Release 3.3

May 20, 2024

What's New?

Connect to Host using Linux Operating Systems

We have added support for the Linux Operating Systems for the Connect to Host option in the Quick Actions menu of the Assets tab. Using the following Linux commands, you can access endpoints directly from the Qualys console. The Connect to Host option is available for Linux Agent 6.3.0 and above. Use the following commands for the Linux OS :

  • auditctl
  • dpkg
  • rpm

For information about Connect to Host, refer to EDR Online Help.

New Remediation Status: Queued

From this release, we have added Queued as the initial status when you perform a Quarantine, Unquarantine, or any remediation action. Thus, the statuses are- Queued, Success, and Failed. The InProgress status is no longer available. 

The following screenshot highlights all the three statuses in the Quarantined Items tab under Responses:

Queued Status in the Responses tab.

Upload .JSON file to Exclude Instances from Scans

While configuring the anti-malware profile in the Exclusions step, you can now upload a .JSON file and exclude the instance from the scan. This option was initially available only for the File Scan. However, you can now perform this action for the Behavioral Scan, Network Protection Scan, and Device Control. You can upload a JSON file up to 2 MB.

The following screenshot highlights the .JSON file uploaded to exclude during the Behavioral Scan:

Uploaded .JSON file in Behavioral Scan

To view sample .JSON files, refer to Exclusion Support in EDR Online Help.

Bulk Unquarantine Assets

You can now unquarantine assets in bulk; this reduces the time spent unquarantining the assets one at a time. The Bulk Unquarantine Assets action can be performed in the Assets tab. After the assets are successfully unquarantined, the Activity Log under the Responses tab lists the assets. However, the asset names are not listed in the Activity Log for Bulk UnQuarantine assets. 

Points to consider for Bulk Unquarantine Assets using QQL tokens

  • There is no limit on the number of assets that can be selected when using a QQL token.
  • Upon searching and selecting a set of assets using QQL tokens and executing the bulk unquarantine asset action, a single bulk unquarantine job is generated. This job encompasses all impacted assets associated with the query.

Points to consider for Bulk Unquarantine Assets using the menu option

  • You can unquarantine up to 100 assets without using the QQL tokens.
  • When you select up to 100 quarantined assets from the Assets page and initiate the bulk unquarantine asset action, individual unquarantine requests are raised for each selected asset. Consequently, no bulk unquarantine asset job is created. Instead, all unquarantine actions are recorded and listed in the Activity Log.

The following screenshot is an example of the bulk unquarantine option in the Assets tab:

Bulk Unquarantine Assets in the Responses tab.

For information about Bulk Unquarantine Assets, refer to EDR Online Help.

Use Allow IPs Option during Quarantine Asset Configuration

The Asset Configuration under the Configuration tab now has the Allowed IPs toggle. Enable the Allowed IPs toggle to allow the list of IP addresses during the Quarantine Asset configuration. The following screenshot is an example of the Allowed IPs toggle enabled:

Quarantine Asset configuration tab.

For information about Quarantine Assets, refer to EDR Online Help

Create Exception Option Added in the Alerts tab

From the Quick Actions menu of the Alerts under the Detections tab, you can select the Create Exception option to create rules to suppress a past or a future event that you consider non-malicious. The following screenshot is an example of the Create Exception in the Quick Actions menu of the Alerts tab:

Create Exception option in the Alerts tab.

For more information about Create Exception, refer to EDR Online Help.

Enhancements in Forensics Collections

The Forensics Collection is now available for Process Memory Dump. This type of forensic collection allows you to collect data from active running processes, which will help you investigate and analyze system malicious activities. The .dmp file extension is created for the process memory dump. 

The following screenshot is an example of the Process Dump in the Forensics tab:

Process Dump option in the Forensics tab.

For more information about Forensics Collection, refer to Request Forensic Data in EDR Online Help

Updated AMSI commands for the Events tab

The amsi.command and amsi.command.length has now been updated to amsi.buffer and amsi.buffer.length. This change applies only to the Events tab under Hunting.

Updated EDR and EPP Scoring Events

The EDR and EPP scoring events help you prioritize the events. The Protection Mode and the Detection Mode in the table signify the Primary and Secondary actions you select while configuring the Antimalware Profile in the Configuration tab. The following screenshot is an example of the File Event with Application as a threat:

EDR and EPP scoring events

The following table lists the EPP and its respective EDR scoring events:

EPP Event EDR Event Protection Mode Score Detection Mode Score
Anti-Exploit ProcessEvent  7 8
Anti-Phishing NetworkEvent 4 4
Behavioral ProcessEvent 5 6
File Scan (On Demand and On Access)  FileEvent 6 8
File Scan | ThreatName -Application and Adware FileEvent 4 4
Network-Monitor NetworkEvent 6 9
Fileless-AMSI ProcessEvent 5 6
Fileless-Cmdline FileEvent 5 6
Device-Control DeviceControl NA NA
Content-Control UserControl 4 NA
Traffic-Scan NetworkEvent 6 8
Traffic Scan | Threat Name - CloudVirus NetworkEvent 4 4
Anti-Ransomware ProcessEvent 8 9

Auto-Remediation Search Tokens

We added the following new search tokens for the auto-remediation rule trigger. 

  • asset.agentid 
  • file.fullpath
  • asset.hostname 
  • file.path
  • process.image.fullpath
  • process.processfile.sha256
  • file.hash.sha256
  • malware.category
  • file.hash.md5
  • indicator.severityscore 
  • process.image.path 

To know more about these Search Tokens, refer to the EDR Online Help.