Describe the issue you are having:
I’m trying to run a scan through HackerGuardian for PCI compliance and keep getting interference errors despite adding allow and bypass rules. The traffic being blocked is source ‘validation’ and ruleId ‘sanity-shellshock’.
What error message or number are you receiving?
From Hackerguardian: “Service name: Unknown - Possible Scan Interference on TCP port 443.”
What steps have you taken to resolve the issue?
I’ve added bypass and allow rules for their IPs.
Was the site working with SSL prior to adding it to Cloudflare?
What are the steps to reproduce the error:
Have you tried from another browser and/or incognito mode?
N/A
Please attach a screenshot of the error:
Sigh, I certainly agree. Our old scanner Trusted Site was happy with this outcome. Here’s the message from HackerGuardian:
Possible scan interference detected.
A PCI scan must be allowed to perform scanning without interference from intrusion detection systems or intrusion prevention systems.
The PCI ASV is required to post fail if scan interference is detected.
The goal of this QID is to ensure that Active Protection Systems are not blocking, filtering, dropping or modifying network packets from a PCI Certified Scan, as such behavior could affect an ASV's ability to detect vulnerabilities. Active Protection Systems could include any of the following; IPS, WAF, Firewall, NGF, QoS Device, Spam Filter, etc. which are dynamically modifying their behavior based on info gathered from traffic patterns. This QID is triggered if a well known and popular service is not identified correctly due to possible scan interference. Services like FTP, SSH, Telnet, DNS, HTTP and Database services like MSSQL, Oracle, MySql are included.
- If an Active Protection System is found to be preventing the scan from completing, Merchants should make the required changes (e.g. whitelist) so that the ASV scan can complete unimpeded.
- If the scan was not actively blocked, Merchants can submit a PCI False Positive/Exception Request with a statement asserting that No Active Protection System is present or blocking the scan.
Additionally, if there is no risk to the Cardholder Data Environment, such as no web service running, this can also be submitted as a PCI False Positive/Exception Request and reviewed per the standard PCI Workflow.
For more details on scan interference during a PCI scan please refer to the ASV Scan Interference section of the PCI DSS Approved Scanning Vendors Program Guide, Version 3.1, July 2018. For more details about this QID, please review the following Qualys KB article:
If the scanner cannot detect vulnerabilities on Internet-facing systems because the scan is blocked by an IDS/IPS, those vulnerabilities will remain uncorrected and may be exploited if the IDS/IPS changes or fails.
Whitelist the Qualys scanner to scan without interference from the IDS or IPS.
Service name: Unknown - Possible Scan Interference on TCP port 443.
If I’m interpreting this correctly, the only option would be to submit a false positive? But that feels odd.
I’ve added the scanner’s IP blocks to a WAF Allow and a WAF Bypass Rule:
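As an added example (not code from the thread or from Cloudflare), the triage step a defender would run next: go through firewall-event records and list which (source, ruleId) pairs are still blocking or challenging traffic from the scanner's IP ranges, so it is obvious whether the remaining hits come from a rule the allow/bypass rules cover. The field names are modelled on Cloudflare firewall events, the scanner ranges are hypothetical RFC 5737 addresses, and the sample records are constructed.

```python
import ipaddress
from collections import Counter

# Hypothetical ASV scanner source ranges (constructed, documentation prefixes).
SCANNER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Actions that interfere with a scan; allow/skip/log let the probe through.
INTERFERING_ACTIONS = {"block", "challenge", "managed_challenge", "js_challenge", "drop"}

# Constructed sample records shaped like firewall-event fields (clientIP, action, source, ruleId).
SAMPLE_EVENTS = [
    {"clientIP": "203.0.113.10", "action": "skip", "source": "firewallCustom", "ruleId": "asv-bypass"},
    {"clientIP": "203.0.113.10", "action": "block", "source": "validation", "ruleId": "sanity-shellshock"},
    {"clientIP": "198.51.100.7", "action": "block", "source": "validation", "ruleId": "sanity-shellshock"},
    {"clientIP": "192.0.2.55", "action": "block", "source": "firewallManaged", "ruleId": "example-managed-rule"},
    {"clientIP": "203.0.113.11", "action": "allow", "source": "firewallCustom", "ruleId": "asv-allow"},
]


def is_scanner(ip: str) -> bool:
    """True if the client address falls inside one of the scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_RANGES)


def interfering_rules(events):
    """Count (source, ruleId) pairs that blocked or challenged scanner traffic.

    Non-scanner clients are ignored: a block on them is not scan interference.
    """
    hits = Counter()
    for ev in events:
        if ev["action"] in INTERFERING_ACTIONS and is_scanner(ev["clientIP"]):
            hits[(ev["source"], ev["ruleId"])] += 1
    return hits


if __name__ == "__main__":
    for (source, rule_id), count in interfering_rules(SAMPLE_EVENTS).most_common():
        print(f"{count:4d}  source={source}  ruleId={rule_id}")
```

On the constructed records the only surviving interference is source `validation`, ruleId `sanity-shellshock`, i.e. the allow and bypass rules are firing but the hit comes from a different rule source.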