Overview

In Part 1 and Part 2 of this blog series, we learned about Qualys Patch Management (PM) and Qualys Endpoint Detection and Response (EDR).

This blog post will cover how to patch with Qualys Patch Management (PM) and remediate with Qualys Endpoint Detection and Response (EDR). We will provide an overview of the PM and EDR modules and offer guidance on when to use them.

The article goes on to detail how to use Qualys PM and EDR for host remediation, including methods for patching using PM and deleting or quarantining harmful files/events with EDR.

Continue reading to learn more about these powerful tools for endpoint security.

PM Patching (Virtual Machine)

Using the Qualys Patch Management (PM) module, we’ll deploy missing patches to target hosts.

We’ll look at various patch deployment strategies to see how they perform.

To learn how to create a new Deployment Job, see the first part of this blog series, Part 1: Qualys Patch Management (PM).

  • Once a new Deployment Job has been created (an “On demand job” for the virtual machine), give the job a name. Our job is named “PATCHNOW – On Demand VM Test”.

PM Patching

  • Select the assets to which this job should apply patches. In this example, “WinDev2104Eval”, our virtual machine, is selected.

  • Add the patches the job should install. We selected all patches that were missing on the VM.

PM Patching - VM patches

  • Either select “On Demand” to test immediately or schedule the job.

You can also configure a patch window so that the deployment job runs only within a particular time frame. With this setting enabled, the agent must start the job within the specified patch window (e.g. start time + 6 hours); if the job does not start within that window, it times out.

You can configure “Communication Options”. We enabled all “Deployment messages” and set “Deferment” to “Remind again in 10 minutes 5 times”.

PM Patching deployment

To avoid reboot requests on the target host, we enabled the “Suppress Reboot” option. Keep in mind that patches which require a reboot are not fully applied until the host is restarted. We also enabled “Minimize job progress window” so that end users can minimize the message windows.

You can’t enable “Opportunistic patch download” for “On Demand” jobs.

Note: You can enable it for scheduled jobs.

As the last step of the configuration, confirm all options, then click “Saved & Enabled”.

PM Patching last part

After the deployment job is saved and enabled, its status changes to Completed. (An on-demand Deployment Job completes instantly after saving and enabling.)

By clicking View Progress, you can monitor patch progress.

The patching status will change after 10-15 minutes.

PM Patching - patching status

This notification appeared on the target host because we enabled the Upgrade Request deployment message: Qualys PM asks the user for authorization before it downloads the patch files. Click the “OK” button to proceed.

Another option is to click “Defer”. The number of allowed deferrals is set in the configuration options; in this example, five deferrals were allowed.

Qualys Patch Management

The job status changed to “Download in Progress” when we clicked “OK”.

After that, the target host shows an “Upgrade in Progress” notification. As Task Manager shows, the Qualys Cloud Agent UI process is carrying out the patching.

Qualys Cloud Agent UI

After a short amount of time, the job status became “Patching”.

After completing the patching, the system displayed the message “Upgrade completed” and changed the status of the job to “Completed”.

We can list all installed patches by clicking the INSTALLED count in the PATCHES column of the STATUS view.

Clicking the “SKIPPED” count displays the skipped patches along with their reasons for being skipped.

Remediation with EDR (Virtual Machine)

To test the EDR module, our virtual machine host contains several harmful files (a trojan, an infostealer, etc.).

To remediate this, we will use the EDR module. The EDR module shows all malicious files/events and assists you in deleting or quarantining them. This section begins with a remediation example.

You can also use the EDR module to send alerts (send an email, post on Slack, send to PagerDuty) for response actions.

Please see the second part of this blog series for additional information on EDR: Part 2: Qualys Endpoint Detection and Response (EDR).

2.1 Dealing with Malicious Events

Malware should only be tested on a virtual machine host (client side).

Remediation with EDR

The malicious events can be found under the EDR HUNTING tab.

By clicking on the names of malicious events, you may see more details about them. In View Mode, you can also quarantine or delete files.

You can view the event’s Process Tree.

Remediation with EDR - Process Tree

Delete all malicious files from the Hunting view or from View Mode > Process Tree.

The status “in progress” is displayed while the deletion runs.

Deleted files are no longer visible in the current hunting view, nor on the target host itself.

On the RESPONSE page, you can view the status of files that have been deleted.

The deleted files were also removed from the VM host (client side).

2.2 Response Action

For response actions on the EDR module, you can send alerts to people (send email, post on Slack, send to PagerDuty).

To generate a response alert, you must first create an action. Click Actions in RESPONSES and click New Action.

Response Action

We provided all of the required information. If you’re unfamiliar with these steps, read the second part of this blog series: Part 2: Qualys Endpoint Detection and Response (EDR).

You can choose from the following options:

The action has been created.

Next, we create a rule that uses the action we created previously (“Creating a New Rule”).

We provided all of the required rule information. If you’re unfamiliar with these steps, read the second part of this blog series: Part 2: Qualys Endpoint Detection and Response (EDR).

Rule details

We added the action that we created previously. In this step, we can also adjust the action’s settings.

Action settings

We have created a response action rule. Now we wait for a process, file, or event that triggers the rule.

When the rule we created fires, an email is sent to the configured recipient.

We received the response alert email after triggering the rule with a malicious file.

Response Action alert email

Conclusion

We covered the capabilities, benefits, and sources of Qualys Patch Management (PM) in Part 1 of our blog series. We also explained how to activate and configure PM, gave an overview of the PM application, assets, and patches, and looked in detail at the Deployment Job, the most critical part of PM.

In Part 2 of our blog series, we discussed the features and benefits of Qualys Endpoint Detection and Response (EDR). We learned how to enable and configure EDR. We went over the EDR application, events, response actions, and rule-based alerts in detail. We also learned about Hunting Events and Incidents, two of the most significant aspects of EDR.

In Part 3 of our blog series, we used PM and EDR modules to remediate the target host. We demonstrated how to patch using PM and delete/quarantine harmful files/events with EDR. We also sent an email with EDR for a response action alert.

In summary, after following this blog post to the end, you should have a detailed understanding of:

  • PM and EDR modules.
  • When to use PM and EDR.
  • How to use PM and EDR for remediation on hosts.

If you want to improve the security of your hosts’ endpoints, consider deploying PM and EDR applications. As you can see from this blog series, they provide a wide range of endpoint security solutions.

Additionally, if you would like to discover what services Purplebox offers on this topic, check out our Vulnerability Management and Penetration Testing services! We can help you improve your organization’s security posture and protect your critical assets from cyber threats.