Case 4:18-cv-07229-YGR Document 195-12 Filed 05/10/21 Page 1 of 21
`
`EXHIBIT 7
`
`QUALYS
`
`Cloud Agent White Paper
`
`Cloud Agent Platform Technical White Paper
`April 2017
`
`Affected Versions: Cloud Agent Windows 1.5.6, Linux 1.6.0, Mac 1.6.0
`
`Overview
`
`This Technical White Paper documents the system design, functionality, communication protocols,
`lifecycle, configuration, deployment, and best practices of the Qualys Cloud Agent Platform.
`
`The Cloud Agent provides a continuous view of assets for vulnerability management, policy
`compliance, and asset inventory without the need for credential management, scan windows, and
`firewall changes required by network scanner deployments. The Cloud Agent delivers visibility and
`security solutions for assets that are not able or not easily scanned from the network including
`remote/roaming users, distributed offices, and cloud server instances.
`
`System Design and Functional Approach
`
`The Cloud Agent Platform is designed for the agent and platform to work in concert to provide a high
`level of accuracy and fidelity, low end-to-end processing times, and minimal resource impact on the
`asset.
`
`The agent is designed to capture the metadata of the operating system, installed applications, and
`system configurations as needed by the different activated service modules, and upload the metadata
`to the platform for analysis, correlation, reporting, and alerting. The agent does not perform local
`processing or analysis; it only performs metadata collection which keeps resource usage extremely
`low with 5 MB RAM, 0.01% CPU at idle, and peak usage and network bandwidth tunable using
`comprehensive configuration performance parameters.
`
`© 2017 Qualys, Inc. Distribution for Qualys Customers, Prospects, and Partners Only. (April 2017)
`
`Page 1 of 20
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00325126
`
`The Cloud Agent supports Vulnerability Management QIDs and Policy Compliance CIDs similar to the
`authenticated local checks performed by the network scanner, with some current limitations. The
`agent does not have the ability to perform active networking checks against ports or log into
`applications with credentials. The agent does not currently support Policy Compliance User Defined
`Controls (UDCs) or technologies that require credentials to log into the instance such as databases.
`Qualys recommends using the Cloud Agent in conjunction with the network scanner for on-premise
`deployments to give a unified view of the asset, where the agent provides an internal view without
`requiring authentication credentials and the scanner provides an external view.
`
`The Cloud Agent is the preferred method for assets like dynamic IP client machines, remote/roaming
`users, static and ephemeral cloud instances, and systems sensitive to external scanning where it's not
`possible or practical to do network scanning.
`
`Asset Metadata Collected by Cloud Agent
`
`The Cloud Agent design differs from the Qualys Scanner approach in that the agent does not perform
`vulnerability management and policy compliance processing in the agent itself. Rather, the Cloud
`Agent simply collects metadata on certain files, processes, and registry keys to find installed software,
`configuration settings, and environmental variables and securely transmits the metadata to the Qualys
`Platform for processing on the platform. The specifications of what the agent collects are defined in a
`configuration file called a "manifest" that is dynamically generated on the platform and downloaded
`by the agent when new vulnerability management QIDs and policy compliance CIDs are created by the
`Qualys content teams.
`
`The specific metadata collected by the agent changes over time as new QIDs and CIDs are created and
`as some older QIDs or CIDs are deprecated or superseded. Some examples of metadata collected
`include:
`
`• Files
`
`  %ProgramFiles(x86)%\Google\Chrome\Application\56.0.2924.87\chrome.dll file
`  version is 56.0.2924.87
`
`  %windir%\System32\ntdll.dll Version is 6.1.7601.23677
`
`  KERNEL version="2.6.32-642.6.1.el6" package="kernel-2.6.32-642.6.1.el6"
`
`• Registry
`
`  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
`  PendingFileRenameOperations exists
`
`  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
`  DisabledComponents is missing
`
`• Configuration Settings
`
`  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg
`  Values\MACHINE/Software/Microsoft/Windows
`  NT/CurrentVersion/Winlogon/PasswordExpiryWarning/ValueType is 4
`
`  net.ipv4.conf.all.log_martians = 0
`
`The Asset Inventory module collects hardware and software information, including but not limited to
`list of installed software and versions, IP address and MAC address, hardware information such as
`manufacturer and model, BIOS, installed CPUs and Volume information, local user accounts, open
`ports, and running services and their version information.
`
`Agent — Platform Communication Design
`
`Cloud Agent communication is optimized to support large scale agent deployments while providing
`flexible and granular performance configuration controls allowing organizations to tune agent
`performance and bandwidth usage for their specific environment requirements.
`
`All communications are initiated by the agent outbound from the agent to the platform using REST
`over HTTPS/TLS on configurable intervals. (The platform does not initiate connections to the agent.)
`The agent and platform utilize SSL 3.0, TLS 1.2, SHA256 ciphers, and 2048-bit private key for the
`platform. Communications are encrypted using server certificates, with application-layer
`authentication, data security, and non-repudiation techniques. Agent communications are protocol
`compatible with stateful firewalls, application-aware firewalls, transparent and non-transparent web
`proxies, and NAT gateways.
`
`Connections are transient and initiated from the agent on configurable intervals only for the duration
`of the session after which the session is terminated. Sessions are not persistent. Content downloads
`from the platform to the agent occur only through a request/reply method initiated by the agent
`outbound to the platform; the platform does not have the ability to initiate a connection to the agent.
`
`Agents support HTTPS proxies with authentication using local configuration for all operating systems;
`PAC files and WPAD for Windows. The proxy configuration is configured using local command line
`tools (QualysProxy.exe on Windows and config-tool.sh on Linux and Mac), and can be scripted using
`software distribution tools. Windows agents configured with a PAC file check for a new PAC file at the
`start of each communication session initiated by the agent; this ensures that the agent will use the
`most recent file.
`
`[Figure: Qualys Cloud Agent Platform Communication. Legible diagram labels: Portal Web UI, Qualys Platform, Customer/Remote Network.]
`
`Configuration Profile Performance Parameters
`
`The following table lists the pre-defined Configuration Profile performance parameters default values
`as of Portal 2.23. (Legacy performance parameters are still available to support older agent versions.)
`
`Performance Parameters - Default
`
`Parameter                               Low         Normal      High
`Agent Status Interval                   900 secs    900 secs    900 secs
`Delta Upload Interval                   60 secs     60 secs     60 secs
`Chunk sizes for file fragment uploads   1024 KB     1024 KB     1024 KB
`Upgrade Reattempt Interval              300 secs    300 secs    300 secs
`Logging level for agent                 Verbose     Verbose     Verbose
`CPU Limit (Windows)                     5 %         20 %        80 %
`CPU Throttle (Linux/Mac)                20 ms       10 ms       0 ms
`
`Based on real-world performance profiling, the recommended values for the new agent versions
`(Windows 1.5.6 and Linux/Mac 1.6.0) are listed in the table below for different performance profiles
`(Low, Normal, and High). Recommended values that are different from the default values are
`highlighted in red italics. It's not possible to edit the default performance profiles; one can create
`custom Configuration Profiles from one of the default profiles and change the parameters to meet
`required performance targets.
`
`Performance Parameters - Recommended
`
`Parameter                               Low          Normal      High
`Agent Status Interval                   1800 secs*   900 secs    600 secs*
`Delta Upload Interval                   10 secs*     5 secs*     1 sec*
`Chunk sizes for file fragment uploads   1024 KB      2048 KB*    4096 KB*
`Upgrade Reattempt Interval              300 secs     300 secs    300 secs
`Logging level for agent                 Verbose      Verbose     Verbose
`CPU Limit (Windows)                     5 %          20 %        80 %
`CPU Throttle (Linux/Mac)                800 ms*      100 ms*     0 ms
`
`* Differs from the default value (shown in red italics in the original).
`
`Performance parameters are configured in the Configuration Profiles and can be assigned to assets by
`direct assignment or tags. Configuration Profiles can also be linked to Activation Keys by tags, thus
`any agent installed with that tagged Activation Key will have that Configuration Profile applied to it.
`
`Configuration Profiles are assigned to assets based on the ordered priority of the profiles in the
`Configuration Profile management page — direct assignment takes priority, followed by tag.
`
`After provisioning, the agent downloads its assigned configuration profile and executes based on the
`parameters in the profile, including performance parameters and network blackout windows.
`
`Best practices and technical information for the performance parameters are described in the
`appropriate sections of this whitepaper. The Cloud Agent User Guide contains detailed descriptions of
`the performance parameters. Linux and Mac agents support additional tuning using a command-line
`configuration tool documented in the Installation Guide.
`
`CPU Performance Management Configuration
`
`The agent supports two different techniques for CPU performance management, one for Windows
`operating systems and one for Linux/Mac.
`
`The Windows performance management parameter is "CPU Limit", a method whereby the agent
`manages its utilization using the available Windows operating system APIs. Windows is not a hard
`real-time operating system and cannot guarantee the maximum CPU usage of a process, thus the
`Cloud Agent uses additional proprietary methods to achieve an overall usage average to meet the
`defined value. The agent continuously monitors the utilization of its threads every 100 ms and
`automatically suspends threads that are utilizing more than the defined value over each 100 ms
`sampling period until the thread's utilization is lowered to the defined CPU Limit threshold value. In
`those cases where the thread's utilization is higher than the defined threshold but is quickly lowered
`to threshold, one will see a spike lasting 100-300 ms on average, but the overall 1-minute or longer
`averages will average to the defined threshold.
`
`The Windows Cloud Agent is single-threaded and only executes on one core; its overall system
`utilization is calculated by the agent's single-core utilization divided by the number of cores on the
`system. As an example, for a system with 4 cores, a 10% CPU Limit performance value will average to
`10% CPU usage on a single core during the agent's metadata collection period, but the overall CPU
`usage for the Cloud Agent on the system is 2.5% (one core usage divided by the number of cores, 10%
`/ 4 = 2.5% overall system usage).
`
`The Linux and Mac performance management parameter is "CPU Throttle", and performs differently
`from the Windows "CPU Limit" due to the multi-threaded nature of the Linux and Mac agents. The
`CPU Throttle implementation inserts a sleep delay between subsequent metadata collection
`commands executed by the agent. This implementation does not limit or manage the CPU utilization
`of a single process or thread as the Windows implementation does, but rather smooths out the
`overall CPU utilization across a longer data collection period. Using larger throttle values will generate
`lower CPU utilization over 1-minute, 5-minute, and 15-minute averages, but there can still be
`short-term spikes on 1-second and 15-second averages.
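`
`The CPU Throttle behaviour described above, modelled as an added example (not Qualys code): each collection command burns CPU for a constructed cost and the agent sleeps for the throttle value after it. The command costs, function names, and window sizes are assumptions, not measurements.

```python
# Constructed workload: CPU cost in ms of each collection command (not measured data).
CYCLE_MS = [40, 15, 1200, 25, 60, 10, 300, 35]
WORKLOAD_MS = CYCLE_MS * 60  # about 101 s of CPU work in total


def busy_intervals(costs_ms, throttle_ms):
    """Run the commands in order, sleeping throttle_ms after each one.

    Returns the (start_ms, end_ms) spans during which the agent uses the CPU.
    """
    t, spans = 0, []
    for cost in costs_ms:
        spans.append((t, t + cost))
        t += cost + throttle_ms
    return spans


def busy_in_window(spans, start, end):
    """Milliseconds of CPU use that fall inside the window [start, end)."""
    return sum(max(0, min(e, end) - max(s, start)) for s, e in spans)


def peak_utilization(spans, window_ms):
    """Highest busy fraction seen by any averaging window of window_ms.

    The maximum is always reached by a window that starts where a busy span
    starts or ends where a busy span ends, so only those are evaluated.
    """
    starts = [s for s, _ in spans] + [e - window_ms for _, e in spans]
    best = max(busy_in_window(spans, s, s + window_ms) for s in starts)
    return best / window_ms


def profile(throttle_ms, windows_ms=(1_000, 15_000, 60_000, 300_000)):
    """Peak utilization per averaging window for one throttle setting."""
    spans = busy_intervals(WORKLOAD_MS, throttle_ms)
    return {w: round(peak_utilization(spans, w), 3) for w in windows_ms}


if __name__ == "__main__":
    for throttle in (0, 100, 1000):
        print(f"throttle {throttle:>4} ms:", profile(throttle))
```

`In this model a single command that runs longer than one second still saturates the 1-second window at any throttle value, while the 1-minute and longer peaks fall as the throttle grows.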
`
`The Linux and Mac agents support two additional configuration parameters outside the Configuration
`Profile to reduce the CPU utilization during their metadata collection periods. The parameters are only
`configured with the local configuration tool or by adding the parameters into the
`qualys-cloud-agent.conf file (UI management of these settings is not available). A restart of the
`agent is required for these configuration parameters to take effect.
`• Process execution priority equivalent to the Linux "nice" command, where higher values provide
`  lower priority of the process (that will reduce CPU usage)
`  o ProcessPriority=<N> where N = -20 to 19 (default 0)
`  o Nice configuration at the OS level supersedes this parameter for that process
`    execution
`• Command timeout logic to gracefully terminate hung processes, which lowers resource usage
`  in cases where processes hang or take a long time to terminate (lower values will reduce CPU
`  usage but should not be set lower than the default unless recommended by Qualys Support as
`  it might cause properly running processes to terminate prematurely)
`  o CmdTimeOut=<N>, N value in seconds (default 1800)
`
`Performance Profiling
`
`Multiple granular performance tuning parameters are available for the Cloud Agent to enable
`organizations to set the performance characteristics of agents relative to the asset and network where
`they're deployed. The performance tuning provides control over CPU resource usage and network
`bandwidth inversely related to the frequency of data collection and rate of data uploads.
`
`Agents tuned with lower CPU usage spread out the data collection over a longer time period to keep
`resource usage below specified thresholds. Agents tuned with more efficient network usage break
`data uploads into smaller fragments and increase the upload interval between each fragment to
`avoid network bursts or aggressive transmission rates.
`
`The following figure displays performance of a Cloud Agent running on an Amazon AWS t2.micro Linux
`instance with a custom configuration profile (CPU Throttle set to 1000 ms) and no other services
`except for the Amazon CloudWatch monitoring agent. While CloudWatch does not monitor individual
`processes, the metrics of this instance can be generally attributed to the Cloud Agent as it's the only
`third-party package running. Idle CPU usage of the agent is less than 0.01% when accounting for
`the overhead of the operating system. Instance CPU utilization is 1.2% peak corresponding to the data
`collection intervals for the Vulnerability Management and Policy Compliance modules and 0.5% CPU
`for the Asset Inventory module, reported over a 15-minute average period.
`
`[Figure: Instance CPU Utilization on Amazon AWS t2.micro. CloudWatch chart of CPU Utilization (Percent); Statistic: Average; Time Range: Last 12 Hours; Period: 15 Minutes.]
`
`The following figure displays the Network In (Bytes) of the instance download with the same
`configuration as above. While CloudWatch does not monitor individual processes, the metrics of this
`instance can be generally attributed to the Cloud Agent. The 2.5 MB download item represents the
`agent downloading the daily manifest that defines what data collection the agent needs to perform
`for all activated modules.
`
`[Figure: Instance Network In (bytes) on Amazon AWS t2.micro. CloudWatch chart of Network In (Bytes); Statistic: Average; Time Range: Last 12 Hours; Period: 1 Minute.]
`
`The following figure displays the Network Out (Bytes) of the instance upload with the same
`configuration as above. The four upload amounts of 100-120 KB represent the delta uploads for
`both activated Vulnerability and Policy Compliance modules, illustrating how the Cloud Agent delta
`processing capability optimizes uploads from the agent to the platform. (The other data points are
`the data uploads for Amazon's CloudWatch monitoring service used to monitor this instance and are
`not related to the agent.)
`
`[Figure: Instance Network Out (bytes) on Amazon AWS t2.micro. CloudWatch chart of Network Out (Bytes); Statistic: Average; Time Range: Last 24 Hours; Period: 1 Minute.]
`
`Installation
`
`Qualys provides installers and packages for each supported operating system that are coded for each
`Qualys platform. It's not possible to connect an agent coded for one platform to another platform.
`Refer to the Installation Guide documentation for additional information on installation, install-time
`configuration, proxy configuration, log files, and more. Organizations can use their existing software
`distribution tools (SCCM, BigFix, rpm, Casper, etc.) to install the agent into target machines.
`
`The Cloud Agent can be installed into gold images including VM templates and cloud provider images
`such as Amazon AWS, Microsoft Azure, and Google Compute Platform. The platform supports
`detection of duplicate agent IDs and automatically re-provisions the duplicate agents. A Tech Note
`describes how to install an agent into a gold image without initial provisioning, "Qualys Cloud Agent
`and Cloning Support-20160726". This is the recommended method to prevent duplicate cases but is
`not required.
`
`Agent Lifecycle
`
`There are seven phases for the lifecycle of the Cloud Agent after installation.
`
`1. Provisioning
`2. Clone/Duplicate Agent UUID Detection and Re-provisioning
`3. Status Update (heartbeat)
`4. Agent Version Upgrading
`5. Data Collection and Upload
`6. Agent-Platform Synchronization
`7. Uninstallation and Purge
`
`Many of the communications methods can be tuned through Cloud Agent Configuration Profiles by
`assigning any of the pre-defined High, Normal, or Low performance profiles to agents or by creating
`custom profiles. Some implementations are not exposed as configurable settings to customers; these
`are noted where applicable.
`
`1. Provisioning
`
`The first communication request an agent performs when it executes for the first time is Provisioning.
`For this function, an agent installed with a Customer ID and Activation Key communicates to its
`associated platform to be verified as a legitimate agent. When verified, the agent generates a
`universally unique identifier (called UUID or Agent ID) and submits the UUID to the platform. The
`UUID is used by the platform to uniquely identify the agent without relying on the asset's hostname,
`IP address, or other mechanisms that can change.
`
`If the asset has been or is currently being scanned using authenticated network scanning with
`Agentless Tracking enabled, the UUID already exists on the asset having been created by the network
`scanner (called Host ID from the scanner perspective) and the agent will use this UUID during the
`Provisioning process. The agent uses the same UUID as the scanner to merge results into a unified
`internal and external view of that asset and present report findings as a single asset.
`
`The provisioning interval is set to 60 seconds and is not exposed as a configurable value. Once the
`provisioning is successful, the agent does not perform any subsequent provisioning methods except in
`the case of duplicate agent UUIDs. Agents that cannot communicate to the platform for provisioning
`will keep retrying with an exponential backoff algorithm (current interval * 1.5 = next interval).
`
`After provisioning, the agent downloads its assigned configuration profile and executes based on the
`defined parameters in the profile, including performance parameters and network blackout windows.
`
`2. Clone/Duplicate Agent UUID Detection and Re-provisioning
`
`Universally Unique IDs (UUID) are required for accurate and consistent management and reporting of
`Cloud Agents. The platform has a feature to detect duplicate agent IDs and trigger the agent to re-
`provision with a newly generated agent ID. This feature is always enabled and not exposed as a
`configurable setting.
`
`The most common case where duplicate agent IDs are created is when an agent is provisioned in a
`gold image that is used to create clones, including cloud server instances, virtual environments, or
`physical environments. In this case, agents in the clones created from the gold image will have the
`same UUID as the agent in the gold image thus creating duplicate agent IDs in the platform when the
`cloned agents connect. A Tech Note describes how to install an agent into a gold image without
`provisioning, "Qualys Cloud Agent and Cloning Support-20160726". This is the recommended method
`to prevent this case but is not required.
`
`There are cases where it's not possible or practical to follow the best practices Tech Note or have an
`agent installed in a gold image without being provisioned. Usually organizations need to certify that
`the agent is operating correctly in the gold image which requires the agent to be provisioned and
`communicating to the platform. There is no method to deprovision or remove an agent's provisioning
`information once provisioned.
`
`The duplicate detection feature uses sequence numbers in the communication sessions from the
`agent to platform. The platform keeps track of sequence numbers for each agent ID and determines if
`another agent is communicating with a duplicate agent ID by detecting that the other agent's
`sequence numbers are out of sync with the first agent's sequence numbers. When the platform
`detects a duplicate agent, the platform will trigger the agent communicating on that session to re-
`provision.
`
`An agent receiving a re-provision command will generate another agent UUID and start the
`provisioning process by submitting the new agent UUID to the platform to be used by the agent going
`forward. If the submitting agent UUID is the same as another agent's UUID (though highly unlikely
`after a re-provision), the platform will trigger the agent to re-provision.
`
`An older agent version can still create duplicates in the platform. When older agent versions are
`upgraded to the version of the agent that supports Duplicate Agent UUID Detection (Windows 1.5.6 and
`Linux/Mac 1.6.0), the platform will detect the duplicate agent and automatically provision that agent
`with a new agent UUID. The agent data will be purged (as it's not valid due to being merged with
`another agent) and new data will be created from the initial snapshot.
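`
`One way the sequence-number check described in this section could work, as an added example that is not Qualys code. The rule that each session must carry exactly the next expected sequence number, and all class and method names, are assumptions; the white paper does not document the protocol fields.

```python
import uuid
from dataclasses import dataclass

OK, REPROVISION = "OK", "REPROVISION"


class Platform:
    """Tracks the next expected session sequence number for every agent ID."""

    def __init__(self):
        self._next_seq = {}

    def provision(self, agent_id):
        # A submitted ID that is already in use triggers another re-provision.
        if agent_id in self._next_seq:
            return REPROVISION
        self._next_seq[agent_id] = 1
        return OK

    def session(self, agent_id, seq):
        # Assumed rule: a session is in sync only if it carries exactly the
        # sequence number the platform expects next for that agent ID.
        if self._next_seq.get(agent_id) != seq:
            return REPROVISION
        self._next_seq[agent_id] = seq + 1
        return OK


@dataclass
class Agent:
    name: str
    agent_id: str = ""
    seq: int = 1

    def provision(self, platform, new_id=lambda: str(uuid.uuid4())):
        # Generate IDs until the platform accepts one, then restart numbering.
        while True:
            self.agent_id, self.seq = new_id(), 1
            if platform.provision(self.agent_id) == OK:
                return

    def check_in(self, platform):
        reply = platform.session(self.agent_id, self.seq)
        if reply == REPROVISION:
            self.provision(platform)
        else:
            self.seq += 1
        return reply

    def clone(self, name):
        # A cloned image carries the same agent ID and the same local counter.
        return Agent(name, self.agent_id, self.seq)


def gold_image_scenario():
    """Provision an agent in a gold image, clone it twice, let all three check in."""
    platform = Platform()
    gold = Agent("gold")
    gold.provision(platform)
    gold.check_in(platform)
    gold.check_in(platform)
    original_id = gold.agent_id
    clone_a, clone_b = gold.clone("clone-a"), gold.clone("clone-b")
    order = [clone_a, gold, clone_b, clone_a, gold, clone_b]
    replies = [(agent.name, agent.check_in(platform)) for agent in order]
    ids = {agent.name: agent.agent_id for agent in (gold, clone_a, clone_b)}
    return replies, ids, original_id


if __name__ == "__main__":
    replies, ids, original_id = gold_image_scenario()
    for name, reply in replies:
        print(f"{name:8} -> {reply}")
    print("kept the original ID:", [n for n, i in ids.items() if i == original_id])
```

`In this model the holder of the shared ID that checks in second is the one re-provisioned, so the first clone to connect keeps the gold image's ID and the gold image itself receives a new one.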
`
`3. Status Interval (heartbeat)
`
`The management functions of the Cloud Agent use the Status Interval method. The agent
`communicates to the platform on a configurable interval (see below) to request any new content or
`actions to perform. In steady-state production environments, there is rarely new content or actions
`at each status check, so the request/reply is very small, usually less than 1 KB.
`
`The content or actions received through the Status Update include, in order of frequency:
`
`• New manifests (that define what data to collect for activated Asset Inventory, Vulnerability
`Management, and Policy Compliance modules)
`• Configuration Profiles
`• Download installers for new agent versions (if configured)
`• Re-provisioning commands
`• Re-synchronization commands
`• Uninstallation commands
`
`New manifest content is published on average once per day, some more often, depending on new
`vulnerability disclosures and discoveries by the Qualys vulnerability research team. Configuration
`Profile changes in production environments are rare, and new Cloud Agent binary releases are on a
`quarterly release cadence.
`
`Configuration
`
`The "Agent Status Interval" is configurable in the Configuration Profile. Default values are set to 3600
`seconds (60 minutes) for existing agents already deployed. In an upcoming Portal release, default
`values change in each profile type to follow recommended best practices of 10 minutes for High
`profiles, 15 minutes for Normal profiles, and 30 minutes for Low profiles. These recommended values
`provide reasonable trade-offs between traffic generated by the agent and the timeliness in which the
`agents receive new content and commands.
`
`4. Agent Version Upgrading
`
`Cloud Agents are automatically upgraded when new versions are available on the Qualys Platform.
`Upgrades are transparent, retain the same agent UUID, and do not require an agent re-deployment or
`reboot of the system.
`
`Version Upgrade Control
`
`Beginning with versions Windows 1.5.6 and Linux/Mac 1.6.0, agents, once installed, will have a
`configuration profile setting that an administrator can use to enable/disable agents auto-upgrading
`from the platform using a feature named "Prevent auto updating of the agent binaries".
`
`The feature supports an organization's change management policies and allows organizations to test
`and certify new agent versions before they upgrade production agents. Once an agent version is
`certified, uncheck the "Prevent auto updating" function in the Configuration Profile and agents will
`start upgrading based on the Upgrade Check Interval setting. For organizations that wish to use third-
`party software distribution tools to upgrade deployment agent versions instead of the Qualys
`platform, use this feature to prevent upgrades entirely.
`
`Qualys requires agent versions to be upgraded within three months after the release of new agent
`versions in order to ensure functionality compatibility with Vulnerability Management QIDs, Policy
`Compliance CIDs, and platform management and reporting capabilities. The platform does not
`presently enforce this upgrade period; this may change in the future so that agents will not operate,
`or will operate with reduced functionality, if they are out of date.
`
`5. Data Collection and Upload
`
`The Cloud Agent operates in concert with the platform to optimize the discovery, classification, and
`reporting of vulnerabilities, compliance violations, and asset inventory. The agent uses a lightweight
`data collection mechanism to simply capture the version numbers and other metadata about the
`operating system and installed applications and sends the data to the platform for analysis and
`reporting. In this manner, the agent does not perform any analysis on the system and is only a
`conduit to capture the appropriate information in an optimized lightweight manner for the platform
`to process.
`
`The data collection uploads account for most of the network volume generated by the agent to the
`platform. Qualys optimizes upload volume using a delta processing approach and configurable
`performance settings.
`
`The agent executes a data collection, called a "snapshot", the first time after installation for Asset
`Inventory and each activated module on the agent (Vulnerability Management and Policy Compliance)
`and stores the results locally on the system. Modules that are activated after the agent installation
`will perform the initial snapshot when that module is activated.
`
`The size of the initial snapshot is based on different system variables including: operating system
`version and number of applications installed. Systems with large operating systems, more
`applications, and more third-party libraries will generate a larger snapshot file compared to a stripped-
`down operating system with a single application. On average, Windows initial snapshots range from
`10-20 MB, Linux snapshots range from 2-5 MB, and Mac snapshots range from 2-5 MB. The snapshot
`is uploaded to the platform governed by the Configuration Profile performance parameters assigned
`to the agent.
`
`For agents installed in gold images used for VMs and cloud provider instances, the agent can be
`configured to delay the agent startup and execution of the initial snapshot after system startup by using
`the operating system's native service management functions, for example using the "Automatic
`(Delayed Start)" service setting in Windows and changing the run level for Linux systems (note:
`a changed run level will be reverted back to its original value during an agent upgrade).
`
`Subsequent data collections performed by the agent are compared to the local copy of the previous
`collections and only changed information, called "deltas", is uploaded from the agent to the platform.
`The agent does not re-transmit data that hasn't changed on the asset. The size of the delta files varies
`depending on any changes that have occurred on the endpoint or for any new data collection
`locations specified in the manifest. On average, delta files can range from 50 KB for delta with no
`changes to 2 MB for systems with many
