This article presents an overview of GFI LanGuard Configuration in general and the corresponding tab options in the LanGuard Console, and how the settings may affect the interaction with the product. This also covers Database configuration and common issues. After reviewing this article, you will:
- Learn the Configuration tab navigation settings.
- Find out component settings available to view and configure.
- Understand the functions and meanings of each option settings.
- Find out the available Database settings.
- Understand credentials usage and common issues.
- Become familiar with notifications and alert settings.
- Learn how to handle common issues.
GFI LanGuard has a lot of components and configuration settings, and a slight misconfiguration or change in an environment may lead to problems with various LanGuard operations. Essentially the root cause of many issues is often the wrong configuration somewhere on the road. It is important to know the configuration options available and how they affect the functionality of the LanGuard.
GFI LanGuard Configuration Tab
The majority of GFI LanGuard settings are accessible from the Configuration tab. Settings available there enable users to make changes to the configuration of different LanGuard components. It is possible to customize and configure various aspects of GFI LanGuard, including scan schedules, vulnerability checks, scan filters, and scan profiles.
To access Configuration tab launch GFI LanGuard console and click on Configuration.
Configuration tab user interface has three distinct areas:
- The Configurations - allows choosing the component or settings to view and configure.
- The Common Tasks area - changes depending on the selected option from the Configurations navigation pane. For example, Deploying agents or changing the settings are common tasks for Agent Management, and that's exactly what is offered on the screenshot above.
- The right-hand area has no name, and this is where all the information appears and where the configuration changes are being made. The contents also depend on what is chosen in the Configurations navigation pane.
- Agents Management
- Scanning Profiles
- Scheduled Scans
- Mobile Devices
- Software Categories
- Application Inventory and Auto-Uninstall Validation
- Software Updates
- Alerting Options
- Database Maintenance Options
- Program Updates
- Central Management Server
The agent management section allows deploying and uninstalling agents as well as changes to the agent settings. In this section, one can also change the communication port used by the agents to communicate with the main interface. Here users can enable agents to automate network security auditing and to distribute scanning load across machines.
GFI LanGuard can be configured to deploy agents automatically on newly discovered machines or manually, on selected computers. Agents enable faster audits and drastically reduce network bandwidth utilization. When using Agents, audits are performed using the scan target's resource power. Once an audit is finished, the results are transferred to GFI LanGuard in an XML file.
NOTE: GFI LanGuard Agents can be deployed only on machines running Microsoft Windows operating systems that meet a minimum set of system requirements.
Agent Management can be accessed in different ways:
- Right-click on a specific machine or group from the GFI LanGuard dashboard and go to Properties -> Agent Status.
- From the Home menu, select Manage Agents.
- From Configuration tab -> Agents Management.
The Agent Management page provides a list of all the machines that have been added to this LanGuard installation. It also presents their current agent status, varying from Installed or Computer not Online, to agents stuck in a Pending Install.
This can help to quickly determine if operations on the device may not be functioning as expected due to a variance on how it is applied across the system. For example, one device may be stuck when installing the agent software, but all others in the group functioning correctly. What is different about this device?
A device with an agent may need to be configured with specific credentials to operate properly or based on the size of the network, report to different Relays to reduce bandwidth over the WAN (Wide Area Network).
All the configuration from this section is saved in C:\ProgramData\GFI\LanGuard 12\toolcfg_agentservers.xml
For more information on the individual selections for Agents Management, please refer to Deploying GFI LanGuard Agents.
Here users can configure Scanning Profiles that determine how vulnerability scans are performed and what network data is collected.
Scanning Profiles can be a tricky subject as the profiles are consistently updated. The current time frame for all updates is twice a week, generally Wednesday and Friday evenings. The exception to this rule is Microsoft Patch Tuesdays, for which we release an update on Tuesday or after as soon as possible to match the release schedule.
As this list is continually being updated, there are times when specific patches may have an unwanted effect. For example, you may use a specific version of Java compatible with internal software, and newer versions are not compatible. To alleviate this, we can edit the scanning profile to prevent the software from detecting certain patches, or entire product lines. Once this is done and a new/updated profile is applied, farther scans won't check for these, saving both time and resources on the scan job being performed.
As we can see from the screenshot, there are different category types, separate profiles, and subsections that can be managed individually. Each scan has the options for Vulnerabilities Scanning, Patches Scanning, and General Information scanning, any of which can be turned off separately.
This allows end-users to set scanning profiles for certain groups of devices, such as a profile that does not report missing patches for known items, an executive rule to prevent application updates, or making sure that the Sales Team is not constantly needing to downgrade after LanGuard has been detected and installed an update.
For more information on the configuration, please refer to Scanning Profile Editor.
This Configuration section allows setting up Scheduled Scans.
While it's preferred to use the GFI LanGuard Agent, in some environments without agents, Scheduled Scans can be used to scan single machines or entire subnets. This section is used only to set up Interactive Scans (also called Manual). Agent scans cannot be initiated from this menu; however, as the scan itself is very similar, the end results may not change, but agent scans will take less time and provide the results in a much more timely manner as discussed in Agents Management.
For more information on the configuration, please refer to Creating a Scheduled Scan.
Scanning is one of the main GFI LanGuard operations, and you may sometimes run into issues with Scheduled Scans, such as scheduled scans not running or not showing the results.
Whether or not a scheduled scan is due, is constantly being checked by the Scheduled Scans plug-in which is loaded by the GFI LanGuard Attendant service. After a scheduled scan has been performed, the results of the scan are compared to the previous results from a scan done to the same computer using the same scanning profile. If these differ, an alert is generated by LNSS. The alert is sent to the administrator using the Alerter plug-in, which is also loaded by the GFI LanGuard Attendant service.
The scheduled scans information is saved to C:\ProgramData\GFI\LanGuard 12\toolcfg_scheduledscan.xml
Here users manage the configuration settings for mobile phones, tablets, and other mobile devices.
GFI LanGuard has the capability of scanning and reporting on mobile devices attached to the network and managed by Exchange Active Sync, Office 365, Google Apps, or Apple Profile manager. For this type of scan, we are actually gathering the data from the Device Management Source, and not scanning devices themselves.
So what are the findings for mobile devices scanning? For example, for the devices managed by Exchange Active Sync, the results of the latest scan are compared to the internal list and current versions, and the outcome is presented to the user. The most common finding is a device not being on the latest version of iOS or Android available for said device.
There is no remediation for Mobile Devices. The findings from this are meant to point you in the correct direction to resolve the issue, but for Mobile Devices, you will need to manually go to the device and start any updates.
For instructions on how to add the types of mail environment for the Mobile Device, please refer to Mobile Devices Discovery.
Here users manage Software classification into Categories.
When we are talking about Software we are dealing with an ever-moving target, with new software constantly being added and the existing products evolving. Therefore Software Categories were introduced to break the information down into more manageable chunks.
Categories help by grouping items together by their functions, such as Antivirus, Anti-phishing, Anti-spyware, or backup client. GFI LanGuard is able to scan for software installed in the network and automatically classify it into predetermined or custom categories.
These categories are also used during the scan results. One of the common questions in this category is the report stating No antivirus installed on this machine, when in fact there is an A/V installed, but it is not recognized by the system. With corrected settings here users won’t get any more such security warnings when in fact they have an antivirus, but it is not supported and automatically classified by LanGuard.
This process works on top of LanGuard’s existing categorization engine, so you will not lose that functionality upon creating custom categories. This also means that one piece of software may end up belonging to multiple categories since they cannot be removed from the default category.
The information is stored in C:\ProgramData\GFI\LanGuard 12\toolcfg_softwarecategories
For more information on how to set up the Software Categories, please refer to Configuring Software Categories.
Applications Inventory and Auto-Uninstall Validation
Here users can see a list of applications detected during past scans to add unauthorized applications to scan profiles.
GFI LanGuard applications inventory provides a list of all applications detected during past scans or added manually. The list can be used to specify unauthorized applications, regardless of whether it is for security, compliance, or productivity reasons.
Before applications can be removed during scans, the application must first go through an un-installation validation process to confirm it is able to be removed without manual intervention. If the application is unable to meet this process, then LanGuard will not be able to remove it automatically. Configuring Unauthorized Applications Auto-Uninstall covers all the needed steps:
- Setting an application as unauthorized.
- Adding new applications to the unauthorized list.
- Validating unauthorized applications for auto-uninstall.
- Managing applicable scheduled scans (applying the rule to the scheduled scan).
The application inventory is queried from the ‘AppsInstalled’ table of the scan result database.
Here users can configure auto-remediation options for software updates and service packs.
One of the main goals with LanGuard is to update the software installed throughout the network, both for Security concerns and to keep systems up to date. Part of this process involves creating a repository for the server to distribute the patches across the network.
This repository can have its location changed, as well be configured to download either all patches or only the patches the system finds are needed. Due to the number of patches, and the storage to hold them all, we generally suggest using the option Only Needed Patches as shown below.
As was mentioned above, due to file size or capacity issues some users may need to adjust the location of their repository directory, which can be done on the Patch Repository tab. Along with this, we also have an option for users who still have a WSUS server in their environment - it is possible to use this repository in combination with our own to further reduce the need for downloads.
Lastly, there is the Timeframe tab, which allows users to set hours to download these needed patches. This can help to save bandwidth during business-critical times, such as setting the system to only download these patches after 7 PM and before midnight or for a scan to run at 1 AM. If there are bandwidth issues in the environment, this can help to limit the issues and allow the network to function normally during work hours.
For more information on how to configure System Updates, please refer to Configuring missing updates auto-deployment.
The configuration and all patches available for approval are saved in C:\ProgramData\GFI\LanGuard 12\toolcfg_patchautodownload.mdb
Here users can configure the alerting options of GFI LanGuard, for example, mail server and administrator E-Mail settings.
For certain events, end-users may want to be informed as soon as an issue is found. Gfi LanGuard has an alert module that can be enabled to notify administrators or specific users of violations in policies and scans or when finding unauthorized software in the environment.
The configuration of this section is very straightforward, just click on one of the links and enter correct email and server connection information.
The mail server settings are saved in C:\ProgramData\GFI\LanGuard 12\toolcfg_schedulescan.xml
The daily email digest settings - in C:\ProgramData\GFI\LanGuard 122\toolcfg_repsscheduled.xml
For more information on how to set up the Alert system, please refer to Configuring Alerting Options.
Database Maintenance Options
Here users can configure settings and perform maintenance operations on the security scan results database.
You can manage the Database backend settings by clicking on the corresponding option. As of GFI LanGuard version 12, the back-end of the system must be Microsoft SQL Server (Express or Full version). If there is no SQL Server available in the environment the bundled SQL Express will be deployed.
Depending on the environment, the administrator may need to adjust the credentials here - this is one of the most common fixes when having database connectivity issues. If the option Use Windows Authentication is chosen, the system will use the same credentials as the LanGuard services running. This should work fine as long as the end-user has given permissions to that account in SQL.
Alternatively, we generally suggest using the SQL SA credentials since no additional internal configuration is required for this to work. The SA account has all of the proper access needed to function correctly.
There are a few other tabs to be used here. Scanned Computers will show a list of all devices that have scan results in the database. Here users can remove any machines that have been scanned, which will delete their scan results from the database, and remove them from the system.
Saved Scan Results are similar except that this tab shows a list of all of the stored scans. This can be useful if there is an issue with a specific scan or when testing the scan profile that produces unexpected results. This allows users to remove the specific scan, rather than the entire machine or history.
Lastly, Retention allows users to set up automated rules that will set how many scans to keep and remove scans as necessary based on the parameters set.
The database configuration is stored in C:\ProgramData\GFI\LanGuard 12\toolcfg_database.xml
For more details on each individual tab and the settings within refer to Maintaining the SQL Database Used by LanGuard.
Here users can work with Program Updates, to control which updates should be downloaded and installed automatically as well as review the last time when the updates were successfully installed.
This section is covered by the Program Updates article. The most important point to know is that if there are scanning/detection issues for patches that should be available, you should always check first that the system is up to date, and if not, update it by following Updating LanGuard Manually.
All update settings are stored in C:\ProgramData\GFI\LanGuard 12\toolcfg_updates.xml
Central Management Server
Here users can check and configure connection settings to GFI LanGuard Central Management Server.
GFI LanGuard Central Management Server is used only for reporting. Scans and remediation take place only in GFI LanGuard. The information is sent to the Central Management Server soon after it becomes available in GFI LanGuard. Synchronization usually takes a few minutes. The delay depends on network size and the amount of data being transferred.
In the Central Management Server web console, users can view what patches are missing, review vulnerabilities, and allow multiple logins at the same time. But they can not perform any remediation or configuration, such as editing scanning profiles or account permissions.
For configuration, click on Configure GFI LanGuard Central Management Server and provide the server address, port, and, if necessary, the credentials.
For more information on the Central Management console itself and its functionality, please refer to the Central Management Server course.
Here users can view and configure licensing details, look up the version and check for newer builds.
When dealing with issues you should confirm if you are running the latest product version, and if not, upgrade. Fixes are generally not released for the older versions of LanGuard, so one of the first troubleshooting steps is always to verify that you are on the latest release with the latest fixes available.
You are entitled to the upgraded version of the software as long as you have a valid SMA (Software Maintenance Agreement). For more information, please refer to Upgrading the License Keys.
In this section, it is also possible to enter the new License or verify whether the license limit is exceeded or almost reached when dealing with 'License limit exceeded' cases.
Multiple LanGuard Instances working with the same Microsoft SQL Database
In environments where multiple subnets, domains, or other circumstances create the need for multiple instances of LanGuard, it is possible to configure these multiple instances to log into a single central SQL database.
Note: For multiple installations of GFI LanGuard to successfully log to the same Microsoft SQL database, it is important to ensure that all the installations are running the same version and build of GFI LanGuard.
The GFI LanGuard Databases
Languard uses Microsoft SQL Server or Microsoft SQL Server Express. Previously Languard supported the Microsoft Access database and some configuration databases are still in the Microsoft Access.
Patch Management DB
|C:\ProgramData\GFI\LanGuard 12\PatchManagement||Contains all Microsoft and non-Microsoft patch definitions, download links as well as patches that are superseded by others.|
Scanning Profile DB
|C:\ProgramData\GFI\LanGuard 12||Contains all scanning
profiles information and settings (except for patch definitions), as well as all vulnerability definitions.
Patch Auto Download DB
|C:\ProgramData\GFI\LanGuard 12||1. Stores the patch auto-download and repository configuration settings.
2. Stores the current download queue which is displayed in the UI under Activity Monitor > Security Updates Download.
Scan Results DB
SQL: Any SQL server locally or on the network
|Contains all scan results as well as additional information about all machines (Agent settings, scan recurrence, which machines are licensed, etc.).|
The Scan Results is the most widely used database with a complex structure, reference the Scan Results Database Structure document for the database structure, values, and the meaning of each value.
Common Database Questions
Not surprisingly there are database-related how-to questions. The most common questions are about Changing the GFI LanGuard Database Backend, Configuring Database Retention in GFI LanGuard, and Backing Up GFI LanGuard.
There are some common issues related to the configurations and the database. Some of them were already mentioned in the sections above, more issues are listed below.
The LNSScommunicator DCOM Object is what allows the LanGuard server to communicate with the agents. It is configured by default to use a service account created by LanGuard during the installation. Setting LNSScommunicator to Launching User can help when troubleshooting communication problems or dealing with access denied issues.
When viewing the scan results from an Agent Scan or an Interactive/Scheduled Scan, the following error occurs: "The patch management database is unavailable."
The root cause for this error is usually not the Patch Management database itself, but the agent or server not being able to complete an update session. See the corresponding article on how to handle this error.
When attempting to connect to a backend MS SQL Server database there is an error similar to "Failed to connect to database". Most common root causes and troubleshooting suggestions are listed below:
- A network firewall preventing the connection to the SQL Server. Check with the network administrator.
- A local firewall such as Windows Firewall is being used:
- Check that it is not blocking the GFI LanGuard from making outgoing connections to the SQL Server.
- Make sure that outgoing TCP connections are allowed to SQL Server.
- If a firewall is being used on the SQL Server machine make sure that it allows incoming connections and that the SQL Server port is not being blocked. By default, this is TCP port 1433.
- The specified credentials are incorrect.
- Check that the username you entered exists in SQL Server and make sure that the password is correct.
- The named instance is not correct. If you don’t know what the instance name is you can run the following case-sensitive command in the command prompt on the SQL Server to display the list of available SQL servers on the same network: sqlcmd -L
For more information refer to Resolving 'Could not connect to database backend' Error in GFI LanGuard Console.
There are several situations where Windows Authentication could create issues for LanGuard. For instance, if SQL was set to use Windows authentication, and there are changes made to Active Directory's user's permissions structure, this can prevent LanGuard from properly communicating with SQL. Resolve SQL Login Failures by Switching to Mixed Mode Authentication.
- GFI LanGuard Agent and Relay Agent System Requirements
- Best Practices for Setting up Account Permissions with Alternative Credentials
- Configuring Software Categories
- Configuring Unauthorized Applications Auto-Uninstall
- Configuring Patch Auto-Deployment in GFI LanGuard for Missing Updates
- Configuring Alerting Options