Qualys Cloud Agent for Windows 5.5
March 26, 2024
New Features
Change Activation Key using Cloud Agent User Interface
With this feature, you can change the activation key for existing single or multiple agents from the Cloud Agent user interface. Earlier, you could change the activation key locally using the command line utility.
Once the new activation key is assigned:
- Applications activated with the newly assigned activation key are activated for the associated agent hosts.
- The network ID and static tags associated with the newly assigned activation key are linked to the associated agent host.
- Applications and tags associated with the earlier activation key are disassociated from the agent host.
- Applications and static tags manually activated or assigned for the earlier agent host and not associated with the earlier activation key remain activated.
Required Application Version | Qualys Cloud Platform 3.17.0.0 |
Support for Customized Logo in Patch Notifications
When the Qualys Cloud Agent is installed on the Windows assets with the Patch Management application activated, the assets receive notifications for the patch updates.
With this feature, you can customize the logo and title for these Patch Management notifications on the assets. You can use the customized logo for all assets in your subscription or select the host assets for which the customized logo and title should be used.
Required Application Version | Qualys Cloud Platform 3.17.0.0 |
Cloud Agent Enhancements
Support for Scan Delay and Randomize for SwCA Scan
With this release, you can add scan delay and randomization for SwCA scans. These parameters help spread the Cloud Agent scans over a configurable window and optimize resource consumption.
With the Scan Delay parameter, you can delay the scanning for the defined time interval. You can add randomization to the scan delay time with the Scan Randomize parameter.
These parameters are beneficial when Cloud Agents are deployed across multiple virtual machines on a single ESX host. If multiple Cloud Agents start data collection simultaneously, it may result in system overload and the freezing of the ESX host. Scan Delay and Scan Randomize for SwCA Scan help to delay and randomize the scan interval.
Required Application Version | Qualys Cloud Platform 3.17.0.0 |
Cloud Agent Health Check Tool
The Cloud Agent Local Health Check tool assesses the health of the Qualys Agent on the specific host. The tool is available with the Cloud Agent setup for the Windows platform. The tool runs independently and does not require any parameters.
The QualysAgentHealthCheck.exe file is located in the C:\ProgramFiles\QualysAgent\Qualys directory.
Use the following command to run the Qualys Agent Health Check tool: "%programfiles%\qualys\qualysagent\QualysAgentHealthCheck.exe"
Agent Health Status Evaluation
The tool assesses the overall health status of the Cloud Agent based on installation status, communication health, and application functionality. The applications assessed for health status are Vulnerability Management (VM), Policy Compliance (PC), Security Configuration Assessment (SCA), and Patch Management (PM).
- Agent communication health is evaluated based on proxy settings and connection to Qualys Server end points.
- The health of the scan-based applications is evaluated based on scan interval, upload interval, and last scan/last upload time.
- For Patch Management health, the tool initiates the patch download from specified URLs and verifies the file hash. If a patch fails to download, patch health is flagged as bad; however, if the patch is successfully downloaded but fails verification, it does not impact Patch Management health. Instead, an entry is recorded in the error section of the JSON file to indicate the failed patch verification.
Agent Health Status Output
The Agent Health Status tool provides a console output, a user-friendly text summary, and a detailed JSON report. The text report and the JSON report are generated in the HealthCheck directory, located in the same directory where the tool is executed.
The following table presents the health status and description.
Health Status | Description |
Good | Agent Health is good. |
Bad | The Agent is facing some communication issues, the Agent Service is down, or none of the applications are functioning properly. |
Poor | Some applications of the Qualys Agent are functioning correctly. |
Not Installed | Qualys Agent is not installed on the asset. |
Not Provisioned | Qualys Agent is installed but not provisioned. |
Tool Error | The Agent Health Status tool encountered a critical error while determining Agent Health. |
Example of Health Check Report
The following report shows that the overall Agent health is Poor as a result of Patch Management application health as highlighted in the report.
Example - Text Report
Example - JSON Report
Enhancements for Endpoint Detection and Response (EDR)
Hash-based Application Blocking
With this enhancement, you can prevent applications from launching by adding the SHA256 hash of that application to the block list. If you try to launch the blocked application, an incident is reported. The incident is displayed in the Incidents tab of the Endpoint Detection and Response application.
Required Application Version | Endpoint Detection and Response (EDR) 3.2.0.0 |
Support for Kernel Detections
With this release, we have added support for the following kernel detections in Endpoint Detection and Response (EDR):
- Parent Process ID (PID) spoofing: This feature protects an agent host against malicious processes hiding under clean parent processes.
- Remote thread detection: This feature protects an agent host against processes trying to inject a harmful DLL into other processes.
- Local Security Authority Subsystem Service (LSASS) open handle protection: This feature protects agent hosts against attempts on LSASS memory to access sensitive information.
Required Application Version | Endpoint Detection and Response (EDR) 3.2.0.0 |
Enhancements for File Integrity Monitoring (FIM)
Update in Event Success Status
With this enhancement, the event execution status is displayed in the File Integrity Monitoring application in the event details > Success Status field.
- If the event is executed successfully, the Success Status is displayed as yes.
- If the event fails with an Access Denied result, the Success Status is displayed as no.
Required Application Version | File Integrity Monitoring (FIM) 3.9.0.0 |
Enhancements for Patch Management
Randomization in Patch Download
With this enhancement, you can add randomization to downloading patches on the asset level while creating a deployment job. You can configure the Randomize Download Time, in which the agent attempts to download patches at random times after the job starts.
This helps spread the patch download and optimizes your network bandwidth utilization for a defined job across multiple assets.
Required Application Version | Patch Management 2.8.0.0 |
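The effect of Scan Delay and Scan Randomize for SwCA scans, and of Randomize Download Time for patch jobs, can be estimated before changing a profile. The following is an added sketch, not Qualys code: it assumes each agent waits the fixed delay plus a uniform random offset up to the randomize value, and the agent count, durations and seed are constructed sample values.

```python
import random


def start_times(agents, delay_s, randomize_s, rng):
    """Start offset (seconds after the trigger) for each agent.

    Assumption: an agent waits delay_s, then a further uniform random
    0..randomize_s. The release note does not state the distribution.
    """
    return [delay_s + rng.uniform(0, randomize_s) for _ in range(agents)]


def peak_concurrency(starts, duration_s):
    """Largest number of scans or downloads running at the same moment."""
    events = []
    for s in starts:
        events.append((s, 1))                # activity begins
        events.append((s + duration_s, -1))  # activity ends
    events.sort()  # at equal times an end (-1) sorts before a start (+1)
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak


def compare(agents=40, duration_s=300, delay_s=600, randomize_s=3600, seed=1):
    """Peak load on one host with delay only vs. delay plus randomization."""
    rng = random.Random(seed)  # fixed seed keeps the comparison repeatable
    fixed = peak_concurrency(start_times(agents, delay_s, 0, rng), duration_s)
    spread = peak_concurrency(
        start_times(agents, delay_s, randomize_s, rng), duration_s)
    return fixed, spread


if __name__ == "__main__":
    fixed, spread = compare()
    print(f"delay only: peak {fixed} concurrent; with randomize: peak {spread}")
```

A delay on its own only shifts the spike; the randomize window is what lowers the peak, so size it against the expected scan or download duration.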
Enhanced Pending Reboot Status Messages
With this release, the pending reboot messages are enhanced to indicate whether an automatic (agent-initiated) reboot or a manual reboot is required.
The Patch Management window displays the following two statuses for assets where a reboot is required:
- Pending Auto Reboot: This indicates that the system will reboot automatically after all deferrals are utilized.
- Pending Manual Reboot: This indicates that the Cloud Agent initiates system reboot after all deferrals are utilized.
Required Application Version | Patch Management 2.8.0.0 |
Enhanced Patch Installation
With this change, only one patch is installed at a time on an asset instead of sending the list of patches to Ivanti SDK. The remaining patch installers are deleted if the configured patch window has elapsed.
With this change, the defined patch time frame is honored, and patch download is not performed outside the patch window.
Required Application Version | Patch Management 2.8.0.0 |
Behavior Changes
Exponential Backoff while Cloud Agent Self-Patch Binary Download
When the self-patching is enabled, the Cloud Agent downloads the new binary after each CAPI call, depending on the availability of the new binary. If the binary download fails due to certificate issues, the Cloud Agent attempts to download the new binary after each CAPI call, resulting in a loop of downloading the binary.
With this release, if the binary download encounters an error or the installation fails, the Cloud Agent applies exponential backoff, a period during which it does not attempt the new binary download. The Cloud Agent sets the next binary download time for each download failure. The maximum backoff time is 23 hours.
The backoff is reset after the Cloud Agent self-patches successfully or after the system restart.
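The behavior change above can be modeled as a small state machine. This is an added illustration, not the agent's code: only the 23-hour cap and the reset conditions come from the release note, while the 15-minute first step, the doubling factor and the 15-minute CAPI interval are assumptions.

```python
from dataclasses import dataclass

MAX_BACKOFF_S = 23 * 3600   # from the release note: maximum backoff is 23 hours
BASE_BACKOFF_S = 15 * 60    # assumption: first backoff step (not documented)
FACTOR = 2                  # assumption: delay doubles per consecutive failure


@dataclass
class SelfPatchBackoff:
    failures: int = 0
    next_attempt_at: int = 0   # seconds; 0 means no backoff is active

    def may_attempt(self, now):
        return now >= self.next_attempt_at

    def record_failure(self, now):
        """Set the next download time after a failed download or install."""
        delay = min(BASE_BACKOFF_S * FACTOR ** self.failures, MAX_BACKOFF_S)
        self.failures += 1
        self.next_attempt_at = now + delay
        return delay

    def reset(self):
        """Called after a successful self-patch or a system restart."""
        self.failures = 0
        self.next_attempt_at = 0


def simulate(capi_interval_s, duration_s, download_ok):
    """Return the CAPI call times at which a binary download was attempted."""
    state, attempts = SelfPatchBackoff(), []
    for now in range(0, duration_s, capi_interval_s):
        if not state.may_attempt(now):
            continue            # still inside the backoff window: skip download
        attempts.append(now)
        if download_ok(now):
            state.reset()
            break               # patched; nothing left to download
        state.record_failure(now)
    return attempts


if __name__ == "__main__":
    always_fail = simulate(900, 48 * 3600, lambda now: False)
    print(f"{len(always_fail)} attempts in 48 h instead of {48 * 3600 // 900}")
```

Under these assumptions, a persistent certificate failure produces 8 download attempts in 48 hours rather than one per CAPI call (192).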
Platform Coverage Support
This release adds support for the following operating systems:
- Windows 11 23H2
- Windows Server 23H2
Issues Addressed
The following reported and notable issues have been fixed in this release:
CRM-110421 | Fixed an issue where the agent failed to read the registry setting for the TCP port and IP details required to communicate with the SQL instance. |
CRM-115522 | Fixed an issue where CloudAgentInstaller and MSI log files were not archived. |
CRM-115602 | Fixed an issue where the Cloud Agent stopped responding due to unknown characters observed during file content processing. |
CRM-119543 | An issue was observed where the Cloud Agent could not fetch the IPv4 address during the CAPI interval. As a result, public IPs were unintentionally assigned to internal assets, causing discrepancies in the vulnerability count and incorrect reports. The issue is fixed now. |
CRM-115248 | Fixed an issue where the Cloud Agent installed on Microsoft Azure assets automatically upgraded to the latest version even though auto-update is prevented by selecting the Prevent auto updating of the agent binaries option in the configuration profile. |
CRM-114371 | Fixed an issue where the Microsoft Azure portal did not display the Cloud Agent status. |
Known Limitations and Workaround
There are no reported and notable issues open in this release.