This article describes how a scan is initiated and how the scanning process flows in LanGuard, so that agents have a more in-depth and precise understanding of how scans work, irrespective of the type of scan being performed.
There are two different ways to scan machines:
- Manual/interactive scans, initiated from the Scan tab of the LanGuard UI.
- Agent scans, performed automatically according to the agent's scan schedule; they can also be triggered manually by right-clicking any machine (or OU) in the network tree and selecting Scan > Refresh information now.
Additionally, the main application also allows Scheduled Scans (agentless) to be configured; these work in the same way as manually performed scans.
Regardless of where the load is handled, the actual scanning process follows the same pattern on every scan, with only one difference: agents perform a local scan, while the main application scans the targets remotely.
Scanning Process Workflow
When it is time to scan:
- AgentManager connects to the agent and copies the scanorder.txt file, which initiates the update process and executes LNSSComm.exe for the rest of the process.
Note: For interactive/manual scans, LNSSComm is already running on the server, so this step is skipped and the subsequent procedure is launched immediately.
- LNSSCommunicator (the LNSSComm DCOM server) receives a command for a Scan operation and loads the DbProcessor and RemEngine modules specified in [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GFI\LNSSX\Plugins], as well as the plugin that performs the scan (ServiceProvider, see below). LNSSComm then relays status messages from the scanner to the client that ordered the scan.
- Subsequently, the Service Provider (SP) handles the security scanning operations. It delegates the actual scanning to a series of plugins registered in [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GFI\LNSSX\SPPlugins] and relays status messages from these plugins.
- The Service Provider first loads the plug-ins listed in the "Init Operation" registry key. Currently, only the Scripting Engine (SEngine) is loaded at this stage; it is loaded immediately because the module requires complex initialization. SEngine is used to run the scripts that check for vulnerabilities, perform custom TCP discovery, and perform port scanning.
- During the scan, the plug-ins listed in the "Scanner Operation" registry key are loaded. First, the modules in 'RunFirstPlugins' are loaded. Currently, only gatherlivepcop.dll (Gather Live PC OP) is loaded; it checks whether the machines to be scanned are online, using one or more of the Network Discovery Methods configured for the profile in the Scanner Options tab. This module fills an in-memory cache with the IPs and other information of the machines discovered to be online.
- The Service Provider monitors this in-memory cache. When new information appears in it, the Service Provider instructs each module specified in "RunAfterPlugins". Below is the list of modules that are currently loaded:
  - Gather Info OP
  - Port Scans OP
  - Gather Linux Info OP
  - WMI OP + WMIOPC
  - Mobile Device Scanner Plugin
  - Get Installed Products OP
  - Missed Patch OP
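Because LNSSComm and the Service Provider load whatever DLLs the Plugins and SPPlugins keys point to, a quick integrity check of those registrations is useful when troubleshooting a scan or auditing a host. The script below is an added example, not GFI's own code: it walks both keys (including the "Init Operation" and "Scanner Operation" subkeys), collects every string value that names a DLL, and reports whether the file exists and carries a valid Authenticode signature. It assumes registrations are stored as string values holding a DLL file name or path; the install directory is a placeholder you must set.

```powershell
# Added example (not part of LanGuard): audit the plugin registrations read by
# LNSSComm (Plugins) and the Service Provider (SPPlugins).
$PluginKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\GFI\LNSSX\Plugins',
    'HKLM:\SOFTWARE\WOW6432Node\GFI\LNSSX\SPPlugins'
)
# Placeholder: set this to the LanGuard install directory on the host being checked.
$InstallDir = 'C:\Path\To\LanGuard'

function Get-LanGuardPluginReferences {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { Write-Warning "Missing key: $key"; continue }
        # The key itself plus every subkey (Init Operation, Scanner Operation, ...)
        foreach ($item in @(Get-Item $key) + @(Get-ChildItem $key -Recurse)) {
            foreach ($name in $item.GetValueNames()) {
                # Assumption: DLL registrations are REG_SZ or REG_MULTI_SZ values.
                foreach ($v in @($item.GetValue($name))) {
                    if ($v -is [string] -and $v -match '\.dll$') {
                        [pscustomobject]@{
                            Key   = $item.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                            Value = $name
                            Dll   = $v
                        }
                    }
                }
            }
        }
    }
}

function Test-LanGuardPluginDll {
    param([string]$Dll, [string]$BaseDir)
    # Bare names such as gatherlivepcop.dll are resolved against the install dir.
    $path = if ([IO.Path]::IsPathRooted($Dll)) { $Dll } else { Join-Path $BaseDir $Dll }
    $exists = Test-Path $path
    $sig = if ($exists) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
    [pscustomobject]@{ Path = $path; Exists = $exists; Signature = $sig }
}

Get-LanGuardPluginReferences -Keys $PluginKeys | ForEach-Object {
    $check = Test-LanGuardPluginDll -Dll $_.Dll -BaseDir $InstallDir
    [pscustomobject]@{
        Key = $_.Key; Value = $_.Value; Dll = $_.Dll
        Exists = $check.Exists; Signature = $check.Signature
    }
} | Format-Table -AutoSize
```

Any row reporting FileMissing, NotSigned or HashMismatch deserves a closer look before the next scan runs, since those DLLs are loaded into the scanning process.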
The diagram shown below further describes this process.
Understanding Scanning Logs
Reviewing and understanding scanning logs is a broad topic that is covered in detail in the Using Debug Logs for Scanning Process Troubleshooting article.
Refer to Data Structure and Log Review for more information about the LanGuard data structure and log format.