Qualys "Scan Now" / "Scan on Demand"

How can you cause a Qualys scan to happen faster than the 4+ hours (4 to 6 hours) that we have now?

Our Qualys system completes a vulnerability assessment of your devices every 4+ hours (generally 4 to 6 hours). If you are completing vulnerability remediation work over time, that is generally fine; however, sometimes there is a need to kick off the re-scan a little quicker.

Qualys report that this is how you can achieve that:

WINDOWS

ADD SCAN ON DEMAND FROM ADMIN COMMAND PROMPT

REG ADD "HKLM\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability" /v ScanOnDemand /t REG_DWORD /d 1 /f

ADD SCAN ON RESTART FROM ADMIN COMMAND PROMPT

REG ADD "HKLM\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability" /v ScanOnStartup /t REG_DWORD /d 1

The agent monitors the HKLM\SOFTWARE\Qualys\QualysAgent\ScanOnDemand registry key in real time for specific values and initiates the scan for each supported manifest based on the values set.

For Cloud Agent for Windows version 4.8 or later, when a module is activated, the agent
creates the registry structure and subkeys for on-demand scan automatically. For versions
earlier than 4.8, only root keys are created and the subkeys, data, and values to configure
and execute the scans need to be set manually, using scripts, or registry configuration
tools. 
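
For agents earlier than 4.8, the subkey and values described above can be created with a script. The following PowerShell is an added example, not Qualys code or part of the original instructions; it uses the key path and value names quoted on this page, assumes an elevated PowerShell session, treats the presence of HKLM\SOFTWARE\Qualys as the sign that the agent is installed, and the -OnStartup switch is a hypothetical name chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not Qualys code. The key path and value names are the ones
# quoted on this page; the -OnStartup switch is a hypothetical name.
param(
    [switch]$OnStartup   # also request a scan at agent service startup
)

$root = 'HKLM:\SOFTWARE\Qualys'
$key  = 'HKLM:\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability'

# Assumption: if the Qualys root key is absent the agent is not installed,
# and writing values would only leave an orphaned key behind.
if (-not (Test-Path $root)) {
    throw 'Qualys registry root not found; is the Cloud Agent installed?'
}

# Agents earlier than 4.8 create only the root keys, so build the subkey
# path when it is missing. On 4.8 or later this branch is skipped.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

$names = @('ScanOnDemand')
if ($OnStartup) { $names += 'ScanOnStartup' }

foreach ($name in $names) {
    # -Force overwrites an existing value, like REG ADD ... /f
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force |
        Out-Null
}

# Read the values back so the operator can confirm what was written.
Get-ItemProperty -Path $key | Select-Object -Property $names
```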

Registry Tree

Registry Configuration Settings

The following table describes the configuration settings and functionality for the Scan on
Demand and Scan on Startup feature.

Example

Configuration example for CPU Limit of 100%, Scan on Demand data of "1" to execute
immediately, and Scan on Startup data of "1" to execute on agent service startup.

NOTE:

If the agent is already performing a manifest collection or is in the delta
upload/PendingDelta state, the agent will not initiate the on-demand or on-startup scan.
This ensures data integrity between the agent and the platform for the in-progress scan.

Network Blackout Windows take precedence.

  • Scan on demand or startup when the agent is in a network blackout window
    will still execute, but the delta will not upload to the Qualys platform until the agent is out
    of a network blackout window.
  • If the agent is in a network blackout window that is preventing the previous scan's delta
    from being uploaded, the scan on demand or scan on startup will not execute until the previous
    scan's delta upload is fully completed.
  • The agent will not execute an on-demand or on-startup scan for a manifest type that is
    not assigned (activated).

DUPLICATED DEVICES AFTER RELOAD (GHOSTS)

If you reload a device, Qualys will see it as a new device, because the UUID used by Qualys will be different once the device is reinstalled. If you want to keep the UUID the same, so that our system updates your existing entity, please export the registry key where the UUID is stored before you reload the device.

From an admin command prompt run:

reg export hklm\software\qualys c:\qualysregkeys.reg

If you would prefer that we remove the device, just ask and we will delete it; otherwise it remains on your device issue list.

macOS

To force Qualys to complete an on-demand scan on an Apple macOS device, you can execute the terminal script:

/Applications/QualysCloudAgent.app/Contents/MacOS/cloudagentctl.sh action=demand type=vm cputhrottle=0

LINUX OS

To force Qualys to complete an on-demand scan on a Linux-based system, you can execute the terminal script:

/usr/local/qualys/cloud-agent/bin/cloudagentctl.sh action=demand type=vm cputhrottle=0