Scanning on Windows-based assets

QRadar® Vulnerability Manager uses registry scanning and Open Vulnerability Assessment Language (OVAL) scanning to detect vulnerabilities on Windows-based assets. Use authenticated scans to detect all Windows vulnerabilities. Unauthenticated scans might not detect all Windows vulnerabilities.

When are vulnerability data updates visible in QRadar?

Newly published vulnerabilities are visible on the QRadar Vulnerability Manager dashboard and in the research section of the Vulnerability tab in QRadar.

QRadar Vulnerability Manager gets daily vulnerability updates, which include news, advisories, newly published vulnerabilities and their associated metadata, test data, and any new detections.

QRadar Vulnerability Manager systems are typically updated with the most recent vulnerabilities 2-3 days after they are announced.

What types of scanning methods are available?

The following list describes important points about scanning methods that are available to detect vulnerabilities on Windows-based assets:

Authenticated or unauthenticated scans
You must use authenticated scans to detect all Windows-based vulnerabilities. If you use an unauthenticated scan to detect Windows-based vulnerabilities, the results might not be complete and they are prone to false positives.
Registry scans
Registry scanning is used to detect vulnerabilities on the Windows operating system.
  • QRadar Vulnerability Manager uses the Remote Registry service and Windows Management Instrumentation (WMI) to retrieve information about installed KB service packs, installed software, and enabled services from the endpoints that it scans. This information is then correlated with vulnerability definitions.

  • Each Windows vulnerability definition includes the Bulletin, KB, product, OS, service pack, and required Windows service.
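The two registry-scan steps described above, collecting the inventory over WMI and the Remote Registry service and correlating it with a definition that carries the Bulletin, KB, product, OS, service pack and required-service fields, look roughly like the following when written out in PowerShell. This is an added example, not QRadar code; the definition values (bulletin, KB number, product pattern) are constructed placeholders, and the function names are assumptions.

```powershell
# Added example, not QRadar code. Collects the inventory a registry scan uses and
# correlates it with one definition. Run locally, or with -ComputerName against a
# host where WMI and the Remote Registry service are reachable.

function Get-WindowsAssetInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Use a CIM session only for remote hosts; local queries need no session.
    $cim = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim['CimSession'] = New-CimSession -ComputerName $ComputerName }
    try {
        $os = Get-CimInstance @cim -ClassName Win32_OperatingSystem
        # Installed hotfixes (KBs) as reported by WMI
        $kbs = Get-CimInstance @cim -ClassName Win32_QuickFixEngineering |
               Select-Object -ExpandProperty HotFixID
        # Services that are not disabled count as "enabled"
        $services = Get-CimInstance @cim -ClassName Win32_Service |
                    Where-Object { $_.StartMode -ne 'Disabled' } |
                    Select-Object -ExpandProperty Name
    } finally {
        if ($cim.ContainsKey('CimSession')) { Remove-CimSession -CimSession $cim['CimSession'] }
    }

    # Installed software from the Uninstall keys, read through the Remote Registry service
    $hive = if ($ComputerName -eq $env:COMPUTERNAME) {
        [Microsoft.Win32.Registry]::LocalMachine
    } else {
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    }
    $software = foreach ($sub in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                                 'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
        $key = $hive.OpenSubKey($sub)
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetSubKeyNames()) {
            $entry = $key.OpenSubKey($name)
            if ($null -eq $entry) { continue }
            $display = $entry.GetValue('DisplayName')
            if ($display) { [pscustomobject]@{ Name = $display; Version = $entry.GetValue('DisplayVersion') } }
        }
    }
    $hive.Close()

    [pscustomobject]@{
        OS          = $os.Caption
        ServicePack = [int]$os.ServicePackMajorVersion
        HotFixes    = @($kbs)
        Services    = @($services)
        Software    = @($software)
    }
}

function Test-RegistryVulnerability {
    param([pscustomobject]$Inventory, [hashtable]$Definition)
    # A definition applies only when product, OS, service pack and required service all match;
    # the asset is vulnerable when it applies and the KB is not installed.
    $productInstalled = [bool](@($Inventory.Software.Name) -like $Definition.Product)
    $osMatches        = $Inventory.OS -like $Definition.OS
    $spMatches        = $Inventory.ServicePack -eq $Definition.ServicePack
    $serviceEnabled   = $Inventory.Services -contains $Definition.RequiredService
    $patchInstalled   = $Inventory.HotFixes -contains $Definition.KB
    $applies          = $productInstalled -and $osMatches -and $spMatches -and $serviceEnabled

    [pscustomobject]@{
        Bulletin   = $Definition.Bulletin
        KB         = $Definition.KB
        Applies    = $applies
        Vulnerable = ($applies -and -not $patchInstalled)
    }
}

# Constructed placeholder definition: the bulletin, KB and product pattern are not real.
$definition = @{
    Bulletin = 'MSxx-xxx'; KB = 'KB0000000'; Product = 'Microsoft *'
    OS = 'Microsoft Windows*'; ServicePack = 0; RequiredService = 'RemoteRegistry'
}
$inventory = Get-WindowsAssetInventory
Test-RegistryVulnerability -Inventory $inventory -Definition $definition
```

The product and OS fields are matched as wildcard patterns so that one definition can cover several editions; the KB check is an exact match against the hotfix list, which is why an authenticated scan that can read the hotfix list remotely is more reliable than inferring patch level from the network.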

Open Vulnerability Assessment Language (OVAL) scans
OVAL scanning is used to detect vulnerabilities on the Windows operating system.

Open Vulnerability Assessment Language (OVAL) is the standard that defines the OVAL vulnerability tests and configuration tests that are run on assets. The following list describes information about vulnerabilities and OVAL tests.

  • Tests can include any combination of registry keys, registry key values, .dll and .exe versions, running services, and the presence of files.

  • Each vulnerability definition is an XML logical expression that determines whether the system is vulnerable.

  • All .exe and .dll versions are tested.

  • You can click the CVE link for a vulnerability to see whether it has an OVAL test, for example, CVE-2013-3910 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3910).
  • OVAL test definitions are available online at the OVAL website (https://oval.cisecurity.org/).
  • The OVAL test can override a generated vulnerability.
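To show what "an XML logical expression over registry keys, values, file versions, services and file presence" amounts to in practice, here is an added example (not an OVAL implementation and not QRadar code) that evaluates a definition expressed as nested AND/OR criteria of those test types on the local host, and then applies the override rule from the last bullet. The definition itself is constructed: the file path exists on most Windows hosts, but the version threshold, registry path and value map to no real CVE, and the function names are assumptions.

```powershell
# Added example, not QRadar code and not a real OVAL engine. Evaluates one
# criterion of each test type the page lists, then combines them logically.

function Test-OvalCriterion {
    param([hashtable]$Criterion)
    switch ($Criterion.Type) {
        'registry_key'    { return Test-Path -Path $Criterion.Path }
        'registry_value'  {
            # Named value must equal the expected value
            $name = $Criterion.Name
            $item = Get-ItemProperty -Path $Criterion.Path -Name $name -ErrorAction SilentlyContinue
            return ($null -ne $item -and "$($item.$name)" -eq "$($Criterion.Expected)")
        }
        'file_present'    { return Test-Path -Path $Criterion.Path -PathType Leaf }
        'file_version'    {
            # .dll/.exe version below the fixed version means the criterion holds
            if (-not (Test-Path -Path $Criterion.Path -PathType Leaf)) { return $false }
            $vi = (Get-Item -Path $Criterion.Path).VersionInfo
            $actual = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            return $actual -lt [version]$Criterion.LessThan
        }
        'service_running' {
            $svc = Get-Service -Name $Criterion.Name -ErrorAction SilentlyContinue
            return ($null -ne $svc -and $svc.Status -eq 'Running')
        }
        default { throw "Unknown criterion type '$($Criterion.Type)'" }
    }
}

function Test-OvalDefinition {
    param([hashtable]$Node)
    # A node is either a logical operator over child nodes or a single criterion
    if ($Node.ContainsKey('Criteria')) {
        $results = foreach ($child in $Node.Criteria) { Test-OvalDefinition -Node $child }
        switch ($Node.Operator) {
            'AND'   { return -not ($results -contains $false) }
            'OR'    { return ($results -contains $true) }
            default { throw "Unknown operator '$($Node.Operator)'" }
        }
    }
    $result = Test-OvalCriterion -Criterion $Node
    if ($Node.Negate) { return -not $result }
    return $result
}

function Resolve-Vulnerability {
    param([bool]$RegistryResult, [nullable[bool]]$OvalResult)
    # When an OVAL test exists for the vulnerability, its result overrides the registry-generated one
    if ($null -ne $OvalResult) { return [bool]$OvalResult }
    return $RegistryResult
}

# Constructed definition: "vulnerable if the Server service is running AND
# (kernel32.dll is older than a placeholder version OR a placeholder marker value is set)".
$definition = @{
    Operator = 'AND'
    Criteria = @(
        @{ Type = 'service_running'; Name = 'LanmanServer' },
        @{ Operator = 'OR'; Criteria = @(
            @{ Type = 'file_version'; Path = "$env:SystemRoot\System32\kernel32.dll"; LessThan = '6.0.0.0' },
            @{ Type = 'registry_value'; Path = 'HKLM:\SOFTWARE\Example\Placeholder'; Name = 'Marker'; Expected = 1 }
        ) }
    )
}
$ovalResult = Test-OvalDefinition -Node $definition
# A registry scan that flagged the asset is overridden by the OVAL verdict
Resolve-Vulnerability -RegistryResult $true -OvalResult $ovalResult
```

File versions are compared as four-part `[version]` values built from the `FileMajorPart`..`FilePrivatePart` fields rather than from the `FileVersion` string, because that string often carries build annotations that do not parse as a version.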
Windows OS patch scans
Windows operating system patch scanning is an authenticated network-based method that is used to interrogate the target computer for missing security-related software fixes and updates.
Patch scans do a limited Nmap port scan of ports 22, 139, and 445 to determine whether the asset is a Windows or UNIX asset. If the port scan discovers NetBIOS ports 139 or 445, the asset is identified as Windows-based. The enum vulnerability tool is then used to scan the Windows asset.
Patch scans are not intrusive, and they don't do any active vulnerability tests.
Patch scans factor in superseded patches automatically.
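The two decisions the page attributes to a patch scan, classifying the asset family from the three probed ports and treating a missing KB as present when a superseding update is installed, are shown below as pure functions over constructed input. This is an added example, not QRadar code; the KB numbers and port lists are placeholders and the function names are assumptions.

```powershell
# Added example, not QRadar code. Runs offline on constructed data.

function Get-AssetFamilyFromPorts {
    param([int[]]$OpenPorts)
    # NetBIOS/SMB ports 139 or 445 identify a Windows-based asset; SSH alone suggests UNIX
    if ($OpenPorts -contains 139 -or $OpenPorts -contains 445) { return 'Windows' }
    if ($OpenPorts -contains 22) { return 'UNIX' }
    return 'Unknown'
}

function Test-MissingPatch {
    param([string]$RequiredKB, [string[]]$InstalledKBs, [hashtable]$SupersededBy)
    # Walk the supersedence chain: the required KB, or any update that replaced it
    # (directly or transitively), satisfies the requirement.
    $chain = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($RequiredKB)
    while ($queue.Count -gt 0) {
        $kb = $queue.Dequeue()
        if (-not $chain.Add($kb)) { continue }          # already visited
        if ($SupersededBy.ContainsKey($kb)) {
            foreach ($next in $SupersededBy[$kb]) { $queue.Enqueue($next) }
        }
    }
    foreach ($installed in $InstalledKBs) {
        if ($chain.Contains($installed)) { return $false }   # requirement satisfied
    }
    return $true   # nothing in the chain is installed: the patch is missing
}

# Constructed supersedence map and scan results; none of these KB numbers is real.
$superseded = @{ 'KB1000001' = @('KB1000002'); 'KB1000002' = @('KB1000003') }

Get-AssetFamilyFromPorts -OpenPorts 22, 135          # UNIX
Get-AssetFamilyFromPorts -OpenPorts 135, 139, 445    # Windows
# KB1000001 is absent, but its transitive replacement KB1000003 is installed: not missing
Test-MissingPatch -RequiredKB 'KB1000001' -InstalledKBs @('KB1000003') -SupersededBy $superseded   # False
# Nothing in the chain is installed: missing
Test-MissingPatch -RequiredKB 'KB1000001' -InstalledKBs @('KB2000000') -SupersededBy $superseded   # True
```

Without the supersedence walk, a fully patched host whose cumulative update replaced the originally required KB would be reported as vulnerable; that false positive is what "factor in superseded patches" removes.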

It is possible to scan computers for Windows OS patches without configuring Windows Management Instrumentation (WMI) and administrative shares, but the results are not complete and they are prone to false positives.

Configuration requirements for Windows-based asset scanning

The following list describes requirements that you must configure for Windows-based asset scanning:
  • Configure remote registry access on the assets.
  • Configure Windows Management Instrumentation (WMI) on the assets.
  • To read WMI data on a remote server through a firewall, you must allow WMI requests through a Windows firewall.
  • If you use a non-administrator account to monitor the Windows server, you must set minimum DCOM permissions and grant DCOM remote access permissions for that non-administrator account.
  • Configure administrative shares on the assets.
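The prerequisites above can be checked on each asset before a scan is scheduled. The following added example (not QRadar code) reports on each item from an elevated PowerShell session on the asset and, with `-Remediate`, enables the Remote Registry service and the built-in WMI firewall rule group. DCOM permissions for a non-administrator scan account are only reported, since they are granted per account in Component Services rather than by a single cmdlet; the function name and the `-ScanAccount` parameter are assumptions.

```powershell
# Added example, not QRadar code. Run elevated on the Windows asset to be scanned.

function Test-ScanPrerequisite {
    param(
        [string]$ScanAccount = "$env:USERDOMAIN\$env:USERNAME",   # account the scanner authenticates as
        [switch]$Remediate
    )
    $report = [ordered]@{}

    # 1. Remote Registry service must be enabled and running
    $rr = Get-Service -Name RemoteRegistry
    if ($Remediate -and $rr.Status -ne 'Running') {
        Set-Service -Name RemoteRegistry -StartupType Automatic
        Start-Service -Name RemoteRegistry
        $rr = Get-Service -Name RemoteRegistry
    }
    $report['RemoteRegistryRunning'] = ($rr.Status -eq 'Running')

    # 2. WMI service running and DCOM enabled (remote WMI rides on DCOM)
    $report['WmiServiceRunning'] = ((Get-Service -Name Winmgmt).Status -eq 'Running')
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    $report['DcomEnabled'] = ($ole.EnableDCOM -eq 'Y')

    # 3. Firewall must allow inbound WMI requests (built-in rule group)
    $wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound
    if ($Remediate -and ($wmiRules | Where-Object { $_.Enabled -ne 'True' })) {
        $wmiRules | Enable-NetFirewallRule
        $wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound
    }
    $report['WmiFirewallRulesEnabled'] = -not ($wmiRules | Where-Object { $_.Enabled -ne 'True' })

    # 4. Administrative shares present; AutoShareWks/AutoShareServer = 0 suppresses them
    $special = Get-SmbShare | Where-Object { $_.Special } | Select-Object -ExpandProperty Name
    $report['AdminSharesPresent'] = ('ADMIN$' -in $special) -and ('IPC$' -in $special)
    $lanman = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $report['AutoShareSuppressed'] = (($lanman.AutoShareWks -eq 0) -or ($lanman.AutoShareServer -eq 0))

    # 5. DCOM permissions: an administrator needs nothing extra; any other account
    #    needs minimum DCOM permissions plus DCOM remote access (set in dcomcnfg).
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
    $report['ScanAccount'] = $ScanAccount
    $report['ScanAccountIsLocalAdmin'] = ($admins -contains $ScanAccount)
    $report['NeedsManualDcomGrant'] = -not ($admins -contains $ScanAccount)

    [pscustomobject]$report
}

Test-ScanPrerequisite
# Test-ScanPrerequisite -Remediate -ScanAccount 'DOMAIN\qradar-scan'   # placeholder account name
```

`AutoShareSuppressed` is reported separately from `AdminSharesPresent` because removing the `AutoShareWks`/`AutoShareServer` values only takes effect after the Server service restarts, so a host can show the shares missing now and still be fixed by the registry change already made.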