IBM Security QRadar


QVM Authentication

  • 1.  QVM Authentication

    Posted Fri August 02, 2019 10:10 AM
    Is there a way to figure out why my scans fail to attempt authentication on a subnet?

    The scan will scan the subnet but only returns port data, SSL cert, etc.

    I've tried using centralised creds, and putting creds in the profile using the default scan policy and others.

    The same policies/profile configs authenticate on other subnets.

    Is there a log which might explain this? I can find nothing that I can see in Qradar.log or .error.

    ------------------------------
    Kenny Murphy
    ------------------------------


  • 2.  RE: QVM Authentication

    Posted Sun August 04, 2019 05:23 AM

    Hi Kenny,

    The easiest way is to hover over the warning /!\ sign you see against the asset in question in your scan results.

    On the QVM screen, in Scan Results, click on the number of Assets found for the particular scan profile. You will see in the first column a warning sign /!\ . Hovering over will show the reason for the authentication failure.

    Assuming the authentication issues you're seeing are to do with Windows assets, they would need to be configured specifically for scanning. I would recommend having a look here https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qvm_vuln_windows_scanning_techniques.html 
    You will also find the documentation on configuring permissions for *nix assets https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/c_qvm_scan_setup.html 

    There are many factors at play here, so if neither the authentication failure reason shown in the hover over nor the documentation is helping you solve this issue I'd recommend contacting support who will be able to have a closer look and diagnose this with you.  

    Thanks,
    Thibault




    ------------------------------
    THIBAULT BARILLON
    ------------------------------



  • 3.  RE: QVM Authentication

    Posted Fri August 09, 2019 10:44 AM
    Hi Kenny,
    If you have access to a Windows server, you should have a look into the Event Viewer. There you could check if your scanner tried to authenticate to the server to begin with.
    Another problem I currently have to deal with may also be the cause of your current issue. Do you know if you allow authentication with the NTLM or NTLMv2 protocol on your servers? Since QVM is using NTLMv2 as its authentication protocol, you cannot authenticate to the servers if you block domain logon via NTLM.
    For this, check your Group Policy Management Console if "Network Security: LAN Manager Authentication level"
    I have placed a question to the developer community today, addressing this issue: https://developer.ibm.com/answers/questions/514367/qvm-authenticated-scans-using-ntlm-and-kerberos-pr/

    Best regards
    David

    ------------------------------
    Altanian David
    ------------------------------
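
The two checks suggested in the reply above (did the scanner attempt a logon at all, and does the host's NTLM policy allow it), as an added PowerShell example that is not part of the original thread or of IBM's documentation. The scanner address is a constructed placeholder, and reading the "Restrict NTLM: Incoming NTLM traffic" value is an assumption about which setting "block domain logon via NTLM" refers to.

```powershell
# Added example: run on the Windows scan target in an elevated PowerShell session.
# $ScannerIp is a constructed placeholder; replace it with your QVM scanner's address.
$ScannerIp = '192.0.2.10'
$Since     = (Get-Date).AddDays(-1)

# 1. Did the scanner attempt a logon at all? 4624 = successful logon, 4625 = failed logon.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $Since
} -ErrorAction SilentlyContinue

$attempts = foreach ($e in $events) {
    # Flatten the named EventData fields into a hashtable for easy lookup.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['IpAddress'] -eq $ScannerIp) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Account     = $data['TargetUserName']
            LogonType   = $data['LogonType']                  # 3 = network logon
            AuthPackage = $data['AuthenticationPackageName']  # NTLM, Kerberos, Negotiate
            LmPackage   = $data['LmPackageName']              # e.g. "NTLM V2"
            Status      = $data['Status']                     # failure code, 4625 only
        }
    }
}
if ($attempts) { $attempts | Sort-Object Time | Format-Table -AutoSize }
else { "No logon attempts from $ScannerIp since $Since (scanner never reached authentication)" }

# 2. Effective NTLM policy on this host (an empty value means the policy is not configured).
#    LmCompatibilityLevel backs "Network security: LAN Manager authentication level" (0-5).
#    RestrictReceivingNTLMTraffic backs "Restrict NTLM: Incoming NTLM traffic":
#    0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
[pscustomobject]@{
    LmCompatibilityLevel         = $lsa.LmCompatibilityLevel
    RestrictReceivingNTLMTraffic = $msv.RestrictReceivingNTLMTraffic
} | Format-List
```

No matching events on a host in the failing subnet points at the network path or scan configuration rather than credentials; 4625 events with an NTLM package alongside a restrictive policy value point at the NTLM setting.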


