Qualys agent installed onto VM (state "Provisioning succeeded") but VM not applicable in Azure Security Center with "The extension might be corrupted"

Anne-Gaëlle Debroise 6 Reputation points
2021-04-02T08:42:30.89+00:00

I created a Windows VM in a VNet.

I have a Qualys solution in Azure Security Center, with auto-provision set to ON, so a qualys agent has been automatically installed onto the VM. Good.
Looking at the VM extensions, I see "Provisioning succeeded" for the Qaulys agent. Good again.

83966-image.png

BUT looking at Azure Security Center recommendations, more precisely loking at the control "A vulnerability assessment solution should be enabled on your virtual machines", I see my VM in the list of "Not applicable resources" with the message "The extension might be corrupted, please try to remove it and deploy again".

83991-image.png

Why is my agent not seen as working by Azure Security Center?

Notes:

  • everything is good on Qualys server, the VM is listed in the list of handled assets, and vulnerabilites are also listed, so the agent is correclty transmitting information to Qualys server, but not to ASC?
  • the VM is correclty connected to the Log Analytics workspace of the ASC
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
9,055 questions
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Anne-Gaëlle Debroise 6 Reputation points
    2021-04-06T09:31:20.897+00:00

    Hello @shiva patpi ,
    Thanks for your reply.

    The extension you mention is for the ASC integrated vulnerability scanner, where on my side, I a m using a "BYOL Qualys solution" (exact naming is 'Deploy your configured third-party vulnerability scanner (BYOL - requires a separate license)').
    I configured the solution as described in https://qualys-secure.force.com/discussions/s/article/000005837.

    I got some more information for the issue I am facing: it appears to be a bug from Qualys, and they plan to fix it/deploy it by mid of April (new release of the agent).

    So I will wait until that time!

    1 person found this answer helpful.
    0 comments No comments

  2. shiva patpi 13,366 Reputation points Microsoft Employee Moderator
    2021-04-03T01:23:30.913+00:00

    Hello @Anne-Gaëlle Debroise ,
    Thanks for your query !
    As per the below document , the extension name should be WindowsAgent.AzureSecurityCenter and Type should be : Qualys.WindowsAgent.AzureSecurityCenter

    Integration of Qualys to ASC via Qualys Cloud:

    Couple of documents from Qualys Support:

    Hope above document helps you out in resolving the issue.

    0 comments No comments

  3. Stuart Cox 1 Reputation point
    2021-08-25T20:33:04.283+00:00

    I am having the same issue, trying to deploy the default free Qualys extension. Seeing the same "The extension might be corrupted, please try to remove it and deploy again" on multiple VM's, all showing as non-applicable. I've tried removing and redeploying via the portal and Security Center, but with same results.


  4. Stuart Cox 1 Reputation point
    2021-08-26T22:45:24.05+00:00

    I found our issue. We had locked down the VMs with a firewall, and the agent was not able to communicate to the Qaulys data center.

    From the docs here: https://learn.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm

    If the deployment fails on one or more machines, ensure the target machines can communicate with Qualys' cloud service by adding the following IPs to your allow lists (via port 443 - the default for HTTPS):

    If your machine is in a European Azure region, its artifacts will be processed in Qualys' European data center. Artifacts for virtual machines located elsewhere are sent to the US data center.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.