Assets

Devices or assets are the entry points for attackers, who can gain access to gather sensitive information from the assets or run malicious programs to control your organization's network. Use the Assets tab to secure your devices, such as laptops and desktops, and to monitor their system information. To ensure all your devices, servers, and networks are secure, you need options that provide robust protection for your assets.

Columns on the Assets Page

The following Assets page screenshot displays EDR Status, Anti-Malware Status, Asset Name, Criticality, System Info, and Tags columns:

Asset Page and its columns.

The following table lists the column names and their descriptions:

EDR Status: Displays one of the following EDR statuses for each asset:
  • Active: EDR is enabled and its Last Reported Time is within 24 hours.
  • Inactive: EDR is enabled and its Last Reported Time exceeds 24 hours.
  • Disabled: EDR is disabled. You can enable EDR from the Qualys Cloud Agent application.
Anti-Malware Status: Displays the anti-malware status for each asset. If the anti-malware status is disabled, you can enable it from the Qualys Cloud Agent application.
Name: Displays the asset name, the last logged-in user, and the asset hardware information.
Criticality: Lists the Criticality value of the asset.
System Info: Displays the agent information, including the agent OS, version, and creation date.
Tags: Lists the tags assigned to the asset.

Download Asset Information in CSV Format

You can download the asset information in CSV format to your local system using the Download icon. The CSV report contains Host Name, IP Addresses, Agent Version, Criticality Score, Modules, OS, Last Logged-In User, Tags, and AV Status. The following screenshot is an example of the Download Format window that opens when you click the Download icon:

Download button in Assets tab

Assets Quick Actions Menu

The Quick Actions menu in the Assets tab lets you perform common actions from the same page that can also be performed from other tabs. The available actions are View Details, View Events, View Incidents, View Anti-malware Scan Report, Connect to host, Request Forensic Data, and Quarantine Asset.

The following screenshot represents the Quick Actions menu of the Assets page:

Quick Actions Menu of the Assets page.

View Details

The View Details action in the Assets tab provides the asset details, which include the asset summary, system and network information, open ports, criticality score, and much more. Perform the following steps to view the details available in View Details:

  1. From the Assets tab, hover the mouse on any of the assets to view the Quick Actions menu.
  2. Click View Details.

    View Details option in Quick Actions drop-down of the Assets tab.

    The following screenshot is the Asset Details Summary page that lists the information about the asset:

    Asset Details page.

View Events

The View Events action in the Assets tab provides the list of events for the asset. Perform the following steps to view the details available in View Events:

  1. From the Assets tab, hover the mouse on any of the assets to view the Quick Actions menu.
  2. Select View Events. You are redirected to the Events page of the Hunting tab.

    The Events page lists all the events registered and executed on the asset. The listing of events is based on the token asset.agentId. The following screenshot lists the events and the Quick Action menu:

    Events list and Quick Actions in the Hunting tab.

View Incidents

The View Incidents action in the Assets tab provides the list of incidents for the asset. Perform the following steps to view the details available in View Incidents:

  1. From the Assets tab, hover the mouse on any of the assets to view the Quick Actions menu.
  2. Select View Incidents. You are redirected to the Incidents page of the Detection tab.

    The Incidents page lists all the incidents detected on the asset. The listing of incidents is based on the token incident.asset.agentId. The following screenshot lists the incidents and the Quick Action menu:

    Incidents page and quick actions menu.

Connect to Host

The Connect to host option in the Assets tab lets you execute Windows shell commands on the selected endpoint for investigation purposes.

Prerequisites

User Role Permissions

By default, the remote shell runs in the C drive. Use the help command to view the list of supported commands. To view the syntax and description of a specific command, use help followed by the command name. For example, to view the syntax and description of the users command, use: help users.

Each user can establish only 10 connections at a time. Contact Qualys Support if you need more information about the connection request.

Accessing Connect to Host

Perform the following steps to access Connect to host option:

  1. From the Assets tab, hover the mouse on any of the assets to view the Quick Actions menu.
  2. Click Connect to host.

    Connect to host option in Quick Actions menu of Assets tab.

    The command prompt takes a few minutes to establish the host connection. If the remote shell fails to connect after three consecutive attempts within 10 minutes, your access is blocked for 10 minutes. In that case, a message notifies you: Agent is not reachable. Please try after some time.

  3. Once the remote shell is connected, it lists the supported commands. Type the command in the Enter command window and click Run to execute it.

    In the following screenshot, we used the users command as an example:

    Remote shell window, when user clicks Connect to host from the Quick Actions menu

  4. Click the download button in the shell prompt to download the logs.

  5. Click End Session to close the Remote shell window. 

    If there has been no activity for 5 minutes, a confirmation message is displayed. Click Yes to stay connected.

Request Forensic Data

The Request Forensic Data feature allows you to perform forensic analysis of an incident and perform the necessary response action.

Prerequisites

You can send up to 10 requests to generate forensic data at a time.

Request Forensic Data from Assets tab

To request Forensic Data for a specific asset, perform the following steps on the Assets tab:

  1. Hover the mouse on the required event and click the drop-down icon.

  2. From the Quick Actions menu, click Request Forensic Data. A notification message confirms the request has been submitted. 

    Request Forensic Data option in Quick Actions menu in Assets tab.

  3. Click the Forensics tab to monitor the asset's requested forensic data status.

    Once the request is complete, the Status column displays the result as Success. You can Download, View Asset Details, or Delete the instances from the Quick Actions menu of the Status column in the Forensics tab.

    The data for all successful requests is downloaded as a .7z archive to your local system. The downloaded archive contains the output files of each script that ran on the Agent. For more information about the scripts executed on the Agent, see Scripts Executed for Forensics.

Request Forensic Data from Forensics tab

To request Forensic Data for a specific asset, perform the following steps on the Forensics tab:

  1. Click Request Forensic Data.
  2. In the Request Forensic Data page, select the asset for which you want the forensic data.

    Once the request is complete, the Status column displays the result as Success. You can Download, View Asset Details, or Delete the instances from the Quick Actions menu of the Status column in the Forensics tab. 

Auditing Forensic Logs from the Administration Application

Any action performed on the Forensics tab can be monitored from the Administration application. The following screenshot is an example of the Activity Logs that list the actions performed in the Forensics tab:

Activity Logs in the Administration application.

Agent Response Time Out Status

If a Forensic Request has been running (In Progress status) for more than 15 minutes, the Status column displays the instance as Failed, Agent Response Timed Out. In such a scenario, you need to request the forensic data again. In the meanwhile, if a response arrives for the earlier failed request, its status is updated.

The following screenshot is an example that shows the Failed instance:

Failed instance in the Forensic tab.

Quarantine an Asset

In case of a malicious event, the Quarantine Asset feature restricts the infected host from performing any network communication. You can quarantine an asset if its Windows Agent version is 4.9.0 or later, or its Linux Agent version is 6.0.0 or later. You can quarantine an asset from the Incidents or Assets tab.

Quarantine an Asset from the Incidents tab

To quarantine an asset based on the incident description, perform the following steps:

  1. Click the Incident description that you want to quarantine.
  2. In the Summary section, click Quarantine Asset.

    Quarantine Asset

  3. In the Quarantine Asset window, add your comments. Optionally, you can toggle Allowed Applications and add the application paths that should remain accessible while the asset is quarantined. If this toggle is enabled, applications listed in the Quarantine Asset Configuration are also included in the Allowed Applications.
  4. To add an application, enter a valid application path in the space provided and click Add.

    Add Application Path

  5. To remove an application, click the delete icon against the application path.

    Delete Application Path

  6. Click Execute Response.

    Quarantine Asset Window

    A notification Quarantine Asset request sent successfully. View Request Status is generated.

  7. Click the View Request Status to follow the asset quarantine status.

    Quarantine Asset Window

    Once the asset is successfully quarantined, the following status is displayed:

    Quarantine Asset Successful Status

Quarantine an Asset from the Assets tab

To quarantine an asset from the Assets tab, perform the following steps:

  1. In the Assets tab, select the Asset that you want to quarantine. The Agent version should be 4.9.0 and above.
  2. From the Quick Actions menu, click Quarantine Asset.

    Quarantine Asset Window

  3. In the Quarantine Asset window, add your comments. Optionally, you can toggle Allowed Applications and add the application paths that should remain accessible while the asset is quarantined. If this toggle is enabled, applications listed in the Quarantine Asset configuration are also included in the Allowed Applications.
  4. To add an application, enter a valid application path in the space provided and click Add.

    Add Application Path

  5. To remove an application, click the delete icon against the application path.

    Delete Application Path

  6. Click Execute Response.

    Quarantine Asset Window

    A notification Quarantine Asset request sent successfully. View Request Status is generated.

  7. Click the View Request Status to follow the asset quarantine status.

    Quarantine Asset Window

A quarantined asset is shown with the Quarantine Asset icon.

Quarantine Asset Window

The Quarantine Asset icon shown below signifies that the quarantine of the asset is in progress.

Quarantine Asset is WIP

Quarantine Asset Configuration from the Configuration tab

From the Configuration tab, you can whitelist the applications that remain allowed while the asset is quarantined.

Perform the following steps to whitelist applications for a quarantined asset:

  1. In the Configuration tab, select Asset Configuration.
  2. Toggle Allowed Applications.
  3. In the Add Applications field, provide the complete path of the application. You can use environment variables in the field. Wildcard inputs are not supported.

    Quarantine Asset is WIP

  4. Add the following paths to allow Qualys Endpoint Protection:

    C:\Program Files\Qualys\QualysEPP\EPUpdateService.exe
    C:\Program Files\Qualys\QualysEPP\downloader.exe
    C:\Program Files\Qualys\QualysEPP\EPSecurityService.exe
    C:\Program Files\Qualys\QualysEPP\ephost.integrity.legacy.exe
    C:\Program Files\Qualys\QualysEPP\EPConsole.exe
    C:\Program Files\Qualys\QualysEPP\EPIntegrationService.exe
    C:\Program Files\Qualys\QualysEPP\EPProtectedService.exe
    C:\Program Files\Qualys\QualysEPP\bdredline.exe
  5. Click Apply.

Show Quarantined Assets Only

Unquarantine an Asset from the Assets tab

To unquarantine an asset, perform the following steps:

  1. In the Assets tab, select the quarantined asset. From the Actions drop-down menu, select Unquarantine Asset.

    Release Quarantine Asset

  2. In the Unquarantine Asset window, add your comments.
  3. Click Unquarantine Asset.

    A notification Unquarantine Asset request sent successfully. View Request Status is generated.

  4. Click the View Request Status to follow the release asset status.

Unquarantine an Asset from the Incidents page

To release a quarantined asset, perform the following steps on the Incidents page of the Detections tab:

  1. In the Incidents page, select the required incident description of a quarantined asset.
  2. In the Summary tab, click Unquarantine Asset.

    Release Asset from Incident tab

  3. In the Unquarantine Asset window, add your comments.

    Release Asset Window

  4. Click Unquarantine Asset.

    Release Asset Window

    A notification Unquarantine Asset request sent successfully. View Request Status is generated.

  5. Click the View Request Status to follow the unquarantine asset status.

Release Asset Notification

Failed Status Messages

The Status column in the Responses tab lists the assets whose status is Failed. Click an asset, and the Quarantine File window displays the possible failure cause. To resolve the issue, click Retry to quarantine the asset again.

Following are some of the remediation request failure causes:

The following screenshot is an example of the Agent Response Timed Out:

Quarantine File window with possible failure cause.