for SSH rather than Telnet: Telnet sends the login and enable passwords across the network in cleartext.
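As an added illustration of what a configuration signature does with the collected show running-config output, the following Python is not Qualys code and is not the signature set Policy Compliance ships; it parses a constructed running-config dump into top-level commands and line/interface blocks and evaluates a handful of CIS-style controls, with a weak configuration beside its hardened counterpart.  The control names, the two sample configurations and the hash values in them are this example's own assumptions.

```python
"""Check a Cisco IOS 'show running-config' dump against a few CIS-style hardening controls."""
import re
from typing import Dict, List, Tuple

# Constructed sample output, not captured from a real device; weak settings left in on purpose.
WEAK_RUNNING_CONFIG = """\
version 15.1
no service password-encryption
hostname edge-rtr1
enable secret 5 $1$constructedSalt$constructedHashValue
username admin password 7 0822455D0A16
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 exec-timeout 10 0
 transport input ssh
 login local
!
end
"""

# The same device with each control corrected (also constructed).
HARDENED_RUNNING_CONFIG = """\
version 15.1
service password-encryption
hostname edge-rtr1
enable secret 5 $1$constructedSalt$constructedHashValue
username admin secret 5 $1$constructedSalt$constructedHashValue
no ip http server
ip http secure-server
line vty 0 4
 exec-timeout 10 0
 transport input ssh
 login local
line vty 5 15
 exec-timeout 10 0
 transport input ssh
 login local
!
end
"""

SECTION_RE = re.compile(r"^(line|interface|router)\b")


def parse_running_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the dump into top-level commands and indented blocks keyed by their header line."""
    top_level: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                      # '!' separates blocks in IOS output
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
            continue
        if SECTION_RE.match(line):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            top_level.append(line)
    return top_level, sections


def _exec_timeout_set(body: List[str]) -> bool:
    """True if the block has an exec-timeout other than '0 0', which disables the timeout."""
    for cmd in body:
        m = re.match(r"^exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m and (int(m.group(1)) or int(m.group(2) or 0)):
            return True
    return False


def check_config(text: str) -> Dict[str, bool]:
    """Evaluate each control; True means the configuration passes it."""
    top_level, sections = parse_running_config(text)
    top = set(top_level)
    vty = {h: b for h, b in sections.items() if h.startswith("line vty")}
    return {
        "service password-encryption": "service password-encryption" in top,
        "enable secret": any(c.startswith("enable secret ") for c in top),
        "ip http server disabled": "ip http server" not in top,
        "no reversible (type 7) user passwords":
            not any(re.match(r"^username \S+ password 7 ", c) for c in top),
        "vty transport input ssh only":
            bool(vty) and all("transport input ssh" in b for b in vty.values()),
        "vty exec-timeout set": bool(vty) and all(_exec_timeout_set(b) for b in vty.values()),
    }


def failing_controls(text: str) -> List[str]:
    """Names of the controls the configuration fails, sorted."""
    return sorted(name for name, ok in check_config(text).items() if not ok)


if __name__ == "__main__":
    print("weak config fails:", failing_controls(WEAK_RUNNING_CONFIG))
    print("hardened config fails:", failing_controls(HARDENED_RUNNING_CONFIG))
```

The vty checks are evaluated per block, so a device that hardens `line vty 5 15` but leaves `line vty 0 4` accepting Telnet with no idle timeout still fails, which is exactly the partial-hardening gap a benchmark-driven scan is meant to catch.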


To see a demo of this new feature, please view the Cisco IOS Scanning Demo.

Integrating QualysGuard Data with RSA Archer

Is your organization using RSA Archer to manage your governance, risk and compliance program? Would you like to integrate vulnerability and configuration data from QualysGuard? RSA Archer integrates with both QualysGuard Vulnerability Management (VM) and Policy Compliance (PC) through the QualysGuard XML APIs and RSA Archer’s Data Feed Manager (DFM).

Why RSA Archer?

RSA Archer is the leading enterprise governance, risk and compliance (GRC) solution. Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions — delivered as a service. Since Qualys and RSA Archer have a large number of joint customers, it was logical to integrate our solutions, allowing customers to maximize their investment in both solutions.

RSA Archer Integration

The integration imports two types of data from QualysGuard into RSA Archer:

Vulnerability Management

Using the QualysGuard VM scanning infrastructure, vulnerability data can be collected for all enterprise assets in an automated and accurate manner. This integration automatically updates RSA Archer with asset vulnerability data to be used in remediation efforts.

Policy Compliance

The integration of QualysGuard PC with RSA Archer allows customers to automatically import compliance scan information into their RSA Archer environment. This allows asset owners to report on compliance issues identified on their assets in one single view.

RSA Archer’s integration leverages the QualysGuard XML API v1 and v2 frameworks. In addition to the QualysGuard APIs, RSA Archer uses the Data Feed Manager to integrate data within RSA Archer.

Integration Guide

For full integration details with RSA Archer, please download the QualysGuard RSA Archer Integration Guide.