Anti-Virus and HIPS Exclusions

If you have Anti-Virus, EDR, or HIPS installed on your agent host it might conflict with the Cloud Agent functions. To avoid this conflict, exclude the following files, directories, and processes from all security software installed on the agent host.

Agent processes

• QualysAgent.exe - this is the Qualys endpoint service.
• QualysCloudAgent.exe - Non-MSI installer needs access to disk and registry locations (see below).
• uninstall.exe - this is the Qualys endpoint service uninstaller - needs r/w/d access to the following disk and registry locations.
• QualysSPConfig.exe - Qualys Cloud Agent Self Protection Configuration Utility. This is used to disable the self-protection.
• QualysProxy.exe - Qualys Proxy Configuration Tool. Used to configure proxy settings to Qualys Cloud Agent.
• QualysAgentUI.exe – Executable used to show Patch Management Prompts/UI.
• STDeploy.exe - Executable required for proper functioning Windows server patches.
• QualysMitigation.exe - Executable used to reduce or eliminate the risk of a vulnerability being exploited.
• Processes under Program Files\Qualys\QualysAgent allow the Qualys FIM driver to load and unload if Qualys FIM is activated on the agent.

Executables and Processes

• Various Patch Management executable: %ProgramData%\Qualys\QualysAgent\PatchManagement\Resources\.
• Driver Management Utilities: %ProgramFiles%\Qualys\QualysAgent\EDR\.
• Agent Scan Merge executable: %ProgramData%\Qualys\SandboxRO\agentid-service.exe.
• XDR executable for 64-bit agent host-%ProgramData%\Qualys\QualysAgent\ LogCollector\Resources\qualys-beat_x86_64.exe.
• XDR executable for 32-bit agent host-%ProgramData%\Qualys\QualysAgent\ LogCollector\Resources\qualys-beat_x86.exe.
• Scanner executable for Software Composition Analysis: %ProgramData%\Qualys\QualysAgent\SwCA\Resources\SwCAScanner.exe.
• Cloud Agent Passive Sensor: %ProgramData%\Qualys\QualysAgent\QCAPS\Resources\qcaps.exe.
• Qualys Cloud Agent Mitigation engine: %ProgramData%\Qualys\QualysAgent\MitigationManagement\Engine\QualysMitigation.exe.

File

• Directory for Cloud Agent installation and uninstallation: %ProgramData%_QualysAgentInstaller

  Ensure that you add the %ProgramData%_QualysAgentInstaller to the exclusion criterion to prevent Cloud Agent installation and uninstallation failure.

• Directory to read/write/create/delete files: %ProgramData%\Qualys\QualysAgent.
• Directory for service and uninstall: %ProgramFiles%\Qualys\QualysAgent.
• Directory for Patch Staging: C:\Windows\TEMP\Qualys\Staging
• Directory for Patches: C:\Windows\ProPatches
• Directory for Patch Installation: C:\Windows\ProPatches\Installation
• Directory for storing patch data: C:\ProgramData\Qualys\Staging

 The service creates processes; hence, ensure that AV, EDR, and HIPS unblock this action. This path is the same for both x86 and x64-bit systems.

Registry

• Registry to install service set up on the system: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QualysAgent.
• Registry for breadcrumbs information: HKEY_LOCAL_MACHINE\SOFTWARE\Qualys -
• In this registry breadcrumb information is stored to merge Cloud Agent and appliance scanner results. The agent must create/read/write/delete access as setup needs to create the key and uninstall needs to delete the key.
• Registry to install drivers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qmon
• The Cloud Agent installs  FIM, Cloud Agent Self-protection, or EDR drivers in this registry.
• Registry to install EDR drivers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qnetmon.

QualysAgent.exe

QualysAgent.exe performs following actions:

• It calls CreateProcess to launch external processes as needed.
• Calls CoCreateInstance to instantiate COM objects.
• Creates/Reads/Writes/Deletes files out of its ProgramData directory.
• Creates/Reads/Writes/Deletes from the hklm\software\qualys registry key.
• Enumerates and reads from all file and registry locations.