
Patch Management (PM)

Lab Tutorial Supplement

Table of Contents
PM ACTIVATION & SETUP .................................................................................................................................... 3
CONFIGURATION PROFILE .......................................................................................................................................................... 3
ACTIVATE PM MODULE .............................................................................................................................................................. 4
ASSESSMENT PROFILE ................................................................................................................................................................. 4
PM DEPLOYMENT JOB ........................................................................................................................................... 5
CREATE DEPLOYMENT JOB ......................................................................................................................................................... 6
PATCHING FROM VM AND VMDR ................................................................................................................... 10
VMDR PRIORITIZATION REPORT ................................................................................................................... 11
UNINSTALL JOB .................................................................................................................................................... 13
PM ASSETS .............................................................................................................................................................. 14
PM PATCHES .......................................................................................................................................................... 16

PM Activation & Setup
To successfully use the Qualys Patch Management (PM) application, the following
configuration steps are required:
1. Install Qualys Cloud Agent (CA) on target host.
2. Assign target agent host to CA Configuration Profile that has PM enabled.
3. Activate Patch Management (PM) module for target agent host.
4. Assign target agent host to PM Assessment Profile.
5. Create one or more Jobs to either deploy or uninstall patches (configure patch
license consumption).
Please note, when Asset Tags are strategically used for host assignment, steps 2, 4 and 5
(listed above) can potentially be performed prior to agent installation (step 1).
Navigate to the following URL to view the “PM Activation & Setup” tutorial:

Lab 1- http://ior.ad/782Z

Configuration Profile

Patchable host assets must belong to a Configuration Profile with the “Patch
Management” module enabled.

Ensure the “Enable PM module for this profile” switch is in the “ON” position.
Cache size – The PM agent will download patches for installation to the host cache.
Patches are downloaded directly from vendor sites, or optionally from Qualys Gateway
Server (QGS). The cache size configured must be large enough to accommodate all
patches. Cache size can range from 512 MB - 10 GB, or select the “Unlimited” option to
prevent patch downloads from exceeding available cache space.
A 2 GB minimum cache size is recommended for downloading Windows Updates.
Activate PM Module
Within the “Cloud Agent” application, the PM module must be activated for “patchable”
assets.

Simply use the “Quick Actions” menu of an agent host to select the “Activate for PM”
option. Alternatively, use the Cloud Agent API to activate agents in bulk.

Assessment Profile

Within the “Patch Management” application, an Assessment Profile allows you to
specify the frequency at which host assets are scanned for missing and installed patches.

By default, any host that is not assigned to a specific profile will be assigned to the
System Profile.

PM Deployment Job
While a patch assessment is useful for providing a list of “installed” and “missing”
patches, “Deployment Jobs” perform the tasks of actually installing patches to host
assets.
Navigate to the following URL to view the “PM Deployment Job” tutorial:

Lab 2 - http://ior.ad/78h4

Before creating any job, you’ll need to add “patchable” agent hosts to the “Licenses” tab
(within the CONFIGURATION section of the Patch Management application).

Use Asset Tags to include host assets for license consumption. The “Total Consumption”
indicator is updated with the number of agent hosts labelled with the tag(s) included.

Create Deployment Job
You can create a “Deployment Job” for agent host assets that are missing patches.
Presently, you can add a maximum of 2000 patches to a single job.

While it is common to build a job from the JOBS section of the PM application, jobs can
also be created within the PATCHES and ASSETS sections.
As you will see later, jobs can also be created from the Qualys VM Dashboard and the
VMDR Prioritization Report.

You can add assets to a job by Host Name or by Asset Tag. If you include more than one
Asset Tag, be sure to select an appropriate Boolean operator (i.e., Any or All).
By default, the “Patch Selector” displays patches that are “Within Scope” of the host
asset(s) your job is targeting.

For greater patching efficiency, consider selecting patches that have NOT been
superseded (“isSuperseded:false”) to eliminate older, redundant patches.

Patches that display the symbol will require a reboot.
If you attempt to add patches (to an existing job) that are already included, you will
receive a warning message similar to the one below:

Duplicate patches will not be added to a job.


You can run jobs on demand, or you can schedule your jobs to run at a future date and
time.

Schedule jobs to run once, or to recur on a daily, weekly or monthly basis.


You have the option to configure a “Patch Window” (i.e., “Set Duration” option), to run
the deployment job within a specific time frame.

A job will display the “Timed out” status if the installation does not start within the
specified patch window.
Select the “None” option to give a job as much time as it needs.
The Deployment and Reboot Communication Options allow you to specify the type of
“pop-up” messages end-users will receive before, during and after job deployment.

The “Deferment” settings provide active end-users the option to postpone the start of a
job and to postpone a system reboot (if required).

If no user is logged in, patching will begin as scheduled and rebooting will start
immediately following patch deployment.

The option to “Enable opportunistic patch downloads” potentially allows scheduled jobs
to save time by attempting to download patches prior to job execution.

Assets and patches can be added to any job that is “Disabled.”

Assets and patches can be added to a “Recurring” job, both before and after it is
“Enabled.”
Once patch deployment is complete, another patch assessment scan will begin
automatically and the number of missing and installed patches will be updated for the
affected host(s).
Use the “Quick Actions” menu to view the progress of any job.
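The job rules stated in this section (duplicate patches are not added, a job holds at most 2000 patches, assets and patches may be added to a disabled job or to a recurring job before and after it is enabled, and a job that does not start inside its patch window shows “Timed out” while the “None” option never times out) are easy to get wrong when scripting job creation. The following Python is an added example, not Qualys code or any Qualys API: a small model that enforces those rules so a practitioner can check a planned job before submitting it. The class and method names are assumptions for illustration.

```python
"""Model of the Deployment Job rules described in this tutorial.
Added example, not Qualys code; class and method names are illustrative."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

MAX_PATCHES_PER_JOB = 2000  # limit stated in the tutorial


@dataclass
class DeploymentJob:
    name: str
    enabled: bool = False
    recurring: bool = False
    # Patch window in minutes ("Set Duration"); None models the "None" option.
    window_minutes: Optional[int] = None
    patches: List[str] = field(default_factory=list)  # patch ids, insertion order
    assets: Set[str] = field(default_factory=set)     # host names or asset tags

    def accepts_changes(self) -> bool:
        """Assets and patches can be added to a disabled job, or to a
        recurring job both before and after it is enabled."""
        return (not self.enabled) or self.recurring

    def add_assets(self, *targets: str) -> None:
        if not self.accepts_changes():
            raise ValueError(f"{self.name}: enabled one-time job cannot be changed")
        self.assets.update(targets)

    def add_patches(self, patch_ids: Iterable[str]) -> Dict[str, object]:
        """Add patches to the job. Duplicates are reported and skipped, and
        the job never grows past MAX_PATCHES_PER_JOB."""
        if not self.accepts_changes():
            raise ValueError(f"{self.name}: enabled one-time job cannot be changed")
        added, duplicates, rejected = 0, [], []
        present = set(self.patches)
        for pid in patch_ids:
            if pid in present:
                duplicates.append(pid)   # "Duplicate patches will not be added to a job"
            elif len(self.patches) >= MAX_PATCHES_PER_JOB:
                rejected.append(pid)     # over the 2000-patch limit
            else:
                self.patches.append(pid)
                present.add(pid)
                added += 1
        return {"added": added, "duplicates": duplicates, "rejected": rejected}

    def timed_out(self, minutes_after_schedule: float) -> bool:
        """True when installation begins later than the patch window allows.
        minutes_after_schedule is how long after the scheduled start the
        installation actually started."""
        if self.window_minutes is None:
            return False  # the "None" option gives the job as much time as it needs
        return minutes_after_schedule > self.window_minutes


if __name__ == "__main__":
    # Constructed walk-through: a recurring job that is later enabled.
    job = DeploymentJob("monthly-windows", recurring=True, window_minutes=120)
    print(job.add_patches(["KB-A", "KB-B", "KB-A"]))   # one duplicate skipped
    job.enabled = True
    job.add_assets("win-srv-01")                         # allowed: recurring
    print(job.timed_out(150))                            # True: outside 120-minute window
```

The `add_patches` return value is the equivalent of the warning message the console shows: it tells the caller which ids were already present and which would exceed the limit, instead of silently dropping them.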

Patching from VM and VMDR
Patch Jobs can be quickly and conveniently created from the VULNERABILITIES section
of Qualys VM and VMDR.
Here, patches are targeted based upon the vulnerabilities they actually fix.
Navigate to the following URL to view the “VM & VMDR Vulnerabilities” tutorial:

Lab 3 - http://ior.ad/78xM

Not all vulnerabilities are patchable. Use the following query to locate vulnerabilities
that are patchable by Qualys’ PM module:
vulnerabilities.vulnerability.qualysPatchable:TRUE
Use the faceted search pane to group vulnerabilities by their severity levels, CVSS
ratings, Real-Time Threat Indicators, and more.
After selecting one or more patchable vulnerabilities, click the “View Missing Patches”
option to automatically begin job creation (within the Patch Management application).

VMDR Prioritization Report
Use the VMDR Prioritization Report to automatically prioritize the riskiest vulnerabilities
for your most critical assets, reducing potentially thousands of discovered
vulnerabilities to the few that matter.
By correlating vulnerability information with threat intelligence and asset context, the
Prioritization Report will help you to “zero in” on your highest risk vulnerabilities and
quickly patch them.
The VMDR Prioritization Report:
• Guides you to target and quickly patch your highest risk vulnerabilities.
• Increases the security posture of your organization by identifying and
remediating the vulnerabilities that are most likely to get exploited.
• Empowers security analysts to pick and choose the relevant threat indicators for
your specific and unique organization.
• Helps you identify the specific patch that fixes a particular vulnerability.
• Provides an integrated workflow that reduces the time between vulnerability
detection and patch deployment.
Navigate to the following URL to begin the “VMDR Prioritization Report” tutorial:

Lab 4 - http://ior.ad/78zs

After selecting one or more Asset tags to specify your targeted assets, prioritization
options are provided in three categories:
• Age: Prioritize vulnerabilities by their age. Vulnerability age is the number of
days since the vulnerability was disclosed. Detection age is based on when the
vulnerability was first detected (by a scanner or cloud agent).
• Real-Time Threat Indicators (RTI): Prioritize vulnerabilities by their known and
existing threats. Combine multiple threat indicators, using the “Match Any” or
“Match All” operators.
• Attack Surface: Remove vulnerabilities from the report that are not associated
with a running kernel, an actively running service, or other attack surface
indicators.
Once your priority options have been selected, click the “Prioritize Now” button.

The displayed assets, vulnerabilities and patches will reflect the priority options you
specified.
As you continue to make adjustments to the priority options, the displayed
vulnerabilities and patches are automatically adjusted.
Patches can be deployed individually or all at once.

Uninstall Job
You can create an “Uninstall Job” for agent host assets that already have patches
installed. However, not all patches are candidates for an uninstall or “rollback”
operation.

Navigate to the following URL to view the “PM Uninstall Job” tutorial:

Lab 5 - http://ior.ad/78rH

Only “Rollback” patches in the catalog are candidates for an Uninstall Job.

When displaying a list of patches, the following query will list the uninstallable or
“rollback” patches:
isRollback:true

By default (when going through the steps to build an Uninstall Job), the list of
“uninstallable” patches displayed is “Within Scope” of your targeted host assets.

PM Assets
The ASSETS section of the Patch Management application displays agent host assets that
have the Patch Management module activated.
Navigate to the following URL to view the “PM Assets” tutorial:

Lab 6 - http://ior.ad/78Co

Only assets that have been successfully scanned will display their number of MISSING
and INSTALLED patches.

The asset details include: system information, network information, installed software,
findings provided by other Qualys modules and applications, assigned Asset Tags, and
more.

The graphics and illustrations displayed are interactive, giving you the ability to “click”
and focus on different host findings and attributes.
Both Deployment and Uninstall Jobs can be created from within the ASSETS section.

Additional assets can be added to any existing job that is disabled. Additional assets
can be added to a recurring job, both before and after it is enabled.

PM Patches
The Patch Catalog contains tens of thousands of OS and application patches. Presently
you can add up to 2000 patches to a single job.
Navigate to the following URL to view the “PM Patches” tutorial:

Lab 7 - http://ior.ad/78IP

By default, only the latest (non-superseded) and missing patches are displayed. This is
done to help you focus on the essential patches required by your host assets.

To view all patches in the catalog, remove (uncheck) the “Missing” and “Non-superseded”
filter options and then click somewhere outside of the “Filters” drop-down menu (to
refresh the displayed patches).
Any query entered into the “Search” field will be affected by these filter options.

Type the following query into the “Search” field and press the “Enter” or “Return”
key:
downloadMethod:AcquireFromVendor
Patches identified with the “key-shaped” icon cannot be downloaded by Qualys’ Cloud
Agent.

Type the following query to list rollback candidates:
isRollback:true
The “Rollback” patches in the catalog are candidates for an Uninstall Job. Not all
patches can be uninstalled.
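The queries quoted throughout this tutorial (isSuperseded:false in the Patch Selector, isRollback:true for Uninstall Jobs, and downloadMethod:AcquireFromVendor and isRollback:true here in the Patch Catalog) all share the same field:value shape, and the text notes that the “Missing” and “Non-superseded” filter options change what any typed query returns. The following Python is an added example, not Qualys code and not the Qualys search engine: a minimal evaluator for that field:value shape, run over a constructed five-patch catalog, with the two default filter options applied on top of the typed query so the effect of toggling them is visible. The field names are taken from the tutorial's queries; the patch ids, titles, the `missing` flag and the empty downloadMethod value are constructed for this example.

```python
"""Minimal field:value query evaluator with the Patch Catalog's default
"Missing" and "Non-superseded" filters. Added example, not Qualys code."""
from dataclasses import dataclass
from typing import List, Tuple, Union

QueryValue = Union[bool, str]


@dataclass(frozen=True)
class Patch:
    id: str
    title: str
    missing: bool           # assessment found it missing on an in-scope host
    isSuperseded: bool      # a newer patch replaces it
    isRollback: bool        # can be uninstalled via an Uninstall Job
    downloadMethod: str     # "AcquireFromVendor" or "" (constructed placeholder)


# Constructed sample catalog; ids and titles are made up for this example.
CATALOG: List[Patch] = [
    Patch("P-1001", "Browser update 118", True,  True,  True,  "AcquireFromVendor"),
    Patch("P-1002", "Browser update 119", True,  False, True,  "AcquireFromVendor"),
    Patch("P-1003", "OS cumulative update", False, False, False, "AcquireFromVendor"),
    Patch("P-1004", "Runtime security fix", True,  False, False, ""),
    Patch("P-1005", "Driver update (old)", False, True,  True,  ""),
]


def parse_query(query: str) -> List[Tuple[str, QueryValue]]:
    """Split 'field:value field:value' into (field, value) pairs; all pairs
    must match (AND). true/false are parsed case-insensitively as booleans."""
    terms: List[Tuple[str, QueryValue]] = []
    for token in query.split():
        if ":" not in token:
            raise ValueError(f"expected field:value, got {token!r}")
        field, raw = token.split(":", 1)
        value: QueryValue = raw.lower() == "true" if raw.lower() in ("true", "false") else raw
        terms.append((field, value))
    return terms


def matches(patch: Patch, terms: List[Tuple[str, QueryValue]]) -> bool:
    """True when every term matches the patch; unknown fields are an error
    rather than a silent non-match, which is how a typo should surface."""
    for field, value in terms:
        if not hasattr(patch, field):
            raise ValueError(f"unknown field {field!r}")
        actual = getattr(patch, field)
        if isinstance(value, bool):
            if actual is not value:
                return False
        elif str(actual).lower() != value.lower():
            return False
    return True


def search(catalog: List[Patch], query: str = "",
           missing_only: bool = True, non_superseded_only: bool = True) -> List[str]:
    """Return matching patch ids. The two keyword flags model the
    "Missing" and "Non-superseded" filter options, both on by default."""
    terms = parse_query(query) if query.strip() else []
    result = []
    for patch in catalog:
        if missing_only and not patch.missing:
            continue
        if non_superseded_only and patch.isSuperseded:
            continue
        if matches(patch, terms):
            result.append(patch.id)
    return result


if __name__ == "__main__":
    print("defaults:", search(CATALOG))
    print("isRollback:true, filters on:", search(CATALOG, "isRollback:true"))
    print("isRollback:true, filters off:",
          search(CATALOG, "isRollback:true", missing_only=False, non_superseded_only=False))
```

With both filters on, `isRollback:true` returns only the rollback patches that are missing and current, which is the right list when building an Uninstall Job from the default catalog view; with the filters unchecked the same query also returns superseded and already-installed rollback patches. That difference is why the tutorial tells you which filter state each query assumes.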
Patch jobs can also be created and updated from within the PATCHES section of the
Patch Management application.

Additional patches can be added to any existing job that is disabled. Additional
patches can be added to a recurring job, both before and after it is enabled.
