Custom Mitigation QID Scripts 

The Mitigation QID Script is used to apply a temporary or permanent fix for a vulnerability. This feature is beneficial in case of zero-day vulnerabilities, where mitigation logic evolves rapidly. It allows you to quickly reduce risk without waiting for a patch.

Using Custom Mitigation QID Scripts, you can:

• Quickly deploy tailored responses to reduce risk exposure.
• Verify that mitigation is applied and is in effect.
• Safely restore the system to its default state once the patch becomes available.

Custom Mitigation QID scripts are created, edited, cloned, exported, and deprecated within CAR, which serves only as a storage repository for these scripts. Execution of these scripts is performed from the TruRisk™ Eliminate application.

Detection and Rollback Scripts for Mitigation

To ensure that a mitigation has been successfully applied and to support a rollback, you can include the following scripts as part of the mitigation logic while creating the custom Mitigation script:

• Detection Script: Verifies whether the Mitigation has been applied and, if not, automatically applies the mitigation.
• Rollback Script: Undo the mitigation. Rollback is applicable only if the mitigation is effective.

Both mitigation and rollback scripts execute the detection logic to validate the mitigation state.

Implication and Impact Factor of Mitigation

Each mitigation includes an Implication and an Impact Factor to describe the nature and extent of its effect on a vulnerability.

Implication:
The implication indicates whether the applied mitigation is Temporary or Permanent.

• Temporary: The vulnerability is temporarily reduced.
• Permanent: The vulnerability is permanently fixed.

Impact Factor:
The Impact Factor is a numerical value that represents the effect of the mitigation on the vulnerability. A higher Impact Factor results in a lower QDS after mitigation.

Based on the implication, you can define the impact factor for temporary and permanent mitigation:

• Temporary: The impact factor value is between 1 and 99.
• Permanent: The impact factor value is 100, indicating the vulnerability is permanently fixed.

Create Custom Mitigation QID Scripts

Let us understand the custom mitigation by considering an example QID 92142.

To create a Custom Mitigation QID script, follow these steps:

1. Navigate to Scripts > Scripts > Create > New Script.

   

   The Create New Script page is displayed. 

2. Enter a Name and Description for the script.

   

3. Click Next to view the Script Details page.
4. Select the Type of Script as Mitigation QID.
5. Select Platform (Windows or Linux).
6. Complete the Mitigation QID Details:

   Refer to the table below for mitigation details.

   Fields	Description
   QID Number	Provide a QID number.
   QID Severity	It is a QID Severity. You can select from values 1 (minimum) to 5 (urgent).
   Implication	Select the Implication value as Temporary or Permanent. For more information on implication, refer to Implication of Mitigation.
   Impact Factor	Provide a value to determine the level of risk reduction to be achieved after applying the mitigation. This factor is based on the Implication: Temporary: The impact factor value should be between 1 and 99. Permanent: The impact factor value is 100, indicating the risk of the vulnerability is permanently fixed. For more information on the impact factor, refer to Impact of Mitigation.
   CVE IDs	Provide CVE IDs associated with the QID.

   

7. Select the Scripting Language from the list in which you want to write the script.

   The list of supported scripting languages for Windows and Linux is as follows: 

   Platform	Supported Scripting Language
   Windows	PowerShell-Script
   Linux	Shell

8. Specify the Timeout Limit in seconds, minutes, or hours.

9. The Timeout Limit lets you define how long a script must be in execution.

   The Timeout Limit for all Windows and Linux assets ranges from one second to 48 hours. The default value is 300 seconds.

   

10. Provide the following scripts by entering the script manually or uploading the script from your local machine.

    You can define the Detection and Rollback scripts in case of temporary mitigation. For permanent mitigation, you can only define the Rollback script.

    • Mitigation Script:
      Provide the script to apply a temporary or permanent fix for a vulnerability.

      

      Example Mitigation ScriptExample Mitigation Script

      # Sample mitigation script to disable macros from running in files downloaded from the Internet (MS Project)
      $RegPath  = "HKCU:\Software\Microsoft\Office\16.0\Project\Security"
      $ValueName = "BlockContentExecutionFromInternet"
      $DesiredValue = 1
      if (-not (Test-Path $RegPath)) {
          New-Item -Path $RegPath -Force | Out-Null
      }
      New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $DesiredValue -Force | Out-Null
      Write-Host "Macros from Internet are now blocked for MS Project"
      exit 0
      

    • Detection Script:
      Provide the script to verify whether the mitigation has been successfully applied and, if not, automatically applies the mitigation.

      

      Example Detection ScriptExample Detection Script

      # Sample Detection script to check if the value is set to 1 or not
      $RegPath  = "HKCU:\Software\Microsoft\Office\16.0\Project\Security"
      $ValueName = "BlockContentExecutionFromInternet"
      $ExpectedValue = 1
      if (-not (Test-Path $RegPath)) {
          Write-Host "Non-compliant: Registry path not found"
          exit 1
      }
      $CurrentValue = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
      if ($CurrentValue -eq $ExpectedValue) {
          Write-Host "Compliant: Macros from Internet are blocked in MS Project"
          exit 0
      }
      else {
          Write-Host "Non-compliant: Macros from Internet are allowed in MS Project"
          exit 1
      }
       
      

    • Rollback Script:
      Provide the script to define the restore state for rollback mitigation. Rollback is applicable only if the mitigation is effective.

      

      Example Rollback ScriptExample Rollback Script

      # Sample rollback mitigation script to rollback value to 0
      $RegPath  = "HKCU:\Software\Microsoft\Office\16.0\Project\Security"
      $ValueName = "BlockContentExecutionFromInternet"
      $RollbackValue = 0
      if (-not (Test-Path $RegPath)) {
          Write-Host "Registry path not found, nothing to rollback"
          exit 0
      }
      Set-ItemProperty -Path $RegPath -Name $ValueName -Value $RollbackValue -Type DWord
      Write-Host "Rollback complete: Macros from Internet are allowed for MS Project"
      exit 0
       
      

11. Select the Create Script in the approved state checkbox to create the script in the approved state.

    This option is available only for the manager role.

     Users with any other role must obtain script approval from an authorized user.
    For more details, refer to Qualys CAR RBAC. 

    

15. Click Next to view the Review and Confirm page.
16. Review the details and click Confirm & Save.

The Mitigation QID script is created and displayed on the Scripts tab.

Now that we have created the custom mitigation script for QID 92142, see below to understand how the QID is mitigated.

Mitigating a Vulnerability Using a Custom Mitigation Script

1. Mitigation Becomes Available in VMDR

   After the script is created in CAR, the mitigation becomes immediately available for QID 92142 in VMDR > Vulnerabilities.

   You can search for mitigable vulnerabilities using this token:

   vulnerabilities.qualysMitigable: TRUE

   

2. Initiate the Mitigation

   Click View Risk Elimination from the Quick Actions menu to initiate mitigation for QID 92142:

   

   This opens the TruRisk™ Eliminate application with the Eliminations tab selected. You can view QID 92142 on this tab.

   

3. Let's apply the Mitigation now

   Click Mitigate Now to deploy custom mitigation. The custom mitigation script will be executed on the QID 92142. For more information on creating the mitigation job, refer to Create Mitigation Job.

   

4. Vulnerability Status in VMDR

   Once the mitigation executes successfully, the vulnerability status for QID 92142 is marked as Mitigated or Partially Mitigated on the VMDR > Vulnerabilities tab. To view the list of mitigated vulnerabilities, use this token:

   vulnerabilities.mitigated: TRUE

   

5. Rollback Mitigation When a Patch is Applied

   When a patch is applied, you can undo the mitigation by following these steps:

   1.  Navigate to the VMDR > Vulnerabilities and click View Risk Elimination from the Quick Actions menu for the QID 92142.

      

      This opens the TruRisk™ Eliminate application with the Eliminations tab selected. You can view QID 92142 on this tab.

   2. Click Rollback Mitigation. For more information, refer to Create Mitigation Rollback Job.

   

Edit the Custom Mitigation QID Script

To edit the approved script, follow these steps:

1. Navigate to the Scripts tab.
2. To edit a script, select an approved QID script and click Edit on the Quick Actions menu.

   

   The Basic Information page is displayed.

3. Modify the details as required and click Next to view the Scripts Details page.

4. Modify the editable content as required.
5. Provide the Reason for Edit.
6. Click Next to view the Review and Confirm page.
7. Review the script and click Update to save the changes to the script.

Related Topics

Cloning Scripts

Exporting Scripts

Deprecating Scripts