Overview

You would like LanGuard to scan a subset of machines only for the missing Microsoft Windows patches. This article guides you on creating a custom scanning profile for this (or similar) task and using it for scanning.

Solution

Each LanGuard console and agent scanning job is based on a Scanning Profile chosen to run it. For the task above, you have to create a new Scanning Profile and select only the necessary settings for it:

1. Launch the LanGuard console and go to the Configuration tab.
2. Right-click on Scanning Profiles and select Scanning Profiles Management. This opens the Scanning Profile Editor.
3. Select Complete/Combination Scans, click on the New Scanning Profile and name your profile.
   
   
    
4. If you are looking for the Microsoft patches, only scanning for the vulnerabilities brings no value for your use case and only takes scanning time. Deselect Enable vulnerability scanning.
    
   
    
5. Go to Patches > Advanced.
    
    
    
6. Use the dropdown to select No for Include non-Microsoft updates and other categories you are not interested in. Click OK.
   
   
7. Go back to Network & Software Audit Options, select System Information, and ensure that all options for Linux System Information matches the screenshot below. 
   
   • Retrieve basic OS information - No
   • Enumerate local users - No
   • Enumerate local groups - No
   • Enumerate logged on users - No
   • Enumerate disk drives - No
   • Request remote time of day - No
   • Enumerate services - No
   • Enumerate remote processes - No
   • Identify virtualization technology - No
8. (Optional) Go through the Network & Software Audit Options and enable/disable checks according to your use case. For example, disable port scanning.
   
   

Testing

The new profile should now be available to choose from the LanGuard console for scanning machines on the network.