If you work in a corporate environment, there’s a chance you see something called the Qualys Cloud Agent running on your computer. And information about this mysterious agent can be hard to come by? What does the Qualys cloud agent do? How does it work? I’m glad you asked.
Is the Qualys Cloud Agent malicious?
Let’s get something out of the way first. The Qualys cloud agent isn’t malware and it isn’t malicious. It’s well behaved software from an established computer security vendor. I worked at Qualys for a couple of years and I’ve administered Qualys, including the cloud agent, at a number of large companies, so I understand it pretty well. I don’t think Qualys always explains their agent as well as they could.
A lot of security companies have produced agents and some of them are terrible. The word “agent” is a dirty word in IT as a result of that. I know, I lived for about two years with a Crowdstrike agent on my work machine that chewed up more than half the machine’s CPU power and made an already intolerably slow and unstable computer even slower and more unstable. Not to mention crazy loud.
I’m not sure how much of that was Crowdstrike and how much of it was the person who ran it. But the Qualys agent doesn’t behave like that by default. And it’s actually pretty difficult to make the Qualys agent act badly like other agents.
What the Qualys Cloud Agent does
Qualys’ main product scans computers for vulnerabilities and produces ginormous reports for security analysts to argue about. But that’s another topic. The Qualys Cloud Agent feeds into that product, but it doesn’t do a traditional scan the way a Qualys appliance does. It takes some clever shortcuts that make it more efficient. Way more efficient.
When you first install the agent, it does perform something resembling a traditional vulnerability scan. It looks at key files on the system and passes metadata to the Qualys Cloud for processing. Only metadata gets transferred, so it’s light on CPU and network usage. The Qualys Cloud Platform then processes the metadata and produces an initial assessment of the device’s security posture. And since the agent has direct access to all the files, the results are equivalent to an authenticated scan.
The amount of processing that happens on the local system is negligible. The assessment takes less than 10 minutes and rarely uses 10 percent of a single CPU core.
I’ve seen it take four hours for this initial scan to process, but I’ve also seen it take less than 30 minutes. It generally checks in again every four hours but scanning on demand is possible.
From that point forward, Qualys never has to do a full scan of the system again. It only looks for changes. When one of Qualys’ signatures changes, Qualys checks the relevant files and sends the metadata in for processing. If a file on your system changes and that file is relevant to one of Qualys’ signatures, Qualys grabs the relevant metadata and sends it in for processing. These incremental scans are extremely lightweight. If you blink, you miss them.
I keep the Qualys Cloud Agent loaded on a couple of my own PCs for demonstration purposes, and I’ll pull those machines up after updates drop to show customers and prospects the effect of the machines pulling down updates. You can see the newly discovered vulnerabilities show up on the system after Qualys releases its QIDs, then you can see some of the vulnerabilities disappear as the system pulls down updates, then the pending restart QID shows up, and after I let the machine reboot (or it takes matters into its own hands and reboots itself), the vulnerabilities disappear. If I’m in a position to actually restart a machine, if all the stars align perfectly I can show it happening in near realtime.
Use of the Cloud Agent in other Qualys products
Qualys can use this same agent to do other functions. For example, since the agent is already monitoring files for changes, it wasn’t hard to build a file integrity monitoring product that alerts you to potentially unauthorized changes.
As Qualys thinks of other use cases for a lightweight agent that knows when files change on a system, they’ve been building other security products around the agent. It wasn’t all that big of a stretch for them to add EDR capabilities to it. EDR is endpoint detection and response. It’s what companies load on a system once they realize antivirus isn’t enough protection.
The agent is also able to deploy updates using Qualys’ patch deployment product. And Qualys has also considered building a syslog forwarder into the Windows agent. Customers have asked them to do it, since many of the Windows syslog forwarders are surprisingly bad, and if Qualys added that functionality, it would be one less agent to load.
I once worked for a CISO who said he wanted one agent to rule them all–a single agent he could instruct IT to load on all machines that would feed all of his security products. I’m not 100% certain that the Qualys agent meets his requirement, but it’s certainly close. It’s closer than any other security agent I’ve seen.
Misuse of the Qualys agent
The Qualys agent is lightweight enough that you don’t really notice it’s there. Especially if you leave all of the settings at Qualys defaults. The defaults give a good balance of Qualys performance vs overall system performance. This may sound strange coming from a guy who once wrote a 200-page book on changing Windows defaults to get better performance, but the Qualys defaults are rather good, and I don’t remember ever having to change their defaults during a deployment.
That’s not to say I haven’t tried. I once built a configuration where I turned all the Qualys settings up to the maximum, to try to get my results faster on my test systems. It didn’t work well and I don’t recommend it. I didn’t get the results much faster, because the heavy lifting happens on the Qualys side. Normally the system could handle it with every setting turned up to 11 out of 10, but on rare occasions the CPU would spike and it might cause me problems. Do that at enterprise scale and you’ll regret it.
I learned my lesson and just went back to the default settings, and I’ve never encountered any issues.
Proof of the Qualys agent’s efficiency at default settings
I have a system I use for protein folding simulations that help with COVID-19 research. I bought some parts near the start of the COVID-19 pandemic and put the system to work in my basement running Folding@Home. My Folding@Home client is configured to try to use 100% of the CPU and the GPU.
I have the Qualys Cloud Agent installed on this same machine. Folding@Home interferes sometimes with the system pulling down security updates, so it’s a fantastic machine to use for demonstrating security updates. It applies the updates eventually, but it rarely applies them quickly.
Folding@Home and the Qualys agent coexist well. Qualys still gets its data, and that system has racked up 207 million points for COVID-19 research. The Qualys agent has not harmed that system. The team I participate in is ranked 1,079 and still climbing, and this system is the #2 contributor on the team. Potentially we’re a month or two away from cracking the top 1,000.
If the Qualys agent works well on that, it’ll do fine in corporate environments. And it does.