In Part 1 and Part 2 of this blog series, we learned about Qualys Patch Management (PM) and Qualys Endpoint Detection and Response (EDR).

This blog post will be about patching with Qualys Patch Management (PM) and remediation with Qualys Endpoint Detection and Response (EDR).

PM Patching (Virtual Machine)

Using the Qualys Patch Management (PM) module, we’ll deploy missing patches to target hosts.

We’ll look at various patch deployment strategies to see how they perform.

Check out the first part of this blog series, Part 1: Qualys Patch Management (PM), to learn how to create a new Deployment Job.

  • Once a new Deployment Job has been created (an “On demand job” for the virtual machine), give your job a name. Our job is named “PATCHNOW – On Demand VM Test”.

  • Select the assets for which you want this job to apply patches. In this example, “WinDev2104Eval” is selected. This is our virtual machine.

  • Add the patches that the job should install. We selected all patches that were missing on the VM.

  • Either select “On Demand” to run the job immediately or schedule it for later.

Also, you can configure a patch window to run the deployment job only within a particular time frame. Enabling this setting ensures that the agent starts the job within the specified patch window (e.g. start time + 6 hours). If the job does not start within this time window, it will time out.

You can configure “Communication Options”. We enabled all “Deployment messages” and set “Deferment” to “Remind again in 10 minutes 5 times”.

We enabled the “Suppress Reboot” option so that no reboot requests are shown on the target host. We enabled “Minimize job progress window” to allow end users to minimize the message windows.

“Opportunistic patch download” can’t be enabled for “On Demand” jobs.

Note: You can enable it for your scheduled jobs.

As the last step of the configuration, all options need to be confirmed. After that, click “Save & Enable”.

The job status changes to Completed after saving and enabling the deployment job (an On-demand Deployment Job completes instantly after it is saved and enabled).

Patch progress may be monitored by clicking View Progress.

The patching status changes after 10-15 minutes.

This message was sent to the target host because the Upgrade Request option was selected and Qualys PM needed the user's authorization to download the patch files. The notification pop-up appears for this reason, and the “OK” button must be clicked to proceed.

Another option is to select “Defer”. The number of allowed deferrals is set in the configuration options; in this example, a total of five deferrals was allowed.

The job status changed to Download in Progress when we clicked “OK”.

After that, the target host receives an Upgrade in Progress notification. As you can see in the Task Manager, Qualys Cloud Agent UI is in charge of patching.

After a short time, the job status changed to Patching.

When the patching finished, the message Upgrade completed appeared and the job status changed to Completed.

We can list all the installed patches by clicking the INSTALLED count on the column under PATCHES in the STATUS view.

Skipped patches and the reasons they were skipped can be displayed by clicking the “SKIPPED” count.

Remediation with EDR (Virtual Machine)

For testing the EDR module, our virtual machine host contains a lot of harmful files, such as trojans and infostealers.

To remediate, we will use the EDR module. The EDR module will show all malicious files/events and will assist you in deleting or quarantining them. This section will begin with a remediation example.

You can also use the EDR module to send alerts (send an email, post on slack, send to PagerDuty) for response actions.

Please see the second part of this blog series for additional information on EDR: Part 2: Qualys Endpoint Detection and Response (EDR).

2.1 Dealing with Malicious Events

These are the malware samples to be tested on the virtual machine host (client-side).

These can be found under the EDR HUNTING tab.

By clicking on the names of malicious events, you may see more details about them. In View Mode, you can also quarantine or delete files.

The event’s Process Tree can be viewed.

Delete all malicious files from the Hunting or View Mode > Process Tree sections.

The status “in progress” is displayed.

Deleted files are no longer visible in the current hunting view and on the computer of the target host.

The status of deleted files can be viewed on the RESPONSE page.

The files that were deleted were also deleted from the VM host. (Client-side)

2.2 Response Action

For response actions on the EDR module, you can send alerts to people (send email, post on slack, send to PagerDuty).

To generate a response alert, you must first create an action. Click Actions under RESPONSES, then click New Action.

We provided all of the required information. If you’re unfamiliar with these steps, read the second part of this blog series: Part 2: Qualys Endpoint Detection and Response (EDR).

You can choose from the following options:

The action has been created.

Now we must use the action we created previously in a rule. Click “Create New Rule”.

We provided all of the required information. As before, if you’re unfamiliar with these steps, read Part 2: Qualys Endpoint Detection and Response (EDR).

We added the action that we created previously. In this configuration step, the action's settings can be adjusted.

A response action rule has been created. Now we wait for a process, file, or event that triggers the rule.

When the rule we created is triggered, an email is sent to the configured recipient.

We received that response alert email after triggering that rule with a malicious file.

In Part 1 of our blog series, we learned about the capabilities, benefits, and patch sources of Qualys Patch Management (PM). In addition, we learned how to activate and configure PM. We gave an overview of the PM application, assets, and patches, and covered the Deployment Job, the most critical part of PM, in detail.

In Part 2 of our blog series, we learned about the features and benefits of Qualys Endpoint Detection and Response (EDR). We learned how to enable and configure EDR. We went over the EDR application, events, response actions, and rule-based alerts in detail. We also learned about Hunting Events and Incidents, two of the most significant aspects of EDR.

In Part 3 of our blog series, we used PM and EDR modules to remediate the target host. We demonstrated how to patch using PM and delete/quarantine harmful files/events with EDR. We also sent an email with EDR for a response action alert.

If you’ve followed this blog post to the end, you should have a detailed understanding of:

  • PM and EDR modules.
  • When to use PM and EDR.
  • How to use PM and EDR for remediation on hosts.

If you want to improve the security of your hosts’ endpoints, consider deploying PM and EDR applications. As you can see from this blog series, they provide a wide range of endpoint security solutions.

If you would like to discover what services Purplebox offers on this topic, check out our Vulnerability Management and Penetration Testing services!