How does Qualys vulnerability scanning work?


QualysGuard scanning methodology mainly focuses on the different steps that an attacker might follow in order to perform an attack. It tries to use exactly the same discovery and information gathering techniques that will be used by an attacker.

whole the scanning exercise is done in following steps:

1. Checking if the remote host is alive – This detection is done by probing some well-known TCP and UDP ports.  By default, we probe TCP Ports 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445 and UDP Ports 53, 111, 135, 137, 161, 500.  This can be changed by editing the option profile.  If the scanner receives at least one reply from the remote host, it continues the scan.

2. Firewall detection – The second test is to check if the host is behind any firewalling/filtering device. This test enables the scanner to gather more information about the network infrastructure and will help during the scan of TCP and UDP ports.

3. TCP / UDP Port scanning – The third step is to detect all open TCP and UDP ports to determine which services are running on this host. The number of ports is configurable, but the default scan is approximately 1900 TCP ports and 180 UDP ports.

4. OS Detection – Once the TCP port scanning has been performed, the scanner tries to identify the operating system running on the host. This detection is based on sending specific TCP packets to open and closed ports.

5. TCP / UDP Service Discovery – Once TCP/UDP ports have been found open, the scanner tries to identify which service runs on each open port by using active discovery tests.

6. Vulnerability assessment based on the services detected – Once the scanner has identified the specific services running on each open TCP and UDP port, it performs the actual vulnerability assessment. The scanner first tries to check the version of the service in order to detect only vulnerabilities applicable to this specific service version. Every vulnerability detection is non-intrusive, meaning that the scanner never exploits a vulnerability if it could negatively affect the host in any way.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.