Qualys Blog

QualysGuard Adds Malware Correlation and Virtual Patch Solutions


The forecast is "More snow."

Hundreds of people abandoned their cars on Chicago’s Lake Shore Drive after a storm left them stuck in more than a foot of snow.  Atlanta roads were nearly shut down and a Hawks game was canceled when snow overwhelmed the city’s eight snow plows.  Municipalities across the nation are finding their already thin finances stretched to the limit by snow removal costs. 

A nearly endless blizzard overwhelming resources with no end in sight…does this remind anybody else of vulnerabilities on a corporate network?  I can envision you nodding your head in agreement, thinking of the last report with quadruple-digit vulnerability counts (even when filtered to just Severity 4 and 5).  It's not that you aren't interested in comprehensive scanning; it would just be nicer if you could easily focus on the most important issues.

At Qualys we've been looking for ways to help you filter and prioritize the vulnerabilities reported by QualysGuard into more actionable – and more concise – reporting.  Last year we introduced Exploitability Correlation to help focus on high-risk vulnerabilities, and over the past month we've worked closely with Trend Micro to introduce two new enhancements:  Malware Correlation and Virtual Patch Solutions.

QualysGuard 6.16 introduced Malware Correlation with the Trend Micro Threat Encyclopedia, allowing you to determine which vulnerabilities have associated Malware.  For example, the screenshot below shows that QualysGuard QID #90636 (MS10-061:  Microsoft Windows Print Spooler Remote Code Execution Vulnerability) is used by STUXNET:


Using Search Lists that filter on QIDs with associated Malware lets you target the high-risk items in your environment that could lead to something like a Conficker outbreak, while still keeping all the information on the other vulnerabilities that need to be tracked and patched.

After you've determined which vulnerabilities need to be fixed, you now need to…well, do the fixing.  QualysGuard provides comprehensive information on available patches and workarounds, and in QualysGuard 6.17 we've added information on the availability of virtual patches that can also help mitigate risk in your environment.  A virtual patch is not a software patch: it is a mitigating control, such as a HIPS firewall rule or an IPS signature, that leaves the affected software unchanged but reduces or eliminates an attacker's ability to exploit the weakness.  We've leveraged the Trend Micro Threat Encyclopedia to determine which QIDs have virtual patching solutions provided by Trend Micro Deep Security and OfficeScan + IDF, as shown in this screenshot:


We’ve also expanded our Search Lists to support filtering on both vendor-provided patches and virtual patches:


This lets you find alternatives to applying vendor patches, especially where a software patch can't be applied (due to change control or software version dependencies) or isn't available yet.  Treat a virtual patch as a compensating control rather than a fix: the vulnerable code is still present, so the scanner will generally keep reporting the QID until the vendor patch is applied, and the item should stay open in your tracking until then.

We’ve also tried to make it easy for you to use these new capabilities by including a few new items in our Template Library:

  • Virtually Patchable Assets v.1:  A report template listing high-priority vulnerabilities that can be remediated only via a Trend Micro virtual patch.
  • Assets at risk of Malware v.1:  A report template listing assets that have vulnerabilities with associated Malware as described by Trend Micro.
  • Critical Vulnerabilities with Virtual Patches v.1:  A Search List of high severity vulnerabilities with virtual patches correlated from Trend Micro.
  • Critical Vulnerabilities with Associated Malware v.1: A Search List of high severity, remotely-accessible vulnerabilities with associated Malware correlated from Trend Micro.

Please let us know how we can improve these capabilities to make them even more useful.  In the interim, we hope you find these new features helpful in weathering the blizzard of vulnerabilities you face every day!

Configuration Scanning of Cisco IOS

If you are one of the many customers requesting support for Cisco IOS scanning within QualysGuard, your request has been answered.  With the release of QualysGuard 6.17, which marks the beginning of QualysGuard Policy Compliance 3.0, users can now scan for configuration settings on Cisco IOS 12.x and 15.x devices within Policy Compliance.

Why Cisco IOS?

With the expansion of Policy Compliance technology coverage to operating systems and databases over the past few years, network devices were the next logical step.  As the leader in networking equipment, Cisco and its Cisco IOS operating system were the primary request from our existing customers.  In addition, Cisco IOS has well-established configuration benchmarks, including the Center for Internet Security (CIS) benchmark.

Scanning Cisco IOS

Traditional agent-based solutions have always struggled to collect Cisco IOS configuration data, because organizations would not allow a permanent agent to reside on the device.  Other tools, such as the Center for Internet Security (CIS) Router Audit Tool (RAT), pulled configurations remotely but could not easily scale to hundreds or thousands of devices.  With agentless, authenticated scanning, organizations can now collect Cisco IOS configurations at scale.

QualysGuard Policy Compliance 3.0 uses a new Cisco IOS record, a variant of the Unix SSH/Telnet record, to hold credentials for agentless, authenticated scanning of Cisco IOS devices.  The record supports an optional second password for the enable prompt, since reading the full configuration requires privileged EXEC access; the scanner then executes the following commands: show version, show logging, and show running-config.  The output of these commands is normalized into an XML document held in memory on the scanner appliance, where signatures are executed to verify configuration settings.  By keeping the output on the scanner appliance rather than on the device, QualysGuard minimizes the impact on the device during the scan.  Once the signatures have run, the XML document is deleted from memory.  Two practical notes: prefer SSH over Telnet for the record, because Telnet carries both the login and the enable password across the network in cleartext, and use a dedicated scanner account whose reachable sources are restricted on the device (for example with an access-class on the vty lines) so the privileged credential is only usable from the scanner appliances.
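To make the "signatures" step concrete, here is an added example, not Qualys code and not how QualysGuard's own signatures are implemented: a small Python checker that parses `show running-config` output and evaluates a handful of CIS-style Cisco IOS checks against it (hashed enable secret, password encryption, no HTTP management, SSH v2, SSH-only vty lines, vty access-class). Both configurations in the block are constructed for this example, the password hashes are placeholders, and 192.0.2.10 is an assumed scanner address; the weak config is shown next to a hardened one that passes every check.

```python
"""Evaluate a Cisco IOS running-config against a few hardening checks.

Added example, not Qualys code: it shows the kind of check a compliance
"signature" runs over collected `show running-config` output. Both configs
below are constructed for this example (hashes are placeholders), and the
six rules are a small subset of common CIS-style Cisco IOS checks.
"""
from typing import Dict, List, Tuple

# Constructed weak config: reversible enable password, Telnet allowed on the
# VTYs, HTTP management enabled, no VTY ACL, no SSH v2, no type-7 obfuscation.
SAMPLE_WEAK_CONFIG = """\
version 15.0
no service password-encryption
hostname edge-rtr-1
enable password cisco123
username admin privilege 15 password 0 admin123
ip http server
!
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

# Constructed hardened config that passes every check below. 192.0.2.10 is a
# placeholder scanner address; the hashes are placeholders, not real digests.
SAMPLE_HARDENED_CONFIG = """\
version 15.0
service password-encryption
hostname edge-rtr-1
enable secret 5 $1$xxxx$placeholderhash
username scanner privilege 15 secret 5 $1$yyyy$placeholderhash
no ip http server
ip ssh version 2
access-list 10 permit 192.0.2.10
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
!
end
"""


def parse_running_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config text into top-level lines and indented sub-blocks.

    Returns (top, blocks): `top` is the list of unindented lines (comment and
    blank lines dropped); `blocks` maps an unindented line that owns indented
    children (e.g. 'line vty 0 4') to those children, indentation removed.
    """
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    parent = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if parent is not None:
                blocks.setdefault(parent, []).append(raw.strip())
        else:
            parent = raw.rstrip()
            top.append(parent)
    return top, blocks


def run_checks(text: str) -> Dict[str, bool]:
    """Return {check_name: passed} for the given running-config text."""
    top, blocks = parse_running_config(text)
    # Every 'line vty ...' block must satisfy the per-line checks.
    vtys = [kids for owner, kids in blocks.items() if owner.startswith("line vty")]
    return {
        # The off state is printed as 'no service password-encryption'.
        "service_password_encryption": "service password-encryption" in top,
        # A hashed 'enable secret' must replace the reversible 'enable password'.
        "enable_secret": any(l.startswith("enable secret") for l in top)
        and not any(l.startswith("enable password") for l in top),
        # The HTTP management interface must not be enabled.
        "http_server_disabled": "ip http server" not in top,
        "ssh_version_2": "ip ssh version 2" in top,
        # Exact match on purpose: 'transport input telnet ssh' still allows Telnet.
        "vty_ssh_only": bool(vtys) and all("transport input ssh" in v for v in vtys),
        # An inbound ACL must restrict which sources can reach the VTY lines.
        "vty_access_class": bool(vtys)
        and all(any(c.startswith("access-class") for c in v) for v in vtys),
    }


def failing_checks(text: str) -> List[str]:
    """Names of the checks the config fails, sorted for stable reporting."""
    return sorted(name for name, ok in run_checks(text).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(f"{label}: failing = {failing_checks(cfg) or 'none'}")
```

The parser only distinguishes top-level lines from their indented children, which is enough for line- and interface-style blocks; a real signature set also has to know each platform's defaults, since IOS omits some settings from `show running-config` when they are at their default value, so "line absent" is not always the same as "setting off".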


To see a demo of this new feature, please view the Cisco IOS Scanning Demo.

Integrating QualysGuard Data with RSA Archer

Is your organization using RSA Archer to manage your governance, risk and compliance program? Would you like to integrate vulnerability and configuration data from QualysGuard? RSA Archer integrates with both QualysGuard Vulnerability Management (VM) and Policy Compliance (PC) through the QualysGuard XML APIs and RSA Archer’s Data Feed Manager (DFM).

Why RSA Archer?

RSA Archer is the leading enterprise governance, risk and compliance (GRC) solution. Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions — delivered as a service. Since Qualys and RSA Archer have a large number of joint customers, it was logical to integrate our solutions, allowing customers to maximize their investment in both solutions.

RSA Archer Integration

The integration imports two types of data from QualysGuard into RSA Archer:

Vulnerability Management

Using the QualysGuard VM scanning infrastructure, vulnerability data can be collected for all enterprise assets in an automated and accurate manner. This integration automatically updates RSA Archer with asset vulnerability data to be used in remediation efforts.

Policy Compliance

The integration of QualysGuard PC with RSA Archer allows customers to automatically import compliance scan information into their RSA Archer environment. This allows asset owners to report on compliance issues identified on their assets in one single view.

The integration pulls data through the QualysGuard XML API (v1 and v2) and loads it into RSA Archer with RSA Archer's Data Feed Manager.

Integration Guide

For full integration details with RSA Archer, please download the QualysGuard RSA Archer Integration Guide.