Have Anti-Virus or HIPS software installed? To avoid conflicts with Cloud Agent, ensure that you exclude the following files, directories, and processes from all security software installed on the system.
QualysAgent.exe - this is the Qualys endpoint service
QualysCloudAgent.exe - Cloud Agent installer needs access to disk and registry locations (see below)
uninstall.exe - this is the Qualys endpoint service uninstaller; it needs read/write/delete access to the following disk and registry locations
QualysSPConfig.exe - Qualys Cloud Agent Self Protection Configuration Utility. Used to disable the self-protection.
QualysProxy.exe - Qualys Proxy Configuration Tool. Used to configure proxy settings for Qualys Cloud Agent.
QualysAgentUI.exe - Executable used to show Patch Management Prompts/UI.
- %ProgramData%\Qualys\QualysAgent\PatchManagement\Resources\ - Various Patch Management executables.
- %ProgramFiles%\Qualys\QualysAgent\EDR\ - Driver Management Utilities.
- %ProgramData%\Qualys\SandboxRO\agentid-service.exe - Agent Scan Merge executable.
- %ProgramData%\Qualys\QualysAgent\LogCollector\Resources\qualys-beat_x86_64.exe - XDR executable for 64-bit.
- %ProgramData%\Qualys\QualysAgent\LogCollector\Resources\qualys-beat_x86.exe - XDR executable for 32-bit.
- %ProgramData%\Qualys\QualysAgent\SwCA\Resources\SwCAScanner.exe - Scanner executable for Software Composition Analysis.
- %ProgramData%\Qualys\QualysAgent\QCAPS\Resources\qcaps.exe - Cloud Agent Passive Sensor.
%ProgramData%\Qualys\QualysAgent - we read/write/create/delete files in this directory and sub-directories
%ProgramFiles%\Qualys\QualysAgent - this is where the service and uninstaller live. The service will create processes, so HIPS must be configured to allow this action. This path is the same for both x86 and x64 systems.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QualysAgent - this is where the agent setup installs the service into the system.
HKEY_LOCAL_MACHINE\SOFTWARE\Qualys - this is where breadcrumb information lives to merge agent and appliance scanner results. The agent needs create/read/write/delete access here; setup needs to create the key; uninstall needs the ability to delete the key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qmon - this is where the agent setup installs the driver into the system if Qualys File Integrity Monitoring (FIM) is activated or Self-protection is enabled or Qualys EDR is activated on the agent.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qnetmon - this is where the agent setup installs the driver into the system if Qualys EDR is activated on the agent
Calls CreateProcess to launch external processes on occasion
Calls CoCreateInstance to instantiate COM objects
Creates/Reads/Writes/Deletes files out of its programdata directory
Creates/Reads/Writes/Deletes from the hklm\software\qualys registry key
Enumerates and reads from all file and registry locations
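
Because everything under the two directories listed above is excluded from scanning, it is worth confirming before applying the exclusions that only privileged accounts can write there and that the executables carry valid Authenticode signatures. The PowerShell below is an added example, not Qualys code; the directory paths come from this page, while the trusted-SID list and the write-rights mask are assumptions to adjust for your environment.

```powershell
# Added example: audit the directories this page asks you to exclude.
# Directory paths come from the page; $trusted and $writeMask are assumptions.
$dirs = @(
    (Join-Path $env:ProgramData  'Qualys\QualysAgent'),
    (Join-Path $env:ProgramFiles 'Qualys\QualysAgent')
)
# SYSTEM, BUILTIN\Administrators, TrustedInstaller (well-known SIDs)
$trusted = @('S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
# Specific write rights plus the GENERIC_WRITE and GENERIC_ALL bits
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Not present: $dir"
        continue
    }
    # 1. Which principals outside the trusted list can write into the excluded directory?
    (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'WritableByUntrusted'; Path = $dir
                Detail = "$($_.IdentityReference.Value) : $($_.FileSystemRights)"
            }
        }
    # 2. Every executable under the excluded directory should have a valid signature.
    Get-ChildItem -LiteralPath $dir -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'SignatureNotValid'; Path = $_.Path
                Detail = "$($_.Status)"
            }
        }
}
```

Run it from an elevated prompt; no output means neither check found anything to review.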