Create Custom Remediation QID Scripts
The Custom Remediation QID script enables you to execute specific actions that fix an active vulnerability in VMDR. This script allows you to implement tailored remediation steps that may not be part of standard predefined solutions.
When you run the script successfully, the associated vulnerability is resolved or fully addressed.
You can only create and store Custom Remediation QID scripts in CAR. These scripts can only be executed through the Patch Management module.
You can create a Custom Remediation QID script in any of the following ways:
- Manually enter a script
- Upload script from local machine
- Import from GitHub
To create a Custom Remediation QID script, follow these steps:
- Navigate to Scripts > Scripts > Create > New Script.
The Create New Script page is displayed.
- Enter a Name and Description for the script.
- Click Next to view the Script Details page.
- Select the Type of Script as Remediation QID.
- Select Platform (Windows or Linux).
- Complete the following Remediation QID Details:
| Fields | Description |
| --- | --- |
| QID Number | Provide a QID number. |
| QID Severity | The severity of the QID. You can select a value from 1 (minimum) to 5 (urgent). |
| Impact Factor | Provide a value to determine the impact of the script on a vulnerability. For the remediation script, the value should be 100. This indicates that the vulnerability has been completely remediated. |
| Implication | The implication indicates whether the impact of the script on a vulnerability is permanent or temporary. The Implication value for the remediation script is Permanent. The Implication field is pre-populated depending upon the selected Type of Script. |
| CVE IDs | Provide CVE IDs that are associated with a specific QID. |
| Mitigation Type | Provide a text related to the mitigation type. |

- Select the Scripting Language from the list in which you want to write the script.
The list of scripting languages for Windows and Linux is different.

| Platform | Supported Scripting Language |
| --- | --- |
| Windows | PowerShell-Command, PowerShell-Script, Python, and VBScript |
| Linux | Lua, Perl, Python, and Shell |

- Select a script Category from the list.
- Specify the Timeout Limit in seconds, minutes, or hours.
The Timeout Limit lets you define how long a script is allowed to run.
The Timeout Limit for all Windows and Linux assets ranges from one second to 48 hours. The default value is 300 seconds.
- In the Scripts section, select Enter Script and manually enter the script by typing or copy-pasting it from another source.
You also have the following options to provide the Remediation QID script:
Example Remediation Script
```powershell
# Initialize counters for the specified application installations
$Script:appCount = 0

# Set the application name and version regex to be searched
$targetAppName = "PowerShell"
$versionRegex = "^6\..*"

# Determine if the system is 64-bit or 32-bit and set the registry paths accordingly
if ([Environment]::Is64BitOperatingSystem) {
    $regPaths = @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                  "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*")
} else {
    $regPaths = @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*")
}

# Function to check if the specified application version is still present
function Check-AppPresence {
    param (
        [string]$appName,
        [string]$versionRegex
    )
    # Retrieve all applications from the uninstall registry keys
    foreach ($regPath in $regPaths) {
        $apps = Get-ChildItem -Path $regPath | Get-ItemProperty
        foreach ($app in $apps) {
            if ($app.DisplayName -match $appName -and $app.DisplayVersion -match $versionRegex) {
                return $true
            }
        }
    }
    return $false
}

# Retrieve all applications from the uninstall registry keys
$appList = foreach ($regPath in $regPaths) {
    Get-ChildItem -Path $regPath | Get-ItemProperty
}

# Iterate over each application to find the specified installations
foreach ($app in $appList) {
    $appName = $app.DisplayName
    if ($appName -match $targetAppName) {
        $appVer = $app.DisplayVersion
        if ($appVer -match $versionRegex) {
            $Script:appVersion = $appVer
            $appUninstallString = $app.UninstallString
            # Increment application counter
            $Script:appCount++
            # Check if the uninstall command uses MsiExec.exe
            if ($appUninstallString -match "MsiExec.exe") {
                # Modify the uninstall command to run silently
                $uninstallCommand = $appUninstallString -replace "MsiExec.exe", "MsiExec.exe /quiet"
                # The line that runs the uninstall is commented out in this example
                # & cmd /c $uninstallCommand
            }
            else {
                # If no suitable uninstall method is found, notify the user
                Write-Host "Unable to uninstall $appName"
                exit 1
            }
        }
    }
}

# Notify the user if no specified applications were found
if ($Script:appCount -eq 0) {
    Write-Host "$targetAppName with version matching $versionRegex not found"
    exit 0
}

# Recheck if the application with the same version is still present after uninstallation
if (Check-AppPresence -appName $targetAppName -versionRegex $versionRegex) {
    Write-Host "Uninstallation of $targetAppName $Script:appVersion failed."
    exit 1
} else {
    Write-Host "$targetAppName $Script:appVersion successfully uninstalled."
}
```
- Select the Create Script in the approved state checkbox to create the script in approved state.
This option is available only for the manager role.
The user with any other user role must get the script approved by an authorized user.
For more details, refer to Qualys CAR RBAC.
- Click Next to view the Review and Confirm page.
- Review the details and click Confirm & Save.
The Remediation QID script is created and displayed on the Scripts tab.
As CAR is used as a repository for storing the Remediation QID script, the only actions available for the script are View Details, Edit, Clone, Export Script, and Deprecate.
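
The example remediation script above builds its silent uninstall by inserting /quiet into the registry UninstallString and passing the result to cmd. As an added example (not Qualys code; the function names and sample strings are hypothetical), the following extracts the MSI product code and calls msiexec with an explicit /x, which also covers entries that register /I{GUID}. By default it only returns the command it would run.

```powershell
# Added example, not part of the Qualys documentation.
# Get-MsiProductCode and Invoke-MsiUninstall are hypothetical helper names.

# Extract the MSI product code from a registry UninstallString.
# Returns $null unless the string is an MsiExec command with exactly one GUID.
function Get-MsiProductCode {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$UninstallString)
    if ($UninstallString -notmatch '^\s*"?([^"]*\\)?msiexec(\.exe)?"?\s') { return $null }
    $guids = [regex]::Matches($UninstallString,
        '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
    if ($guids.Count -ne 1) { return $null }
    return $guids[0].Value.ToUpperInvariant()
}

# Uninstall by product code with an explicit /x, so an entry stored as
# "/I{GUID}" is not re-run as an install or repair.
# Without -Execute this is a dry run that returns the command line as text.
function Invoke-MsiUninstall {
    param([Parameter(Mandatory)][string]$ProductCode, [switch]$Execute)
    $msiArgs = @('/x', $ProductCode, '/quiet', '/norestart')
    if (-not $Execute) { return "msiexec.exe $($msiArgs -join ' ')" }
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
        -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success with reboot required, 1605 = product not installed
    if ($proc.ExitCode -in 0, 3010, 1605) { return $proc.ExitCode }
    throw "msiexec failed for $ProductCode with exit code $($proc.ExitCode)"
}

# Constructed sample UninstallString values (placeholder product codes)
$samples = @(
    'MsiExec.exe /X{11111111-2222-3333-4444-555555555555}',
    'MsiExec.exe /I{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}',
    '"C:\Program Files\App\uninstall.exe" /S'
)
foreach ($s in $samples) {
    $code = Get-MsiProductCode -UninstallString $s
    if ($code) {
        Write-Host "OK   $s -> $(Invoke-MsiUninstall -ProductCode $code)"
    } else {
        Write-Host "SKIP $s (not a plain MsiExec product-code uninstall)"
    }
}
```

Pass -Execute to Invoke-MsiUninstall only after reviewing the dry-run output; the post-uninstall presence check from the example script still applies afterwards.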
Edit Remediation QID Scripts
To modify the script, follow these steps:
- Navigate to the Scripts tab.
- To edit a script, select a Remediation QID script and click Edit on the Quick Actions menu.
The Basic Information page is displayed.
- Modify the details as required and click Next to view the Scripts Details page.
- Modify the editable content as required.
- Provide the Reason for Edit.
- Click Next to view the Review and Confirm page.
- Review the script and click Update to save the changes to the script.