Qualys Cloud Agent for Windows 6.1
February 17, 2025
New Features
With this release of Qualys Cloud Agent for Windows, we are introducing the following new features and enhancements.
Launch Anti-malware On Demand Scan
With this release, we are providing support to launch the anti-malware on-demand scan without waiting for the next scheduled scan. Earlier, only scheduled anti-malware scans were supported for Qualys Anti-malware Application (EPP).
This feature allows you to launch a custom on-demand scan right from the Endpoint Detection and Response (EDR) user interface, targeting malicious activities observed in specific files or folders.
The anti-malware on-demand scan improves the responsiveness to potential risks and ensures that malware attacks are mitigated in time.
Required application version | Endpoint Detection and Response 3.6.1 |
Retry Qualys Anti-malware Tool Installation
With this feature, you can retry the Qualys Anti-malware tool (EPP) installation from the Endpoint Detection and Response (EDR) application if the EPP installation fails. Earlier, you had to retry the installation from the Cloud Agent user interface.
Now, you no longer need to navigate between different Qualys applications to retry EPP installation. This helps you prevent system disruptions and manage threats more efficiently.
Required application version | Endpoint Detection and Response 3.6.1 |
Patch Management Enhancements
Pause/Exit/Cancel the Patch Jobs
With this release, we have introduced script-based pre-actions to cancel the ongoing patch deployment jobs. Based on the actions defined in the script, a special return code is generated to cancel the patch job. The following table shows the different return codes and their implications.
Return Code | Description |
---|---|
12 | Indicates the ongoing patch job is paused/canceled. If the pre-actions defined in the patch job script are not successful, the script runs until it reaches the timeout value. Once the script reaches the timeout value, the patch job status is marked as Paused. |
101 | Indicates that the patch job pre-actions and post-actions were skipped. |
2064 | This code shows the Cloud Agent health status. It indicates that the patch job is canceled due to a special return code. |
This feature helps you automate patch deployment jobs and better manage system resources by ensuring that patches are not deployed until all the pre-actions are successfully completed.
If the patch deployment job is stuck and you cannot run a new patch job, use the patch management reboot option to resolve the issue.
Required application version | Patch Management 3.3.0.0 |
Mitigation Enhancements
Rollback Mitigated Vulnerabilities
We have enhanced Qualys Mitigation to support rolling back applied mitigations. With the mitigation rollback job, you can roll back the fix script that was applied as a temporary fix for vulnerabilities for which patches are now available, and then deploy the patch to fix the vulnerabilities.
Example:
If you had blocked a port to protect your assets from potential risks using a mitigation job, and now wanted to deploy patches using that port, you could not do it as Qualys Mitigation had no option to revert the applied mitigation. Now, with this enhancement, you can roll back the applied mitigation as and when required.
Required application version | Mitigation 1.1.0 |
EDR Enhancements
Support for AMSI Event Exclusion Rules
Microsoft's Anti-malware Solution Interface (AMSI) tool detects non-browser-based script events. With its built-in script inspection capabilities, AMSI protects your assets from malicious software that uses script-based infiltration methods.
With this release, we have added support for defining exclusion rules for AMSI event-based detection. Using the AMSI exclusion criteria, you can limit the resource utilization of your assets through data trimming, process-based, path-based, and content-based exclusion capabilities.
Required application version | Endpoint Detection and Response 3.6.0 |
Support for Regex Values in Exclusion Rules for Kernel Detections
With this release, we have added support for using regex values while creating exclusion rules for Kernel detection. You can use the dot star (.*) quantifier while configuring the exclusion rules for Kernel detection. Folder/file paths followed by the regex value are excluded from the scan scope, so kernel detection events are not captured for them. The following examples illustrate this functionality.
Exclusion Rule | Description |
---|---|
.*/<folder1>/<folder2>/<folder3> | In this rule, a wildcard character is used at the beginning. This rule excludes kernel detection events for all the folders that have the path <folder1>/<folder2>/<folder3>/<file> from any system drive. For example, D:\<folder1>/<folder2>/<folder3>/<file> |
<drive>/<folder1>/<folder2>/ | This rule excludes kernel detection events for all the files present in folder <folder3>. Here any folder present between <Folder2> and <Folder3> also gets considered. For example, <drive>/<folder1>/<folder2>/<Any Folder>/<folder3>/<file> |
<drive>/<folder1>/<folder2> | This rule excludes kernel detection events from the <folder3> for all the files with the file type EXE. For example, abc.exe, xyz.exe |
Using regex values in EDR exclusion rules helps you easily manage the exclusion criteria and optimize resource utilization by reducing the detection count to only important and genuine ones.
Required application version | Endpoint Detection and Response 3.6.0 |
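Before deploying a kernel-detection exclusion rule, it is worth listing which paths it would actually silence. The following is an added example, not Qualys code: the rules and paths are constructed, the function names are hypothetical, and the matching semantics (only `.*` is a wildcard, matching is case-insensitive, separators are normalized, a folder rule covers everything beneath it) are assumptions that this page does not document.

```python
import re

def rule_to_regex(rule):
    """Compile a rule, treating only '.*' as a wildcard (assumed semantics)."""
    rule = rule.replace("\\", "/").rstrip("/")
    literals = [re.escape(part) for part in rule.split(".*")]
    # Assumption: a rule naming a folder also covers everything beneath it.
    return re.compile(".*".join(literals) + r"(?:/.*)?", re.IGNORECASE)

def excluded(rule, path):
    """True if the rule would suppress kernel events for this path."""
    return rule_to_regex(rule).fullmatch(path.replace("\\", "/")) is not None

def audit(rules, paths):
    """Map each rule to the sample paths it would silence."""
    return {rule: [p for p in paths if excluded(rule, p)] for rule in rules}

# Constructed rules in the style of the three table rows above.
RULES = [
    ".*/build/cache/out",         # leading wildcard: any drive, any parent
    "C:/apps/.*/logs",            # any folder(s) between apps and logs
    "C:/apps/agent/bin/.*.exe",   # EXE files under one folder
]

# Constructed sample paths, including ones the rule author may not intend.
PATHS = [
    r"D:\build\cache\out\obj.tmp",
    r"C:\Users\Public\build\cache\out\run.exe",
    r"C:\apps\web\logs\access.log",
    r"C:\apps\web\tmp\logs\drop.dll",
    r"C:\apps\agent\bin\updater.exe",
    r"C:\apps\agent\bin\updater.dll",
    r"C:\apps\agent\bin\sub\helper.exe",
    r"C:\apps\agent\bin\notes_exe",
]

if __name__ == "__main__":
    for rule, hits in audit(RULES, PATHS).items():
        print(rule)
        for p in hits:
            print("   excludes", p)
```

Under these assumptions `.*` also spans folder separators, so the first rule covers a matching folder under `C:\Users\Public` and the second and third cover nested subfolders; reviewing that list is the check to run before a rule goes live.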
Behavior Change
There are no behavior changes in this release.
Platform Coverage Support
There is no new platform coverage added in this release.
Issues Addressed
The following important and notable issues are fixed in this release.
Issue | Description |
---|---|
CRM-132773 | We had an issue where the patch jobs caused unexpected reboots if you deferred reboot action during the job execution window. We fixed this issue by prompting a manual reboot if the job execution window has elapsed and reboot action for the patch job is pending. |
CRM-132173 | We fixed an issue where the scheduled patch jobs were getting timed out due to the execution of special reboot jobs. Now we execute the special reboot jobs when no other patch jobs are running. |
CRM-129605 | We fixed an issue where the Deployment Complete notification was displayed even if no patches were installed during the patch job. Now, we have provided an option to manage notifications in the job configuration workflow. |
Known Issues, Limitations, and Workarounds
There are no known issues or limitations in this release.