Overview
This article provides information about the services and components of GFI LanGuard. After reviewing this article, you will:
- Learn what services and components are installed by GFI LanGuard.
- Find out the plugins and modules of the Attendant service.
- Understand how LanGuard communicates with local and remote machines during a scan.
- Find out what registry keys are created by GFI LanGuard.
Introduction
How are all these services and components installed?
The downloaded installation file can install GFI LanGuard itself, as well as GFI LanGuard Central Management Server - a web console that unifies multiple GFI LanGuard installations into one centralized console. All the other components are deployed through GFI LanGuard once the installation is complete. The main components are described in the table below:
Component | Description |
---|---|
GFI LanGuard (Lanss) | LanGuard Application Network Security Solutions (Lanss) is the main LanGuard component. This is a Windows application that provides the desktop UI for LanGuard and allows managing agents, performing scans, analyzing results, remediating vulnerability issues, and generating reports. |
GFI LanGuard Central Management Server | Also known as CMS, this component provides integration between several GFI LanGuard instances, even in remote locations. GFI LanGuard Central Management Server enables reporting but does not allow scans or remediation tasks. For more information refer to the Central Management Server. |
GFI LanGuard Agents | Enable data processing and auditing on target machines; once an audit is finished, the result is sent to GFI LanGuard. For more information refer to Deploying GFI LanGuard Agents. |
GFI LanGuard Update System | Enables you to configure GFI LanGuard to auto-download updates released by GFI. These updates also include checking the GFI website for newer builds. For more information refer to Program Updates. |
GFI LanGuard Attendant Service | The background service manages all scheduled operations, including scheduled network security scans, patch deployment, and remediation operations. Read more about it in the Description section of this article. |
GFI LanGuard Scanning Profiles Editor | This editor enables you to create new and modify existing scanning profiles. For more information refer to Scanning Profile Editor. |
GFI LanGuard Command Line Tools | Enables you to launch network vulnerability scans and patch deployment sessions as well as import and export profiles and vulnerabilities without loading up GFI LanGuard. For more information refer to Command Line Tools. |
Description
Installed Services
As a part of the deployment process, GFI LanGuard installs 2 services. The Central Management Server also installs 2 services. So in an environment where both LanGuard and CMS are deployed on the same server, there will be 4 services installed.
GFI LanGuard 12 Attendant Service
Property | Value |
---|---|
Executable Name | lnssatt.exe |
Service Name | Gfi_lanss12_attservice |
Display Name | GFI LanGuard 12 Attendant Service |
Logon Account | Domain |
Dependencies | No Dependencies |
The Attendant service is responsible for managing all the modules in LanGuard. It loads a set of plug-ins, which can be referenced via the registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS12\AttendantPlugins]
The plug-ins that are currently loaded by the LanGuard Network Security Scanner (LNSS) 12 Attendant Service are:
Plug-in | Description |
---|---|
Agent Manager | This plug-in manages and controls agents. It is responsible for updating the agent configuration files, issuing orders, retrieving and importing scan results, and reading agent status messages that are displayed in the UI (User Interface). Its sub-module AgentManagerCom connects to the agent’s C$ share via SMB (Server Message Block). |
Alerter | This plug-in will take care of sending any alerts as configured in LNSS > Configuration > Alerting Options. The Alerter module is also used to provide information to the Status Monitor. When a scheduled scan occurs, the following occurs: The Status monitor application will start/stop the above functionality. When the Status monitor is not started, no status information is provided to the Alerter. |
HttpServerAttPlugin | The HttpServerAttPlugin is the link between the Attendant service and LanGuard’s Apache Web Server. It orders the startup/shutdown of the Apache server, monitors for agent activity, and notifies the Attendant of these events. |
PatchAutoDownload | This plug-in downloads missing patches in the background. When this functionality is enabled, LNSS writes information on any missing patches which need to be downloaded to …\GFI\LanGuard 12\data\toolcfg_patchautodownload.mdb. This is done after each scan. The Patch Auto-Download plug-in reads this database and downloads the missing patches accordingly. |
RemediationPlugin | The RemediationPlugin triggers any remediations done from the UI or automatic remediations. It verifies DNS (Domain Name System) and IP (Internet Protocol) information of targets before handing off the remediation actions to the remediation engine. |
ScanManager | The ScanManager plug-in is responsible for manual scans (interactive and scheduled scans) done from the LanGuard console. It repeatedly checks to see if it is time to initiate scheduled scans and orders the scanning engine to begin the scan. |
ScheduledCompactDB | This plug-in checks the LNSS configuration and performs a compact and repair operation if LNSS is using an Access database for the scan results. |
ScheduledUpdates | This plug-in takes care of automatically downloading content updates as per the schedule configured in the Program Updates > Program Updates Options. |
GFI LanGuard 12 Service
Property | Value |
---|---|
Executable Name | LnssWinService.exe |
Service Name | gfi_lanss12_winservice |
Display Name | GFI LanGuard 12 Service |
Logon Account | Domain |
Dependencies | No Dependencies |
This service does not do anything in the context of technical support. It provides an API for test automation that is used by the GFI LanGuard development team.
Central Management Server Services
If the Central Management Server is installed, there will be two additional services. More information will be provided in the Central Management Server article.
LNSSCommunicator
DCOM (out-of-process COM server) is a proprietary Microsoft technology for communication among software components distributed across networked computers. LanGuard uses a DCOM engine called LNSSCommunicator to communicate with remote (or the local) machines during a scan process and enumerate the required information.
LNSSCommunicator receives a command from a client for a Scan operation and launches the ServiceProvider (SP) plugin that performs a scan (see below). Lnsscomm then transports status messages from the scanner to the client that ordered the scan.
In order to perform all required operations during a scan, LNSSCommunicator requires at least local Administrator privileges. To ensure that this is the case, the LanGuard installation process will create a local user called LANGUARD_12_USER (numbers change according to the major LanGuard version). This user is added to the local Administrators group.
If the machine where LanGuard is installed is a domain controller, the user will be created as a domain user and will be added to the DC local Administrators group (NOT the Domain Administrator group).
Note: The LANGUARD_12_USER is created only with GFI LanGuard Main Installation. The agent installation will also make use of the DCOM engines but the identity for those engines will be ‘the launching user’ since the main application will trigger the scan itself.
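A read-only inventory of the privileged footprint described in this article, added here as an example (it is not part of the original article or of GFI's tooling): it reports the logon identity and binary path of the two LanGuard 12 services, whether LANGUARD_12_USER exists and belongs to the local Administrators group, and what is registered under the AttendantPlugins key in both registry views. It assumes a LanGuard 12 main installation on a member server (not a domain controller) and Windows PowerShell 5.1 with the LocalAccounts module.

```powershell
# Added example: read-only inventory; all names below are taken from this article.
$serviceNames = 'Gfi_lanss12_attservice', 'gfi_lanss12_winservice'
$accountName  = 'LANGUARD_12_USER'
$pluginKeys   = 'HKLM:\SOFTWARE\GFI\LNSS12\AttendantPlugins',
                'HKLM:\SOFTWARE\Wow6432Node\GFI\LNSS12\AttendantPlugins'

# Services: logon identity and binary path, so an unexpected account or a
# relocated executable stands out.
$services = foreach ($name in $serviceNames) {
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" |
        Select-Object Name, DisplayName, State, StartName, PathName
}

# Scan account: does it exist, is it enabled, is it a local administrator?
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (locale-independent).
$account = Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue
$isAdmin = $false
if ($account) {
    $admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $isAdmin = @($admins | Where-Object { $_.SID.Value -eq $account.SID.Value }).Count -gt 0
}

# Attendant plug-ins: the article does not say whether they are stored as
# subkeys or values, so collect both (assumption: either layout is possible).
$plugins = foreach ($key in $pluginKeys) {
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        foreach ($entry in @($item.GetSubKeyNames()) + @($item.GetValueNames())) {
            [pscustomobject]@{ Key = $key; Entry = $entry }
        }
    }
}

$services | Format-Table -AutoSize -Wrap
[pscustomobject]@{
    Account               = $accountName
    Present               = [bool]$account
    Enabled               = if ($account) { $account.Enabled } else { $null }
    InLocalAdministrators = $isAdmin
    PasswordLastSet       = if ($account) { $account.PasswordLastSet } else { $null }
} | Format-List
$plugins | Format-Table -AutoSize
```

Saving the output as a baseline and comparing later runs against it shows changes to the service logon account, the executable path, or the registered plug-in set.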
Service Provider
The Service Provider Plugin handles Security Scanning. It loads and delegates the actual scanning to the modules that are found in [HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSSX\SPPlugins].
HTService
This is LanGuard’s extension for Apache Fast CGI, which is used for communicating scan results between the server and the agents. Apache launches this EXE when agents post status messages or when remediation status messages arrive. This extension sends PatchAgent messages received via HTTP to the Attendant service via a named pipe.
GFI LanGuard Registry Keys
The registry keys for GFI LanGuard are the same for the main application and the agent installation. All keys are created under one of the following keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS12] (X86 machines)
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI\LNSS12] (X64 machines)
This is a useful source of information about components and paths. For example: