Qualys agent installed onto VM (state "Provisioning succeeded") but VM not applicable in Azure Security Center with "The extension might be corrupted"

Question

I created a Windows VM in a VNet.

I have a Qualys solution in Azure Security Center, with auto-provision set to ON, so a qualys agent has been automatically installed onto the VM. Good.
Looking at the VM extensions, I see "Provisioning succeeded" for the Qaulys agent. Good again.

BUT looking at Azure Security Center recommendations, more precisely loking at the control "A vulnerability assessment solution should be enabled on your virtual machines", I see my VM in the list of "Not applicable resources" with the message "The extension might be corrupted, please try to remove it and deploy again".

Why is my agent not seen as working by Azure Security Center?

Notes:

• everything is good on Qualys server, the VM is listed in the list of handled assets, and vulnerabilites are also listed, so the agent is correclty transmitting information to Qualys server, but not to ASC?
• the VM is correclty connected to the Log Analytics workspace of the ASC

Answer 1

Hello @shiva patpi ,
Thanks for your reply.

The extension you mention is for the ASC integrated vulnerability scanner, where on my side, I a m using a "BYOL Qualys solution" (exact naming is 'Deploy your configured third-party vulnerability scanner (BYOL - requires a separate license)').
I configured the solution as described in https://qualys-secure.force.com/discussions/s/article/000005837.

I got some more information for the issue I am facing: it appears to be a bug from Qualys, and they plan to fix it/deploy it by mid of April (new release of the agent).

So I will wait until that time!

Answer 2

Hello @Anne-Gaëlle Debroise ,
Thanks for your query !
As per the below document , the extension name should be WindowsAgent.AzureSecurityCenter and Type should be : Qualys.WindowsAgent.AzureSecurityCenter

• https://techcommunity.microsoft.com/t5/azure-security-center/built-in-vulnerability-assessment-for-vms-in-azure-security/ba-p/1577947

Integration of Qualys to ASC via Qualys Cloud:

• https://techcommunity.microsoft.com/t5/azure-security-center/built-in-vulnerability-assessment-for-vms-in-azure-security/ba-p/1577947

Couple of documents from Qualys Support:

• https://qualys-secure.force.com/discussions/s/article/000005837
• https://qualys-secure.force.com/discussions/s/question/0D52L00004TnzjJ/qualys-cloud-agents-not-reporting-to-platform

Hope above document helps you out in resolving the issue.

Answer 3

I am having the same issue, trying to deploy the default free Qualys extension. Seeing the same "The extension might be corrupted, please try to remove it and deploy again" on multiple VM's, all showing as non-applicable. I've tried removing and redeploying via the portal and Security Center, but with same results.

Answer 4

I found our issue. We had locked down the VMs with a firewall, and the agent was not able to communicate to the Qaulys data center.

From the docs here: https://learn.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm

If the deployment fails on one or more machines, ensure the target machines can communicate with Qualys' cloud service by adding the following IPs to your allow lists (via port 443 - the default for HTTPS):

• https://qagpublic.qg3.apps.qualys.com - Qualys' US data center
• https://qagpublic.qg2.apps.qualys.eu - Qualys' European data center

If your machine is in a European Azure region, its artifacts will be processed in Qualys' European data center. Artifacts for virtual machines located elsewhere are sent to the US data center.