Overview
Low performance does not appear out of thin air. Usually it is the result of wrong environment settings, unannounced changes, non-optimal configuration, or ignored requirements.
This article describes the recommended settings to ensure GFI LanGuard performs at its best.
Information
GFI LanGuard's remote communication needs and intensive resource access patterns make it a likely target of interference from third-party software such as anti-virus/anti-spyware solutions, intrusion prevention systems, or firewalls.
Following the configuration guidelines below achieves the best performance and avoids many problems.
Real-time Protection Engines
Real-time protection engines can cause unexpected errors and severely reduce GFI LanGuard's scanning speed. To avoid this:
- Exclude the following GFI LanGuard paths from real-time anti-virus scanning (on the server as well as on agent machines):
  - Microsoft Windows Vista/Server 2008 and later:
    - 64-bit:
      <system drive>:\Program Files (x86)\GFI\
    - 32-bit:
      <system drive>:\Program Files\GFI\
    - Shared application data directory (both architectures):
      <system drive>:\ProgramData\GFI\
  - Microsoft Windows XP/Server 2003:
    <system drive>:\Documents and settings\all users\application data\GFI\
    <system drive>:\Program Files\GFI\
- Exclude the directory of the MS SQL database files (*.mdf/*.ldf) from scanning
- Exclude the directory of the MS SQL server instance from scanning
- Disable antimalware protection for
  <system drive>:\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe
  (HTTP protocol, usually running on one of the TCP ports 1070-1080)
- Disable antimalware protection for the IIS web site GFI LanGuard Central Management Server (HTTPS protocol, usually running on one of the TCP ports 1070-1080)
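The exclusions above applied to Microsoft Defender Antivirus, as an added example that is not part of the GFI article (other anti-virus products need the equivalent entries in their own console; Windows XP/Server 2003 hosts have no Defender module and must be configured manually). The SQL Server directories and the use of w3wp.exe as the IIS worker process serving the Central Management Server site are assumptions made for this example; replace them with the paths of your own instance.

```powershell
# Added example (not from the GFI article): apply the real-time protection
# exclusions above to Microsoft Defender Antivirus via the Defender module
# (Windows 8 / Server 2012 and later). Run from an elevated PowerShell session.

$sys = $env:SystemDrive   # e.g. "C:"

# GFI LanGuard directories named in the article. Paths that do not exist on
# this host (e.g. "Program Files (x86)" on 32-bit Windows) are skipped.
$gfiPaths = @(
    "$sys\Program Files (x86)\GFI\",   # 64-bit Windows
    "$sys\Program Files\GFI\",         # 32-bit Windows
    "$sys\ProgramData\GFI\"            # shared application data
)

# Assumed placeholders, not in the article: the *.mdf/*.ldf directory and the
# instance directory of the SQL Server hosting the LanGuard database.
# Find the real data directory with: SELECT physical_name FROM sys.master_files;
$sqlPaths = @(
    "$sys\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\",
    "$sys\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\"
)

# Processes whose file access should not be intercepted: the agent's Apache
# httpd and (assumption) the IIS worker process w3wp.exe that serves the
# Central Management Server site. A w3wp.exe exclusion covers every IIS
# application pool on the host, not just the LanGuard site.
$processes = @(
    "$sys\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe",
    "$env:SystemRoot\System32\inetsrv\w3wp.exe"
)

foreach ($p in ($gfiPaths + $sqlPaths)) {
    if (Test-Path -LiteralPath $p) {
        Add-MpPreference -ExclusionPath $p
    } else {
        Write-Warning "Skipping missing path: $p"
    }
}
foreach ($p in $processes) {
    if (Test-Path -LiteralPath $p) {
        Add-MpPreference -ExclusionProcess $p
    } else {
        Write-Warning "Skipping missing executable: $p"
    }
}

# Verify what Defender holds now. Add-MpPreference only adds entries, so the
# script can be re-run safely after an upgrade or a path change.
$pref = Get-MpPreference
'--- Path exclusions ---';    $pref.ExclusionPath
'--- Process exclusions ---'; $pref.ExclusionProcess
```

Keep the exclusion list as narrow as the article requires: every excluded directory is a place where malware can sit unscanned, so do not widen the paths to a whole drive or to Program Files as a shortcut.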
Firewalls
The firewall might slow down GFI LanGuard scanning or even block outbound connections to scanned computers.
- The firewall should allow the following servers (inbound):
  - C:\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe
    (HTTP protocol, usually running on one of the TCP ports 1070-1080)
  - IIS web site GFI LanGuard Central Management Server (HTTPS protocol, usually running on one of the TCP ports 1070-1080)
  - MSSQL Server (if using TCP connections, not Named Pipes connections)
- The firewall should allow the following TCP clients (outbound):
  - C:\Program Files (x86)\GFI\LanGuard 12\*.exe
  - C:\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe
  - C:\Program Files (x86)\GFI\LanGuard 12 Agent\*.exe
  - C:\Windows\Patches\PatchAgent.exe
  - C:\Program Files (x86)\GFI\LanGuard 12 Server\*.exe
- For communication between agents and the server, open the ports the services above listen on in the firewall (by default one of the TCP ports 1070-1080).
The firewall might disable various ports and services
By default, some firewall applications (such as the built-in Microsoft Windows firewall) block various ports and services. This can make the target computers completely undiscoverable, or reduce scanning accuracy.
Make the following changes to the firewall on the target computers:
- Enable File and Printer Sharing.
- Enable Windows Management Instrumentation (WMI) traffic.
- It is normally sufficient to allow the above types of traffic only from the GFI LanGuard computer's IP address (most current firewall products allow this granularity).
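Both sides of the firewall configuration above, the service and client rules on the GFI LanGuard server and agent hosts and the File and Printer Sharing and WMI rules on the scan targets, as one added example using the Windows Firewall cmdlets; this is not from the GFI article. The scanner IP address below is a constructed example, the rule names are arbitrary, and the predefined rule group names assume an English Windows installation.

```powershell
# Added example (not from the GFI article): Windows Firewall rules with the
# NetSecurity cmdlets (Windows 8 / Server 2012 and later). Run elevated. If the
# firewall is managed by Group Policy, make the same changes in the GPO instead.

$LanGuardServerIp = '192.0.2.10'   # constructed example address; use the real scanner IP
$pf86 = "$env:SystemDrive\Program Files (x86)"

# Remove a rule of the same name first so re-running does not stack duplicates.
function New-RuleOnce {
    param([string]$Name, [hashtable]$Params)
    Remove-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $Name -Action Allow -Profile Domain,Private @Params | Out-Null
}

# --- GFI LanGuard server and agent hosts: listening services (inbound) and
#     scanning/update clients (outbound) named in the article. ---
function Set-LanGuardHostRules {
    # Agent httpd listens on one of TCP 1070-1080.
    New-RuleOnce 'GFI LanGuard Agent httpd (in)' @{
        Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = '1070-1080'
        Program   = "$pf86\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe"
    }
    # IIS sockets belong to HTTP.sys in the kernel, so the Central Management
    # Server site needs a port rule rather than a w3wp.exe program rule.
    New-RuleOnce 'GFI LanGuard CMS HTTPS (in)' @{
        Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = '1070-1080'
    }
    # Outbound program rules need an exact executable, so the article's *.exe
    # wildcards are expanded by enumerating the directories (non-recursive).
    $dirs  = "$pf86\GFI\LanGuard 12", "$pf86\GFI\LanGuard 12 Agent", "$pf86\GFI\LanGuard 12 Server"
    $exes  = @(foreach ($d in $dirs) { Get-ChildItem -LiteralPath $d -Filter *.exe -ErrorAction SilentlyContinue })
    $extra = "$pf86\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe", "$env:SystemRoot\Patches\PatchAgent.exe"
    $exes += @(Get-Item -LiteralPath $extra -ErrorAction SilentlyContinue)
    foreach ($exe in $exes) {
        New-RuleOnce "GFI LanGuard client $($exe.Name) (out)" @{
            Direction = 'Outbound'; Protocol = 'TCP'; Program = $exe.FullName
        }
    }
}

# --- Scan targets: enable the predefined File and Printer Sharing and WMI
#     rule groups, scoped so only the LanGuard server may use them. ---
function Set-ScanTargetRules {
    param([string]$ScannerIp)
    $groups = 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)'
    $rules  = Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound
    $rules | Set-NetFirewallRule -RemoteAddress $ScannerIp
    $rules | Enable-NetFirewallRule
    # Check: every inbound rule in both groups is now enabled and scoped.
    Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound | ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-55} enabled={1} remote={2}' -f $_.DisplayName, $_.Enabled, $remote
    }
}

# On the GFI LanGuard server / agent hosts:
Set-LanGuardHostRules
# On each scan target:
Set-ScanTargetRules -ScannerIp $LanGuardServerIp
```

Set-ScanTargetRules replaces the remote address list of the rule groups. If a target also legitimately serves file shares or WMI to other hosts, pass the existing addresses together with the scanner IP instead of overwriting them.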
Firewalls slow down port scanning and may affect UDP scanning reliability
The port scanning section of a GFI LanGuard scan is considerably slower when the scanned computer is firewalled. Also, UDP port scanning may not be reliable with some firewall solutions. GFI LanGuard will determine such cases and will report accordingly.
- Only enable port scanning when needed, and expect the scan duration to roughly double when it is enabled. Port scanning can be disabled/enabled per Scanning Profile in the GFI LanGuard configuration.
Intrusion Prevention Systems
Some intrusion prevention products may interpret the intensive port querying done by GFI LanGuard as an attack and block all communication with the GFI LanGuard computer's IP address for a period of time.
- Disable the intrusion prevention engine on targets while scanning them with GFI LanGuard, add relevant exclusion rules in the Intrusion Prevention System engine, or disable port scanning in GFI LanGuard.
Internet Access Restrictions
GFI Web Servers Access
GFI LanGuard program updates will not work if the GFI LanGuard computer cannot reach the GFI web servers.
- Allow the GFI LanGuard computer to reach the required GFI update sources on the Internet (add the relevant exclusions to the proxy or firewall).
- It is also possible to configure GFI LanGuard to download program updates from an alternative location, refer to Updating GFI LanGuard in a Secure Network.
Affected LanGuard Operations
During a security scan, GFI LanGuard checks whether the definition files of the supported virus scanners and anti-spyware software are up to date. This check fails when the GFI LanGuard computer has no Internet access. Downloading Microsoft updates also requires Internet access.
- Temporarily allow Internet access if possible. In some situations, manually downloading a patch is a workaround.
GFI LanGuard can scan and patch Linux computers that are connected to the Internet and run a supported distribution. The actual operations are performed by the distribution's built-in package manager (the equivalent of Windows Update) on each Linux machine.
NOTE: If a Linux computer is not connected to the Internet, GFI LanGuard cannot patch it. There is no workaround.
Database Backend
In large environments or with an intensive scanning schedule, the GFI LanGuard database backend can grow to its maximum capacity. Refer to Maintaining the SQL Database Used by LanGuard to keep the database backend in good shape and avoid size issues or corruption.
Note: Microsoft SQL Server Express 2008 R2 and later has a maximum database size of 10 GB (data files only; the transaction log does not count against the limit). Earlier Express editions are limited to 4 GB.
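A check of how close the LanGuard database is to the Express size limit, as an added example that is not part of the GFI article. The instance name and database name are placeholders; take the real values from the Database Backend settings in GFI LanGuard.

```powershell
# Added example (not from the GFI article): report the size of the LanGuard
# database and how close its data files are to the 10 GB cap of SQL Server
# Express (2008 R2 and later). Uses the built-in .NET SqlClient, so no SqlServer
# module is needed; run as a Windows account with VIEW ANY DEFINITION (or
# sysadmin) on the instance.

$Instance     = 'localhost\SQLEXPRESS'   # assumed placeholder: instance from LanGuard's Database Backend settings
$Database     = 'LANGUARD12'             # assumed placeholder: the LanGuard database name
$ExpressCapMB = 10 * 1024                # Express limit applies to data files only, not the log

# sys.master_files reports sizes in 8 KB pages; the database name is passed as
# a parameter rather than concatenated into the statement.
$query = @'
SELECT CAST(SERVERPROPERTY('Edition') AS nvarchar(128))                    AS Edition,
       SUM(CASE WHEN type_desc = 'ROWS' THEN size ELSE 0 END) * 8 / 1024.0 AS DataMB,
       SUM(CASE WHEN type_desc = 'LOG'  THEN size ELSE 0 END) * 8 / 1024.0 AS LogMB
FROM sys.master_files
WHERE database_id = DB_ID(@db);
'@

$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=$Instance;Database=master;Integrated Security=True"
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $query
$cmd.Parameters.Add('@db', [System.Data.SqlDbType]::NVarChar, 128).Value = $Database

$conn.Open()
try {
    $r = $cmd.ExecuteReader()
    # SUM over zero rows is NULL, which is how a missing database shows up here.
    if (-not $r.Read() -or $r.IsDBNull(1)) { throw "Database '$Database' not found on $Instance" }
    $edition = [string]$r['Edition']
    $dataMB  = [double]$r['DataMB']
    $logMB   = [double]$r['LogMB']
} finally {
    $conn.Close()
}

'{0}: data {1:N0} MB, log {2:N0} MB ({3})' -f $Database, $dataMB, $logMB, $edition
if ($edition -like '*Express*') {
    $pct = 100 * $dataMB / $ExpressCapMB
    if ($pct -ge 80) {
        Write-Warning ('Data files are at {0:N0}% of the Express cap; run the steps in "Maintaining the SQL Database Used by LanGuard" or move to a full edition.' -f $pct)
    } else {
        'Data files at {0:N0}% of the {1:N0} MB Express cap.' -f $pct, $ExpressCapMB
    }
}
```

Schedule this alongside the scans: once the data files hit the cap, SQL Server Express refuses further growth and scan results stop being written, which surfaces in LanGuard as database errors rather than as an obvious "disk full".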