Common questions about vulnerability assessment

No. The built-in scanner is free to all Microsoft Defender for Servers users. The recommendation deploys the scanner with its licensing and configuration information. No additional licenses are required.

You'll need write permissions for any machine on which you want to deploy the extension.

The Microsoft Defender for Cloud vulnerability assessment extension (powered by Qualys), like other extensions, runs on top of the Azure Virtual Machine agent. So it runs as Local Host on Windows, and Root on Linux.

During setup, Defender for Cloud checks to ensure that the machine can communicate over HTTPS (default port 443) with the following two Qualys data centers:

• https://qagpublic.qg3.apps.qualys.com - Qualys' US data center
• https://qagpublic.qg2.apps.qualys.eu - Qualys' European data center

The extension doesn't currently accept any proxy configuration details. However, you can configure the Qualys agent's proxy settings locally in the Virtual Machine. Please follow the guidance in the Qualys documentation:

• Windows proxy configuration
• Linux proxy configuration

If you want to remove the extension from a machine, you can do it manually or with any of your programmatic tools.

You'll need the following details:

• On Linux, the extension is called LinuxAgent.AzureSecurityCenter and the publisher name is Qualys.
• On Windows, the extension is called WindowsAgent.AzureSecurityCenter and the provider name is Qualys.

You can use the curl command to check the connectivity to the relevant Qualys URL. A valid response would be: {"code":404,"message":"HTTP 404 Not Found"}

In addition, make sure that the DNS resolution for these URLs is successful and that everything is valid with the certificate authority that is used.

Like the Microsoft Defender for Cloud agent itself and all other Azure extensions, minor updates of the Qualys scanner might automatically happen in the background. All agents and extensions are tested extensively before being automatically deployed.

If you have machines in the not applicable resources group, Defender for Cloud can't deploy the vulnerability scanner extension on those machines because:

• The vulnerability scanner included with Microsoft Defender for Cloud is only available for machines protected by Microsoft Defender for Servers.

• It's a PaaS resource, such as an image in an AKS cluster or part of a virtual machine scale set.

• It's not running one of the supported operating systems.

No. The scanner runs on your machine to look for vulnerabilities of the machine itself, not for your network.

The Defender for Cloud extension is a separate tool from your existing Qualys scanner. Licensing restrictions mean that it can only be used within Microsoft Defender for Cloud.

Within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.

The Qualys Cloud Agent is designed to communicate with Qualys's SOC at regular intervals for updates, and to perform the various operations required for product functionality. To allow the agent to communicate seamlessly with the SOC, configure your network security to allow inbound and outbound traffic to the Qualys SOC CIDR and URLs.

There are multiple Qualys platforms across various geographic locations. The SOC CIDR and URLs differ depending on the host platform of your Qualys subscription. Identify your Qualys host platform.

When you set up your solution, you must choose a resource group to attach it to. The solution isn't an Azure resource, so it won't be included in the list of the resource group’s resources. Nevertheless, it's attached to that resource group. If you later delete the resource group, the BYOL solution is unavailable.