Release 3.2

April 05, 2024

What's New?

Added EDR Status in the Assets tab

New EDR statuses, Active, Inactive, and Disabled, have been introduced to show whether EDR is enabled on each asset. Each status is shown together with the Last Reported Time of the asset. If EDR is not enabled for an asset, you can enable it from the Qualys Cloud Agent application.

For more information about the EDR status column or the Assets page, refer to the EDR Online Help.

The following screenshot is an example of the Assets tab with the newly added EDR Status column:

Assets page that displays the EDR Status.

Columns Updated in the Assets tab

The columns in the Assets tab have been updated. The following table lists the column names and a description of each column:

Column Name | Description
EDR Status | Displays whether EDR is enabled for the asset. The EDR statuses are Active, Inactive, and Disabled.
Anti-Malware Status | Displays the anti-malware status of each asset. If the anti-malware status is disabled, you can enable it from the Qualys Cloud Agent application.
Name | Displays the asset name, the last logged-in user, and the asset hardware information.
Criticality | Lists the Criticality value of the asset.
System Info | Displays the agent information, including the agent OS, version, and creation date.
Tags | Lists the tags assigned to the asset.

The following screenshot displays the new Assets page and its columns:

Revamped columns of the Assets page.

You can now unquarantine an asset from the Actions menu of the Assets page. Refer to the following screenshot of the Unquarantine asset action:

For more information about the Assets page or the Quick Actions that can be performed on this page, refer to the EDR Online Help.

EDR-VMDR Integration: Added New Fields in Threat Risk & Exposure

To simplify reviewing vulnerability findings across hosts, we have added the All Hosts and Current Host options to the Threat Risk & Exposure page. The All Hosts option lists all the hosts impacted by vulnerabilities; its Total Host column gives the number of hosts mapped to the QID. The following screenshot is an example with the All Hosts option selected:

The Current Host option lists all the vulnerabilities affecting the asset whose Incident Details you are viewing. The following screenshot displays the columns when Current Host is selected:

For more information about the EDR-VMDR Integration, refer to the EDR Online Help.

EDR-PC Integration: Added New Fields in System Misconfiguration

You can now remediate the CIDs listed in the System Misconfiguration page using the Remediate now button. An icon prefixed to the Control Statement indicates that the CID can be remediated. The System Misconfiguration page also has two new columns: Technology/Instance and Policy. With all the policy information in one place, the remediation process is simpler. You can remediate CIDs one at a time or perform bulk remediation. The following screenshot highlights the new additions to the System Misconfiguration page:

For more information about the EDR-PC Integration, refer to the EDR Online Help.

Support for Network Attack Defense

You can now implement Network Attack Defense (NAD) on your Linux operating system. NAD protects your Linux systems from attack types such as brute force, network exploits, password stealers, drive-by download infection vectors, bots, and Trojans.

Before you implement NAD on your Linux systems, consider the following prerequisites:

  • Qualys EPP must be enabled
  • Linux Agent 6.1.0 or later is required
  • 64-bit Linux machines that use systemctl to manage services
  • The iptables package must be installed
  • Linux versions not supported: CentOS Linux 6 and 9, Oracle Enterprise Linux (OEL) 6, and Red Hat Enterprise Linux (RHEL) 6 and 9
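The following pre-flight script checks a host against the NAD prerequisites listed above. It is an added example, not Qualys code or part of the EDR documentation; it assumes that /etc/os-release uses the IDs centos, ol (Oracle Linux) and rhel, and that you supply the installed agent version as a dotted string (how you obtain it from the agent is outside this script).

```shell
#!/bin/sh
# Added example (not Qualys code): pre-flight check for the NAD prerequisites.
# Assumptions: os-release IDs centos / ol / rhel; agent version passed as "x.y.z".

# Return 0 when a dotted agent version ($1) is 6.1.0 or later.
agent_version_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    major=${major:-0}; minor=${minor:-0}
    if [ "$major" -gt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -ge 1 ]; then return 0; fi
    return 1
}

# Return 0 unless the distro ID ($1) and VERSION_ID ($2) match one of the
# unsupported releases: CentOS 6/9, Oracle Linux 6, RHEL 6/9 (major only).
distro_supported() {
    case "$1:${2%%.*}" in
        centos:6|centos:9|ol:6|rhel:6|rhel:9) return 1 ;;
        *) return 0 ;;
    esac
}

# Read ID and VERSION_ID from an os-release file (default /etc/os-release).
os_release_supported() {
    f=${1:-/etc/os-release}
    id=$(sed -n 's/^ID=//p' "$f" | tr -d '"')
    ver=$(sed -n 's/^VERSION_ID=//p' "$f" | tr -d '"')
    distro_supported "$id" "$ver"
}

# Live checks: 64-bit kernel, systemctl-managed services, iptables present.
# Prints one line per check and returns 0 only when all of them pass.
host_tools_ok() {
    rc=0
    case "$(uname -m)" in
        x86_64|aarch64) echo "arch: ok ($(uname -m))" ;;
        *) echo "arch: not 64-bit"; rc=1 ;;
    esac
    for tool in systemctl iptables; do
        if command -v "$tool" >/dev/null 2>&1; then echo "$tool: ok"
        else echo "$tool: missing"; rc=1; fi
    done
    return $rc
}

# Usage: sh nad_preflight.sh <agent-version>, for example: sh nad_preflight.sh 6.1.0
if [ -n "$1" ]; then
    agent_version_ok "$1" && echo "agent: ok" || echo "agent: $1 is older than 6.1.0"
    os_release_supported && echo "distro: ok" || echo "distro: unsupported by NAD"
    host_tools_ok
fi
```

Whether Qualys EPP is enabled is a console-side setting and is not something the host can verify locally, so that item is left to the operator.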

For more information about the NAD workflow, refer to the EDR Online Help.

Introduced Anti-malware Setup in the Configuration tab

The Anti-malware Setup button under the Configuration tab helps reduce network bandwidth. The setup lets you select an installer mode to host a copy of the Anti-malware installer; the available modes are Cloud Installer and On-Premise. The setup page also provides the Third-Party Anti-malware removal tool toggle, which removes any third-party products and installs Qualys Anti-malware.

The following screenshot is an example of the On-Premise installer mode with the Third-Party Anti-malware removal tool enabled:

On-Premise mode enabled in Anti-malware Setup page.

For more information about configuring Anti-malware Setup, refer to the EDR Online Help.

Introduced Content Control in Configuring Anti-malware Profile

Content Control is a newly added step when you configure an Anti-malware profile. In this step, you can block websites and applications. Aggressive, Permissive, Normal, and Custom are the categories you can choose from to block websites.

The following Cloud Agent versions are compatible with Content Control:

  • Windows 5.5.0 or above (with and without Proxy)
  • Mac 1.0.2 or above (without Proxy)

The following screenshot is an example of the Content Control step with the Aggressive category selected and the `firefox.exe` application blocked:

Content Control step in the Anti-malware Profile page.

For more information about configuring an Anti-malware profile, refer to the EDR Online Help.

Web Access Control Exclusion in Configuring Anti-malware Profile

The Web Access Control Exclusion in the Exclusions step of Configuring Anti-malware Profile lets you allow or block specific websites. For example, if you have blocked all shopping websites through the Content Control option but want users to access only the Amazon website, enable the Web Access Control Exclusion and type the URL www.amazon.*

The following screenshot is an example of the Web Access Control Exclusion that blocks a specific medical website and allows some websites:

Exclusions step in the Anti-malware Profile.

Updated Event Details for Process and File Type

The Summary page for the Process type now provides information about the User Session. The User Session includes the following fields:

  • Session Username: Displays the name of the user or the server connected to the session.
  • Session Name: Displays the name assigned to the session.
  • Session ID: Displays the ID of the session.

To generate a list of events that have a Session Username, Session Name, or Session Userid using Qualys Query Language (QQL), refer to Events Search Tokens in the EDR Online Help.

To view the User Session of the Process type, hover the mouse over a Process and select Event Details. The following screenshot is an example of the Summary page displaying the User Session and its fields for the Process type:

Summary page of the Event Details with User Session.

The Summary page for the File type now provides information about the Shortcut File Target. The Shortcut File Target is a reference file that contains information about the target application. The following screenshot is an example of the Summary page displaying the Shortcut File Target for the File type:

Summary page of the Event Details page with File Type and Shortcut File Target.

For Create, Write, Delete, and Rename file events, the newly added Original File Name field in the Summary page for the File type displays the original name of the file. Refer to the following screenshot of the Summary page displaying the Original File Name for the File type:

Summary page of the Event Details page with Original File Name.

To generate a list of events that have an Original File Name or Shortcut File Target using Qualys Query Language (QQL), refer to Events Search Tokens in the EDR Online Help.

The User Session, Original File Name, and Shortcut File Target are displayed for Windows Agent 5.5 and above.

Timeout changes for Quarantine Host and Event Remediation

The asset response timeout for Quarantine Host is now 10 minutes and for event remediation it is 5 minutes.

To know more about Quarantine Asset, refer to the EDR Online Help.

New Tokens

Token Name | Description
file.originalname | Lists the events that have an original file name.
file.shortcutfiletarget | Lists the events that have a shortcut pointing to the target file application.
session.name | Lists the events by the session name assigned to the session.
session.userid | Lists the events by the session ID assigned to the session.
session.username | Lists the events by the session username assigned to the session.