Configuration Profile Settings

General Info

Name your configuration profile

Give it a name that helps you to identify it when you assign it to agents. The name can have a maximum of 256 characters.

Make this profile the default

Select this option and we'll automatically apply this configuration profile when you install agents. This saves you time!

Suspend Scanning on all agents using this profile

Select if you want all agents using this configuration profile to stop scanning their hosts. What happens? Agents will stop scheduling scans once the profile is downloaded to the agent host. A scan that is in progress at the time of the profile download is allowed to complete, including all scan subevents (e.g. change list upload, snapshot download, merging). Agents will continue to self-update (get new versions), get manifest updates, and get configuration updates after scanning is stopped.

Enable self protection

For Windows Agent 4.6 or later, select this option if you want to prevent tampering with the Qualys Cloud Agent. This includes uninstallation, termination of the agent process, and manipulation of registry keys, files and directories owned by the agent.

SQLite In-Memory Databases

Windows Cloud Agents with SQLite In-Memory Databases enabled use slightly more memory, slightly less CPU, and less disk. This option is disabled by default.

Prevent auto updating of the agent binaries

Select if you want all agents using this configuration profile to stop self-upgrade. The agents will then retain the same agent version and will not be auto-updated. This configuration profile setting applies to Windows Agent 1.5.5+ and Linux/Unix/MacOS Agent 1.6.0+.

Description for this profile

Enter a description for your configuration profile. This will be saved with the profile settings and will be visible to all users with access to it.

 

Blackout Windows

Defining blackout windows

Configure as many blackout windows as you like. Each window is defined for a timeframe on certain days of the week. Blackout window configuration cannot be 24 hours a day for all 7 days, as the agent will no longer be able to communicate with the platform.
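The following check is an added example, not part of the Qualys documentation or product: it takes a set of blackout windows and reports whether they add up to 24 hours a day on all 7 days, and how long the longest stretch without platform communication is. The `(days, start, end)` layout and the rule that an end time at or before the start time runs past midnight are assumptions of this example.

```python
# Added example: audit blackout windows for the "24 hours a day, all 7 days" case.
# The (days, start, end) tuple layout is an assumed representation, not a Qualys format.
MIN_PER_DAY = 24 * 60
MIN_PER_WEEK = 7 * MIN_PER_DAY
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def to_minutes(hhmm):
    """Convert "HH:MM" (00:00 through 24:00) to minutes after midnight."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    total = hours * 60 + minutes
    if hours < 0 or not 0 <= minutes < 60 or total > MIN_PER_DAY:
        raise ValueError(f"invalid time: {hhmm!r}")
    return total


def blocked_map(windows):
    """Return one flag per minute of the week, set where any window applies."""
    week = bytearray(MIN_PER_WEEK)
    for days, start, end in windows:
        first, last = to_minutes(start), to_minutes(end)
        # Assumption: end <= start means the window runs past midnight.
        length = last - first if last > first else last - first + MIN_PER_DAY
        for day in days:
            base = DAYS.index(day) * MIN_PER_DAY + first
            for offset in range(length):
                week[(base + offset) % MIN_PER_WEEK] = 1
    return week


def audit_blackouts(windows):
    """Summarise how much of the week is left for agent communication."""
    week = blocked_map(windows)
    open_minutes = MIN_PER_WEEK - sum(week)
    longest = run = 0
    # Walk the week twice so a block spanning Sunday night into Monday is counted once.
    for flag in bytes(week) * 2:
        run = run + 1 if flag else 0
        longest = max(longest, run)
    return {
        "open_minutes": open_minutes,
        "never_reachable": open_minutes == 0,
        "longest_block_minutes": min(longest, MIN_PER_WEEK),
    }


# Constructed sample: weekday business hours plus a weekend overnight window.
SAMPLE = [(("Mon", "Tue", "Wed", "Thu", "Fri"), "08:00", "18:00"),
          (("Sat", "Sun"), "22:00", "06:00")]
```

Two windows that each look partial (for example 00:00 to 12:00 and 12:00 to 00:00 on every day) together set `never_reachable`, which is the case the profile does not allow.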

Performance Settings

Customize performance settings

Select a pre-defined performance level (Low, Normal, High) and customize the individual settings. Your settings will be saved with the profile.

VM Scan Mode

Enable VM Scan Mode

Turn on the Customize toggle button to enable the settings. Scroll to the UNIX SPECIFIC PARAMETERS (versions 5.x and above) section and select the required option from the drop-down menu. Your settings are saved with the profile.

What happens to the Agents

Based on the toggle settings you configure, the Qualys Agent scan is performed in one of the following modes:

- Agent configured user permissions: Qualys Agent runs VM scan with the same privileges configured by the customer to run Qualys Agent.

- Safe mode: Qualys Agent runs the VM scan only with lower privileges and does not run any commands or binaries with elevated privileges.

- Dynamic privilege elevation: By default, Qualys Agent runs the VM scan with lower privileges. However, the Cloud Agent dynamically elevates privileges to root access only for those commands that failed due to insufficient permissions at the lower privilege level.

Default Settings

By default, the Customize toggle button is turned off. To enable the VM Scan Mode, you need to enable the Customize toggle button.

Note: Even if the Customize toggle button is turned off, the configuration profile will have the Agent User privileges enabled.

By default, when the Customize toggle button is turned on, the Agent User option is selected in the VM Scan Mode drop-down menu.

New Performance Profile

Name this performance profile

Give this performance profile a name to help you recognize it.

Set parameters

The performance settings control how agents run the scripts in the agent manifest, which is managed by the cloud platform. You can configure how agents gather security data and upload it to the cloud, agent installation and self-updates, and how agents receive and transmit data in the cloud.

Assign Hosts

Assign hosts to this profile (by tag or by name)

Assign tags and we'll assign this profile to the agent hosts with these tags. Go to the AssetView (AV) application to create and manage tags.

Choose agent hosts by name and we'll directly assign this profile to the hosts you pick.

Agent Scan Merge

Toggle Enable Agent Scan Merge to ON if you wish to enable agent scan merge for the configuration profile.

If this option is enabled, unauthenticated and authenticated vulnerability scan results from agent VM scans for your cloud agent assets will be merged.

If you toggle Bind All to ON, the service tries to connect to all the listed ports. Otherwise, the service tries to connect only to the lowest free port among those specified.

Scan Interval

Configure Data Collection Interval

Configure the interval at which the agent collects data for the assets associated with this profile. The data collection interval is the time between the completion of the previous scan and the start of the next scan. Specify a value between 240 minutes (4 hours) and 43200 minutes (30 days). Default is 240 minutes.

Configure Scan Delay

The time added to the start of scanning, both for new installs and for interval scanning. A value of 0 (zero) means no delay is added. Scan Delay configuration is only supported for Windows Cloud Agent 4.4 and later versions.

Configure Scan Randomize

The range of randomization added to Scan Delay to offset scanning. For example, if the randomization range is 60 minutes, then a random number between 1 and 60 is calculated and used to delay the start of the next scanning interval. A value of 0 (zero) means no randomization will occur. Scan Randomize configuration is only supported for Windows Cloud Agent 4.4 and later versions.
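The model below is an added example, not agent code or anything published by Qualys: it combines the Data Collection Interval, Scan Delay and Scan Randomize settings into a next-start time and measures how many agents in a fleet would start scanning in the same minute. The scheduling formula is this example's reading of the three settings, and the 1000-agent fleet that all finished a scan at minute 0 is constructed.

```python
# Added example: models how Scan Delay and Scan Randomize offset scan starts.
# The scheduling formula is this example's reading of the settings, not agent code.
import random
from collections import Counter

INTERVAL_RANGE = (240, 43200)  # minutes, limits stated for Data Collection Interval


def next_scan_start(completed_at, interval, delay=0, randomize=0, rng=random):
    """Minute at which the next scan starts, given when the previous one completed."""
    low, high = INTERVAL_RANGE
    if not low <= interval <= high:
        raise ValueError(f"interval must be {low}-{high} minutes, got {interval}")
    if delay < 0 or randomize < 0:
        raise ValueError("delay and randomize must be 0 or greater")
    # A range of N adds a random 1..N minutes; 0 disables randomization.
    jitter = rng.randint(1, randomize) if randomize else 0
    return completed_at + interval + delay + jitter


def peak_concurrent_starts(agents, interval, delay, randomize, seed=0):
    """Return (peak starts in one minute, earliest start, latest start).

    Assumes every agent finished its previous scan at minute 0 (worst case,
    for example after a mass rollout). The seed only makes the run repeatable.
    """
    rng = random.Random(seed)
    starts = Counter(
        next_scan_start(0, interval, delay, randomize, rng) for _ in range(agents)
    )
    return max(starts.values()), min(starts), max(starts)


if __name__ == "__main__":
    # Constructed fleet of 1000 agents on the default 240-minute interval.
    for spread in (0, 60):
        peak, first, last = peak_concurrent_starts(1000, 240, 10, spread)
        print(f"randomize={spread:>2}: peak {peak} starts/minute, "
              f"window {first}-{last}")
```

With a randomize range of 0 every agent in the model starts in the same minute; with a range of 60 the starts are spread across the following hour.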

FIM

FIM configuration

Enable FIM for this agent, and then specify settings for transmitting FIM data to the Qualys Cloud Platform.

FIM events are transmitted to the Qualys Cloud Platform when any of the following occurs: the FIM event log file reaches the maximum specified size, the payload threshold time is hit, or the disk usage for total FIM data on the agent reaches the maximum specified size.

Max event log size

FIM events are transmitted to the Qualys Cloud Platform when the FIM event log file reaches the maximum specified size. You can specify a file size between 10 KB and 10240 KB. Default is 1024 KB. This value can be lower if the Payload threshold time is lower.

Payload threshold time

FIM events are transmitted to the Qualys Cloud Platform when the FIM payload threshold time is hit, i.e., the specified number of seconds elapses after the previous payload was sent to the Qualys Cloud Platform. You can specify a threshold between 30 seconds and 1800 seconds. Default is 300 seconds. A lower value is better for preventing data loss on busy systems.

Maximum disk usage for FIM Data

This is the maximum size on disk available to a Cloud Agent for caching FIM events to be sent to the Qualys Cloud Platform for processing. If the maximum size is reached, the oldest events are deleted to make space for newly generated events. You can specify a disk usage size between 100 MB and 2048 MB. Default is 300 MB.

Configure Data Collection Interval

Configure the interval at which the agent collects data for the assets associated with this profile. The data collection interval is the time between the completion of the previous scan and the start of the next scan. Specify a value between 240 minutes (4 hours) and 43200 minutes (30 days). Default is 360 minutes.

SCA

Configure Data Collection Interval

Configure the interval at which the agent collects data for the assets associated with this profile. The data collection interval is the time between the completion of the previous scan and the start of the next scan. Specify a value between 240 minutes (4 hours) and 43200 minutes (30 days). Default is 240 minutes.

EDR

EDR configuration

Enable EDR for this agent, and then specify settings for transmitting EDR data to the Qualys Cloud Platform.

Max event log size

EDR events are transmitted to the Qualys Cloud Platform when the EDR event log file reaches the maximum specified size. You can specify a file size between 10 KB and 10240 KB. Default is 1024 KB. This value can be lower if the Payload threshold time is lower.

Payload threshold time

EDR events are transmitted to the Qualys Cloud Platform when the EDR payload threshold time is hit, i.e., the specified number of seconds elapses after the previous payload was sent to the Qualys Cloud Platform. You can specify a threshold between 30 seconds and 1800 seconds. Default is 60 seconds. A lower value is better for preventing data loss on busy systems.

Maximum disk usage for EDR Data

This is the maximum size on disk available to a Cloud Agent for caching EDR events to be sent to the Qualys Cloud Platform for processing. If the maximum size is reached, the oldest events are deleted to make space for newly generated events. You can specify a disk usage size between 100 MB and 2048 MB. Default is 1024 MB.

PM

PM configuration

PM is enabled by default. Review/update PM configuration settings as appropriate.

Cache size

This setting determines how much space the agent should allocate to store downloaded patches on the asset. By default, 2048 MB are allocated. If you are planning on using the opportunistic download, where an agent downloads patches before deployment, it is recommended to increase the cache size, or to allow for Unlimited Cache size. Note that the agent will clear the cached files after deployment.