IBM Support

Disabling IBM QRadar Vulnerability Manager (QVM) scanning tools

Question & Answer


Question

In QVM, you can configure Scan Profiles to specify how and when your network assets are scanned for vulnerabilities. Scan Profiles in turn use Scan Policies, which provide you with a central location to configure specific scanning requirements. You can use scan policies to specify scan types, ports to be scanned, vulnerabilities to scan for and scanning tools to use. More information on Scan Policies and Scan Profiles, can be found in the Scan Configuration section of the product documentation.

Some scanning tools run a brute-force attack on the target system. While that behaviour is expected of a tool that tests for vulnerabilities, it can also cause administrative accounts to be locked out. For example, the "mssql - sa checksa check" tool attempts to log in to a Microsoft SQL Server by using four default users and ten common passwords. The "sa" user is part of that user list and could be locked out because of the excessive failed login attempts. Under such circumstances, some organizations might choose to disable the tool.

This article explains how an individual scanning tool can be disabled.

Answer

The default Scan Policies in QVM cannot be edited. Instead, a copy of a scan policy has to be created. In the copy, the Tools section can be edited to include or exclude any of the tools listed there. If you hover over a tool, more information about it is displayed.
For example, to disable the "mssql - sa checksa check" tool, use the following steps:
  1. Click the Vulnerabilities tab.
  2. In the navigation pane, select Administrative > Scan Policies.
  3. On the Scan Policies page, click a pre-configured scan policy.
  4. On the toolbar, click Edit.
  5. Click Copy.
  6. In the Copy scan policy window, type a new name in the Name field and click OK.
  7. Click the copy of your scan policy and on the toolbar, click Edit.
  8. In the Description field, type new information about the scan policy.
  9. Go to the Tools tab.
  10. Find the "mssql - sa checksa check" tool and clear the check mark next to it.
  11. Click Save.
After the new scan policy is saved, it can be used in a new Scan Profile that targets specific hosts in the environment. For example, by using the policy created above, a Scan Profile can be created that targets only the Microsoft SQL Server hosts, while the remaining hosts continue to be scanned with the unmodified default policy.
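The following T-SQL is an added example and is not part of the original IBM article or of QVM. Before disabling the tool, it is worth confirming on the scanned SQL Server whether the "sa" login can actually be locked out and whether it has been locked by a scan. A SQL Server authentication login is only subject to lockout when CHECK_POLICY is ON for that login, which makes the Windows account lockout policy of the host apply to it; with CHECK_POLICY = OFF the scanner's attempts cannot lock it. The queries use the documented sys.sql_logins catalog view and LOGINPROPERTY function; the unlock statements at the end assume you hold ALTER ANY LOGIN and are commented out so they are not run by accident.

```sql
-- Added example, not from the IBM article: check whether the "sa" login on the
-- scanned SQL Server is subject to lockout and whether it is locked right now.
-- Reading sys.sql_logins requires VIEW ANY DEFINITION or sysadmin.

-- 1. Lockout status and policy enforcement for the sa login.
--    is_policy_checked = 1 means the host's Windows account lockout policy
--    applies to this login; with 0 the scanner's attempts cannot lock it.
SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        LOGINPROPERTY(l.name, 'IsLocked')         AS is_locked,
        LOGINPROPERTY(l.name, 'BadPasswordCount') AS bad_password_count,
        LOGINPROPERTY(l.name, 'BadPasswordTime')  AS last_bad_password_time,
        LOGINPROPERTY(l.name, 'LockoutTime')      AS lockout_time
FROM    sys.sql_logins AS l
WHERE   l.name = N'sa';

-- 2. The same check for every enabled SQL Server authentication login that a
--    brute-force tool could lock, so that service accounts are not missed.
SELECT  l.name,
        LOGINPROPERTY(l.name, 'IsLocked')         AS is_locked,
        LOGINPROPERTY(l.name, 'BadPasswordCount') AS bad_password_count,
        LOGINPROPERTY(l.name, 'BadPasswordTime')  AS last_bad_password_time
FROM    sys.sql_logins AS l
WHERE   l.is_policy_checked = 1
  AND   l.is_disabled = 0
ORDER BY bad_password_count DESC;

-- 3. If sa was locked by the scan, unlock it without changing the password.
--    Microsoft documents toggling CHECK_POLICY off and on again for this;
--    it requires ALTER ANY LOGIN. Uncomment only after confirming the cause.
-- ALTER LOGIN [sa] WITH CHECK_POLICY = OFF;
-- ALTER LOGIN [sa] WITH CHECK_POLICY = ON;
```

Compare last_bad_password_time with the scan's run time in the QVM scan results to attribute a lockout to the scanner rather than to another source. The lockout threshold itself is a Windows setting on the SQL Server host and is shown by running `net accounts` there; if the threshold is 0 (no lockout), the tool can be left enabled without risk to the sa login.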



Historical Number

TS003219245

Product Synonym

QVM

Document Information

Modified date:
11 May 2020

UID

ibm16202766