Configure EDR settings

You can enable the EDR module for a profile and configure which events are transmitted to the Qualys Cloud Platform.

- Toggle Enable EDR module for this profile to ON. This is required for EDR data collection to occur.

- Configure what EDR artifacts are transmitted to the Qualys Cloud Platform. Defaults are provided as shown, so this step is optional. You can configure values for max event log size, payload threshold time, and maximum disk usage for EDR data. Toggle a configuration setting to ON before using it. You must set at least one configuration setting to ON if you have enabled EDR for this profile.

Sample CA configuration profile showing EDR settings

(EDR settings are available only when EDR is enabled for your subscription)

EDR settings

The following configuration settings define the conditions after which EDR events are transmitted to the Qualys Cloud Platform:

Max event log size - EDR events are transmitted to the Qualys Cloud Platform when the EDR event log file reaches the maximum specified size. You can specify a file size between 10 KB and 10240 KB. Default is 1024 KB. This value can be lower if the Payload threshold time is lower.

Payload threshold time - EDR events are transmitted to the Qualys Cloud Platform when the EDR payload threshold time is hit, i.e., when the specified number of seconds has elapsed since the previous payload was sent to the Qualys Cloud Platform. You can specify a threshold between 30 seconds and 1800 seconds. Default is 60 seconds. A lower value is better for preventing data loss on busy systems.

Maximum disk usage for EDR Data - This is the maximum size on disk available to a Cloud Agent for caching EDR events to be sent to the Qualys Cloud Platform for processing. If the maximum size is reached, the oldest events are deleted to create space for newly generated events. You can specify a disk usage size between 100 MB and 2048 MB. Default is 1024 MB.
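A sizing sketch for the three settings above, added here as an example and not Qualys code: it checks values against the documented ranges and estimates which trigger sends a payload first and how long the disk cache lasts before the oldest events are deleted. The `EdrSettings` class, the `estimate` function, the steady event rate, the binary units, and the "whichever trigger comes first" behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass

# Ranges and defaults as documented on this page.
LIMITS = {
    "max_event_log_kb": (10, 10240),
    "payload_threshold_s": (30, 1800),
    "max_disk_usage_mb": (100, 2048),
}

@dataclass
class EdrSettings:  # hypothetical container, not a Qualys API object
    max_event_log_kb: int = 1024
    payload_threshold_s: int = 60
    max_disk_usage_mb: int = 1024

    def validate(self):
        """Return a list of range violations (empty list means valid)."""
        errors = []
        for name, (low, high) in LIMITS.items():
            value = getattr(self, name)
            if not low <= value <= high:
                errors.append(f"{name}={value} outside {low}-{high}")
        return errors

def estimate(settings, event_bytes_per_s):
    """Estimate transmit behaviour for a constructed, steady event rate.

    Assumptions (not from the page): 1 KB = 1024 bytes, 1 MB = 1024 KB,
    a payload is sent when either trigger is hit, whichever comes first,
    and the cache figure applies while the agent cannot transmit.
    """
    errors = settings.validate()
    if errors:
        raise ValueError("; ".join(errors))
    if event_bytes_per_s <= 0:
        raise ValueError("event rate must be positive")
    secs_to_fill_log = settings.max_event_log_kb * 1024 / event_bytes_per_s
    size_first = secs_to_fill_log < settings.payload_threshold_s
    interval = min(secs_to_fill_log, settings.payload_threshold_s)
    # Time the cache can absorb events before the oldest ones are deleted.
    cache_s = settings.max_disk_usage_mb * 1024 * 1024 / event_bytes_per_s
    return {
        "trigger": "max_event_log_size" if size_first else "payload_threshold_time",
        "send_interval_s": round(interval, 1),
        "offline_cache_hours": round(cache_s / 3600, 2),
    }
```

With the defaults, a host producing 64 KB of events per second fills the log in 16 seconds, so the size trigger fires well before the 60-second timer, and the 1024 MB cache holds roughly four and a half hours of events.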

Enable and Disable Malware Protection

You can enable or disable malware protection for a profile.

Note: Qualys EDR can co-exist with other anti-malware software. However, if you are using Qualys EDR with Malware Protection enabled, admins must exclude the appropriate processes, internal tools, and anti-malware software so that our Malware Protection module does not inadvertently block their functionality. Failing to exclude processes might affect your operations and cause problems with application functionality. You can review the default AV configuration policy and make necessary changes based on your organizational requirements using the Configuration tab in the EDR module.

You can disable malware protection for a profile. When you disable malware protection, a Confirmation dialog box appears to inform you that malware protection will be removed from the agent hosts associated with the configuration profile, and you can choose to confirm or cancel the action. This prevents accidental disablement of malware protection.
