Qualys Patch Management / EDR Blog Series [Part 1]

NOTE: This is the first part of a blog series.

Part 1: Qualys Patch Management (PM)

Part 2: Qualys Endpoint Detection and Response (EDR)

Part 3: PM and EDR Remediation Demonstration

Overview

In this blog post, we will take a look at the Qualys Patch Management (PM) module. We will be answering questions including,

  • What is Qualys Patch Management?
  • What is it used for?
  • How does it work?
  • How to activate and set up?
  • Which feature does what?
  • What can we do with this module?

Part 2 of this blog series will be focusing on Qualys Endpoint Detection and Response (EDR). EDR is an important endpoint security module similar to PM. Then, in Part 3 of this blog series, we’ll be showing various remediation techniques using PM and EDR.

Patch Management (PM) with Qualys: An Overview

Qualys Patch Management is a cloud-based tool that assists security and IT professionals in quickly resolving vulnerabilities and patching their systems.

Qualys VMDR Lifecycle

Qualys Patch Management can:

  • Locate any missing fixes.
  • Patch your assets, whether they’re on-site, on mobile devices, roaming, or in the cloud.

Qualys Patch Management, built on the world’s greatest cloud-based security and compliance platform, frees you from the considerable expense, resource, and deployment issues associated with traditional software.

Qualys Patch Management video library will provide you with more information.

Patch Management Features

  • Correlates newly found vulnerabilities with the patches that are necessary.
  • Allows the use of existing Qualys Agents for deploying and uninstalling patches.
  • Patches the operating system and applications, including patches from third-party software suppliers (e.g., Adobe, Java, Google, Mozilla, Microsoft, etc.)
  • Enables patching from almost anywhere with an Internet connection (e.g., airports, coffee shops, remote offices, etc.).
  • Discovers which patches are missing or required and identify patches that have been superseded.
  • Creates patches for specific vulnerabilities, severity levels, and known threats.

Patch Sources

OS and Application Patches come from Global CDNs for Vendors (e.g., Oracle, Adobe, Microsoft, Apache, Google, etc.).

Qualys validates downloaded fixes using both digital signatures and hash values which are then validated again using Qualys Malware Insights.

Local repository (Qualys Gateway Server)

  • Patch downloads requested by one agent are cached on QGS and made “locally” available to other agents who require the patch.
  • Manifests and agent binaries are also cached by QGS.

PM Activation and Setup

The following configuration procedures are necessary to use the Qualys Patch Management (PM) program successfully:

4.1 Cloud Agent Module

4.1.1 On the target host, install Cloud Agent.

Note: Cloud Agent must be installed with an activation key that is compatible with the PM module.

PM Activation and Setup / Cloud Agent

Check out the Qualys Cloud Agent Installation Guide with Windows and Linux Scripts if you’re not sure how to install and configure “Qualys Cloud Agent.”

PM Activation and Setup

4.1.2 Assign a Configuration Profile with PM enabled to the target agent host.

To establish a “Configuration Profile” containing assets, add a new asset tag.

PM Activation and Setup

Create a new “Configuration Profile” to work with.

PM Activation and Setup / Configuration Profile Creation

PERFORMANCE: The high-performance option performs more frequent inspections.

PM Activation and Setup / Configuration Profile Creation

ASSIGN HOSTS: Choose which assets will receive this profile. Assets can be found using “Asset Tags or Asset Names.”.

PM Activation and Setup / Configuration Profile Creation

PM: For Configuration Profile, enable the PM module. To accommodate Windows Updates, the cache size must be at least 2048 MB.

PM Activation and Setup / Configuration Profile Creation

4.1.3 Activate the PM module on the target agent host (as an alternative to Configuration)

You can also manually activate the asset module instead of using Configuration Profile to enable PM.

PM Activation and Setup / Configuration Profile Creation

PM Activation and Setup / Activate Agent

4.2 Patch Management Module

To use the PM module, you must assign hosts to the profile you created.

4.2.1 Assign the target agent host to a PM Assessment Profile that is enabled.

To assign target agents for PM jobs, create an “Assessment Profile.”.

Patch Management Module

Choose which assets will be assigned.

Patch Management Module

Note: In the Assessment Profile, only asset tags can be used to choose assets.

Set up an Assessment Schedule to collect patch data from agents.

Patch Management Module

Note: Scanning time should be at least 4 hours long.

Note: Unlicensed assets will have a 24-hour scan interval.

Patch Management Module

4.2.2 Assign hosts to PM Jobs (activate the license).

To assign hosts to PM Jobs, you need to activate their licenses. The number of licenses available is limited.

Note: In License Consumption, only asset tags can be used to select assets.

Patch Management Module

Overview of the PM Application

5.1 Patch Management UI

Patch Management UI

  • CONFIGURATION: Set the frequency of patch assessments and the number of patching licenses to be used.
  • JOBS: Use one or more PM Jobs to deploy and/or uninstall specific patches for specific groups of host assets.
  • ASSETS: A list of the agent host assets that were activated by the PM module.
  • PATCHES: A catalog of application and operating system patches.
  • DASHBOARD: This section has widgets that track key patch statistics.

5.2 Assessment Profile

As the Assessment Profile, the System Profile will be used by default.

Assessment scans reveal which patches are missing and which have been implemented on an agent host.

Patch Management / Assessment Profile

5.3 License Consumption

Asset Tags are used to designate which agent host assets are patchable. (Note: Asset tags are the only way to specify.)

To prevent patching on specific assets, choose the “Exclusion” check box.

License Consumption

PM Deployment Job/ PM Uninstall Job

We’ll concentrate on the main stages in patch deployment (PM, VM, VMDR). We’ll look at various patch deployment options.

Create Deployment job:

PM Deployment Job/ PM Uninstall Job

Select your assets. “Asset Tags” or “Asset Names” can be used to select assets.

PM Deployment Job/ PM Uninstall Job

Patches that are patchable can be chosen. (isSuperseded:false)

PM Deployment Job/ PM Uninstall Job

Patches are automatically added within the scope when you click add patches. Patches that haven’t been superseded can be chosen to make patch jobs more efficient.

Note: “Key” symbol nearby patch name means “Acquire from Vendor”. These patches aren’t available for download, and they can’t be applied to the job.

PM Deployment Job/ PM Uninstall Job

Patches identified with “key-shaped” icons will not be downloaded by Qualys’ Cloud Agent, according to the confirmation notice box.

PM Deployment Job/ PM Uninstall Job

Selected patches will be listed.

PM Deployment Job/ PM Uninstall Job

Deployment Jobs can be made to run on demand or scheduled, and Recurring Jobs can be used recursively as daily, weekly, or monthly.

If a patch installation does not begin inside the given Patch Window, the job will be marked as Timed out.

To provide patch jobs for an infinite period of time, choose None.

PM Deployment Job/ PM Uninstall Job

Allow agents to download required patches prior to the commencement of a scheduled job with the Enable opportunistic patch download option enabled. (Note: This step can be only applied for scheduled jobs.)

Additional Job Settings

Messages sent to the client during deployment.

Pre-Deployment Message

  • Before patch deployment begins, a pre-deployment message is sent to the client. Can be deferred for a specified number of days and a specific time.

Deployment in Progress

Deployment Complete Message

  • The information signals the Deployment in Progress and Deployment Complete statuses.

Reboot messages were used to inform the client of the reboot.

  • Reboots are disabled when you use Suppress Reboot.

Reboot Request Message

  • Reboot Request is a notification that the client needs to reboot.
  • When the deferment limits are reached, Reboot Countdown displays a countdown message and reboots.

Clients receive pop-up messages. It is possible to customize the message descriptions.

Deployment and Reboot Communication Options

Note: The process of generating an uninstall job is similar to that of creating a deployment job. Instead of downloading patches, simply pick remove patches.

Note: Some of the patches can’t be rollback and uninstall. For this reason, uninstall patches are less than downloadable patches.

6.1 Job Status

Job Status

On the “View Progress” page, you can see the “Job Status”.

Job Status

  • Enabled: Job is presently active.
  • Disabled: Job is presently inactive.
  • Completed: Job has been completed.

Job Status

When the deployment job is finished, click View Progress to see the results.

Job Status

To see the details of a patch that failed, skipped, or succeeded, click View Patch Details.

Job Status

Patch details are listed.

Patches for Job

6.2 Patching from VM and VMDR

On the VULNERABILITIES section, both VM and VMDR support patching.

The Patches section of the Patch Management Module will be redirected if you click View Missing Patches.

Patching from VM and VMDR

Note: There are no patches for all vulnerabilities.

Patching from VM and VMDR

Filter for vulnerabilities that can be patched. Patches that are required for your job can be added from this section.

Patching from VM and VMDR

6.3 VMDR Prioritization Report

Prioritize your remediation activities with VMDR Prioritization.

VMDR Prioritization Report

Prioritize assets by selecting “Asset Tags”.

Click “Prioritize Now”.

VMDR Prioritization Report

VMDR Prioritization Report

To a new or existing job, add prioritized patches.

VMDR Prioritization Report

The “Add to New Job” or “Add to Existing Job” buttons redirect you to the tab for creating deployment jobs.

Note: Also, Prioritized Vulnerabilities can be filtered as “Patchables”.

VMDR Prioritization Report

PM Assets

When the PM module is enabled, the host assets are displayed. The number of “MISSING” and “INSTALLED” patches is displayed after a successful assessment scan.

Note: All assets have been scanned successfully.

PM Assets

View asset details, add assets to an existing job or add assets to a new job using the Quick Actions menu.

PM Assets

  • When you click Add to New Job, you’ll be redirected to the deployment job tab.
  • The “Add to Existing Job” button redirects you to the “Existing Deployment Jobs” tab.
  • Any deployment job can have additional assets added to it before it is enabled.
  • A “recurring” job might have additional assets added to it both before and after it is enabled.

PM Assets

For details of missing or installed patches, click the numbers.

You can also add a new or existing job to this section.

PM Assets

PM Assets

Patch Catalog (Patches)

On the Patch Management UI, the “Patches” tab lists all patches that are available or unavailable for assets.

By default, when a tab is clicked, it displays filtered results for available assets.

Patch Catalog

To see all patches, turn off the filters.

Patch Catalog

Use the “Quick Actions menu” to view asset details, add assets to an existing job, or add assets to a new job.

Patch Catalog

Conclusion

In conclusion, this article provided an in-depth look at Qualys Patch Management (PM), including its features, benefits, and sources. We explored how to activate and set up the PM through configurations and discussed the importance of the Deployment job. We made an overview of the PM application, assets, and patches.

To continue exploring Qualys’s endpoint security offerings, be sure to check out Part 2 of this blog series, which covers Qualys Endpoint Detection and Response (EDR). If you’re interested in staying secure, check out our Vulnerability Management services.

Endpoint Security Qualys Technical Guide Vulnerability Management