Integrated vulnerability scanner for virtual machines (Standard tier only)

The vulnerability scanner included with Azure Security Center is powered by Qualys. Qualys's scanner is the leading tool for real-time identification of vulnerabilities in your Azure Virtual Machines. It's only available to users on the standard pricing tier. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center.

This feature is currently in preview.

Note

Security Center supports the integration of tools from other vendors, but you'll need to handle the licensing costs, deployment, and configuration. For more information, see Deploying a partner vulnerability scanning solution. You can also use those instructions to integrate your organization's own Qualys license, if you choose not to use the built-in vulnerability scanner included with Azure Security Center.

Overview of the integrated vulnerability scanner

The vulnerability scanner extension works as follows:

  1. Deploy - Azure Security Center deploys the Qualys extension to the selected virtual machines.

  2. Gather information - The extension collects artifacts and sends them for analysis in the Qualys cloud service in the defined region.

  3. Analyze - Qualys's cloud service conducts the vulnerability assessment and sends its findings to Security Center.

    Important

    To ensure the privacy, confidentiality, and security of our customers, Microsoft doesn't share customer details with Qualys. Learn more about the privacy standards built into Azure.

  4. Report - The findings are available to you in Security Center.

Process flow diagram for Azure Security Center's built-in vulnerability scanner

Deploying the Qualys built-in vulnerability scanner

The simplest way to scan your Azure-based virtual machines for vulnerabilities is to use the built-in vulnerability scanner.

To deploy the vulnerability scanner extension:

  1. Open Azure Security Center and go to the Recommendations page for a subscription on the standard pricing tier.

  2. Select the recommendation named "Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)".

    Recommendations page in Azure Security Center filtered to Qualys recommendations

    Your VMs will appear in one or more of the following groups:

    • Healthy resources – the vulnerability scanner extension has been deployed to these VMs.

    • Unhealthy resources – the vulnerability scanner extension can be deployed to these VMs.

    • Not applicable resources – these VMs can't have the vulnerability scanner extension deployed. Your VM might be in this tab because it's on the free pricing tier, it's missing the ImageReference class (relevant to custom images and VMs restored from backup, as explained in this Azure for .NET page), or it's not running one of the supported OSes:

      • All versions of Windows
      • Red Hat Enterprise Linux 6.7, 7.6
      • Ubuntu 14.04, 18.04
      • CentOS 6.10, 7, 7.6
      • Oracle Linux 6.8, 7.6
      • SUSE Enterprise Linux 12, 15
      • Debian 7, 8

  3. From the Unhealthy resources tab, select the VMs on which you want to deploy the Qualys scanner and click Remediate.

    Selecting VMs for the Qualys scanner

    The scanner extension will be installed on all of the selected VMs.

    Scanning begins automatically as soon as the extension is successfully deployed. Scans will then run at four-hour intervals. This interval is hard-coded and not configurable.

Viewing and remediating discovered vulnerabilities

When Security Center identifies vulnerabilities, it presents findings and related information as recommendations. The related information includes remediation steps, related CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific VM.

To see the findings and remediate the identified vulnerability:

  1. Open Azure Security Center and go to the Recommendations page.

  2. Select the recommendation named "Remediate vulnerabilities found on your virtual machines (powered by Qualys)".

    Security Center shows you all the findings for all VMs in the currently selected subscriptions. The findings are ordered by severity.

    List of findings from Qualys for all selected subscriptions

  3. To filter the findings by a specific VM, open the "Affected resources" section and click the VM that interests you. Or you can select a VM from the resource health view, and view all relevant recommendations for that resource.

    Security Center shows the findings for that VM, ordered by severity.

    Findings for a specific virtual machine

    In this example, you can see that 94 vulnerabilities were discovered and that 5 of them are medium severity.

  4. To learn more about a specific vulnerability, select it.

    Details pane for vulnerability #91426

    The details pane that appears contains extensive information about the vulnerability, including:

    • Links to all relevant CVEs (where available)
    • Remediation steps
    • Any additional reference pages

  5. To remediate a finding, follow the remediation steps from this details pane.

Exporting results

To export vulnerability assessment results, you'll need to use Azure Resource Graph (ARG). This tool provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.

For full instructions and a sample ARG query, see this Tech Community post: Exporting Vulnerability Assessment Results in Azure Security Center.

Built-in Qualys vulnerability scanner FAQ

Are there any additional charges for the Qualys license?

No. The built-in scanner is free to all standard tier users. The "Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)" recommendation deploys the scanner with its licensing and configuration information. No additional licenses are required.

What permissions are required to install the Qualys extension?

You'll need write permissions for any VM on which you want to deploy the extension.

The Azure Security Center Vulnerability Assessment extension (powered by Qualys), like other extensions, runs on top of the Azure Virtual Machine agent. So it runs as Local Host on Windows, and Root on Linux.

Can I remove the Security Center Qualys extension?

If you want to remove the extension from a VM, you can do it manually or with any of your programmatic tools.

You'll need the following details:

  • On Linux, the extension is called "LinuxAgent.AzureSecurityCenter" and the provider name is "Qualys"
  • On Windows, the extension is called "WindowsAgent.AzureSecurityCenter" and the provider name is "Qualys"

How does the extension get updated?

Like the Azure Security Center agent itself and all other Azure extensions, minor updates of the Qualys scanner may automatically happen in the background. All agents and extensions are tested extensively before being automatically deployed.

Some updates to the vulnerability scanner extension may require manual deployment. For example, if you're running v1.0.0.4, you must take the following steps:

  1. Verify the version of the Qualys vulnerability scanner extension running on your VM:

    1. From the Azure portal, open Virtual machines.

    2. Select the VM on which the agent is installed.

    3. From the sidebar navigation, open Extensions and select the following extension:

      Name: WindowsAgent.AzureSecurityCenter Type: Qualys.WindowsAgent.AzureSecurityCenter

    4. Review the version information of the extension.

      Qualys agent extension version information

    5. If the version is 1.0.0.4, click Uninstall and wait until the extension is no longer listed in the VM's extensions page.

    6. Restart the VM.

    7. When the VM's status is "Running", deploy the extension as described above in Deploying the Qualys built-in vulnerability scanner.
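To run the version check above across many VMs instead of one at a time in the portal, the following added example (not part of the original article or of Security Center itself) audits an exported extension inventory and flags VMs that lack the scanner or still run v1.0.0.4. It assumes each record carries the VM's extension list with "type" and "typeHandlerVersion" fields, modelled on a VM instance view; the sample data, VM names, the function names and the Linux type string are constructed or assumed.

```python
import json

# Names and the 1.0.0.4 version come from the page. The Linux type string is
# assumed to follow the "<provider>.<name>" pattern the page shows for Windows.
PROVIDER = "Qualys"
EXT_NAMES = ("WindowsAgent.AzureSecurityCenter", "LinuxAgent.AzureSecurityCenter")
SCANNER_TYPES = {f"{PROVIDER}.{name}".lower() for name in EXT_NAMES}
MANUAL_REDEPLOY = {"1.0.0.4"}  # needs uninstall, restart and redeploy

# Constructed sample inventory (not real output): one record per VM, with an
# "extensions" list shaped like the one in a VM instance view (assumption).
SAMPLE = json.loads("""
[
 {"vm": "web-01", "extensions": [
   {"name": "WindowsAgent.AzureSecurityCenter",
    "type": "Qualys.WindowsAgent.AzureSecurityCenter",
    "typeHandlerVersion": "1.0.0.4"}]},
 {"vm": "db-01", "extensions": [
   {"name": "LinuxAgent.AzureSecurityCenter",
    "type": "Qualys.LinuxAgent.AzureSecurityCenter",
    "typeHandlerVersion": "1.0.0.10"}]},
 {"vm": "app-01", "extensions": [
   {"name": "ExampleOtherExtension",
    "type": "Contoso.ExampleOtherExtension",
    "typeHandlerVersion": "2.1"}]},
 {"vm": "old-01", "extensions": []}
]
""")

def find_scanner(extensions):
    """Return the built-in scanner's extension record, or None if absent."""
    for ext in extensions or []:
        # Match on publisher-qualified type, case-insensitively.
        if (ext.get("type") or "").lower() in SCANNER_TYPES:
            return ext
    return None

def audit(inventory):
    """Map each VM name to missing / unknown-version / manual-redeploy / ok."""
    report = {}
    for rec in inventory:
        ext = find_scanner(rec.get("extensions"))
        version = ((ext or {}).get("typeHandlerVersion") or "").strip()
        if ext is None:
            state = "missing"
        elif not version:
            state = "unknown-version"  # do not assume a blank version is current
        elif version in MANUAL_REDEPLOY:
            state = "manual-redeploy"
        else:
            state = "ok"
        report[rec["vm"]] = state
    return report
```

VMs reported as "missing" are candidates for the deployment recommendation; "manual-redeploy" VMs need the uninstall, restart and redeploy sequence described in the steps above.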

Why does my VM show as "not applicable" in the recommendation?

When you open the recommendation, you'll see your VMs in one or more of the following groups:

  • Healthy resources – the vulnerability scanner extension has been deployed to these VMs.

  • Unhealthy resources – the vulnerability scanner extension can be deployed to these VMs.

  • Not applicable resources – These VMs can't have the vulnerability scanner extension deployed. Your VM might be in this tab because it's on the free pricing tier, it's missing the ImageReference class (relevant to custom images and VMs restored from backup, as explained in this Azure for .NET page), or it's not running one of the supported OSes:

    • All versions of Windows
    • Red Hat Enterprise Linux 6.7, 7.6
    • Ubuntu 14.04, 18.04
    • CentOS 6.10, 7, 7.6
    • Oracle Linux 6.8, 7.6
    • SUSE Enterprise Linux 12, 15
    • Debian 7, 8

What is scanned by the built-in vulnerability scanner?

The scanner runs on your virtual machine and looks for vulnerabilities in the VM itself. From the virtual machine, it can't scan your network.

Does the scanner integrate with my existing Qualys console?

The Security Center extension is a separate tool from your existing Qualys scanner. Licensing restrictions mean that it can only be used within Azure Security Center.

Microsoft Defender Advanced Threat Protection also includes Threat & Vulnerability Management (TVM). How is the Security Center Vulnerability Assessment extension different?

Microsoft is actively developing world-class vulnerability management with Microsoft Defender ATP's Threat & Vulnerability Management solution, built into Windows.

Today, Azure Security Center's Vulnerability Assessment extension is powered by Qualys. The Qualys extension ensures support for both Windows and Linux VMs. The extension also benefits from Qualys's own knowledge of vulnerabilities that don't yet have CVEs.

Next steps

This article described the Azure Security Center Vulnerability Assessment extension (powered by Qualys) for scanning your VMs. For related material, see the following articles: