Qualys Cloud Agent (CA)

Qualys, Inc. Corporate Presentation

Welcome to Qualys Cloud Agent aka CA training.

0
 Training Documents

• Presentation Slide
• LAB Tutorial Supplement

https://qualys.com/learning

1 Qualys, Inc. Corporate Presentation

You will need to download the training documents needed to complete the Cloud
Agent course from the Qualys learning portal: qualys.com/learning.
Note that you will need a PDF reader like Adobe Acrobat to view these files.

1
 Play Lab Tutorials

2 Qualys, Inc. Corporate Presentation

1. When you click the link to open a lab tutorial, it will open up in your default Web
browser. If you would like to play the tutorial in a different browser, you can copy
this link and paste it into the address field of another browser.
2. When the lab tutorial opens, click the icon in the upper-right corner, to maximize
your screen size.
3. When you are ready to play the tutorial, click the start button.

2
 Agenda
§ Cloud Agent Overview
§ Cloud Agent Installation & Deployment
• Agent Activation Key
• Installation Components
• Agent Installation Options
§ Agent Asset Inventory & Details
§ Cloud Agent Lifecycle and Configuration

3 Qualys, Inc. Corporate Presentation

The agenda of this training is to:

• Provide you with an overview of the Cloud agent, where it fits in the scanning
process, the platforms it supports, use-cases, etc.
• Discuss the procedure to install/deploy a cloud agent on client devices
• Discuss agent host details shown in Qualys post deployment
• Cloud agent lifecycle and configuration profile settings

3
 Overview

Qualys, Inc. Corporate Presentation

The objectives for this section are:

1. To provide a high-level overview of CA behaviors and characteristics
2. To identify operating systems and Qualys applications supported by CA
3. To discuss the New RedHat CoreOS feature

4
 Cloud Agent Overview

• Gives you a continuous view of assets

• Does not require credential management, scan windows or firewall
changes
• Delivers visibility for assets that are not easily scanned from network
including remote/roaming users, distributed offices and cloud server
instances
• Is light-weight, remotely deployable, centrally managed and self-updating

4 Qualys, Inc. Corporate Presentation

Qualys Cloud Agent provides a continuous view of assets for vulnerability

management, policy compliance, file integrity monitoring, EndPoint Detection and
Response, Patch Management and asset inventory without the need for credential
management, scan windows, and firewall changes.

Cloud Agent delivers visibility and security solutions for assets that are not easily
scanned from the network including remote or roaming users, distributed offices and
cloud server instances.

The agent is light-weight, remotely deployable, centrally managed and self-updating.

5
 Agent OS Support

• Qualys Cloud Agent supports multiple operating systems.

5 Qualys, Inc. Corporate Presentation

Cloud Agent installation is supported on a variety of operating systems including:

• Windows XP SP3 or greater

• Apple Mac OS X
• Red Hat Enterprise Linux
• Oracle Enterprise Linux
• Amazon Linux
• SuSE Linux
• CentOS
• Fedora
• Debian
• Ubuntu
• FreeBSD
• IBM AIX
• Solaris
• Core OS

6
 Full Stack Solution for Red Hat OpenShift

Container Sensor
(Container and Image
Vulnerability and Compliance
Assessment)

Container

Container
Cloud Agent for RedHat
CoreOS on OpenShift
4.x In-Container
(Host level assessment) Instrumentation
(Runtime Protection)
OpenShift 4.x
OpenShift 4.x Infrastructure CRI-O
Security RHCOS Represents an installed Qualys Sensor

6 Qualys, Inc. Corporate Presentation

At Qualys, we have focused on delivering a full stack solution for Red Hat OpenShift.
To do this, we utilize both Container Sensors and Cloud Agents.

As you can see in the diagram, our container sensor solution is deployed as its own
container. It assesses images and running containers in your runtime environment.

This solution is technically independent from the Cloud Agent container and provides
inventory, vulnerability, and compliance assessments; with data merging and sharing
between modules on the Qualys Cloud Platform.

Our Container Security Solution has been in the market for a while now and supports
Docker, Container-D, and Crio runtimes.

But what about the Host OS? RHCOS does not permit modification of the host. This is
a powerful security measure.

7
That does not mean it is impervious to attack, but it does provide a strong base for
building excellent layered security solutions.

Our unique first to market solution, uses an agent-as-container approach.

Easily deployed, our containerized agent scans the Host OS to provide visibility,
actionable intelligence, and auditing.

Qualys full-stack security for Red Hat OpenShift adds visibility, actionable intelligence,
and security auditing for Red Hat Enterprise Linux CoreOS, the operating system that
underpins OpenShift deployments for running containers securely. With this new
offering, Qualys is now the first and only solution with the ability to scan directly into
Red Hat Enterprise Linux CoreOS in Red Hat OpenShift, so you can manage and
reduce risk at both the host OS and container levels. Built on the Qualys Cloud
Platform, Qualys’ solution seamlessly integrates with customers’ vulnerability
management workflows, reporting and metrics to help reduce risk.

7
 Agent Application Support
§ Vulnerability Management (VM)
• Continuous Monitoring (CM)
• Threat Protection (TP)

§ Global Asset View(GAV) or Cyber Security Asset Management (CSAM)

§ Policy Compliance (PC)
§ Security Configuration Assessment (SCA)
§ File Integrity Monitoring (FIM)*
§ Endpoint Detection & Response (EDR)*
§ Extended Detection & Response (XDR)*
§ Custom Assessment & Remediation (CAR)*
§ Patch Management (PM)*

* Agent Exclusive Application

7 Qualys, Inc. Corporate Presentation

Qualys Cloud Agent supports the applications listed here from the Qualys Cloud
Platform:

Qualys Cyber Security Asset Management i.e. CSAM or Global AssetView is

automatically activated for all agents depending on which of these applications is
included in your subscription. There’s no charge for deploying Cloud Agent only for
the purpose of asset inventory.
When you activate the VM module for an agent, Continuous Monitoring and Threat
Protection are also included in the agent data collection. You can activate Policy
Compliance or Security Configuration Assessment for an agent, but not at the same
time.

Qualys File Integrity Monitoring, Endpoint Detection & Response, Extended Detection
and Response, Custom Assessment and Remediation and Patch Management are
agent exclusive applications i.e., they are not supported by other Qualys sensors.

8
 Cloud Agent Deployment

§ Windows Agents are installed using an administrative account and

operate with local system privileges

§ By default, Linux Agents run with ’root’ privileges but can be

configured to run in a specific user and group context

8 Qualys, Inc. Corporate Presentation

In the previous slides, we saw that Cloud Agent supports multiple Windows, Linux
and other platforms.

On Windows devices, agents must be installed using an administrative account and

will operate with system-level privileges.
On Unix and Linux systems, The agent installation requires root-level access. Also,
After the Cloud Agent is installed, it can be configured to run in a specific user and
group context using Qualys’ configuration tool. However, this will limit the level of
access of the Cloud Agent.

9
 Agents as Data Collectors

§ Cloud Agent serves as a “data collector”(keeping host’s resource usage

extremely low) -- collected data and metadata is sent to the Qualys Cloud
Platform for testing
§ Cloud Agent provides the “response” functionality for many Qualys
applications
§ Qualys application modules provide their own “manifest” identifying data
to be collected
§ AGENT data is uploaded to the Qualys Platform for assessment, analysis,
correlation, reporting, and alerting
§ Data collected by a Qualys Agent is called AGENT data

9 Qualys, Inc. Corporate Presentation

Functioning in the “data collector” role, agents collect everything needed by its
activated Qualys application modules.
Agents are designed to capture Operating System and application metadata, including
installed applications, registry keys, running processes, and system configurations.

Apart from collecting data for asset inventory, vulnerability and compliance
assessment, the Agent also supports the ability to respond to security gaps on the
host. This is achieved by way of patching through Patch Management, malicious file
and process remediation through EndPoint Detection and Response and
misconfiguration remediation through Custom Assessment and Remediation.

Each agent-supported application module identifies tasks to be performed and data

to be collected, in a manifest. There are different manifests for each Qualys
application module.

By design, the processing of agent data begins only after it is successfully transferred
to the Qualys Platform. This helps to minimize the number of resources needed by
the agent.

Talking about terminology, Data collected by a Qualys Agent is referred to as AGENT

data. This contrasts with the data collected by a Qualys Scanner Appliance, which is
referred to as SCAN data.

10
 Cloud Agent Benefits
§ Extends visibility to assets not easily scanned:
• Remote users working from home
• Assets behind network load balancers or filtering devices
• Ephemeral assets with erratic processing cycles
• Hosts that are not always powered on, or ephemeral instances that may not
be available during scheduled scan windows
• Hosts that live in IaaS Platforms such as AWS and Microsoft Azure
§ More frequent visibility of critical assets without increasing network traffic (via
delta uploads)
§ Works well with host assets that frequently change names or IP addresses (uses
Qualys Host ID tracking)
§ Agents do not rely on Authentication Records
10 Qualys, Inc. Corporate Presentation

Cloud Agent extends visibility to assets not easily scanned, including roaming devices
such as laptops, remote users working from home, ephemeral cloud instances that
are not always online, and assets behind network filtering devices or load balancers.

Once the agent successfully transfers initial data “snapshot” to the Qualys Platform,
all successive data transfers will focus exclusively on the things that have changed, i.e.
deltas. This can significantly reduce the amount of bandwidth typically consumed by
traditional scanner appliances, allowing you to monitor critical hosts more frequently.

Unlike the traditional scanner appliance, Agent uniquely tracks its findings using
Qualys Host ID or agent host UUID, which makes the process ideal for hosts that
frequently change names or IP addresses.

Cloud Agent is installed as a local service with SYSTEM-level privileges, so it does not
require authentication records to access local system data and artifacts.

11
 Cloud Platform
IaaS Providers

Remote Users

Coffee Shop

Qualys Cloud Platform

Corporate Environment
11 Qualys, Inc. Corporate Presentation

1. To begin data collection, an agent must first be installed on a host.

2. Once the agent has successfully downloaded its application manifest(s), it will
collect data to produce a host snapshot.
3. Agent will then send this “snapshot” to the Qualys Cloud Platform for processing.

12
 Agent Platform Communication

• All communications are initiated by the agent outbound to the platform

over port 443 using REST over HTTPS/TLS
• The platform does not initiate connections to the agent
• The agent and platform utilize TLS 1.2, SHA256 Ciphers, and 2048-bit
private key for the platform
• Communications are encrypted using server certificates, with application-
layer authentication, data security and non-repudiation techniques

12 Qualys, Inc. Corporate Presentation

Cloud Agent communication is optimized to support large-scale agent deployments

while providing flexible and granular performance configuration controls allowing
organizations to tune agent performance and bandwidth usage for their specific
environmental requirements.
The agent initiates all connections on port 443 from the agent to the platform using
REST over HTTPS/TLS. The platform does not initiate connections to the agent. The
agent and platform utilize TLS 1.2, SHA256 ciphers, and 2048-bit private key for the
platform. Communications are encrypted using server certificates, with application-
layer authentication, data security, and non-repudiation techniques. Agent
communications are protocol compatible with stateful firewalls, application-aware
firewalls, transparent and non-transparent web proxies, and NAT gateways.

Cloud Agent also supports the use of HTTPS proxies.

13
 Installation and Deployment

Qualys, Inc. Corporate Presentation

The objectives for this section are:

1. Understand some of the best practices and pre-installation checks before starting
with agent deployment
2. Identify and understand the steps to complete an agent installation
3. Learn to build an Agent Activation Key and identify its components
4. Understand the different agent deployment options
5. Identify the signs of a successful agent installation
6. New MSI Extract Feature

14
 Large Cloud Agent Deployment

• Deploy across wide network geography

• Consider:
- # of agents deployed per location
- Amount of internet egress bandwidth

• Stagger agent deployment

• Configuration Profile: “Low” performance setting

13 Qualys, Inc. Corporate Presentation

The best practice recommendation is to deploy initial Cloud Agents across a wider
“network geography” taking into account the number of agents in a specific location
and the amount of Internet egress bandwidth. You can easily deploy 50,000 agents at
once if they’re spread across multiple locations and have different Internet egress
links; however, the recommendation is to stagger the installation over a few hours or
days if they’re all located in the same data center or backhauled from multiple
locations that share a single Internet egress link.

If many are deployed at the same time, agents will back off from calling home
(communicating with the platform) if there are any interruptions in communication.
This helps prevent connection storms to the platform.

The agents will also randomize to prevent them from calling home all at once if they
are in the same location.

Installation of large groups of agents at one time should also have a Low-performance
profile assigned to them prior to installation such that the initial snapshot upload is
spread over a longer time period to smooth out bandwidth usage; after the initial
snapshot is uploaded, the agents can be changed to a Normal or High-performance
profile if required.

15
 Pre-installation Checks

• Verify host OS is supported by Cloud Agent

• Verify host OS patches and root certificates are up-to-date
• Verify target host can access the Qualys Platform

www.qualys.com/platform-identification/

14 Qualys, Inc. Corporate Presentation

Before attempting to install or deploy agents, ensure the target OS is supported by

Cloud Agent.

Next, you want to verify you have connectivity between each target host and the
Qualys Cloud Platform. There are test URLs for each public platform. Add these URLs
to agent deployment packages (SCCM, BigFix, etc.) to test for successful connectivity,
before installing the Cloud Agent.

It is a good idea to update OS patches and root certificates (on target hosts) before
installing the Cloud Agent.

Starting with the Windows 1.6.0 agent version, the agent and installers are signed
with an Extended Validation (EV) code-signing certificate. This requires the OS to
validate the signed executables using certificates from the trusted root CA. You will
encounter errors in the agent log file if the appropriate root certificates are not
installed.

16
 Agent Activation Key

1. Activation Keys allows you to

manage and control the
distribution of Cloud Agents

2. Add a ”static” tag to each key to

label and track agent hosts
deployed
3. Application modules selected
will be activated at agent
deployment

4. Create keys without limits or set

limits by maximum number of
agents or expiration date

15 Qualys, Inc. Corporate Presentation

Now, let’s see how to install an agent:

1. Activation Keys contain the components to successfully deploy agents. You must
first create one or more Activation Keys, before installing an agent.
Log into the Qualys Cloud Agent application, and under Agent Management-
>Activation keys, generate a new activation key.

2. Give the key a title. Creating different keys for different types of hosts in your
network or different deployments is recommended.

3. It is also recommended to create a “static” tag so that any asset deployed with this
key, will receive this tag. This is a very important feature of implementation. More on
this is covered in later parts of the course. There is a philosophy around configuring
your tags and you should do some planning when tagging your agent hosts. Tagging
assets from here will allow you to assign performance to a given set of deployed
agents. You may want to differ performance on workstations vs servers, or prod vs
dev. Tags can also be used in reports.
For example, if you want to report against workstations that have the agent that have
been deployed out of San Francisco.

3. If I don’t select any of the checkboxes explicitly, the agent would do some basic
information gathering of the host. I’d get OS, hostname, and IP information

17
since CyberSecurity Asset Management or Global AssetView is selected by default
depending on which of these applications is included in your subscription. So, you
get automatic and free inventory of hosts where agents are deployed.

A license is charged per application you activate. You can deploy the agent to collect
data for Vulnerability Management, EndPoint Detection and Response, Extended
Detection and Response, Secure Config Assessment, Policy Compliance, Patch
Management or File integrity monitoring.

Application modules not selected can be activated later (after deployment).

17
 Activation Key Limits

§ Create keys that are unlimited or choose the option to set limits
§ If both limits are selected, the key will expire when the first limit is reached

16 Qualys, Inc. Corporate Presentation

By default, the activation key usage is unlimited and can be deployed for as many
host systems as your subscription allows.

However, you have the option to set limits:

1. The first option for setting limits is by configuring maximum number of agents, like
if you want to provision the same key for a specific business unit or location.
2. You can also limit by date, which is used in a case where you want to trial the
agent, or you want it to be temporary.

If both settings are configured, the key will expire when the first limit is reached.

18
 Lab Tutorial 1

Create Activation Key (pg. 4)

5 min.

17 Qualys, Inc. Corporate Presentation

1. Create CA Lab Activation Key

2. Create and add a static tag (CA Lab) to key
3. Add application modules to key
4. No restrictions or limits
5. Generate key

19
 Install Agents

§ Select the “Install Agent” option

from the Quick Actions menu of any
Activation Key

§ Each Activation Key contains

installation instructions for agent
supported operating systems
§ Click “Install Instructions” for any
OS, to view its instructions and
download the agent installation
components

18 Qualys, Inc. Corporate Presentation

This is the next wizard after clicking on “generate key” presenting installation
instructions and artefacts for an Activation Key. You can get the same wizard by
selecting an activation key, opening its “Quick Actions” menu and selecting “Install
Agent”.

Click “Install Instructions” for any OS, to view agent installation instructions
and download its agent installation components.

20
 Installation Components

§ Run the agent

installer on a target
host, using the
provided installation
command.

1. Agent installation
command

2. Agent installer (.exe,

.rpm, .deb, .pkg)

§ When using third-party applications to build custom deployment packages, these two
components should be included

19 Qualys, Inc. Corporate Presentation

The primary agent installation components include:

1. Agent installation command

2. Agent installer/executable

These two components must be included in your installation packages.

Before we install the agent via the command line, we’ll first need to copy this
command and also download the executable, which will need to be on the machine
where we issue the command.

21
 Lab Tutorial 2

Agent Installation Components (pg. 7)

5 min.

20 Qualys, Inc. Corporate Presentation

1. Use CA Lab Activation Key to install agent

2. Download installation components for Windows agent
3. Download agent installer
4. Copy installation command

22
 MSI Extract

• Traditionally, the Cloud Agent has relied on .exe for

installation

• As an admin, you can preconfigure a MSI file to make easy

deployment within an organisation

• Starting with CA version 4.5 and above, Qualys supports MSI

Install

21 Qualys, Inc. Corporate Presentation

Traditionally, the Cloud Agent has relied on .exe for installation on Windows hosts.
However, as an admin, you can preconfigure an MSI file to make easy deployment
within an organisation. Starting with Cloud Agent version 4.5 and above, Qualys
supports MSI Install.

Some Use Cases of MSI are:

• It's relatively easy to make a tree of MSI files.
AND
• You might want more precise control over how the installation is managed. MSI
has very specific rules about how it manages the installations, including installing,
upgrading, and uninstalling.

From the high-level user's perspective, the new setup is an exe containing the setup
components to install Qualys agent on the target machine. The exe contains two MSIs
– one for 32-bit machines, and another one for 64-bit machines. The exe would
extract the correct MSI and invoke the MSI engine to begin the installation process.
The exe can also be instructed to only extract the MSI/MSI(s).

23
 MSI Extract

To extract MSI from the downloaded exe file, run the following command:
QualysCloudAgent.exe ExtractMSI=<value>
Any agent version above 4.5 will support MSI

For ExtractMSI, use following values (value) as per host architecture

For example, if you want to install cloud agent on a 32-bit machine, you need
to extract MSI package with value for ExtractMSI=32
32: Extracts 32-bit MSI Installer

22 Qualys, Inc. Corporate Presentation

To extract MSI from the downloaded exe file, run the following command:
QualysCloudAgent.exe ExtractMSI=<value>

For ExtractMSI, use following values (value) as per host architecture.

For example, if you want to install cloud agent on 64-bit machine, you need to extract
MSI package with value for ExtractMSI=64.
- 32: Extracts 32-bit MSI Installer
- 64: Extracts 64-bit MSI Installer
- BOTH: Extracts both (32-bit and 64-bit) the MSI Installers
- AUTO: Extracts the appropriate MSI based on the OS architecture. It extracts 32-bit
MSI on a 32-bit machine and 64-bit MSI on a 64-bit machine

24
 Agent Deployment Options

1. Software distribution tools

• Automate agent deployment using popular third-party tools (e.g., SCCM, Chef,
Ansible, Puppet, BigFix, Casper, Altiris)
2. Gold Image (virtual host)
• Install Cloud Agent in a “master” image
• If a new instance has the same Qualys Host ID (as the “master” image), the agent
will renegotiate a new Host ID with the Qualys Platform

3. Command line (used in our training lab, today)

• Manual installation
• Highlights the various elements of an agent installation

23 Qualys, Inc. Corporate Presentation

You can deploy/push install the Cloud Agent in 3 ways:

• Third-party software management and distribution applications such as SSCM,

Puppet, BigFix, etc. can be used to perform large-scale agent deployments by
packaging Qualys provided activation key and installer script together. This method
is commonly used in production environments to perform large-scale agent
deployments.

• Agent can be installed in a master or gold image on platforms such as Amazon

AWS, Microsoft Azure and Google Compute Platform. Each new instance created
from the master image may potentially have the same Qualys Host ID as the
“master” image. In this case, the agent will renegotiate its UUID with the Qualys
Cloud Platform.

• In this course, you will manually install an agent from the command line.

25
 Lab Tutorial 3

Command Line Installation (pg. 9)

5 min.

24 Qualys, Inc. Corporate Presentation

1. Agent installer and installation command have been downloaded to Windows

host
2. Verify the presence of the agent installer and execute the installation command
3. Open Task Manager and verify Qualys Cloud Agent process is running
4. Navigate to \ProgramData\Qualys\QualysAgent and display the contents of
Log.txt

26
 Verify Agent Installation
Qualys Cloud Agent Process

§ Look for the Qualys Cloud Agent

process in Windows Task Manager
§ List running processes on a Unix-
based host:

ps –e | grep qualys

25 Qualys, Inc. Corporate Presentation

Following a successful agent installation, the Qualys Cloud Agent process will appear
in Windows Task Manager. View a list of running processes on a Unix or Linux host to
view the Cloud Agent process.

27
 Verify Agent Installation
Qualys Host ID

§ Look for the Qualys Host ID in the

Windows Registry:
HKLM\SOFTWARE\Qualys

§ Unix-based hosts store the Qualys

Host ID in the ‘hostid’ file:
/etc/qualys/hostid

• Provisioning tasks typically have not completed if Qualys Host ID is not present
• EXCEPTION: “Gold Images” and hosts configured for Agentless Tracking may already have a
Qualys Host ID
26 Qualys, Inc. Corporate Presentation

The presence of a Qualys Host ID is a good indicator that the agent has successfully
contacted the Qualys Cloud Platform. On Windows hosts, the Host ID can be found
under the Qualys registry key. On a Unix or Linux host the Host ID is stored in a plain
text file (/etc/qualys/hostid).

If an agent host has not acquired its Host ID, provisioning may still be in progress, or
the agent was unsuccessful in contacting the Qualys Cloud Platform.

NOTE: Virtual hosts (created from a gold or master) image may potentially already
have a Qualys Host ID. We’ll examine a couple of solutions to this challenge, in the
“Provisioning” discussion, later.

If the “Agentless Tracking” feature is enabled in Qualys VM, VMDR, or PC, a host may
have already received Its Qualys Host ID, before an agent is installed. In this case, the
agent will simply use the Qualys Host ID provisioned by the Agentless Tracking
feature. For more information on the “Agentless Tracking” feature, please see the
Qualys “Scanning Strategies & Best Practices” and “Reporting Strategies & Best
Practices” training courses.

28
 Verify Agent Installation
Cloud Agent Log File

§ Windows: \ProgramData\Qualys\QualysAgent\Log.txt
§ Unix: /var/log/qualys/qualys-cloud-agent.log

27 Qualys, Inc. Corporate Presentation

CA log file contains a list of cloud agent activity. Searching this file will reveal agent
connection attempts that are successful (return code 2xx) and unsuccessful (return
code 4xx, 5xx). It is best to search the end of the CA log file for the most recent
connections attempts.

On a Linux host search for the character string “Http request.” On a Windows host
search for the character string “Http status.”

HTTP Status Codes:

1xx Informational.
2xx Success. ...
3xx Redirection. ...
4xx Client Error. ...
5xx Server Error.

Members of the Qualys Technical Support team will typically request a copy of your
agent log file, when working on agent support calls:
• Unix/Linux: var/log/qualys/qualys-cloud-agent.log
• Windows: \ProgramData\Qualys\QualysAgent\Log.txt

See Lab Appendix D, to learn about the information that is useful when working with
the Qualys Technical Support Team.

29
Regarding some other files present in the same path:
• A manifest is what the cloud agent is supposed to collect from the host system.
Consider it the recipe it follows for data collection. Different manifests exist for
different Qualys applications you’ve activated. There is a folder for self-patching.
The agent will update itself automatically unless configured not to. Config files
relate to how and when the agent should act and when it shouldn’t generate
network activity.
• The agent also maintains a snapshot locally to mirror the snapshot stored in the
platform.

29
 Proxy Configuration

Qualys, Inc. Corporate Presentation

Qualys Cloud agent supports the use of a Proxy for agent communication.

The objectives of this topic are:

1. Outline the need for proxy servers or Qualys Gateway Servers
2. Provide a comparison of Windows and Linux proxy options

See “Proxy Configuration” in the lab tutorial supplement for this course for more
proxy configuration details.

30
 Agents and Proxies

§ In an environment without proxy servers, Qualys Cloud Agents will

communicate directly with the Qualys Platform on TCP/443
§ Agents can also be configured to communicate through a proxy server,
including Qualys Gateway Server (QGS)
§ QGS also provides a cache for patch downloads and other agent artifacts
including manifests and agent binaries
§ By default, Windows agents use the same proxy configuration as their host
OS
§ By default, Linux agents operate in non-proxy mode

28 Qualys, Inc. Corporate Presentation

In an environment without proxy servers, Qualys Cloud Agents will communicate

directly with the Qualys Platform on TCP/443.

Agents can also be configured to communicate through a proxy server, including

Qualys Gateway Server (QGS).

Then, proxy server (QGS or otherwise) will connect with Qualys Cloud Platform on
behalf of agent hosts.

QGS also provides a cache for patch downloads and other agent artifacts including
manifests and agent binaries.

• By default, Windows agents use the same proxy configuration as their host OS and
Linux agents operate in non-proxy mode.

Note: If proxy connection fails then agent will attempt a direct connection outbound

31
(Fail Open).

31
32 Qualys, Inc. Corporate Presentation
29 Qualys, Inc. Corporate Presentation

Without any proxy server, all agent hosts will contact the vendor CDN individually to
download the respective patches, consuming high amounts of network bandwidth.
However, with QGS configured as a proxy server, QGS will download and cache all
these patches locally and agent assets can download them from here as per patch
deployment job schedules. This saves network bandwidth consumption.
For ex. What if multiple agent hosts are to download the same patch? They can now
get the same from QGS’ cache locally rather than individually probing vendor CDNs.

32
 TLS 1.2 Required

§ TLS 1.2 must be enabled on client machines to communicate with the

Qualys Cloud Platform
§ Agent host assets that do not meet this requirement will need to
communicate with the Qualys Platform through a proxy server that
supports TLS 1.2
§ Use Qualys Gateway Server (QGS) to meet this TLS 1.2 requirement

30 Qualys, Inc. Corporate Presentation

TLS 1.2 is a host requirement, for communicating with the Qualys Cloud Platform.

Any agent host that does not meet this requirement (e.g., Windows XP and Windows
Server 2003) will need to communicate with the Qualys Platform through a proxy
server that supports TLS 1.2. Qualys Gateway Server meets this requirement.

33
 Proxy Configuration for Windows agents
§ By default, agent proxy settings are not configured to talk through a proxy
§ The agent attempts to detect a Windows Proxy Auto-Discovery (WPAD) auto-proxy
§ Proxy settings are stored under the Qualys registry key (HKLM\SOFTWARE\Qualys\Proxy)
§ The Qualys Proxy utility (QualysProxy.exe) will automatically create this key, if not already present

§ Use third-party software management and distribution tools or the Windows Remote
Registry service to set the proxy configuration for agents, during or after agent installation
31 Qualys, Inc. Corporate Presentation

By default, agent proxy settings on Windows clients are not configured to talk
through a proxy, and the agent attempts to detect a Windows Proxy Auto Discovery
(WPAD) auto-proxy.

Windows agent proxy configuration can be accomplished by creating and editing the
Qualys Proxy registry key (HKLM\SOFTWARE\Qualys\Proxy). The Qualys Proxy utility
(QualysProxy.exe) will automatically create this key, if it is not already present.
Steps to use QualysProxy.exe:
From an elevated command prompt, execute QualysProxy.exe to:
• Configure Proxy Server(s) and port(s)
• Configure proxy username and password if authentication is required
• Configure Proxy Auto-Configuration (PAC) file URLs (when WPAD is not available)
• Enable/disable WPAD for agent hosts

QualysProxy.exe works with third-party software management and distribution tools.

Any application that can access the Remote Registry Service (including Group Policy
Management Console, Group Policy, WMI, etc.) can create or modify agent proxy
configuration settings.

Use third-party software management and distribution tools or the Windows Remote
Registry service to set the proxy configuration for agents, during or after agent

34
installation.

34
 Proxy Configuration for Linux agents

§ By default, Linux agents operate in non-proxy mode

§ Linux agents can be configured to use an HTTPS proxy, using one of the following
configuration files:
1. /etc/sysconfig/qualys-cloud-agent (.rpm)

2. /etc/default/qualys-cloud-agent (.deb)

3. /etc/environment (.rpm and .deb)

§ Existing proxy configuration support is extended to support Proxy Auto-Configuration

(PAC) file
§ URL to the PAC file must be set using http_proxy or https_proxy in the following format
in the same file:
https_proxy=pac+http://url.to/proxy.pac

32 Qualys, Inc. Corporate Presentation

By default, Linux agents operate in non-proxy mode. Agents can be configured for
proxy communications using the ’qualys-cloud-agent’ proxy configuration file:

• /etc/sysconfig/qualys-cloud-agent (.rpm)
• /etc/default/qualys-cloud-agent (.deb)

If this file does not already exist, you must create it. Both .rpm and .deb
environments support proxy configuration in the /etc/environment file.

Configure proxy using one of the above configuration files:

Add one of the following lines:
• https_proxy=https://[<username>: <password>@]<host>[:<port>]
• qualys_https_proxy=https://[<username>: <password>@]<host>[:<port>]

If the proxy is specified with the https_proxy environment variable, it will be used for
all commands performed by the Cloud Agent. If the proxy is specified with the
qualys_https_proxy environment variable, it will only be used by the Cloud Agent to
communicate with our cloud platform.

Now, this configuration is extended to support Proxy Auto-Configuration (PAC) files

for Linux agents.

35
The URL to the PAC file must be set in http_proxy or https_proxy in the following
format: https_proxy=pac+http://url.to/proxy.pac in the same file.

35
 Post Deployment

Qualys, Inc. Corporate Presentation

In this section, we’ll review the info seen after deploying the agents:
1. Identify the agent asset details provided by the Cloud Agent application and other
Qualys applications.
2. Learn to use the Qualys Query Language (QQL) and Query Tokens, to search for
agent assets.

Further, we will explore the new Windows Self-protection feature for Windows cloud
agents.

36
 Agents Tab

§ Use the “Quick Actions” menu to view

asset details

33 Qualys, Inc. Corporate Presentation

Once the agents are successfully deployed, i.e. installed and communicating with the
Qualys Cloud platform, you will see respective agent hosts under the ”Agents” tab in
the CA application. Use the “Quick Actions” menu for any agent host listed here, to
view specific asset details.

The Asset Summary displays host OS details, geolocation information, names and
addresses, activity updates, and Asset Tags.
There is also a Cloud Agent tag which automatically gets associated with any asset
where cloud agent is deployed. This is important to know when reporting, scanning
and using CSAM or GlobalAsset view. You can use this tag to include or exclude cloud
agent hosts in your scans, reports and queries.

The very next lab tutorial provides a quick tour of the various asset detail
components.

37
 Lab Tutorial 4

Asset Details & Queries (pg. 18)

5 min.

34 Qualys, Inc. Corporate Presentation

1. View asset details for host with all agent modules activated
2. Display all ”View Mode” options including GCP Instance Information
3. Use lastCheckedIn query token find agent host that have not checked-in for seven
days
4. Download the result set into a spreadsheet (.csv) file

38
 Search for Assets

§ All agent hosts are labeled with the “Cloud Agent” Asset Tag

35 Qualys, Inc. Corporate Presentation

One of the more useful queries (when searching for agent hosts) uses the
“lastcheckedIn” query token, which can help you with identifying agents that are
failing to communicate with the Qualys Platform. For example, if someone manually
uninstalls an agent from its host (without using the Qualys UI or API), a stale host
record will remain in your account, until you remove it. Use the “lastCheckedIn”
token to help you find stale agent hosts, using a timeframe of your choice.

All agent host assets are labelled with the “Cloud Agent” tag. Using the “tags.name”
token (with a value of “Cloud Agent”) will help you to find agent host assets from the
search field of any Qualys application.

39
 How To Search

§ Click the “Help” icon

inside the “Search”
field for more
information on
building queries and
using the Qualys
Query Language
(QQL)

36 Qualys, Inc. Corporate Presentation

Information and examples for using Qualys Query Language (QQL) to build effective
queries can be found by clicking the “Help” icon, inside the “Search” field.

40
 Windows Self Protection Feature

Qualys, Inc. Corporate Presentation

In this topic, we’ll explore the Self-Protection feature for Windows cloud agents
which helps prevent tampering of cloud-agent binaries and processes by
unauthorised users and processes.

41
 Windows Cloud Agent Self-Protection (SPF)
• Prevents tampering of Qualys Cloud Agent binaries and processes on Windows systems

• Prevents the following:

o Uninstallation of Cloud Agent

o Termination of Cloud Agent processes

o Tampering with Cloud Agent files and directories

o Tampering with Cloud Agent driver

o Tampering with Cloud Agent registry keys

o Prevents the debugger from attaching to the Qualys agent service

o Prevents user-defined scripts, that is the scripts uploaded by Custom Assessment, Remediation, and Patch
Management, from making changes to the protected areas

• On-demand scan configuration in registry and proxy configuration are not impacted by SPF

• Contact TAM/Support to enable this feature for your account

37 Qualys, Inc. Corporate Presentation

The Cloud Agent Self-protection feature helps prevent non-trusted processes from
making unwanted changes to the file directories and registry entries used by the
Qualys Cloud Agent.

It also prevents:
• Uninstallation of Cloud Agent, Termination of Cloud Agent processes, Tampering
with Cloud Agent driver, Tampering with Cloud Agent registry keys and Prevents
the debugger from attaching to the Qualys agent service. Lastly, It prevents user-
defined scripts, i.e. the scripts uploaded by Qualys Custom Assessment and
Remediation, and Patch Management, from making changes to the protected
areas.

However, On-Demand Scan configuration which requires a registry change on the

host will still work and proxy tool can still be used to configure a proxy for the agent,
with Self-Protection enabled.

To get this feature enabled in your account, please contact your Qualys TAM or
engage Qualys support.

42
 Lab Tutorial 5

Explore Windows Self-protection Feature (pg. 21)

5 min.

38 Qualys, Inc. Corporate Presentation

1. understand Self-protection feature usecase

2. Create key to disable Self-protection feature
3. Disable Self-protection on the agent host using this key

43
 Lifecycle and Configuration

Qualys, Inc. Corporate Presentation

The objectives of this section are:

1. Identify and define the Cloud Agent lifecycle events and status flags:
• Agent Provisioning and Re-provisioning
• Configuration Profile download
• Agent Upgrades
• Agent Status Interval
• Data Collection and Upload
• Application Manifests download
• Agent – Platform Synchronization
• Activate, Deactivate, Uninstall Agents
2. Learn to build and configure a CA Configuration Profile
3. Understand the different agent data collection methods

44
 Cloud Agent Lifecycle Events

1. Agent Provisioning and Re-provisioning

2. Configuration Profile Download
• Agent Status Interval (heartbeat)

• Agent Version Upgrades

• Data Collection and Upload

3. Manifest Download
4. Agent-Platform Synchronization
5. Activate/Deactivate Application Module
6. Agent Uninstall (if necessary)

39 Qualys, Inc. Corporate Presentation

Throughout its life, an agent will go through a series of events or workflows:

• Agent provisioning was demonstrated in the first part of this course. It involves
validation of legitimate agents on the Qualys cloud platform. This stage also
involves agent clone detection and re-provisioning.

• Once provisioning is successful, an agent will download its configuration profile. A

configuration profile specifies various agent behaviors and characteristics. Other
lifecycle events are controlled by settings in the downloaded configuration profile,
including: 1) Agent Status Interval, 2) Agent Version Upgrades, and 3) Data
Collection Methods.

• Next, an agent will download its manifest for applications, that are activated for
agent data collection. The manifest tells the agent the metadata to collect for a
particular application such as VM, PC, EDR, etc. from the host. Data collection will
begin now.

• Once an agent has successfully transferred its first data “snapshot” to the Qualys
Platform, it will regularly perform synchronization checks, to ensure data on both
sides is accurate and consistent.

• Application modules can be activated or deactivated for individual or entire groups

45
 of agents.

• Uninstalling an agent will free its license for use elsewhere.

45
 Cloud Agent Activity

§ Provisioned – Agent successfully connected to the cloud and registered

§ Configuration Downloaded – The agent has successfully downloaded a new or updated
Configuration Profile
§ Manifest Downloaded – The agent has successfully downloaded a new or updated manifest
§ Agent Downloaded – A new agent version was downloaded, and the agent was auto-updated
§ Inventory Scan Complete – Agent successfully collected and uploaded host inventory data
§ Scan Complete – Agent successfully collected and uploaded host metadata for assessment on
the Qualys platform

40 Qualys, Inc. Corporate Presentation

As agents complete various lifecycle events, different status flags are displayed in the
host’s “Last Activity” column.

In this slide, you can see a comprehensive list of status flags for an agent host.
You can also find them by navigating to the online help page from the Agents tab:
Under the “agent status” quick link.
OR
Refer to the agent log file.
You can see the various agent status flags based on agent activity from the time the
agent is provisioned to the time data collection and scanning are complete.

The last time an agent checked in is displayed in the host’s “Last Checked In” column.

46
 Agent Provisioning and Re-provisioning

Qualys, Inc. Corporate Presentation

This section covers the 1st step of the agent lifecycle: Agent Provisioning and Re-
provisioning.

47
 Provisioning

§ Agent calls home with Customer ID and Activation ID

§ Platform validates Agent
§ Agent generates Qualys Host ID (UUID)

§ EXCEPTION: “Gold Images” and hosts configured for Agentless Tracking may already
have a Qualys Host ID

41 Qualys, Inc. Corporate Presentation

After the agent is deployed, it calls home to the platform with its customer id and
activation key that were provided during installation.

The platform then identifies the agent as legitimate based on the customer ID and
activation key validation. All communication is initiated outbound from the agent to
the platform using REST over https.

For Linux/Unix hosts, upon successful validation, the agent generates a host ID or
universally unique ID for the asset. For Windows agents, the host id is provisioned
directly without verification. The Host ID is used to uniquely track or identify the
asset without relying on its hostname, IP address, or anything else that can change.

If you’ve been scanning the host with a scanner appliance, and have activated the
Agentless Tracking Identifier, and if the Host ID already exists, the agent will use that
existing ID and merge your agent data and scan results to provide a single unified
view of the asset. For more information on the “Agentless Tracking Identifier”
feature, please see the Qualys “Scanning Strategies & Best Practices” and “Reporting
Strategies & Best Practices” training courses.

After being provisioned, the agent does not perform any subsequent provisioning
actions except in the case of duplicate host IDs. Agents that cannot communicate to
the platform for provisioning will keep retrying with an exponentially increasing delay.

48
After provisioning, the agent downloads its assigned configuration profile and
executes based on the defined parameters in the profile, including performance
parameters and network blackout windows. So, you want to be sure your
configuration profile is built and assigned appropriately before installation.

48
 Clone Detection

§ Common in virtual host deployments from a “master” image:

§ CA has already been provisioned within the “master” image, including
the Qualys Host ID
§ Each virtual host created from the “master” image will initially have
the same Qualys Host ID (as the master image)
§ Qualys platform will issue a re-provision command if Agent ID is already in
use
§ Prevents the same Agent ID (Qualys Host ID) from being used by more
than one host

42 Qualys, Inc. Corporate Presentation

The next step is for the platform to verify that the Host ID is unique. This feature is
always enabled and not exposed as a configurable setting.

The most common case where duplicate host IDs are created is when an agent is
provisioned in a gold image that is used to create clones, including cloud instances,
virtual environments, or physical environments. In this case, cloned agents will have
the same host ID as the agent in the gold image thus creating duplicate host IDs in
the platform when the cloned agents connect. To remedy this, the platform will find
the duplicate ID and issue a re-provision command so the agent will regenerate a new
unique host ID.

49
 Cloud Agent Preparation for Cloning / Gold Image

§ Configuration steps are available in some of the agent OS Installation

Guides to build a gold image without provisioning the Qualys Host ID
§ Gold image will not consume an agent license
§ Avoids agent re-provisioning

43 Qualys, Inc. Corporate Presentation

Cloud Agent configuration steps and deployment best practices are available in the
agent OS Installation Guides available on qualys.com/documentation:
While Qualys has coded the agent to deduplicate host IDs, the best practice involves
building a gold image without provisioning the Qualys Host ID to avoid agent re-
provisioning later. For example, when building a master image, avoid renegotiation by
deploying agent on a host that is disconnected from the network.

Please note that the Gold image will not consume an agent license.

50
 Configuration Profile Download

Qualys, Inc. Corporate Presentation

This section covers the 2nd step of the agent lifecycle: Configuration Profile
Download
Here, we will also discuss the various settings of the configuration profile.

Note: Before installing the agent, you’ll want to create the configuration profile.
When the agent first gets installed and calls home, it will ask for it’s configuration
profile before it does much else.
So, this profile marries the performance configured for the assigned hosts.

51
 CA Configuration Profile
Agents can only use one Configuration Profile at-a-time but may change from one
profile to another

Configuration Profiles provide:

o Suspending data collection
o Preventing auto-updating of agent
binaries
o Blackout Windows
o Agent Performance Settings
o Assigned Hosts
o Data collection intervals and
options

44 Qualys, Inc. Corporate Presentation

Agents can only use one Configuration Profile at-a-time but may change from one
profile to another.

Each Configuration Profile contains settings for:

• Suspending data collection

• Preventing auto-updating of agent binaries

• Blackout Windows

• Agent Performance

• Assigned Hosts

• Agent Scan Merge

• Data collection intervals and options

52
 Lab Tutorial 6

Cloud Agent Configuration Profile (pg. 22)

15 min.

45 Qualys, Inc. Corporate Presentation

1. Create the CA Lab Configuration Profile

2. Complete all Configuration Profile Creation steps:
• Define General Info settings
• Define Blackout Windows
• Customize agent performance and select the LOW presets
• Define Agent Status Interval
• Define Delta Upload Interval and Chunk sizes for file fragment
uploads
• Define Upgrade Reattempt Interval
• Define Logging Level
• Define Priority Status Upload Interval
• Define CPU Limit and CPU Throttle
• Choose VM Scan Mode
• Add “CA Lab” tag to Assigned Hosts
• Briefly define Agent Scan Merge. The lab tutorial supplement provides
more details on agent scan merge (pages 27 – 30)
• Define VM, PC, SCA scan intervals
• FIM and EDR are defined but not enabled
• PM is enabled by default
3. Explain Configuration Profile precedence

53
 Configuration Profile Precedence

§ The “Default” profile will be used for any agent host not assigned to a Configuration Profile
§ If an agent host is assigned to more than one profile, the profile closest to the top of the list will
take precedence (top-down)
46 Qualys, Inc. Corporate Presentation

You can create multiple Configuration Profiles for your needs. This allows you the
flexibility to adjust agent performance for different system and network conditions.
However, since Each Cloud Agent host can have only 1 profile assigned, there is a
precedence that occurs. If an agent is assigned to more than one profile; the highest
priority profile will be assigned to the host, i.e. The matching profile closest to the top
of your configuration profile list is assigned to the agent.

Always keep generic configuration profiles at the bottom and more specific profiles at
the top of the list.
Notice that configuration profiles can be reordered to establish the appropriate order
of precedence.

Note: A Default profile also exists for hosts that do not have one assigned explicitly.

54
 Configuration Profile: General Info

Qualys, Inc. Corporate Presentation

This topic covers the various settings in the configuration profile starting with the
General Settings.
The General Information settings establish things like the profile name and
description, along with some default data collection and update options.

55
 Default Profile

§ Only one profile can be designated as the default profile for your
subscription. If an agent host does not meet the host assignment criteria
for any other configuration profile, the default will be used

47 Qualys, Inc. Corporate Presentation

Only one profile can be designated as the default profile for your subscription. If an
agent host does not meet the host assignment criteria for any other configuration
profile, the default will be used.

56
 Suspend Data Collection

§ Although not commonly used, selecting this option will stop agents from
performing VM, PC, SCA, and Inventory scans
§ Agents will continue to get manifest updates, configuration updates, and
even agent version updates

48 Qualys, Inc. Corporate Presentation

The option to suspend data collection from agents will effectively stop the agent from
performing VM, PC, SCA and Inventory scans. Although scanning has stopped, agents
will continue to receive manifest updates, configuration updates and agent version
updates.

57
 In-Memory SQLite Databases

§ Windows agents with SQLite In-Memory Databases enabled, consume

slightly higher memory while using slightly less CPU and disk space
resources

49 Qualys, Inc. Corporate Presentation

Windows agents with SQLite In-Memory Databases enabled, consume slightly higher
memory while using slightly less CPU and disk space resources.

58
 Agent version Upgrades
§ By default, Cloud Agents will automatically upgrade to the latest version
§ ~80% of all agents have the auto-upgrade option enabled

§ To certify and upgrade agents via a third-party software manager, click the ”Prevent auto
updating of the agent binaries” check box

50 Qualys, Inc. Corporate Presentation

By default, agents will automatically upgrade to the latest agent version. This setting
is configurable.

Organizations can prevent the auto-update of agents, if required: By enabling

“Prevent auto updating of agent binaries” function in the configuration profile.
This supports an organization’s change management process. Controlling agent
version upgrades, allows organizations to test and certify new agent versions before
they upgrade production agents.
Once an agent version is certified as per your internal policy, “Prevent auto updating
of agent binaries” function can be unchecked in the Configuration Profile so that
agents can start auto-upgrading again.
Once this restriction has been removed, the “Agent Status Interval setting” in the
performance section, will determine when each agent checks-in to receive the new
update. We will talk about this feature in the upcoming slides.

For organizations that wish to use third-party software distribution tools to upgrade
deployment agent versions instead of the Qualys platform, this feature can be used to
prevent upgrades entirely.

It is recommended that you update your agents within three months of release of a
newer agent version. This will ensure the agent is properly covering all vulnerabilities
for vulnerability management and controls for policy compliance.

59
 End-of-Service Cloud Agent Versions
§ Cloud Agent versions that are no longer supported:

ACTION REQUIRED: Upgrade your cloud agents to the latest version and take
advantage of new agent features.

51 Qualys, Inc. Corporate Presentation

Some older versions of Cloud Agent have reached end-of-support and should be
upgraded to the latest version to take full advantage of new features and benefits.
Please consult the Cloud Agent Platform Support Availability matrix for more
information on end-of-service agents.

60
 Find Agents No Longer Supported

There are multiple ways to find End-of-Service agents:

§ Search for QID 105961 “EOL/Obsolete Software: Qualys Cloud Agent
Detected” (CA, VMDR):
vulnerabilities.vulnerability.qid:105961

§ Search by Agent Version (CA, Global AssetView/CSAM, VMDR):

agentVersion<2.1*

§ Search by Software Lifecycle Stage (CSAM):

software:((name:Qualys) and (lifecycle.stage:'EOL/EOS'))

§ Cloud Agent Dashboard

52 Qualys, Inc. Corporate Presentation

There are multiple ways to find end-of-service agents.

Search for QID 105961, using the vulnerability qid token, to detect End of
Service Cloud Agent versions in the Cloud Agent and VMDR applications.

You can also use the “agentVersion” token for this purpose which is supported in
Cloud Agent, Global AssetView or CSAM and VMDR applications.

The “software name” and “software lifecycle stage tokens are supported in the CSAM
application.

Lastly, you can use the “Agent Version Distribution” widgets in the Cloud Agent
Dashboard.

61
 Cloud Agent Dashboard

§ Click on any version distribution to display its agent hosts.

53 Qualys, Inc. Corporate Presentation

Click on any version number in the bar chart to display its agent hosts and you have
the option to download that list as well.

62
 Best Practices for Agent Binary Upgrade

§ Use the auto upgrade feature or upgrade agents quarterly:

• Recommended: Use auto-update to take advantage of Qualys’ latest agent
features
• Good: Certify and upgrade agents via a third-party software package
manager, on a quarterly basis
• Minimum: Upgrade agents via a third-party software package manager, on an
as-needed basis
§ Qualys also recommends upgrading Gold Image builds quarterly, even if
auto-upgrade is enabled

54 Qualys, Inc. Corporate Presentation

Although not all hosts are candidates for the agent auto-upgrade feature, Qualys
recommends using this option wherever possible to take advantage of the latest
agent features.

When using third-party software distribution tools such as SCCM, BigFix, Chef and
others to upgrade agents, Qualys recommends performing agent upgrades quarterly.
At a minimum, upgrade all EOS agents and continue to keep agents upgraded on an
as-needed basis.

Qualys recommends updating Gold Image builds quarterly, even if auto-upgrade is

enabled.

63
 Third-Party Tool Tips

§ Windows agent upgrades require the PatchInstall parameter:

QualysCloudAgent.exe PatchInstall=TRUE

§ The CustomerID and ActivationID arguments are not required when

performing an agent upgrade

55 Qualys, Inc. Corporate Presentation

Here are some tips when upgrading agents:

It is required for software distribution tools to use the ‘PatchInstall’ argument

to successfully upgrade existing installed Windows agents. If not, the installer will fail
to upgrade the existing installed Windows Agent.
Do not attempt to use the CustomerID and ActivationID parameters when upgrading
agents.

64
 Configuration Profile: Blackout Windows

Qualys, Inc. Corporate Presentation

This topic covers the next setting in the configuration profile: Blackout Windows.

65
 Blackout Windows

§ Prevent communication
between agents and the
Qualys Platform at
specified times of the
week
§ This is useful if you want
your agents to stop
communicating during
expected times of heavy
or increased network
traffic

56 Qualys, Inc. Corporate Presentation

You can add blackout windows to stop communication between the agent and the
Qualys Cloud platform, at specified times each day of the week. This can be
especially useful when coordinating the communication flows for different groups of
agents, or simply use this option to stop agent communications during expected
times of peak network traffic.

66
 Configuration Profile: Performance

Qualys, Inc. Corporate Presentation

This topic covers the agent configuration settings that have a significant impact on
agent CPU and network performance.

67
 Performance

§ Select default preset levels (LOW, NORMAL, or HIGH) or turn-on the

“Customize” toggle switch

57 Qualys, Inc. Corporate Presentation

To control the amount of system or network resources used by each agent, you can
use the preset performance settings of (LOW, NORMAL, or HIGH). Or use the
"Customize" option for more granular control.

68
 Status Interval

Agent calls home regularly to check for new updates or actions:

§ New manifests
§ Configuration Profiles
§ Download installers for new
agent versions
§ Activate/Deactivate modules
§ Re-provision, Re-synchronize and
Uninstallation commands
58 Qualys, Inc. Corporate Presentation

‘Agent status interval’ acts as a heartbeat for the agent to communicate with the
platform.

All communication between an agent and the Qualys Platform must be initiated by
the agent.
The agent must call home regularly to verify any new and relevant updates. The agent
calls home on a configurable interval, between 15 - 45 minutes, to request any new
content or actions to perform. If you are in a steady state production environment,
there are rarely new updates at each status check, so the request and reply is usually
under 1KB in size.

The content or actions received through the status update include:

• New manifest download
• Configuration Profile download
• Installer download for new agent versions, if configured in the profile
• Activation or Deactivation of application modules
• Re-provisioning, Re-synchronization and Uninstallation commands

69
 Performance - Agent Bandwidth Usage

Using the settings illustrated above, a 4 MB data transfer will be broken-up

into 4 chunks, each sent 10 seconds apart.

59 Qualys, Inc. Corporate Presentation

The "Delta Upload Interval" setting and the "Chunk sizes for file fragment uploads"
setting, both work together.

When an agent is ready to transmit a “snapshot” to the Qualys Cloud Platform, the
“Chunk sizes for file fragment uploads” setting will determine whether the
“snapshot” file will be broken-up into smaller fragments or chunks.

If more than one “chunk” is to be sent to the Qualys Cloud Platform, the “Delta
Upload Interval” setting determines the amount of time between individual “chunk”
transmissions.

Data collections are compared to latest snapshot and only changes (deltas) are
uploaded to the Qualys Platform.

Cloud Agent network performance is impacted by agent status interval, delta upload
interval, and chunk sizes for file fragment uploads.

The agent status interval or agent heartbeat will determine how often an agent
"checks-in" to collect new manifests, configuration profiles, and perform other agent
management tasks.

70
The delta upload interval combined with the Chunk sizes for file fragment uploads
setting, will have the greatest impact on network performance.

Agents that operate in a network environment with limited capacity will typically
benefit from using smaller chunk or fragment sizes.

Larger chunk or fragment sizes typically work best in network environments with
greater resources and bandwidth.

Increasing the delta upload interval, will force longer delays between data uploads,
reducing impact on the agent's network environment.
Lower delta upload interval settings work best in network environments with greater
capacity.

70
 Bandwidth Considerations For Large Deployments
§ Bandwidth usage is typically greatest at agent deployment (e.g., initial
data transfer does not have same efficiency as delta transfers)
§ Consider creating a special “Deployment” Configuration Profile that
uses LOW bandwidth performance settings and/or Blackout Windows
§ If agent deployment covers a wide geographic area, identify the number
of deployment locations and the total number of agents per location
§ Stagger agent deployments if many hosts are in the same location.
§ Leverage the Qualys Gateway Service (QGS) for:
• Consolidate agent communications and data transfers
• Cache agent downloads and manifests

60 Qualys, Inc. Corporate Presentation

Bandwidth usage is typically greatest at agent deployment (e.g., initial data transfer
does not have same efficiency as delta transfers). When deploying agents in an
enterprise (large) environment, consider spacing out your deployment over time and
wide geographic areas. Consider creating a special “Deployment” Configuration
Profile that uses LOW bandwidth performance settings and/or Blackout Windows.

If agent deployment covers a wide geographic area, identify the number of

deployment locations and the total number of agents per location. You likely do not
want all your agents calling home at the same time. Stagger your deployment over
hours or days if located in the same location.

Qualys Gateway Server provides proxy services for cloud agents. It an be used for
assets that don’t have direct internet access or when you want to optimize
bandwidth.

Leverage the Qualys Gateway Service (QGS) to:

Consolidate agent communications and data transfers.
Cache agent downloads and manifests.

71
 Performance – CPU Limit & Throttle

• How Long Does It Take an Agent to Collect Data?

61 Qualys, Inc. Corporate Presentation

While the agent “Data Collection Interval” setting determines how often or frequently
an agent collects assessment and inventory data, the CPU Performance settings
determine how quickly or slowly the agent goes about the task of data collection.

For Windows, faster data collections speeds are associated with higher “CPU Limit”
percentages and slower data collection speeds are associated with lower “CPU Limit”
settings.

For Unix/Linux, faster data collection speeds are associated with lower “CPU
Throttle” values and slower data collection speeds are associated with higher “CPU
Throttle” values.

72
 CPU Throttle & Limit Comparison

CPU
CPU Limit
Throttle Notes
(Windows)
(Linux/Mac)

0 ms 100% Fastest data collection

1-10 ms 20% Best trade-off between CPU

11-20 ms 10% usage and scan performance

20+ ms 5% Slower data collection

62 Qualys, Inc. Corporate Presentation

Notice that the windows CPU Limit column is included in this table to help illustrate
the inverse relationship between the CPU Throttle setting, and agent performance.

The middle (blue) rows in this table represent the agent performance sweet spot.
This is a good place to start and attempts to balance agent performance with CPU
usage. Adjustments should then be made higher or lower, according to available
resources and performance needs.

73
 Recommended settings
Windows CPU Limit and Linux/Mac CPU Throttle

LOW NORMAL HIGH

WINDOWS
5% 20% 80%
CPU Limit

LINUX/MAC
800 ms 100 ms 0 ms
CPU Throttle

63 Qualys, Inc. Corporate Presentation

To help you choose the correct CPU performance settings for your agents, Qualys
provides these recommendations:

For LOW performance agents, those that reside on host assets with limited CPU
resources:
Qualys recommends a 5% CPU Limit for Windows and 800 milliseconds for the Linux
or Mac CPU Throttle.

The NORMAL setting provides the best balance between CPU usage and agent
performance.
Here, Qualys recommends a 20% Windows CPU Limit and a 100 millisecond Linux or
Mac CPU Throttle.

And finally for host assets with extended resources and the best possible agent
performance:
Qualys recommends an 80% or greater Windows CPU Limit and a Linux or Mac CPU
Throttle of 0 milliseconds.

74
 Recommended settings
Agent Status Interval, Delta upload Interval, and File Fragment Chunk Sizes

LOW NORMAL HIGH

Agent Status
1800 sec. 900 sec. 600 sec.
Interval

Delta Upload
10 sec. 5 sec. 1 sec.
Interval

Chunk sizes for file

1024 KB 2048 KB 4096 KB
fragment uploads

64 Qualys, Inc. Corporate Presentation

To help you choose the right network performance settings for your agents, Qualys
provides these recommendations:

To limit or reduce an agent's impact on it’s network, use the low settings:
1800 seconds for Agent Status Interval
10 seconds for Delta Upload Interval
and chunk sizes of 1024K

For maximum agent performance, on networks with adequate capacity, use the high
settings;
600 seconds for Agent Status Interval
a 1 second delta upload interval
and chunk sizes of 4096K

For network environments that fall somewhere in-between the high-end and the low-
end, use the normal settings:
a 900 second agent status interval
5 second delta upload interval
and chunk sizes of 2048K

75
 Performance – Upgrade Reattempt Interval
Logging level for agent

65 Qualys, Inc. Corporate Presentation

The "Upgrade Reattempt Interval" specifies the amount of time an agent will wait
before re-attempting an agent version update.

Logging level for agent determines the amount and detail of log messages generated
by the agent. Value can be Verbose, Info (i.e. informational), Warn (i.e. Warning),
Error or None. Recommended: Verbose for all performance levels.
When practical, Qualys recommends using the "Verbose" agent logging level.

Priority Status Upload Interval is the interval between the completion of the Priority
Status Upload and the start of the next Priority Status Upload. Specify a value
between 30 and 300 seconds. Default is 60 seconds.

76
 VM Scan Mode

• By default, Qualys Cloud

Agent for Linux, runs VM
scan with the same
privileges configured by
the Qualys user to run the
agent
• VM Scan Mode now allows
Cloud Agent to run VM
scans with different levels
of privileges

66 Qualys, Inc. Corporate Presentation

By default, the Qualys Cloud Agent for Linux runs a VM scan with the same privileges
configured by the Qualys user to run the agent.

VM Scan Mode now allows the Cloud Agent for Linux hosts to run VM scans with
different levels of privileges.

You can define the VM scan mode in the configuration profile, under the Performance
section, under Unix Specific Parameters.

By default, the Customize toggle button is turned off. To enable the VM Scan Mode,
you need to enable the Customize toggle button.
Once the Customize toggle button is turned on, the Agent User option is selected in
the VM Scan Mode drop-down menu.

For the supported platform and Windows agent version, refer

to Features by Agent Version section in the Cloud Agent Platform
Availability Matrix.

For more details on this feature, refer to

https://blog.qualys.com/product-tech/2022/08/15/qualys-security-
updates-cloud-agent-for-linux

77
 VM Scan Modes

• Agent configured user permissions: Runs VM scan with the same privileges
configured by the user to run Qualys Agent
• Safe mode: Runs VM scan only with lower privileges and would not run any
commands/binary with elevated privileges
• Dynamic privilege elevation: By default, Qualys Agent runs
the VM scan lower privileges. However, the Cloud Agent will dynamically
elevate the privileges to root access only for those commands that failed due
to permissions with lower privileges

67 Qualys, Inc. Corporate Presentation

The different modes available are as follows:

• Agent configured user permissions: Qualys Agent runs VM scan with the same
privileges configured by the customer to run Qualys Agent.
• Safe mode: Qualys Agent runs the VM scan only with lower privileges and would
not run any commands/binary with elevated privileges.
• Dynamic privilege elevation: By default, Qualys Agent runs the VM scan lower
privileges. However, the Cloud Agent will dynamically elevate the privileges to
root access only for those commands that failed due to permissions with lower
privileges.

Note: For the Safe mode and Dynamic Privilege elevation, the Cloud Agent must be
configured with the non-root user which is part of the Sudo group.

78
 Agent User Modes through API
• You can Configure VM Scan Modes using Cloud Agent API as well:

• The VM scan modes can be set using the vmScanMode parameter in create and update
configuration profile APIs

68 Qualys, Inc. Corporate Presentation

Please consult the Qualys Cloud Agent API guide for more information on setting the
Agent User mode through the API.

79
 Configuration Profile: Assign Hosts

Qualys, Inc. Corporate Presentation

This topic covers the "host assignment" option in the configuration profile which
helps to ensure the agents you deploy are assigned to the correct configuration
profile.

80
 Assign Hosts

§ Assign host assets to

a Configuration
Profile by Asset Tag
or Host Name
§ BEST PRACTICE: Rely
on Asset Tags to
assign hosts

69 Qualys, Inc. Corporate Presentation

Agent hosts can be assigned to a configuration profile by Asset Tag or explicitly by

name.

BEST PRACTICE: Rely on Asset Tags to assign hosts.

If a deployed agent does not meet the host assignment criteria for any of your
configuration profiles, the "default" configuration profile will be used.

81
 Activation Key Tag Strategy

• BEST PRACTICE:
Assign “static”
tags to agent
Activation Keys
and use them to
ensure agent
hosts receive
their
appropriate
performance
settings,
patching
licenses, and
patch job
assignments
70 Qualys, Inc. Corporate Presentation

BEST PRACTICE: Use this strategy to assign agent host assets to their appropriate
profiles, licenses, and jobs (at the time of agent deployment):

Assign a “static” tag to each agent Activation Key to easily locate the agent hosts it
deploys. You can then use the same “static” tag to assign these hosts to their
Configuration Profile.

82
 Configuration Profile: Agent Scan Merge

Qualys, Inc. Corporate Presentation

This topic covers the ”Agent Scan Merge" option in the configuration profile.

83
 Remote Only QIDs

§ A Qualys Scanner’s
“remote” perspective is
required to detect “Remote
Only” QIDs
§ Perform supplemental scans
for agent hosts that are
impacted by “Remote Only”
QIDs
§ These hosts will have both
SCAN data and AGENT data

71 Qualys, Inc. Corporate Presentation

Supplemental scans (using a Qualys Scanner Appliance) may be performed on agent

hosts, to provide coverage for “Remote Only” QIDs.

84
Qualys Scanner Appliances produce SCAN data. Qualys Agents produce AGENT
data. When a Qualys Scanner is used to scan a host that already has a Qualys
Agent installed, both SCAN data and AGENT data records are collected and
stored.

SCAN data and AGENT data can be successfully merged, when both types of
records contain a common field or attribute. The Agent Correlation Identifier
provides this common attribute.

When Agent Scan Merge is enabled in a Configuration Profile, the Agent

Correlation Identifier is exposed on TCP ports 10001-10005. By default, the
lowest available port number will be used. Use the “Bind All” option to bind on
all five ports simultaneously.

Configure “On Premise Detection” to expose the Agent Correlation Identifier

only on a trusted network. An IP address range configured to: 0.0.0.0/0 enables
this feature for all agent hosts.

Once Agent Scan Merge is enabled, the ‘agentid-service’ can be viewed from
Windows Task Manager or within a Unix/Linux process list. Use the netstat
command to view its assigned port number(s).

85
85
Once the Agent Correlation Identifier is accepted, within the “Asset Tracking
and Data Merging Setup” options (in Qualys VM or VMDR), Qualys Scanners will
attempt to read the Agent Correlation Identifier from agent hosts.

AGENT data and SCAN data can be successfully merged using the Agent
Correlation Identifier attribute.

86
86
 Configuration Profile: Agent Data Collection

Qualys, Inc. Corporate Presentation

This topic covers the Data Collection Intervals setting in the configuration profile for
VM, PC and SCA.

87
 Interval vs. Event-Driven Data Collection

§ VM, PC, and SCA collect data at configured

intervals.
§ FIM and EDR capture host events as they
occur.
§ Patch assessment scan intervals are
configured within the PM application.

74 Qualys, Inc. Corporate Presentation

The remaining options, allow you to customize the data collection methods used by
agent hosts. Some Qualys applications collect data at user-defined intervals and
other applications capture events as they occur on the host.

Focusing on data collection allows the agent to remain relatively lightweight, while
sending the collected data to the Qualys platform for assessment and enrichment.

VM, PC, and SCA provide user-defined intervals for data collection, while FIM and EDR
use event-driven techniques. Although Patch Management (PM) provides user-
defined intervals for its patch assessment scans, this setting must be configured
within the PM application.

88
 Scan Intervals

• Data Collection Interval setting specifies the frequency of VM, PC and other scans
• At each interval agents perform assigned tasks and collect host metadata (as
specified in the application manifest(s)
• To complete each interval, collected data is transferred to the Qualys Platform for
processing
• NOTE: The countdown to the very next interval will begin as soon as the data
transfer and post-processing steps have been completed

75 Qualys, Inc. Corporate Presentation

The Cloud Agent operates together with the Qualys platform to optimize the
discovery, classification, and reporting for asset inventory, vulnerability management,
policy compliance, file integrity monitoring and Endpoint Detection and Response.

The agent uses a lightweight data collection mechanism to simply capture metadata
about the operating system and installed applications and sends this data to the
platform for analysis and reporting. In this way, the agent does not perform any
analysis on the system but is simply a conduit to capture the relevant information in
an optimized lightweight manner for the platform to process. So, the actual
vulnerability, compliance and other evaluations happen in the cloud.

The agent executes a data collection, called a “snapshot”, the first time after
installation for collecting Asset Inventory data. It will also do so for each activated
module. This happens every 4 hours by default for Vulnerability Management and
Policy Compliance.

Again, agents know what data to collect from the manifests they receive from the
Qualys platform. The agent stores the results from the data collection locally on the
system. If let’s say the Policy Compliance module is activated after the initial agent
installation, the agent will perform the initial snapshot when that module is activated.

Subsequent data collections performed by the agent are compared to a local copy of

89
the previous collections and only changed information, called “deltas”, are uploaded
from the agent to the platform, i.e. The agent does not re-transmit data that hasn’t
changed on the asset.

NOTE: The countdown to the very next interval will begin as soon as the data transfer
and post-processing steps have been completed. The countdown to the next interval
begins at the END of the previous interval (i.e., it does NOT begin at the START of the
previous interval).

89
 On-demand Scan

Qualys, Inc. Corporate Presentation

This topic covers the on-demand scan feature which provides the flexibility to initiate
a scan without waiting for the next scheduled scan.

90
 On-Demand Scan

• USE-CASE: You are using a third-party patching tool and you want to
validate successful vulnerability patches, immediately

• Can be launched from

• Host system
• Qualys Platform

76 Qualys, Inc. Corporate Presentation

For example, if you’re using a third-party patching tool and you want to validate
successful vulnerability patching immediately, you can use the on-demand scan
feature to do such a validation without having to wait for the scheduled scan.
Scan on Demand is a single use execution that is initiated manually on the host itself,
using locally or remotely executed scripts or GPO, or from software distribution tools
at the end of a patch deployment job.

Note that this type of scan will work if the agent is not already scanning.

There are 2 ways of launching on-demand scans:

You can initiate it from the host system or from the Cloud Agent User Interface.

91
 On-Demand Scan

§ Manually perform VM, PC, SCA, UDC, and inventory scans on

Windows and Linux agent hosts
§ Application module must be activated and its associated
manifest must be downloaded, prior to performing an “on-
demand” scan
§ A successful “on-demand” scan will reset the countdown to
the next scan interval

77 Qualys, Inc. Corporate Presentation

The target application module must be activated and its associated manifest must be
downloaded, prior to performing an “on-demand” scan.

The On Demand Scan runs independently of the interval scan that you configure in
the Configuration Profile and will reset the scan interval on the local agent after a
successful scan.

92
 Launch On-Demand Scan from Agent Host
§ On-demand scans for Windows are configured in the Windows Registry

§ On-demand scans for Linux are executed from the command line

78 Qualys, Inc. Corporate Presentation

First, let’s see how we can launch an on-demand scan from the host system:

For Windows, this is configured in the Windows Registry under

HKEY_LOCAL_MACHINE\SOFTWARE|QUALYS\QualysAgent\ScanOnDemand.
Set the ‘Scan on Demand’ registry value to ‘1’ to launch the scan immediately.

You can also use the ‘ScanOnStartup’ registry key to initiate an on-demand scan
whenever the host starts up. Simply, set this registry key value to 1 and the on-
demand scan will start every time the host starts or restarts.

On-demand scans for Linux are executed from the command line using the
cloudagentctl script.
The same command can be used on Mac Operating Systems as well.

Please see the lab tutorial supplement for this course for more examples and details
for running on-demand scans for Windows and Linux.

93
 On-Demand Scan from Cloud Agent Module

• On-demand scans can now be

initiated from the Cloud Agent User
Interface

• Can be launched for individual Agent

hosts or in bulk
• Limited to 1000 concurrent on-
demand scans and 15000 scans per
day

79 Qualys, Inc. Corporate Presentation

The on-demand scan feature helps you with the flexibility to initiate a scan without
waiting for the next scheduled scan. You can now initiate the on-demand scan using
the Cloud Agent User Interface, in addition to the defined interval scans.

This can be launched for individual Agent hosts or for multiple hosts in bulk.

Currently, you can initiate 1000 on-demand scans concurrently for each subscription.
And you can send a maximum of 15000 on-demand scan requests per day.

To launch this scan using the Cloud Agent module:

1. In the Cloud Agent, navigate to the Agents tab.
2. In the Agents tab, click the agent row > On Demand Scan from the Quick Actions
menu.

94
 Launch On-Demand Scan from Cloud Agent Module
• Following on-demand scans can
be initiated from the Cloud
Agent module:
o Inventory
o Vulnerability Scan
o Policy Compliance Scan
o UDC Scan
o SCA Scan
• Selected scan type must be
activated for the agent host
• Select the checkbox to use CPU
throttle limits from the
Configuration Profile assigned to
the agent host
80 Qualys, Inc. Corporate Presentation

Using this feature, you can initiate VM, PC, Inventory, UDC, and SCA scans. The
modules required for the selected scan type must be activated for the agent host.

By default, Cloud Agent for Windows uses a throttle value of 100, and Cloud Agent for
Linux uses a value of 0 (no throttling).
If you want to use the values in the configuration profile, select the Use CPU Throttle
limits set in the respective Configuration Profile for agents check box.

Note: This feature is supported only on Windows and Linux and will be available only
when the Windows and Linux agent binaries with on-demand scan support will be
available.
Supported agent versions are :
Windows Agent 5.0.1 or greater
Linux Agent 5.6 or greater
(Above Agent Versions are not GA yet)

Please consult the Cloud Agent Platform Support Matrix, Features by Agent Version
section for up-to-date information on supported agents.

95
 Lab Tutorial 7

Launch On-Demand Scan (pg. 34)

10 min.

81 Qualys, Inc. Corporate Presentation

1. Launch on-demand scan for a windows host by changing the registry key
2. Launch on-demand scan for another host from the Cloud agent UI

96
 Scan Delay and Scan Randomization

Qualys, Inc. Corporate Presentation

This topic covers the use cases for the scan delay and scan randomization settings
that are a part of the VM/PC data collection interval.

97
 Multiple Cloud Agent Network Challenges

• Whenever new Cloud Agents are deployed, all the agents trying to
communicate with the QCP at the same time can be taxing on the network
• New Manifests come out and the same need to be transferred at the same
time for all Cloud Agents deployed in a network
• Agents are also responsible for data collection which they are doing all at
the same time
• Post blackout windows, the agent assets would all start processing at the
same time

82 Qualys, Inc. Corporate Presentation

This slide outlines the impact of agent communication on network resources in the
absence of any way to stagger this communication.

98
 CA communication without Scan Delay and Scan
Randomization(1/4)
Scan Interval 4 hours

Qualys Cloud Platform

Corporate Environment

Network Bandwidth Usage=Bandwidth utilization per agent *no of agents

83 Qualys, Inc. Corporate Presentation

1. As you can see here, all the agents are trying to communicate with the platform
at the same, time, this can be taxing on your network and your firewalls
2. Sample bandwidth utilization 2mb/agent * no of agents
3. Network Bandwidth Usage=Bandwidth utilization per agent *no of agents

99
 Scan Delay and Scan Randomization(2/4)
• Scan Delay: The time added to the start of scanning, both for new installs and for
interval scanning. Value of 0 (zero) means no delay added.

• Scan Randomize: The range of randomization added to Scan Delay to offset

scanning. For example, if the randomization range is 60 minutes, then a random
number between 1 and 60 is calculated and used to delay the start of the next
scanning interval. Value of 0 (zero) means no randomization will occur.

84 Qualys, Inc. Corporate Presentation

Scan Delay and Scan Randomize values can be configured to make sure that agents
don’t collect and send data to the Qualys platform all at the same time during delta
uploads. It is a means to stagger agent communication with the Qualys platform, so
that impact on the network is reduced. This can also help avoid excessive disk I/O on
VDI assets when all of them share the same underlying infra or for preventing agent
hosts that are coming out of blackout windows from starting a scan and delta upload
all at the same time, and in other similar scenarios.

Additional Use cases for this:

Elastic cloud when 1000s of assets are deployed at the same time
When new manifests come out, especially for remote office locations and slow links
When new agent installer versions come out

100
 Scan Delay (3/4)
Scan Interval 4 hours
T= Scan Interval Scan Delay 20 mins
TCA = Time when agent sends data to QCP
Scan Randomization 0

TCA = T +20

Qualys Cloud Platform

Corporate Environment

Network Bandwidth Usage=Bandwidth utilization per agent *no of agents

85 Qualys, Inc. Corporate Presentation

T would be the time when agent is restarted, or agent host is restarted, instead of
downloading manifest immediately, there is delay.

101
 Scan Randomization(4/4)
T= Scan Interval Scan Interval 4 hours
TCA = Time when agent sends data to QCP Scan Delay 20 mins
Scan Randomization 30 mins

TCA = T + 20 +12
Randomize= 12 min
TCA = T + 20

Randomize= 5 min Qualys Cloud Platform

TCA = T + 20 +5
Corporate Environment

Network Bandwidth Usage= Bandwidth requirement of single agent

86 Qualys, Inc. Corporate Presentation

1. With scan delay and scan randomization, you can now control the effect that the
agents have on your network resources, and not send all their data, at the same
time.
2. Here the network bandwith will be /3
3. So if we put sample values of scan delay=20 mins and Randomize any value
between 1-30, this is a sample of how we will be able to stagger the
communication between the agents and the Platform. The delay interval is
applied to all the agents and the randomize value is a means to stagger
communication between 2 consecutive agents communicating with the platform.
4. Scan data is being sent, here also we need to set t, t will be scan interval . Time
when agent will send data toTCA= scan interval(T) +delay+randomize

102
 Event-Driven Data Collection

• Events are captured and logged as they

occur for FIM and EDR

• Event log payloads are transferred to the

Qualys Platform at frequent intervals

87 Qualys, Inc. Corporate Presentation

Kernel drivers allow agents to collect event data for FIM, EDR and XDR, as the events
occur on the agent host. The “Payload Threshold Time” setting specifies the
frequency of event log transmissions to the Qualys Platform.

103
 Data Collection Summary

Data Collection Intervals

• VM, PC, and SCA scans are performed every 4 hours to every 30 days
• Inventory scans are performed daily
• Patch assessment scans (configured in the PM application) are performed every 4 hours to
every 30 days

On-Demand Scans
• Perform “on-demand” VM, PC, SCA, UDC, and inventory scans on Windows and Linux agent
hosts
Event-Driven Data Collection
• Events are captured and logged as they happen for FIM, EDR and XDR
• Logged events are transferred to the Qualys Platform at frequent intervals (i.e., Payload
Threshold Time

88 Qualys, Inc. Corporate Presentation

This slide provides a summary of the various agent data collection methods.

Agent data collection methods are dependent on the Qualys application module.

104
 Manifest Download

Qualys, Inc. Corporate Presentation

This section covers the next agent lifecycle stage: Manifest Download.

105
 Application Manifests

§ A “manifest” identifies the tasks to be performed and data to be collected

by the agent
§ Qualys Application Modules have their own separate manifests
§ When a new application module is activated for an agent host, the agent
receives a new manifest and data collection begins
§ Application modules frequently send updated manifests to agents
• Example: New QIDs added the the Qualys Knowledgebase may require additional data
collection
• Data collection will also begin following the download of an updated manifest

89 Qualys, Inc. Corporate Presentation

A manifest identifies the metadata an agent will collect from its host for a given
application. Qualys Application Modules have their own separate manifests.

When a new application module is activated for an agent host, the agent receives a
new manifest and data collection begins. Data collection also begins after an agent
receives an updated manifest.

Manifests get updated regularly, especially in the case of VM where Qualys is

continually adding new vulnerability signatures to our KnowledgeBase.

106
 Manifest Type Description Data Collection
Inventory Collects asset inventory such as hardware, Daily Intervals
software, active services, etc...
Vulnerability Collects data defined by QIDs in the Qualys User-Defined Intervals (240 -
Vulnerability KnowledgeBase. 43200 min.)
PolicyCompliance Collects System Defined Control (SDC) datapoints User-Defined Intervals (240 -
defined in the PC Control Library. 43200 min.)
UDC Collects User Defined Control (UDC) datapoints 4 hour intervals
defined in the PC Control Library.
SCA Collects compliance datapoints defined in CIS User-Defined Intervals (240 -
Policy Controls. 43200 min.)
AutoDiscovery Automatically discovers host middleware 1 hour interval
technologies.
MiddlewarePC Collects compliance datapoints for host 4+ hour intervals
middleware assessments.
FIM Collects events for targeted file and directory Event-Driven (Payload
changes and modifications. threshold time 30 - 1800 sec.)
EDR Collects events for targeted processes, process Event-Driven (Payload
mutex, registry keys, and suspect file locations. threshold time 30 - 1800 sec.)

90 Qualys, Inc. Corporate Presentation

This table provides a summary of manifest types along with their respective data
collection methods.
Inventory data is collected daily, Vulnerability and compliance data every 4 hours by
default, and FIM ,EDR data on an event-driven basis.

107
 Agent – Platform Synchronization

Qualys, Inc. Corporate Presentation

This section covers the next agent lifecycle stage: Agent - Platform Synchronization.

108
 Host Snapshot Synchronization

• Both Cloud Agent and the Qualys Cloud Platform maintain a copy of the
host snapshot

• Delta processing includes integrity checks to ensure the snapshot on the

host matches the snapshot in the Qualys Platform
• If integrity check fails, the agent will automatically re-synchronize with the
Qualys Platform

• Digital signatures are used to validate communications between agent

and platform

91 Qualys, Inc. Corporate Presentation

The delta processing feature of the Cloud Agent includes a synchronization

mechanism that guarantees that local snapshot files and the data processed by the
platform are the same.

If the integrity check fails on either side, the agent will re-synchronize automatically,
i.e. Both the agent and the platform will delete existing snapshot data and start as if
it’s a newly provisioned agent.

Note that Digital signatures are used to validate communications between agent and
the platform.

109
 Activate, Deactivate & Uninstall Agents

Qualys, Inc. Corporate Presentation

In this section, we will discuss how to activate, deactivate and uninstall agents for
different applications.

110
 Activate Application Modules

• Deploy Cloud Agent

Activation Key with
module(s) already
enabled

OR
• Activate module(s) from agent host’s
“Quick Actions” menu (for agents that
have already been deployed)

92 Qualys, Inc. Corporate Presentation

Qualys application modules (selected within an agent Activation Key) are activated at
the time of agent deployment. Application modules can also be activated from the
“Quick Actions” Menu of any agent hosts.

111
 Lab Tutorial 8

Activate, Deactivate & Uninstall Agents (pg. 37)

10 min.

93 Qualys, Inc. Corporate Presentation

1. Deactivate the PC application module for an agent host

2. From the “Agents” tab, uninstall agents from three hosts, using the “Actions”
button in the Cloud Agent UI

If you didn’t activate your agents at the time of key creation, it can be done after
deployment. Remember, activation of the agent is required if you want it to collect
data for a particular application. This is what counts against the number of licenses
you purchased.

112
 Deactivate Application Module

§ Deactivate individual
application modules
for agent host assets

94 Qualys, Inc. Corporate Presentation

You can also deactivate agents. You can do so in bulk by using the actions menu, or
you can do so individually by using the quick actions menu. When you deactivate an
agent, you are saying, “I no longer want my agent on this host to collect data for a
particular application, such as Vulnerability management, or policy Compliance.” This
will free up a license you purchased for that application.

You can also activate or deactivate for FIM, EDR, XDR and/or Patch Management.

113
 Uninstall And Purge
Approaches:
1. Uninstall agents using the “Uninstall Agent” action in the
Qualys UI or using API
• Automatically purges VM and PC data

2. Uninstall agent from the local host

• Performed from command prompt or terminal window on the
host
• VM and PC data must be purged manually

3. Uninstall and purge agents automatically

• Performed using Purge Rules that are configured under Global
AssetView/CyberSecurity Asset Management

95 Qualys, Inc. Corporate Presentation

Agents can be manually uninstalled using either “Uninstall Agent” action in the Cloud
Agent user interface or through the Cloud Agent API. You can uninstall agents from
the Qualys user interface individually or in bulk.
This will trigger an uninstallation command for the agent to pick up on the next Status
Interval request, if the agent is still running and removes the agent license from any
assigned modules, thereby freeing up a license to be used for other systems. Any
asset inventory, vulnerability, or policy compliance data is purged from the platform.
Cloud agents must be uninstalled using this method to ensure appropriate data clean-
up measures are performed.

Agents uninstalled using the local OS uninstaller will remove the agent locally on that
system but will not free up that agent’s license nor purge the results as the platform
will not know that the agent was uninstalled. Any asset inventory, vulnerability, or
policy compliance data is retained in the platform, i.e. agent data will not be removed
during a local uninstallation. Administrators will need to uninstall the agent from the
Cloud Agent UI or API to free up the license and purge the data.

Agents can also be uninstalled and purged automatically using Purge Rules configured
under the Global AssetView or CyberSecurity Asset Management application. The
rules can be based on time-related and cloud-provider metadata. More on Purge
Rules will be covered later.

114
 Bulk Agent Updates

Qualys, Inc. Corporate Presentation

The objective of this section is to understand the different options for updating
agents in bulk.

115
 Actions Button

§ Within the Cloud Agent

application, select multiple
Perform actions on agent hosts and use the
multiple agent hosts “Actions” button to perform
tasks in bulk
§ Execute queries to help filter
agents for selection

96 Qualys, Inc. Corporate Presentation

Select multiple agent hosts from the Cloud Agent UI and then use the “Actions”
button to perform updates in bulk.

116
 Edit Activation Key

§ Add or remove application

module(s) and choose
“Update for all agents”

§ This method covers present

as well as future agent
deployments

97 Qualys, Inc. Corporate Presentation

Adding and removing application modules can be performed for all existing agents
using their associated Activation Key. Simply select the “Apply Changes to all existing
agents” option. Future agent deployments will receive the updated module
configuration.

117
 Cloud Agent API
Uninstall Agents

98 Qualys, Inc. Corporate Presentation

Agents can be uninstalled in bulk using the Cloud Agent API.

118
 Agent Purge Rules
Qualys Global AssetView/CSAM

§ Purge rules run daily

§ Create rules to
automatically purge
agent host assets from
your account by:
• lastActivity
• lastCheckedIn
• activatedForModule
• agentActivationKey
• agentVersion
• configurationProfile

99 Qualys, Inc. Corporate Presentation

Asset Purge Rules (provided in Global AssetView/CSAM application) will remove

agent assets from your account, based upon various agent statuses and
configurations:

• lastActivity
• lastCheckedIn
• activatedForModule
• agentActivationKey
• agentVersion
• configurationProfile

You can configure purge rules for cloud agent assets (assets in public cloud using
cloud provider metadata or otherwise).

Please refer to the cloud agent video library for more details on how to configure
purging for agent hosts:
https://www.qualys.com/training/library/cloud-agent/

Note: This feature is not enabled by default. Please contact your Qualys TAM/Support
for further assistance.

119
 Last Reminders
Certification Exam
• Multiple choice questions
• Answer 70% of the questions correctly to receive a passing score
• Please consult the Cloud Agent presentation slides and lab tutorial supplement to help you answer the
exam questions

Trial Account
https://www.qualys.com/free-trial/

102 Qualys, Inc. Corporate Presentation

You can enrol for the Cloud Agent Examination to get certified.

You can request a free Qualys limited trial account by submitting a request on this link
https://www.qualys.com/free-trial/

120
 Thank You

[email protected]

Qualys, Inc. Corporate Presentation

Thank you for completing the Qualys Cloud Agent training.

121