GFI Support Home Start a conversation Sign in
Start a conversation
  1. GFI LanGuard
  2. Articles
  3. Public Articles

GFI LanGuard Patch Download/Remediation Failures (e.g., “Not Found” / “None of the needed patches could be downloaded”) Caused by WinINet Connection Resets and/or a Corrupted CAB in the Local Repository

Table of Contents

Overview

This article describes how to troubleshoot and fix situations where Microsoft patch downloads or remediation fail in GFI LanGuard with errors such as:

  • Not Found (shown in Activity Monitor > Software Updates Download)
  • None of the needed patches could be downloaded (shown in remediation results)
  • Debug logs showing WinINet connection reset errors (for example GetLastError returned 12031)
  • A corrupted or incomplete CAB file already present in the local patch repository

For details on where to view download/remediation status in the console, see: Monitoring LanGuard Operations with the Activity Monitor

Symptoms:

  • Download failures / connection resets when pulling CAB files from download.windowsupdate.com (WinINet error 12031), and
  • a corrupted CAB already present in the local patch repository, which prevents a successful remediation until it is removed and re-downloaded.

Before you begin

  • You will need local administrator access to the LanGuard server.
  • The patch repository location may be customized; the default is typically C:\Program Files (x86)\GFI\LanGuard 12\Repository\English.

Step 1 — Identify what is failing (download vs. deployment)

  1. Open the LanGuard console and click the Activity Monitor tab.
  2. Check the exact error text in the UI (this determines what you troubleshoot next):
  3. (Optional but recommended) Open the failing download URL in Internet Explorer on the LanGuard server to validate whether the URL is accessible from the same Windows networking layer used by LanGuard. See the download troubleshooting flow in: Why do I have Remediation Problems with Third-Party Application Updates and Patches Failing to Download?

Step 2 — Fix corrupted CAB in the local repository (force re-download)

LanGuard validates update file integrity (for example by verifying expected hashes/sizes). If a CAB already exists in the local patch repository but is corrupted or incomplete, remediation can fail even if the original URL is correct. See: How does GFI LanGuard ensure update integrity?

Optional confirmation (advanced, debug mode should be enabled prior to capturing the error in logs) — Verify this is a corrupted-CAB scenario before doing Step 2

If you want to confirm that you are hitting this exact scenario, check the LanGuard server debug logs for a HASH MISMATCH error for the CAB file that is failing.

  1. On the LanGuard server, open: C:\ProgramData\GFI\LanGuard 12\DebugLogs\ and then open: lanss_v*_attendantservice.csv (and any rollover backups of that file, if present). See: Introduction to LanGuard Logs
  2. Search for the CAB filename or KB number (for example KB5071544) and for the text HASH MISMATCH for. An example of the exact error format is:
...,"error  ","RemediationPlugin","HASH MISMATCH for 'C:\Program Files (x86)\GFI\LanGuard 12\Repository\English\..._Windows10.0-KB5071544-x64.cab', expected '<sha1>', found '<sha1>'"

Option A — Fix the corrupted CAB in the repository (recommended)

  1. On the LanGuard server, open Services (services.msc).
  2. Stop the GFI LanGuard 12 Attendant service.
  3. Locate the patch repository folder.
    • Default example: C:\Program Files (x86)\GFI\LanGuard 12\Repository\English
    • The file name typically contains a prefix and the KB number, for example: *_Windows10.0-KB5071544-x64.cab
  4. Move (or delete) the corrupted CAB out of the repository.
    • Tip: moving it to a temporary folder is safer than deleting it immediately.
  5. Start the GFI LanGuard 12 Attendant service.
  6. In LanGuard, retry the download/remediation for the affected patch (for example, right-click the failed entry and choose Retry download if available, then re-run remediation).

How to validate the fix

  • The CAB is downloaded again and reappears in the repository with a new timestamp/size.
  • Remediation no longer fails due to integrity validation.

If you are troubleshooting general package integrity issues, the following article includes a general integrity verification approach: Resolving Package Installation Failures and HTTP 403 Errors in GFI LanGuard

Step 3 — If a single KB is blocking patching, temporarily ignore or exclude it (so other patches can proceed)

If one update is failing and blocking your patching workflow, you can temporarily ignore/exclude that specific KB so you can continue deploying other patches.

Option B — Ignore the KB (quick workaround)

  1. Open the LanGuard console and go to Dashboard > Patches.
  2. Select the target scope in the computer tree (single machine / group / entire network).
  3. Select the problematic patch and click Ignore under Actions.
  4. Choose the scope (for example, Entire network) and the ignore duration.

See detailed steps here: How to Configure LanGuard to Ignore Missing Patch or Vulnerability?

Option C — Exclude the KB in the scanning profile

  1. Go to Configuration > Scanning Profiles.
  2. Select the profile you are using and click Edit this Profile.
  3. In Vulnerability Assessment Options, open the Patches tab and uncheck the KB.
  4. Save the profile, then run a fresh scan so dashboard results reflect the change.

See detailed steps here: Ignoring Specific Vulnerabilities in Scans

Step 4 — If you must patch immediately, deploy the update manually

If the update is available from Microsoft but cannot be deployed via LanGuard yet (or you need an immediate workaround), you can deploy it using LanGuard’s Deploy Custom Software feature or install it manually.

For a step-by-step LanGuard Deploy Custom Software template for cumulative updates/hotfixes (MSU + BAT), see: Template to push out common Windows updates like Cumulative Updates via LanGuard's Custom Software Deployment feature

  1. Download the update from the Microsoft Update Catalog: https://www.catalog.update.microsoft.com/
  2. Install from an elevated command prompt: 
    wusa.exe "C:\Path\To\<kb>.msu" /quiet /norestart
  3. Reboot: 
    shutdown /r /t 60
  4. Verify installation: 
    Get-HotFix -Id <KB>
  5. Re-scan from LanGuard to confirm compliance.

Step 5 — If downloads still fail (proxy/network), validate proxy settings and retry

If LanGuard cannot download required patch files, remediation cannot continue. Proxy settings are a common cause.

  1. In the LanGuard console, go to Configuration > Program Updates > Edit proxy settings.
  2. For troubleshooting, try disabling proxy override / selecting Connect directly to the internet.
  3. Apply changes and retry the download/remediation.

See: GFI LanGuard Remediation Error: 'None of the needed patches could be downloaded'

If the issue persists

Collect Troubleshooter logs from the LanGuard server and provide them to Support for analysis. To avoid back-and-forth, include:

  • A screenshot of the exact error (Not Found or None of the needed patches could be downloaded)
  • The affected KB number(s) and the full download URL shown in LanGuard (if available)
  • The approximate time (with time zone) when you retried the download/remediation
  • Troubleshooter logs from the LanGuard server (captured after reproducing the issue)

How to collect the logs:

Notes on update availability

Microsoft and non-Microsoft patches are published to LanGuard via patch management database updates, and the exact time a specific KB appears may vary. For general release timing expectations, see: Patch Management Database Release Schedules

Choose files or drag and drop files
ai_initiated
atlas_studio
kb_automation
Was this article helpful?
Yes
No

  1. Priyanka Bhotika

  2. Posted

Comments