Windows Onboarding Recommendations
We have compiled the following recommendations to onboard EDR along with Malware Protection on Windows systems:
- Carry out the onboarding activities with the support of your TAM. This makes it easier to escalate and take preventive measures if any issues arise.
- Perform a pilot tryout on a small set of assets. Select assets with varying software and hardware configurations for the pilot tryout.
- On the assets selected for the pilot tryout, ensure the agent version is 4.5 or later. Refer to the Cloud Agent Windows Installation Guide for step-by-step instructions.
- Ensure the EDR application is enabled on the Configuration Profile. After you have enabled the EDR application, you can enable the Malware Protection capabilities.
- If you are a new Qualys customer, ensure that the agents do not self-patch (auto-update). To restrict agents from auto-updating, ensure that the Prevent auto-updating of the agent binaries setting is selected for the Configuration Profiles in the Cloud Agent application. You can enable this setting after a successful pilot tryout.
- If you are an existing Qualys customer, create a new configuration profile for the selected assets with the Prevent auto-updating of the agent binaries setting disabled for the pilot tryout. This automatically upgrades the Windows Agent on these assets to the latest version (4.5 or later).
- Continuously monitor asset performance while the following activities are in progress:
  - Agent deployment or version upgrade
  - EDR enablement on endpoints
  - Malware Protection software enablement on top of EDR on endpoints

  Things to monitor:
  - CPU utilization
  - Memory utilization
  - High I/O
  - Network bandwidth
  - Number of EDR events captured (Hunting tab of the EDR UI)
  - Endpoint behaviour alongside other antivirus software, other Qualys products, and other installed software (coexistence problems, slowness, and system crashes must be monitored closely)
- For the pilot tryout, monitor the assets for at least 1 to 2 business weeks.
- If you face issues during the pilot tryout, we recommend that you tune the configuration:
  - Increase CPU and memory if assets are underperforming.
  - Improve network bandwidth.
  - If you see an unnecessary or high volume of events in the UI, contact the Qualys Support team to tune the policy.
- After a successful pilot tryout, when you are ready to deploy across all assets, enable the assets in small batches.
- Keep a considerable gap between onboarding two consecutive collections. This keeps bandwidth and CPU utilization on the endpoints under control.
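The following PowerShell script is an added example for the pilot tryout described above; it is not part of the Qualys documentation or the Cloud Agent product. It gates on the 4.5 minimum agent version and then samples the performance counters that correspond to the "things to monitor" list (CPU, memory, I/O, network) so that a sample taken before EDR or Malware Protection enablement can be compared with one taken afterwards. Two values are assumptions, because the page does not state them: the agent's uninstall DisplayName (assumed to begin with 'Qualys Cloud Agent') and the agent process name (assumed 'QualysAgent'); adjust both to match what you see on your assets.

```powershell
# Added example (not Qualys code): pilot health check for one Windows endpoint.
# Run in an elevated PowerShell session on each pilot asset, before and after enablement.

$MinimumAgentVersion = [version]'4.5'        # minimum version stated in the onboarding guidance
$AgentDisplayName    = 'Qualys Cloud Agent*' # ASSUMPTION: uninstall-key DisplayName pattern
$AgentProcessName    = 'QualysAgent'         # ASSUMPTION: agent process name for the per-process counter

function Get-AgentVersion {
    # Read the installed version from the 64-bit and 32-bit Uninstall registry keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $AgentDisplayName } |
        Select-Object -First 1
    if ($null -eq $entry -or [string]::IsNullOrEmpty($entry.DisplayVersion)) { return $null }
    return [version]$entry.DisplayVersion
}

function Test-AgentVersion {
    # Returns $true when the installed agent meets the minimum version for the pilot.
    $installed = Get-AgentVersion
    if ($null -eq $installed) {
        Write-Warning 'Agent not found in the Uninstall registry keys; check the installation.'
        return $false
    }
    $ok = $installed -ge $MinimumAgentVersion
    $state = if ($ok) { 'OK' } else { 'TOO OLD - upgrade before enabling EDR' }
    Write-Host ('Agent version {0} (minimum {1}): {2}' -f $installed, $MinimumAgentVersion, $state)
    return $ok
}

function Get-PilotPerformanceSample {
    param([int]$IntervalSeconds = 5, [int]$Samples = 6)

    # Counters map onto the list of things to monitor: CPU, memory, I/O, network,
    # plus the agent's own CPU share so that host load can be attributed to it.
    $counters = @(
        '\Processor(_Total)\% Processor Time',
        '\Memory\Available MBytes',
        '\PhysicalDisk(_Total)\Disk Transfers/sec',
        '\Network Interface(*)\Bytes Total/sec',
        "\Process($AgentProcessName)\% Processor Time"
    )
    $data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds `
                        -MaxSamples $Samples -ErrorAction SilentlyContinue

    # Summarise each counter (and each network interface instance) over the sampling window.
    $data.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Average).Average, 2)
                Max     = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Maximum).Maximum, 2)
            }
        }
}

# Usage: run the version gate, then collect a 30-second sample (6 x 5 s) for the pilot record.
$versionOk = Test-AgentVersion
Get-PilotPerformanceSample -IntervalSeconds 5 -Samples 6 | Format-Table -AutoSize
```

Keep the output of each run with the asset name and a timestamp; comparing the "before" and "after" summaries over the 1 to 2 business weeks of the pilot is what shows whether CPU, memory, or bandwidth need to be increased. The EDR event count from the Hunting tab is not scriptable here and is still read from the EDR UI.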