Welcome to Qualys Patch Management
To complete this course, you’ll need to download a couple of training documents:
1. The “VMDR Lab Tutorial Supplement” contains links that allow you to play the lab
tutorials for this course.
2. You can also download a copy of the course presentation slides.
Both documents are available in PDF file format from the Qualys Training and
Certification Portal (qualys.com/learning).
1. When you click the link to open a lab tutorial, it will open up in your default Web
browser. If you would like to play the tutorial in a different browser, you can copy
this link and paste it into the address field of another browser.
2. When the lab tutorial opens, click the icon in the upper-right corner to maximize
your screen size.
3. When you're ready to play the tutorial, click the start button.
This course begins with an introduction to Patch Management, where I’ll show you
where Qualys PM fits into the Qualys VMDR Lifecycle. We’ll take a quick look at
supported operating systems and finish by highlighting some of the more important
features and benefits of the Qualys PM application.
In the “PM Activation & Setup” section, I’ll identify the requirements for activating and
setting up the Qualys PM module. You’ll perform a lab exercise that will walk you
through PM’s activation and setup steps.
The final section of this course focuses on “Working with Qualys PM.” After a quick
overview of the PM application, you’ll learn how to create patch jobs within the PM
application, as well as creating jobs within Qualys VM and VMDR.
In this section I’ll show you where Qualys PM fits into the Qualys VMDR Lifecycle. We’ll
take a quick look at supported operating systems and highlight some features and
benefits of the Qualys PM application.
Although Qualys PM can successfully function on its own, when combined with
Qualys Vulnerability Management, Qualys PM automatically correlates or matches
discovered vulnerabilities with their required patches, so you can prioritize patches that
fix your existing high-risk vulnerabilities.
With Qualys Patch Management, you can extend the functionality of your existing
Qualys agents, by simply enabling the PM module.
Qualys PM provides both OS and application patches, including those from third-party
software vendors.
Qualys PM provides patching just about anywhere an Internet connection is available,
including airports, coffee shops, and remote offices. A VPN connection to your
corporate network is NOT required.
Qualys agents can identify superseded patches, allowing you to patch more efficiently.
When Qualys PM is deployed as part of the Qualys VMDR lifecycle, you can build patch
jobs that target specific vulnerabilities, vulnerability severity levels and even
vulnerabilities with known and existing threats.
Patch Management is an important component of the Qualys Vulnerability
Management Detection and Response Lifecycle, which begins (step 1) by identifying and
managing all assets throughout your enterprise architecture.
In steps two and three, your enterprise assets are analyzed for vulnerabilities which are
then prioritized according to severity levels as well as known or existing threats.
The final step of the VMDR Lifecycle (step 4) is the focus of this training course. We’ll
show you how Qualys PM allows you to respond to detected vulnerabilities and threats,
within days or even hours, rather than weeks or months.
Agent host assets receive their patches from vendor Global Content Distribution
Networks (CDNs). Host assets will receive their patches directly from the vendors that
created the patches; this includes both OS and application patches.
Qualys uses digital signatures and hash values to validate downloaded patches, which
are validated again using Qualys Malware Insights.
Qualys Gateway Server (QGS) provides the advantage of caching downloaded patches:
patch downloads requested by one agent are cached on QGS and made available
locally for other agents that need the same patch.
CDN - A content delivery network, or content distribution network
In this section, we’ll examine the requirements and steps for activating and setting up
Qualys PM.
Here is the list of steps, or workflow of events, that will allow Qualys PM to begin
patch assessments and deployments on host assets.
1. The first step is to install the Qualys agent on targeted host assets.
2. In step two, you’ll then assign your targeted assets to a CA Configuration
Profile that has PM enabled. The new configuration profile will be
downloaded to the targeted hosts the very next time their agents check in.
3. If you have not already activated the PM module, you’ll perform this task in
step 3. Notice that steps 1, 2, and 3 are all performed within the Cloud Agent
application.
4. Step four is performed within the PM application. You’ll need to assign PM
licenses to the hosts. This is done under the Licenses tab using asset tags.
5. This is an optional step - here you’ll assign the target assets to an enabled
PM Assessment Profile. Once this step is completed, patch assessments
will be performed at the configured time interval. A patch assessment scan
simply identifies which patches are missing and which ones are already
installed on the host. If you do not add the hosts to a custom profile, the
default assessment profile will be used.
6. With the above steps completed, you’re ready to configure a patch
deployment job or a patch uninstall job.
Agent host assets with the PM module activated must be assigned to a
Configuration Profile that has PM enabled.
Cache size specifies the amount of disk cache available for downloaded
patches. At least 2 gigabytes of cache is recommended to accommodate
Windows Updates.
Qualys Cloud Agent Gateway can serve as a patching proxy for agent host
assets (all OS and application patches are cached on the "local" Cloud Agent
Gateway Server).
You have the option of activating the Patch Management module, via the agent
Activation Key, or within the CA user interface or perhaps using the CA
Application Program Interface (or API).
This section provides a quick overview of the Patch Management application, before
we begin a detailed discussion of the various application components.
The PM user interface is divided into five sections.
Patch jobs can be created from the ASSETS, PATCHES, and JOBS sections.
An assessment profile specifies the frequency of your patch assessment scans,
which determine the installed and missing patches for your agent host assets.
The "System Profile" is already added to your account and is used by default for
agents that do not belong to another profile.
Within the "Licenses" tab of the CONFIGURATION section, use Asset Tags to
specify which agent host assets are eligible for patching.
Only AGENT host assets can consume a patching license.
When building or configuring a Deployment Job, you have the option of selecting
assets individually (by Asset Name) or by using Asset Tags.
By default, the Patch Selector only lists patches that are "Within Scope" of the
host assets that are targeted.
To improve efficiency, use the search field to focus on patches that have NOT
been superseded (isSuperseded: false), which can significantly reduce the total
number of patches to be installed.
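The saving from excluding superseded patches comes from supersedence being transitive: a cumulative update that supersedes last month's update also covers everything that update superseded. The following is an added example, not Qualys code, that walks a small constructed catalog and applies the equivalent of the "isSuperseded: false" filter to each host's missing-patch list; the catalog entries, host names and the "supersedes" field layout are all assumptions made for the illustration.

```python
from typing import Dict, List, Set

# Constructed sample catalog (not Qualys data). Each entry lists the older
# patch IDs it supersedes, i.e. whose fixes it already contains.
CATALOG: Dict[str, Dict] = {
    "KB5001":  {"product": "Windows 10",  "supersedes": []},
    "KB5002":  {"product": "Windows 10",  "supersedes": ["KB5001"]},
    "KB5003":  {"product": "Windows 10",  "supersedes": ["KB5002"]},
    "APP-7.1": {"product": "Acme Reader", "supersedes": []},
    "APP-7.2": {"product": "Acme Reader", "supersedes": ["APP-7.1"]},
    "LIB-2.0": {"product": "Acme Lib",    "supersedes": []},
}

# Constructed assessment results: the patches each host is currently missing.
MISSING: Dict[str, List[str]] = {
    "host-a": ["KB5001", "KB5002", "KB5003", "APP-7.1", "APP-7.2"],
    "host-b": ["KB5002", "KB5003", "LIB-2.0"],
}


def superseded_ids(catalog: Dict[str, Dict]) -> Set[str]:
    """Return every patch ID that some catalog entry supersedes, directly or
    transitively (KB5003 -> KB5002 -> KB5001 marks both older KBs)."""
    superseded: Set[str] = set()
    for entry in catalog.values():
        stack = list(entry["supersedes"])
        seen: Set[str] = set()
        while stack:
            older = stack.pop()
            if older in seen:          # guard against cyclic metadata
                continue
            seen.add(older)
            superseded.add(older)
            # follow the chain further back through the catalog
            stack.extend(catalog.get(older, {}).get("supersedes", []))
    return superseded


def latest_missing(catalog: Dict[str, Dict],
                   missing: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per host, keep only the missing patches that nothing in the catalog
    supersedes: the same view the isSuperseded: false search gives."""
    old = superseded_ids(catalog)
    return {host: sorted(p for p in patches if p not in old)
            for host, patches in missing.items()}


def reduction(catalog: Dict[str, Dict], missing: Dict[str, List[str]]):
    """Total patch installs before and after the supersedence filter."""
    before = sum(len(v) for v in missing.values())
    after = sum(len(v) for v in latest_missing(catalog, missing).values())
    return before, after


if __name__ == "__main__":
    for host, patches in latest_missing(CATALOG, MISSING).items():
        print(host, patches)
    print("installs before/after filter:", reduction(CATALOG, MISSING))
```

On this constructed data the filter cuts host-a's list from five installs to two and the job total from eight to four. The filter is catalog-wide, so check that the superseding patch is actually deployable in the job (for instance, not one that must be obtained from the vendor site) before relying on it to cover the older ones.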
You have the option to run a job "On-demand" or schedule it to run at another
time.
Recurring jobs can be scheduled to run daily, weekly or monthly. Monthly jobs
that are scheduled to run on the 31st of the month will be scheduled every two
months (where the 31st is available).
A recurring job (daily, weekly, monthly) is enabled three hours prior to its
scheduled time.
The option to enable opportunistic patch downloads allows Qualys Patch
Management to attempt to download patches before the patch job starts (which can
save time).
The pre-deployment message appears at the start of a patch job. Configure
deferment options for this notification to allow end-users to postpone patching.
When patching begins, the deployment in progress message will be displayed.
The Deployment complete message will appear when the job is finished.
The "Suppress Reboot" option can be used to prevent installed patches from
rebooting the host system.
The reboot request option will notify end-users that patch installation was
successful and a system reboot is required. You can configure deferment
options for the reboot request, as well.
You also have the option to display a reboot countdown for host systems.
The PM module uses a separate process (Qualys Cloud Agent UI) for managing
patching messages and notifications displayed to end-users on the target host.
This includes messages such as patching is about to begin, patching is in
progress, and patching has completed.
Another process (stdeploy.exe) is responsible for installing the patches included
in the patch jobs you create.
Job progress status is displayed for all affected host assets.
Status types include:
• Pending – job has not started
• Job Sent – job sent to target host
• Downloaded – patches successfully downloaded
• Patching – patching in progress
• Reboot Pending – job completion is pending a host reboot
• Completed – job successfully completed (patches INSTALLED, FAILED, and
SKIPPED are displayed)
• and more...
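When a job covers many hosts, the per-host status list is what you roll up to find stalled hosts, hosts still waiting on a reboot, and patches that failed. The following is an added example, not Qualys code: it summarizes a few constructed job-progress records using the status names listed above; the record layout, the host names, the patch IDs and the choice of which states count as terminal are assumptions made for the illustration.

```python
from collections import Counter
from typing import Dict, List

# Assumed for this example: states in which the agent has nothing further
# to do for the job (the reboot itself is left to the end-user or a policy).
TERMINAL = {"Completed", "Reboot Pending"}

# Constructed job-progress records (sample data, not Qualys output). Per-patch
# results (INSTALLED / FAILED / SKIPPED) are only present once a host
# reaches Completed.
JOB_STATUS: List[Dict] = [
    {"host": "host-a", "status": "Completed",
     "patches": {"KB5003": "INSTALLED", "APP-7.2": "FAILED"}},
    {"host": "host-b", "status": "Reboot Pending", "patches": {}},
    {"host": "host-c", "status": "Pending", "patches": {}},
    {"host": "host-d", "status": "Completed",
     "patches": {"KB5003": "SKIPPED", "APP-7.2": "INSTALLED"}},
    {"host": "host-e", "status": "Patching", "patches": {}},
]


def status_counts(records: List[Dict]) -> Dict[str, int]:
    """How many hosts sit in each status."""
    return dict(Counter(r["status"] for r in records))


def hosts_in_progress(records: List[Dict]) -> List[str]:
    """Hosts whose job has not reached a terminal state; these are the ones
    to watch if a job seems stuck (agent offline, download not finished)."""
    return sorted(r["host"] for r in records if r["status"] not in TERMINAL)


def hosts_awaiting_reboot(records: List[Dict]) -> List[str]:
    """Hosts where patches are installed but completion waits on a reboot."""
    return sorted(r["host"] for r in records if r["status"] == "Reboot Pending")


def failed_patches(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each patch that reported FAILED to the hosts it failed on."""
    out: Dict[str, List[str]] = {}
    for r in records:
        for patch, result in r["patches"].items():
            if result == "FAILED":
                out.setdefault(patch, []).append(r["host"])
    return {patch: sorted(hosts) for patch, hosts in out.items()}


def patch_outcomes(records: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Per patch, how many hosts reported INSTALLED, FAILED or SKIPPED."""
    out: Dict[str, Counter] = {}
    for r in records:
        for patch, result in r["patches"].items():
            out.setdefault(patch, Counter())[result] += 1
    return {patch: dict(c) for patch, c in out.items()}


if __name__ == "__main__":
    print("status counts:", status_counts(JOB_STATUS))
    print("still in progress:", hosts_in_progress(JOB_STATUS))
    print("awaiting reboot:", hosts_awaiting_reboot(JOB_STATUS))
    print("failed patches:", failed_patches(JOB_STATUS))
    print("per-patch outcomes:", patch_outcomes(JOB_STATUS))
```

A patch that fails on one host but installs on others (APP-7.2 here) usually points at a host-specific condition rather than a bad patch, so the per-patch breakdown is the first thing to check before re-running the job.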
Cloning an existing job allows you to create a deployment job with test assets and then
clone it to create a new job with production assets.
By default, the PATCHES section lists the missing application and operating
system patches, for agent host assets.
By default, only the latest (non-superseded) and missing patches are displayed. This is
done to help you focus on the essential patches required by your host assets.
To view ALL patches in the catalog, remove (uncheck) the “Missing” and
“Non-superseded” filter options.
Download patch from the vendor site
The Patches tab displays a key icon for patches that cannot be downloaded via the
Qualys Cloud Agent. This "key" shaped icon indicates that the patch must be acquired
from the vendor.
If you try to add such a patch to a patch job, the system will display a message
indicating that it will not be added to the job.
Only “Rollback” patches in the catalog are candidates for an Uninstall Job. Not all
patches can be uninstalled.
Once patch assessments have been successfully completed, the ASSETS
section will display the number of patches that are presently missing and the
number of patches already installed for the host assets in your Patch
Management subscription.