IBM Support

QRadar: Why do QRadar Vulnerability Manager scan results have different values after every scan

Question & Answer


Question

Administrators might notice that their QRadar Vulnerability Manager (QVM) scan results vary when scans are run daily or hourly. What causes these scans to have different results after every scan?

Cause

Vulnerabilities and QVM scan tools are updated through auto-updates, which can contribute to scans producing different results. Several causes can lead a scan of assets to report a different total number of vulnerabilities.

Answer

These are the most common reasons for scan results being different after each scan.
  • The Asset is patched or updated since the last scan. A patch applied to an asset changes the results.
  • The Asset is not connected to the network at the time of a scan. Some of the Assets could be laptops, which are shut down or disconnected from the network since the last scan.
  • The Scan has new vulnerabilities to look for:
    • The vulnerabilities that are being checked for are changing daily.
    • New vulnerabilities are being found along with new tests to detect them.
    • The QVM Tools are updated daily to be able to detect these new vulnerabilities on the assets. Therefore, running a scan each day could give different results.
    • An asset is detected or changes due to flow data.
  • The Asset does not respond within the required timeout period while being scanned, resulting in extra tools not being called because OS, ports, or patches were not detected due to the timeout. This can happen if:
    • Administrators scan too large a network or subnet resulting in the scan timing out.
    • The asset is offline at the time of the scan.
    • Too many assets are scanned at the same time and the scan times out on the asset.
  • A different Scan Profile or Scan Policy is used. For comparisons, the same Scan Profile and Scan Policy have to be used. Any changes to the scan policy result in a difference in the scan results.
  • Configuration or Credential changes on the Asset being scanned. If changes are applied on the Asset to be scanned, the result is that the tools are no longer able to access and fully interrogate the asset.
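
The reasons listed above can be turned into a triage step when two scans of the same range disagree. The following is an added example, not IBM code: the record layout, field names, and sample values are constructed for illustration and do not represent a QVM export format, and the output is a list of candidate causes to check, not a verdict.

```python
# Added example; record layout and sample values are constructed, not a QVM export format.
from typing import NamedTuple

class AssetResult(NamedTuple):
    responded: bool       # answered within the scan timeout
    authenticated: bool   # credentialed checks could log in
    vulns: frozenset      # vulnerability identifiers reported

class Scan(NamedTuple):
    profile: str          # scan profile name
    policy: str           # scan policy name
    tools: str            # auto-update level of the scan tools
    assets: dict          # IP address -> AssetResult

def explain_differences(old, new):
    """Map each asset whose results changed to candidate causes from the list above."""
    if (old.profile, old.policy) != (new.profile, new.policy):
        return {"*": ["different scan profile or policy, results not comparable"]}
    report = {}
    for ip in sorted(set(old.assets) | set(new.assets)):
        a, b = old.assets.get(ip), new.assets.get(ip)
        causes = []
        if a is None:
            causes.append("asset newly detected")
        elif b is None or not b.responded:
            causes.append("asset offline or timed out")
        else:
            gone, added = a.vulns - b.vulns, b.vulns - a.vulns
            if gone and a.authenticated and not b.authenticated:
                causes.append("credential or configuration change on asset")
            elif gone:
                causes.append("asset patched or updated")
            if added:
                causes.append("new checks from tool update" if old.tools != new.tools
                              else "asset changed since last scan")
        if causes:
            report[ip] = causes
    return report

# Constructed sample scans (documentation addresses, placeholder vulnerability IDs).
MONDAY = Scan("Weekly-Full", "Full Scan", "tools-01", {
    "192.0.2.10": AssetResult(True, True, frozenset({"VULN-A", "VULN-B"})),
    "192.0.2.11": AssetResult(True, True, frozenset({"VULN-C"})),
    "192.0.2.12": AssetResult(True, True, frozenset({"VULN-D", "VULN-E"}))})
TUESDAY = Scan("Weekly-Full", "Full Scan", "tools-02", {
    "192.0.2.10": AssetResult(True, True, frozenset({"VULN-A", "VULN-F"})),
    "192.0.2.11": AssetResult(False, False, frozenset()),
    "192.0.2.12": AssetResult(True, False, frozenset({"VULN-D"})),
    "192.0.2.13": AssetResult(True, True, frozenset({"VULN-G"}))})
```

Calling `explain_differences(MONDAY, TUESDAY)` returns a dictionary keyed by IP address; a single `"*"` key means the two scans used different profiles or policies and should not be compared at all.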
For more information about QRadar Vulnerability Manager best practices, see: 


Document Information

Modified date:
15 October 2021

UID

ibm16498125