Common questions about vulnerability assessment

What is the Auto-Provisioning feature for BYOL, and can it work on multiple solutions?

The Defender for Cloud BYOL integration allows only one solution to have auto-provisioning enabled per subscription. This feature scans all unhealthy machines in the subscription (those without any VA solution installed) and automatically remediates them by installing the selected VA solution. Auto-provisioning will use the single selected BYOL solution for remediation. If no solution is selected or if multiple solutions have auto-provisioning enabled, the system will not perform auto-remediation, as it can't implicitly decide which solution to prioritize.

Why do I have to specify a resource group when configuring a Bring Your Own License (BYOL) solution?

When you set up your solution, you must choose a resource group to attach it to. The solution isn't an Azure resource, so it won't be included in the list of the resource group’s resources. Nevertheless, it's attached to that resource group. If you later delete the resource group, the BYOL solution is unavailable.

Are there any additional charges for the Qualys license?

No. The built-in scanner is free to all Microsoft Defender for Servers users. The recommendation deploys the scanner with its licensing and configuration information. No additional licenses are required.

What prerequisites and permissions are required to install the Qualys extension?

You'll need write permissions for any machine on which you want to deploy the extension.

The Microsoft Defender for Cloud vulnerability assessment extension (powered by Qualys), like other extensions, runs on top of the Azure Virtual Machine agent. So it runs as Local Host on Windows, and Root on Linux.

During setup, Defender for Cloud checks to ensure that the machine can communicate over HTTPS (default port 443) with the following two Qualys data centers:

  • https://qagpublic.qg3.apps.qualys.com - Qualys' US data center
  • https://qagpublic.qg2.apps.qualys.eu - Qualys' European data center

The extension doesn't currently accept any proxy configuration details. However, you can configure the Qualys agent's proxy settings locally in the Virtual Machine. Please follow the guidance in the Qualys documentation:

Can I remove the Defender for Cloud Qualys extension?

If you want to remove the extension from a machine, you can do it manually or with any of your programmatic tools.

You'll need the following details:

  • On Linux, the extension is called LinuxAgent.AzureSecurityCenter and the publisher name is Qualys.
  • On Windows, the extension is called WindowsAgent.AzureSecurityCenter and the provider name is Qualys.

How can I check that the Qualys extension is properly installed?

You can use the curl command to check the connectivity to the relevant Qualys URL. A valid response would be: {"code":404,"message":"HTTP 404 Not Found"}

In addition, make sure that the DNS resolution for these URLs is successful and that everything is valid with the certificate authority that is used.

How does the extension get updated?

Like the Microsoft Defender for Cloud agent itself and all other Azure extensions, minor updates of the Qualys scanner might automatically happen in the background. All agents and extensions are tested extensively before being automatically deployed.

Why does my machine show as "not applicable" in the recommendation?

If you have machines in the not applicable resources group, Defender for Cloud can't deploy the vulnerability scanner extension on those machines because:

  • The vulnerability scanner included with Microsoft Defender for Cloud is only available for machines protected by Microsoft Defender for Servers.

  • It's a PaaS resource, such as an image in an AKS cluster or part of a virtual machine scale set.

  • It's not running one of the supported operating systems.

Can the built-in vulnerability scanner find vulnerabilities on the VMs network?

No. The scanner runs on your machine to look for vulnerabilities of the machine itself, not for your network.

Does the scanner integrate with my existing Qualys console?

The Defender for Cloud extension is a separate tool from your existing Qualys scanner. Licensing restrictions mean that it can only be used within Microsoft Defender for Cloud.

How quickly will the scanner identify newly disclosed critical vulnerabilities?

Within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.

If I deploy a Qualys agent, what communications settings are required?

The Qualys Cloud Agent is designed to communicate with Qualys's SOC at regular intervals for updates, and to perform the various operations required for product functionality. To allow the agent to communicate seamlessly with the SOC, configure your network security to allow inbound and outbound traffic to the Qualys SOC CIDR and URLs.

There are multiple Qualys platforms across various geographic locations. The SOC CIDR and URLs differ depending on the host platform of your Qualys subscription. Identify your Qualys host platform.