Anti-Virus and HIPS Exclusions
If you have Anti-Virus, EDR, or HIPS installed on your agent host, it might conflict with the Cloud Agent functions. To avoid this conflict, exclude the following files, directories, and processes from all security software installed on the agent host.
Agent processes
- QualysAgent.exe - This is the Qualys endpoint service.
- QualysCloudAgent.exe - Non-MSI installer; needs access to disk and registry locations (see below).
- uninstall.exe - This is the Qualys endpoint service uninstaller; needs r/w/d access to the following disk and registry locations.
- QualysSPConfig.exe - Qualys Cloud Agent Self Protection Configuration Utility. This is used to disable the self-protection.
- QualysProxy.exe - Qualys Proxy Configuration Tool. Used to configure proxy settings for the Qualys Cloud Agent.
- QualysAgentUI.exe - Executable used to show Patch Management Prompts/UI.
- STDeploy.exe - Executable required for proper functioning of Windows server patches.
- QualysMitigation.exe - Executable used to reduce or eliminate the risk of a vulnerability being exploited.
- Processes under Program Files\Qualys\QualysAgent allow the Qualys FIM driver to load and unload if Qualys FIM is activated on the agent.
Executables and Processes
- Various Patch Management executables: %ProgramData%\Qualys\QualysAgent\PatchManagement\Resources\
- Driver Management Utilities: %ProgramFiles%\Qualys\QualysAgent\EDR\
- Agent Scan Merge executable: %ProgramData%\Qualys\SandboxRO\agentid-service.exe
- XDR executable for 64-bit agent host: %ProgramData%\Qualys\QualysAgent\LogCollector\Resources\qualys-beat_x86_64.exe
- XDR executable for 32-bit agent host: %ProgramData%\Qualys\QualysAgent\LogCollector\Resources\qualys-beat_x86.exe
- Scanner executable for Software Composition Analysis: %ProgramData%\Qualys\QualysAgent\SwCA\Resources\SwCAScanner.exe
- Cloud Agent Passive Sensor: %ProgramData%\Qualys\QualysAgent\QCAPS\Resources\qcaps.exe
- Qualys Cloud Agent Mitigation engine: %ProgramData%\Qualys\QualysAgent\MitigationManagement\Engine\QualysMitigation.exe
File
- Directory to read/write/create/delete files: %ProgramData%\Qualys\QualysAgent
- Directory for service and uninstall: %ProgramFiles%\Qualys\QualysAgent
- Directory for Patch Staging: C:\Windows\TEMP\Qualys\Staging
- Directory for Patches: C:\Windows\ProPatches
- Directory for Patch Installation: C:\Windows\ProPatches\Installation
- Directory for storing patch data: C:\ProgramData\Qualys\Staging

The service creates processes, so ensure that AV, EDR, and HIPS do not block this action. This path is the same for both x86 and x64 systems.
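An added example, not part of the Qualys documentation: a PowerShell check that reports any account other than SYSTEM, Administrators, or TrustedInstaller holding write access to the directories listed above, because security software stops inspecting those locations once they are excluded. The trusted-SID list and the function name `Get-ExclusionWriteFinding` are assumptions; run it elevated on the agent host.

```powershell
# Directory exclusions copied from the "File" list on this page.
$ExcludedDirs = @(
    '%ProgramData%\Qualys\QualysAgent'
    '%ProgramFiles%\Qualys\QualysAgent'
    'C:\Windows\TEMP\Qualys\Staging'
    'C:\Windows\ProPatches'
    'C:\Windows\ProPatches\Installation'
    'C:\ProgramData\Qualys\Staging'
)

# Assumption: only these principals are expected to hold write access.
$TrustedSids = @(
    'S-1-5-18'      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
    'S-1-3-0'       # CREATOR OWNER: only applies to whoever can already create objects
)

# Rights that let a principal plant or replace content, plus GENERIC_WRITE and GENERIC_ALL.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

# Hypothetical helper: emits one object per missing directory or risky ACE.
function Get-ExclusionWriteFinding {
    param([string[]]$Path = $ExcludedDirs)
    foreach ($raw in $Path) {
        $dir = [Environment]::ExpandEnvironmentVariables($raw)
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # An exclusion for a directory that does not exist is one to review.
            [pscustomobject]@{ Path = $dir; Sid = $null; Rights = $null; Finding = 'NotPresent' }
            continue
        }
        # Ask for SIDs directly so orphaned or renamed accounts are still reported.
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $WriteBits) -eq 0) { continue }
            [pscustomobject]@{
                Path    = $dir
                Sid     = $rule.IdentityReference.Value
                Rights  = $rule.FileSystemRights
                Finding = 'WritableByUntrusted'
            }
        }
    }
}

Get-ExclusionWriteFinding | Format-Table -AutoSize
```

An empty result means every listed directory exists and only the trusted principals can write to it.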
Registry
- Registry to install service set up on the system: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QualysAgent
- Registry for breadcrumbs information: HKEY_LOCAL_MACHINE\SOFTWARE\Qualys
  - Breadcrumb information is stored in this registry key to merge Cloud Agent and appliance scanner results. The agent must have create/read/write/delete access, as setup needs to create the key and uninstall needs to delete the key.
- Registry to install drivers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qmon
  - The Cloud Agent installs FIM, Cloud Agent Self-protection, or EDR drivers in this registry.
- Registry to install EDR drivers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qnetmon
QualysAgent.exe
QualysAgent.exe performs the following actions:
- Calls CreateProcess to launch external processes as needed.
- Calls CoCreateInstance to instantiate COM objects.
- Creates/Reads/Writes/Deletes files out of its ProgramData directory.
- Creates/Reads/Writes/Deletes from the hklm\software\qualys registry key.
- Enumerates and reads from all file and registry locations.