This article covers the GFI LanGuard Scanning Profile Editor component. After reviewing this article, you will:
- Become familiar with the LanGuard Scanning Profiles.
- Learn about Scanning Profile Editor.
- Find out how to apply this information when working on cases related to Interactive or Agent scans.
- Be able to answer common questions and troubleshoot common issues with the Scanning Profiles.
Scanning Profiles are a collection of tests and vulnerability checks used during LanGuard scanning operations to retrieve the scan targets' information. They are customizable, and the system comes with a set of profiles out of the box. The most commonly used profile is the default Full Scan because it contains all the available checks, i.e., it is a combined scan for missing patches, vulnerabilities, and generally all items LanGuard is designed to look for.
With the use of agents, the Full Scan profile is ideal for getting a good picture of the entire network. However, in environments where agents cannot be used, and the connections are either slow, or the network is very large, an optimized scanning profile might need to be used in which only pinpoint checks have been activated. Choosing what to scan for is as important as selecting the correct profile.
Every Scanning Profile consists of various options and settings that can be enabled, disabled, or changed to develop a customized Scanning Profile. The Scanning Profile Editor is the central tool to customize scanning profiles or find out more about certain vulnerability checks' conditions.
Remember that some changes are applied to all the Scanning Profiles, not only the currently edited ones.
Each Scanning Profile has the options for Vulnerabilities Scanning, Patches Scanning, and General Information scanning, any of which can be turned on and off separately. This allows end-users to set profiles for certain groups of devices, such as a profile that does not report missing patches for known items or an executive rule to prevent application updates.
From the support point of view, the tricky part is that the profiles are consistently updated. The current time frame for all updates is twice a week, generally Wednesday and Friday evenings. The exception to this rule is Microsoft Patch Tuesdays, for which we release an update as soon as possible to match the release schedule.
As this list is continually being updated, there are times when specific patches may have an unwanted effect. For example, you may use a specific Java version with internal software, where newer builds are not compatible. To alleviate this, users can edit the scanning profile to prevent the software from detecting certain patches or entire product lines. Once this is done, and a new/updated profile is applied, later scans won't check for these, saving both time and resources on the scan job being performed.
All scanning profiles are saved in the Scanning Profile Database located in:
Scanning Profile Editor
The Scanning Profile Editor is broken down into three main sections:
- Vulnerability Assessment Options: specific checks, e.g., OVAL or CVE vulnerabilities, and tests for patches, installed or otherwise.
- Network and Software Audit Options: port scanning, system enumeration, and necessary OS information.
- Scanner Options: deals with timeouts, scanning threads, and other options for scanning.
Refer to Creating and Personalizing a Scanning Profile for information on customizing a Scanning Profile.
Vulnerability Assessment Options
The patch section of each Scanning Profile contains all available Microsoft and non-Microsoft patches in the Patch Management Database.
It is impossible to view each patch's exact detection conditions since this information is already encrypted in the database.
For vulnerability customization in LanGuard, the situation is the opposite. It is possible to edit existing checks or create custom ones, though this can be challenging, and not many customers use this feature. All the conditions that can be used to create custom vulnerability checks are:
All scripts (SSH, Python, and VB) should be developed and tested with the GFI LanGuard script debugger (scriptdbg.exe). The debugger can be reached via the LanGuard program group and comes with comprehensive documentation.
The most common mistakes and pitfalls during script debugging are described in the debugger's documentation.
IMPORTANT: Changes made to existing vulnerability checks will be applied to all scanning profiles.
The Scanner Options of each profile allow the user to specify various settings and timeouts, mostly used for manual scans. Below is a list of the most common settings and their impact:
Network Discovery Methods
You might encounter situations where customers perform a manual scan on an entire domain or network segment, and LanGuard still does not recognize all available machines in this segment. The Network Discovery Methods help to work around this issue by offering different technologies, which can be enabled or disabled depending on the most appropriate method for the customer's environment.
At least one of these methods has to work on all devices on the network for LanGuard to discover them.
Scanning threads count
This option offers the possibility to increase the number of threads used to scan several computers simultaneously. The default is 3.
Type of scanner activity output
This option can help during troubleshooting or when full debug logs cannot be obtained from the customer. When set to 'verbose', the scan window displays much more information than in simple mode.
Dealing with Issues
Every user environment is different and may require different scans or options within the scan. Most customized profiles will start from the default Full Scan, but this will vary depending on the end user's purpose in changing the detection.
Making changes at the Scan Profile level may eliminate the need to acknowledge or ignore specific patches from the dashboard individually and manually since the item would not be detected at the scan level. Since LanGuard only imports what is detected during the scan, removing checks for individual items is sometimes more beneficial than hiding them.
On the subject of environment-specific settings: LanGuard does support scanning macOS and Linux devices via an Interactive scan; however, if SSH in your environment runs on a non-standard port, operations will fail. LanGuard does not detect this automatically; the port must be changed in the scan configuration to match the user's environment.
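A pre-check for the non-standard SSH port case, added here as an example (it is not part of LanGuard or of GFI's documentation): it confirms which port on a scan target answers as SSH, so the value entered in the scan configuration can be verified first. The function names, the candidate port 2222, and the default host are assumptions; the check relies only on the standard SSH behaviour that a server sends an identification line starting with "SSH-" when a client connects.

```python
import socket


def read_ssh_banner(host, port, timeout=3.0):
    """Return the SSH identification line sent by host:port, or None.

    None means the port is closed, filtered, silent, or not speaking SSH.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = b""
            while len(data) < 4096:          # bound the read; banners are short
                chunk = sock.recv(256)
                if not chunk:                # peer closed without an SSH banner
                    break
                data += chunk
                # A server may send other text lines before its identification
                # line, so inspect every complete line received so far.
                for line in data.split(b"\n")[:-1]:
                    if line.startswith(b"SSH-"):
                        return line.strip().decode("ascii", "replace")
    except OSError:                          # refused, unreachable, or timed out
        pass
    return None


def find_ssh_port(host, candidate_ports, timeout=3.0):
    """Return (port, banner) for the first candidate that answers as SSH,
    or (None, None) if none of them does."""
    for port in candidate_ports:
        banner = read_ssh_banner(host, port, timeout)
        if banner:
            return port, banner
    return None, None


if __name__ == "__main__":
    import sys
    # Usage: script.py <host> [port ...]; the defaults below are constructed.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or [22, 2222]
    port, banner = find_ssh_port(host, ports)
    if port is None:
        print(f"{host}: no SSH service on {ports}")
    else:
        print(f"{host}: SSH on port {port} ({banner})")
```

If the port reported differs from the one set for the scan, that mismatch is the first thing to correct before looking further into a failed macOS or Linux scan.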
Always verify what Scanning Profile was used and whether it was modified, and check the lanss_v***_securityscanner.csv in case you need to find out why a certain check is misbehaving or what check was actually performed during a scan.
Finally, keep in mind that some of the scanning "How do I ..." questions are solved with the Scanning Profiles. For example:
- Ignoring Windows Firewall in a GFI LanGuard Vulnerability Scan
- Why is LanGuard Not Recognizing Protection Engine / Antivirus / Anti-Malware / Antispyware Software When Scanning?