Symptoms indicating that this workaround is required
- Latest patch definitions are available, but agent scans are not showing these patches as installed/missing, for example with Windows monthly cumulative updates.
- You see successful recent updates in the Activity Monitor > Program Updates Activity screen for both the LanGuard server and the Agents.
- You have confirmed that agent scans use a profile that detects patches (like the built-in Full Scan and Missing Patches profiles) and that there are no errors in the scan related to the Missing Patches component (can be checked in Activity Monitor > Security Scans).
An example of one such error for the Missing Patches component is shown below, which indicates a problem with program updates on the Agent.
How to execute the workaround
- No scans should be running throughout this process, and you must not have the scanning profiles editor open. Check for the presence of the scanprofiles.exe process in the Task Manager if you are not sure whether the editor is open, and end the task if it is running.
- On the LanGuard server, run this PowerShell script as admin (you will need to bypass the execution policy). You can also create your own PowerShell script with the following commands:
# Stop the LanGuard program updater (update.exe) if it is running
$LGUpdater = Get-Process update -ErrorAction SilentlyContinue
if ($LGUpdater) {
    $LGUpdater | Stop-Process -Force
}
# Delete the old patch definition update archives
Remove-Item "C:\ProgramData\GFI\LanGuard 12\Update\lanss_11_mnspdata*" -Force
Remove-Item "C:\ProgramData\GFI\LanGuard 12\Update\lanss_12_2_patchmngmt*" -Force
Remove-Item "C:\ProgramData\GFI\LanGuard 12\Update\wsusscn2.cab" -Force
This will kill any running program updates and delete the old patch definitions update archives.
- Run C:\Program Files (x86)\GFI\LanGuard 12 Agent\update.exe
- Click Next.
- Select only the options shown in the image below and click Next:
- Ensure that the updates are successfully downloaded and installed as shown in the image and click Finish - if not, do not follow the rest of the steps and contact LanGuard Support.
- Open LanGuard and navigate to Remediate > Remediation Center > Deploy Custom Software.
- Click on the Add button.
- Add the following files (video showing the steps executed here):
| C:\ProgramData\GFI\LanGuard 12\PatchManagement\lanss_12_patchmngmt.mdb | ☑️ Auxiliary file | No parameters required |
| C:\ProgramData\GFI\LanGuard 12\PatchManagement\wsusscn2.cab | ☑️ Auxiliary file | No parameters required |
| updater.ps1 (see the next step for contents if you cannot download the file) | ☑️ Auxiliary file | No parameters required |
| updater.bat (see the next step for contents if you cannot download the file) | 🔲 Auxiliary file | No parameters required |
- If you cannot download updater.ps1 and updater.bat from the links in the table above, here are the contents:
updater.bat:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -ExecutionPolicy Bypass -File "updater.ps1"
updater.ps1:
timeout /t 1
del "updater.ps1"
Move-Item -Path "C:\Windows\Patches\wsusscn2.cab" -Destination "C:\ProgramData\GFI\LanGuard 12\PatchManagement\wsusscn2.cab" -Force
Move-Item -Path "C:\Windows\Patches\lanss_12_patchmngmt.mdb" -Destination "C:\ProgramData\GFI\LanGuard 12\PatchManagement\lanss_12_patchmngmt.mdb" -Force
- At this point, I recommend exporting this configuration for future use by clicking the Export button and saving the configuration XML file:
- This allows you to quickly import the files when needed:
- Once you have the remediation job set up, ensure you have selected the correct machines in the computer tree on the left and click Deploy in the bottom right corner.
- Note that for this job, it is recommended to disable reboots and Patch Verification scans. You will still need to authenticate with an account with local admin rights as usual.
- Once the deployment is complete, run the agent scans on the targets that were included in the deployment, and you should see the latest patches as missing/installed once the scan is completed and imported into the LanGuard scan results database.
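
Because the custom software job copies wsusscn2.cab and lanss_12_patchmngmt.mdb to every selected agent and runs a script with the execution policy bypassed, it is worth checking the two source files on the LanGuard server before clicking Deploy. The following is an added example, not part of GFI's procedure or scripts: the paths are the ones given above, while the function name Test-DefinitionFile and the 7-day freshness threshold are assumptions.

```powershell
# Added example (not GFI's script). Paths come from the steps above.
$PatchDir   = 'C:\ProgramData\GFI\LanGuard 12\PatchManagement'
$MaxAgeDays = 7   # assumption: how recent a freshly updated file should be

function Test-DefinitionFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxAgeDays = 7,
        [switch]$RequireSignature   # only meaningful for signed formats such as .cab
    )
    $result = [ordered]@{
        Path = $Path; Exists = $false; Fresh = $false
        Signature = 'NotChecked'; Signer = $null; SHA256 = $null
    }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $item = Get-Item -LiteralPath $Path
        $result.Exists = $true
        $result.Fresh  = $item.LastWriteTime -gt (Get-Date).AddDays(-$MaxAgeDays)
        $result.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($RequireSignature) {
            $sig = Get-AuthenticodeSignature -LiteralPath $Path
            $result.Signature = [string]$sig.Status
            if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
        }
    }
    [pscustomobject]$result
}

# The profiles editor and the updater must not be running at this point.
$busy = Get-Process -Name scanprofiles, update -ErrorAction SilentlyContinue
if ($busy) { Write-Warning "Still running: $($busy.Name -join ', ')" }

$checks = @(
    Test-DefinitionFile -Path (Join-Path $PatchDir 'wsusscn2.cab') -MaxAgeDays $MaxAgeDays -RequireSignature
    Test-DefinitionFile -Path (Join-Path $PatchDir 'lanss_12_patchmngmt.mdb') -MaxAgeDays $MaxAgeDays
)
$checks | Format-List   # review Signer and record SHA256 before deploying

# Fail if a file is missing, stale, or carries a signature that is not Valid.
$bad = $checks | Where-Object {
    -not $_.Exists -or -not $_.Fresh -or ($_.Signature -notin 'NotChecked', 'Valid')
}
if ($bad) { Write-Error "Do not deploy: $($bad.Path -join ', ') failed the check."; exit 1 }
```

After the deployment, running Get-FileHash against the same two paths on an agent and comparing the values with the SHA256 output recorded here confirms that the agent received the files that were checked.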