Qualys Self-Protection Feature for Cloud Agent
The Qualys self-protection feature for Cloud Agent prevents non-trusted processes from making unwanted changes to a Cloud Agent.
The self-protection feature prevents the following:
- Uninstallation of Cloud Agent.
- Termination of Cloud Agent processes.
- Tampering with Cloud Agent files and directories - overwriting, deleting, renaming, modifying, and memory mapping.
- Tampering with Cloud Agent driver - unloading or detaching the driver.
- Tampering with Cloud Agent registry keys:
  - Overwriting, deleting, and modifying registry key values.
  - Renaming the registry key.
- Attaching a debugger to the Qualys agent service.
- Changes to the protected areas by user-defined scripts, that is, the scripts uploaded by Custom Assessment and Remediation (CAR) and Patch Management.
This feature is not enabled by default. To enable Qualys self-protection for a Cloud Agent, contact your Qualys representative.
The Qualys self-protection feature is available only for Windows 7 and later operating systems.
Disable Self-Protection
You have to disable self-protection for a Cloud Agent to access the agent data artifacts required for debugging, such as log files.
To disable self-protection for an agent, you have to generate a key. By default, the validity of a key to disable self-protection is one day (24 hours); however, you can configure it as per your requirements. You can also disable self-protection for a Cloud Agent using the troubleshoot option.
Only users with the CA Manager role can generate the key to disable self-protection for a Cloud Agent.
Steps to Disable Self-Protection for a Cloud Agent
To disable self-protection for a Cloud Agent:
- Open the Cloud Agent application.
- Navigate to Agent Management > Agents and select an installed Cloud Agent for which you want to disable self-protection.
- In the Quick Actions menu, click Disable Self Protection.
- In the Generate Key to Disable Self Protection screen, click Generate Key and follow the process to disable self-protection for that agent.
This option to disable self-protection for a Cloud Agent is available for Qualys Cloud Agent for Windows version 5 and later.
Uninstalling Cloud Agent with Self Protection
The following commands uninstall a Cloud Agent with self-protection enabled. Using these commands, you can uninstall Cloud Agent from the agent host itself.
- For .exe and .msi based agent installer package
Uninstall.exe Uninstall=True SPFKEY=<Hash Key>
- For .msi based agent installer package
Msiexec.exe /x CloudAgent_x86.msi SPFKEY=<Hash Key>
The Hash Key to disable self-protection for a Cloud Agent must be generated using the Disable Self Protection option available in the Cloud Agent UI.