IBM Support

QRadar: Full scans might lock out some Windows administration accounts

Troubleshooting


Problem

Scanning the Windows servers with a QVM full scan can sometimes lock out administration accounts.

Cause

QRadar Vulnerability Manager (QVM) tests multiple default credentials on accounts. The repeated failed logon attempts can trigger the account lockout policy on the scanned servers.
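
Before changing the scan policy, it helps to confirm that the scanner is the source of the failed logons behind a lockout. The following is an added example, not part of the IBM document: it correlates Windows Security event 4740 (account locked out) with the preceding 4625 (failed logon) events. The event tuples, the scanner address 192.0.2.10 and the 30-minute window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (time, event ID, account, source IP); not real data.
# 4625 = failed logon, 4740 = account locked out (Windows Security log).
EVENTS = [
    ("2018-07-25T13:50:01", 4625, "Administrator", "192.0.2.10"),
    ("2018-07-25T13:50:02", 4625, "Administrator", "192.0.2.10"),
    ("2018-07-25T13:50:03", 4625, "Administrator", "192.0.2.10"),
    ("2018-07-25T13:50:04", 4625, "administrator", "192.0.2.10"),
    ("2018-07-25T13:50:05", 4625, "Administrator", "192.0.2.10"),
    ("2018-07-25T13:50:06", 4625, "svc_backup", "192.0.2.10"),
    ("2018-07-25T13:50:10", 4740, "Administrator", None),
    ("2018-07-25T14:04:10", 4625, "svc_backup", "192.0.2.77"),
    ("2018-07-25T14:04:20", 4625, "svc_backup", "192.0.2.77"),
    ("2018-07-25T14:04:30", 4625, "svc_backup", "192.0.2.77"),
    ("2018-07-25T14:05:00", 4740, "svc_backup", None),
]
SCANNER_IPS = {"192.0.2.10"}    # assumption: address of the QVM scanner
WINDOW = timedelta(minutes=30)  # assumption: lockout observation window


def attribute_lockouts(events, scanner_ips, window=WINDOW):
    """For each lockout (4740), count the failed logons (4625) for that account
    in the preceding window and report how many came from the scanner."""
    parsed = sorted(((datetime.fromisoformat(t), eid, user.lower(), src)
                     for t, eid, user, src in events), key=lambda e: e[0])
    report = []
    for locked_at, eid, user, _ in parsed:
        if eid != 4740:
            continue
        sources = Counter(src for t, e, u, src in parsed
                          if e == 4625 and u == user
                          and locked_at - window <= t <= locked_at)
        total = sum(sources.values())
        from_scanner = sum(n for ip, n in sources.items() if ip in scanner_ips)
        report.append({
            "user": user,
            "locked_at": locked_at.isoformat(),
            "failures": total,
            "from_scanner": from_scanner,
            # Attribute the lockout to the scan only if it produced most failures.
            "scanner_caused": from_scanner * 2 > total,
        })
    return report


if __name__ == "__main__":
    for row in attribute_lockouts(EVENTS, SCANNER_IPS):
        print(row)
```

A lockout that is not attributed to the scanner, such as the second one in the sample data, has a different cause and will not be resolved by excluding the logon tests.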

Resolving The Problem

You can prevent this account lockout issue by disabling the related logon tests:

  1. In the QRadar UI, click the Vulnerabilities tab.
  2. Under vulnerabilities, expand Administrative.
  3. Click Scan Policies.

  4. Click Add to create a new Scan Policy.
  5. Enter a Name for this Scan Policy and a Description.

  6. Click Enabled > Share with Everyone.
  7. Click Scan Type Full.
  8. Click the Tools tab. By default, the Included list is displayed.
  9. From the Filter menu, select Default Logons (Dos Risk).

  10. Click Exclude All to remove the check marks next to the items in the list.
  11. Click Save.
  12. Verify that the Default Logons (Dos Risk) tools are in the Excluded list.

 

Note: When the "Default Logons (DOS risk)" tool is excluded in the scan policy, patch scanning will not run with Full scan behavior.

Results: You have a Full scan policy that will not lock out administrative accounts.



Product: IBM Security QRadar Vulnerability Manager. Versions: 7.3.0, 7.3.1.

Document Information

Modified date:
30 July 2018

UID

ibm10718401