Overview
GFI LanGuard console or Agent scans do not detect some available Windows updates or fetch all the missing patches for the scanned servers and client machines. These updates and missing patches are not listed in the LanGuard console Remediation center, and some already remediated updates might still show up instead. Also, if you check the available updates directly on the client machine, Windows update shows them.
Solution
There are several possible root causes for some of the patches and updates not being detected. The most common are LanGuard not receiving the latest definitions updates or a particular update/patch not being supported. There might also be problems with missing requirements for the successful scans, issues with the backend scan results database, or the environmental factors disrupting scanning operations.
Getting the latest definitions
- Updated definitions are only provided for the latest released version of the product. If you are not using the latest LanGuard version, upgrade GFI LanGuard.
- Environmental changes may be preventing LanGuard from automatically downloading the latest patch detection and vulnerability definitions. Follow the Updating LanGuard Server Manually When Product Does Not Get Latest Definitions or Agents Do Not Update article to ensure you have the most recent definitions.
Determining if a particular update/patch is supported
LanGuard is designed to focus on the security aspects of an IT environment and only detects missing patches relevant to the security of a system, network, or application. The LanGuard security research team reviews every update to distinguish security-relevant from non-security patches before it is added to the patch database. During this review, some patches are classified as non-critical and not applicable to the system's security; LanGuard does not support these patches.
Also, the LanGuard scan results for missing patches or service packs may differ from those delivered by Microsoft's Update Service due to Microsoft practices.
Follow these steps to determine if a patch is supported and is in GFI LanGuard's patch management database:
- Review the security and third-party patches that GFI LanGuard supports. This list does not include Microsoft Non-Security patches (more than 25,000).
- Ensure that LanGuard's Program Updates are up to date.
- Open the Scanning Profiles Editor (shortcut Ctrl+P) in the LanGuard console and search for the patch by its Q-Number (the same as the KB number).
- If the scan results come from a LanGuard Agent, ensure that the agent's program updates are up to date. Run a custom scan of the agent machine from the console by right-clicking the computer and selecting Scan > Custom scan. This lets you compare the agent's results with the console scan. If the console scan finds the missing patch(es), the problem is with agent updates; address it by Fixing GFI LanGuard Agent Failed Updates.
- If LanGuard does not detect a supported Microsoft security patch, verify the patch's compliance Using Microsoft WUA to Scan for Updates Offline. For a PowerShell alternative, see Using WUA to Scan for Updates Offline with PowerShell.
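The WUA cross-check from the last step, as an added PowerShell example (not GFI's or Microsoft's own script): it runs an offline Windows Update Agent scan against the wsusscn2.cab scan file, splits the missing updates into security and non-security (only the former are expected in LanGuard's Remediation center), and reports whether a given KB is missing. The cab path and the KB number are assumptions; the script must run elevated on the client machine being compared.

```powershell
# Added example, not part of the original article. Assumes wsusscn2.cab was
# downloaded to C:\Temp (adjust $CabPath) and that this runs elevated.
param(
    [string]$CabPath = 'C:\Temp\wsusscn2.cab',
    [string]$KB      = '5008218'   # KB mentioned in the article; change as needed
)

if (-not (Test-Path $CabPath)) { throw "Offline scan file not found: $CabPath" }

# Register the offline cab as a scan package with the Windows Update Agent
$session  = New-Object -ComObject Microsoft.Update.Session
$manager  = New-Object -ComObject Microsoft.Update.ServiceManager
$service  = $manager.AddScanPackageService('Offline Sync Service', $CabPath, 1)

$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3            # ssOthers: use the registered offline service
$searcher.ServiceID       = $service.ServiceID

# Updates that are applicable but not installed and not hidden
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

# LanGuard tracks security-relevant patches only, so non-security entries
# in this table are expected to be absent from the Remediation center.
$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title      = $u.Title
        IsSecurity = [bool]$u.MsrcSeverity   # MsrcSeverity is empty for non-security updates
        Severity   = $u.MsrcSeverity
    }
}

$missing | Sort-Object IsSecurity -Descending | Format-Table -AutoSize

# The question the troubleshooting steps ask: does WUA itself report this KB as missing?
# Missing in WUA but not in LanGuard points at environmental factors; missing in neither
# means the patch is installed, superseded, or not applicable to this machine.
$hit = $missing | Where-Object { $_.KB -match "KB$KB\b" }
if ($hit) {
    Write-Host "WUA reports KB$KB as MISSING (security update: $($hit.IsSecurity))"
} else {
    Write-Host "WUA does not report KB$KB as missing (installed, superseded, or not applicable)"
}
```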
Determining if a particular KB is an actual patch
Some KBs are articles only, not patches; this may cause confusion, as these particular KBs will not appear in LanGuard. An example of such KBs is KB5008102.
Searching for the KB at https://support.microsoft.com/ shows more details:
Clicking on the CVE link and scrolling down to the "Security Updates" section will allow you to locate the required update for your OS (under the "Article" column):
Determining if a particular update/patch is superseded
Some patches may be superseded by a more recent patch that has already been installed - these will also not be detected by LanGuard, since they are up-to-date under a different KB.
Click the desired link from the "Download" column, then click on the name of the required update:
In the window that pops up, select "Package Details" to ensure that the selected update has not been replaced by a more up-to-date one (in this example, KB5008218):
Legacy Windows OS
If the target machine(s) are running legacy Microsoft products, for example Windows 7 and Windows Server 2008/R2, and Extended Security Update (ESU) keys are not installed and activated, this can be the root cause. Refer to the solution in the Missing Patches, Scanning and Remediation Failures for Microsoft Windows Server 2008, 2008 R2, and Windows 7 Without ESU Support article.
Additionally, older Windows devices that have not updated to SHA-2 cryptographic hash functions do not receive updates through Windows Update. Refer to the Why am I getting 'A certificate chain processed' error when scanning? article for the solution.
The environmental factors
If LanGuard is not detecting a supported patch but the WUA check finds it, environmental factors may be affecting the LanGuard scan results.
Scans might fail with errors when the requirements are not met.
Verify that the Required Settings are met in your environment. Be thorough: all of these settings are equally important, and without them operations will fail. Pay extra attention to all the required services on the client machines and to the Required Network Connectivity and Security Permissions; these are the most common root causes of LanGuard operations issues.
Check the scan results in the console and the debug logs (by default, C:\ProgramData\GFI\LanGuard 12\DebugLogs\) for the error "The RPC server is unavailable". If the error is present, address it by following the corresponding article, or seek the help of your network security team, as the issue may be with firewall rules somewhere on the route, beyond your scope of visibility.
Maintaining the backend scan results database
Scan results are saved to the database, and LanGuard uses this data to determine which patches are missing. If there are problems with the database, the results will be unreliable and a patch may not be suggested for remediation.
For example, if the SQL Express database has reached its maximum capacity, scan results are simply not saved for LanGuard to analyze. Maintain the Scan Results Database backend in good shape to avoid database size issues or corruption.
Real-time protection engines and the LanGuard installation
Real-time protection engines can affect the LanGuard server installation. If an antivirus was running when LanGuard was installed, there is a high probability that certain .dll files were corrupted during the installation. In such cases, it is recommended to reinstall the LanGuard server, strictly ensuring all the requirements are met and following the installation steps.
Using a custom profile with incorrect settings
If you are using a custom scanning profile, make sure the patch scanning options are enabled in it.
Testing
After addressing the environmental factors and confirming that the patch should be detected, run a new scan of the client machine and verify that detection is successful. If the issue persists, contact GFI LanGuard Support.
Please include all information related to the patch or service pack, along with any information gathered during the troubleshooting process, including the following: