Comparing Azure Vulnerability Scanning Solutions | Quisitive
A man stands at a fork in the road to represent the two Azure vulnerability scanning solutions that we compare in this blog
Comparing Azure Vulnerability Scanning Solutions
February 6, 2023
Cameron Fuller
Explore Microsoft's two built-in Azure vulnerability assessment solutions for VMs, Microsoft Defender and Qualys, and find which is best for your organization.

Microsoft Defender for Cloud provides recommendations on various items related to Azure resources (and on-prem resources via ARC). For example, one of the recommendation types focused on vulnerabilities that may exist on virtual machines (VMs). Microsoft provides two built-in Azure vulnerability assessment solutions for VMs.

Azure Vulnerability Scanning with Microsoft Defender Vulnerability Management

One is “Microsoft Defender vulnerability management,” and the other is the “integrated vulnerability scanner powered by Qualys” (referred to from here forward as “Qualys”). Microsoft includes both solutions as part of Microsoft Defender for Servers. In addition, Microsoft has made “Microsoft Defender vulnerability management” (referred to from here forward as “Default”) the default vulnerability scanner. These two options are shown below in Figure 1.

Image reads: 
"An Azure vulnerability scanning or assessment solution should be enabled on your virtual machines"

Figure 1 : Azure vulnerability scanning solutions currently available

Azure Vulnerability Scanning with Qualys

I recommend using the Qualys scanner instead of the Default vulnerability scanner. This is because the Qualys scanner looks for more vulnerabilities, resulting in a more complete result.

If you want to go further into the weeds from what I found, feel free to continue reading through the functional comparison, FAQ, and Reference Links sections below.

Functional comparison of Qualys vs Microsoft Defender:

  • When comparing a similar system in both scanners, the Qualys scanner identified significantly more vulnerabilities than the Default scanner.
  • The Default scanner currently focuses only on software updates. At the same time, the Qualys scanner also identifies items such as null sessions, built-in guest accounts, Windows Explorer autoplay, and cached login credentials.
  • In my example, the Qualys scanner found 8x as many vulnerabilities for a similar domain controller compared to the Default scanner.
  • Both solutions are included in Microsoft Defender for Servers, so they currently have no cost difference.

FAQ’s:

  • Do these scanners identify the same vulnerabilities? While there is some level of overlap in the vulnerabilities identified, they appear to be scanned using a different database for vulnerabilities.
  • Can you use both Azure vulnerability scanners on a single system? Unfortunately, only one vulnerability scanner can be installed at a time on a system. However, one vulnerability scanner can be used and then removed and replaced with the other vulnerability scanner. An example of these scanners and what they look like after deployment is shown in Figure 2.
Azure Vulnerability Scanning Solutions  - subsciption

Figure 2 : Two machines with one onboarded to each vulnerability scanner.

  • Do the scanners use the same vulnerability identifier? Each scanner uses a different naming convention Default uses letters such as “QXCJCS,” versus Qualys, which uses numbers such as “90044”.
  • Does using one scanner versus the other impact the secure score? Having either vulnerability scanner is considered acceptable to meet the “Machines should have a vulnerability assessment solution” requirement. However, the various vulnerabilities found by each scanner also need to be resolved to increase the secure score. So the more comprehensive scanner (Qualys) will require more work to remediate the issues identified and improve the secure score.
  • Is there a way to see a complete list of what each scanner assesses? Unfortunately, I could not find a way to get a complete list of what each scanner checks. I attempted to find this data through searching with Kusto but was unsuccessful. (hint, search for securityresources | where type =~ “microsoft.security/assessments/subassessments”) .
  • When was this assessment performed? I performed this evaluation on the week of 1/23/23.

Qualys usage is included per this article: Defender for Cloud’s integrated vulnerability assessment solution for Azure, hybrid, and multicloud machines | Microsoft Learn

So, what is your experience with these options? Do you have any insights that you can provide? Please feel free to reach out to me with them on LinkedIn or Twitter!

Potential vulnerabilities keeping you up at night?

Get a comprehensive view of your security posture with Quisitive’s Comprehensive Cloud Security Assessment, including clear next steps for improvement.

> Learn more