Comments on: Comparing QualysGuard PCI to Comodo HackerGuardian http://www.koopman.me/2008/03/comparing-qualysguard-pci-to-comodo-hackerguardian/ Dave Koopman's Blog Wed, 08 Feb 2012 22:35:41 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Inner Game http://www.koopman.me/2008/03/comparing-qualysguard-pci-to-comodo-hackerguardian/comment-page-1/#comment-61 Inner Game Fri, 08 Jan 2010 16:29:52 +0000 #comment-61 Oh boy, I was just about to buy the Comodo product when I came across this post. I just checked out the McAfee option, and of all the ones I checked out it seems to be the most professional one. Nice write up, thank you. S_ Oh boy, I was just about to buy the Comodo product when I came across this post.

I just checked out the McAfee option, and of all the ones I checked out it seems to be the most professional one.

Nice write up, thank you.

S_

]]> By: erik http://www.koopman.me/2008/03/comparing-qualysguard-pci-to-comodo-hackerguardian/comment-page-1/#comment-59 erik Fri, 27 Nov 2009 02:44:34 +0000 #comment-59 directory listings that are intentional, isolated and are a part of functionality (like a documents directory or a source directory) should not make a site fail PCI. Widespread unintentional listings should. Please reread PCI directory listings that are intentional, isolated and are a part of functionality (like a documents directory or a source directory) should not make a site fail PCI. Widespread unintentional listings should. Please reread PCI

]]> By: DaveK http://www.koopman.me/2008/03/comparing-qualysguard-pci-to-comodo-hackerguardian/comment-page-1/#comment-20 DaveK Fri, 01 Aug 2008 00:01:38 +0000 #comment-20 I've received a call from Qualys, but missed the phone, they left me a message. They caught wind of this blog article and wanted to tell me they did send me an email about the false positive analysis, and gave me the date/time they sent it. I must have missed it, but going back through my email, I found this: -------- Original Message -------- Subject: QualysGuard PCI Support -- False Positive Review From: support at qualys.com Date: Thu, March 27, 2008 9:21 am To: [blurred] User: David Koopman Company: [blurred] User Login: [blurred] Qualys Support has reviewed your false positive request for scan ModPHP4 and determined whether the identified issue(s) were accepted or rejected as false positives. If a false positive issue is accepted, then the vulnerability will no longer show up in scan reports for the specific host. If a false positive issue is rejected, then you must fix the vulnerability in order to meet PCI compliance standards. To view comments for accepted/rejected false positives, access the QualysGuard PCI Web application using the following link: https://pci.qualys.com/merchant/ For more information, please email Qualys Support: mailto:support@qualys.com (c) Copyright 2006-2007 Qualys, Inc. All rights reserved. http://www.qualys.com -------------------------------------- My account is no longer active, so I can't login to the PCI web application and view the reason. I want to send my humble apology for claiming I didn't receive a response. I just missed it. I’ve received a call from Qualys, but missed the phone, they left me a message. They caught wind of this blog article and wanted to tell me they did send me an email about the false positive analysis, and gave me the date/time they sent it. I must have missed it, but going back through my email, I found this:

——– Original Message ——–
Subject: QualysGuard PCI Support — False Positive Review
From: support at qualys.com
Date: Thu, March 27, 2008 9:21 am
To: [blurred]

User: David Koopman
Company: [blurred]
User Login: [blurred]

Qualys Support has reviewed your false positive request for scan ModPHP4 and
determined whether the identified issue(s) were accepted or rejected as false
positives.

If a false positive issue is accepted, then the vulnerability will no longer
show up in scan reports for the specific host. If a false positive issue is
rejected, then you must fix the vulnerability in order to meet PCI compliance
standards.

To view comments for accepted/rejected false positives, access the QualysGuard
PCI Web application using the following link:
https://pci.qualys.com/merchant/

For more information, please email Qualys Support:
mailto:support@qualys.com

(c) Copyright 2006-2007 Qualys, Inc. All rights reserved.
http://www.qualys.com
————————————–

My account is no longer active, so I can’t login to the PCI web application and view the reason.

I want to send my humble apology for claiming I didn’t receive a response. I just missed it.

]]> By: Ravi http://www.koopman.me/2008/03/comparing-qualysguard-pci-to-comodo-hackerguardian/comment-page-1/#comment-19 Ravi Wed, 30 Jul 2008 21:42:52 +0000 #comment-19 Reading the PCI council guidelines, looks like false positives can't be removed from scanning altogether they need to be reviewed each time .. bummer! PCI council wants to hear about bad scanning vendors ... they can be reported at https://www.pcisecuritystandards.org/docs/asv_feedback_form_-_client.doc Reading the PCI council guidelines, looks like false positives can’t be removed from scanning altogether they need to be reviewed each time .. bummer!

PCI council wants to hear about bad scanning vendors … they can be reported at https://www.pcisecuritystandards.org/docs/asv_feedback_form_-_client.doc

]]> By: ImGreen http://www.koopman.me/2008/03/comparing-qualysguard-pci-to-comodo-hackerguardian/comment-page-1/#comment-18 ImGreen Fri, 18 Jul 2008 08:26:53 +0000 #comment-18 I just ran a scan using Qualys QA and I got the same false positive. I guess this hasn't been fixed yet. I just ran a scan using Qualys QA and I got the same false positive. I guess this hasn’t been fixed yet.

]]> By: DaveK http://www.koopman.me/2008/03/comparing-qualysguard-pci-to-comodo-hackerguardian/comment-page-1/#comment-14 DaveK Sun, 29 Jun 2008 17:30:28 +0000 #comment-14 They never responded, but removed it as a vulnerability, so I guess they agreed. Note: I have run a scan using McAfee Secure (previously HackerSafe). I'll update this entry with those results when I get a chance. 7/31 AMENDMENT: see my 7/31 comment below, my 6/29 statement about never responding is incorrect. I'm only leaving this statement here for historical purpose. They never responded, but removed it as a vulnerability, so I guess they agreed.

Note: I have run a scan using McAfee Secure (previously HackerSafe). I’ll update this entry with those results when I get a chance.

7/31 AMENDMENT: see my 7/31 comment below, my 6/29 statement about never responding is incorrect. I’m only leaving this statement here for historical purpose.

]]> By: Matthew Kaufman http://www.koopman.me/2008/03/comparing-qualysguard-pci-to-comodo-hackerguardian/comment-page-1/#comment-13 Matthew Kaufman Tue, 17 Jun 2008 18:55:39 +0000 #comment-13 Has Qualys replied to your report of the OpenSSH false positive yet? And if so, what did they say? Has Qualys replied to your report of the OpenSSH false positive yet? And if so, what did they say?

]]>