Recommended settings for best performance in GFI LANguard
The information in this article applies to:
- GFI LANguard 9.0
- GFI LANguard Network Security Scanner 7
- GFI LANguard Network Security Scanner 8
Article ID: KBID002344
Query keywords: Antivirus, anti-virus, deployment, firewall, scan
GFI LANguard’s intensive resource access pattern and remote communication needs mean that third-party software such as anti-virus/anti-spyware solutions, intrusion prevention systems or firewalls can interfere with it. Such problems can be avoided by following the configuration guidelines described below. This article is divided into the following sections:
- Anti-virus/anti-spyware software running on the GFI LANguard computer
- Firewall software running on the GFI LANguard computer
- Firewall software running on scanned computers
- Intrusion prevention systems running on scanned computers
- Internet access limitations
Anti-virus/anti-spyware software running on the GFI LANguard computer
Issue Encountered:
Real-time protection engines can severely diminish GFI LANguard’s scanning speed.
Solution:
Exclude the following GFI LANguard paths from scanning by the real-time anti-virus engine:
- <..\Program Files\GFI\LANguard 9.0>
- <..\Program Files\Common Files\GFI>
See also:
KBID002076
KBID003312
____________________________________________________________________________________________________________
Firewall software running on the GFI LANguard computer
Issue Encountered:
The firewall might slow down GFI LANguard scanning or even block outbound connections to scanned computers.
Solution:
Configure the firewall so that it allows the following GFI LANguard components to freely open outbound connections:
- <..\Program Files\GFI\LANguard 9.0>\languard.exe
- <..\Program Files\GFI\LANguard 9.0>\lnsscomm.exe
- <..\Program Files\GFI\LANguard 9.0>\lnssatt.exe
- <..\Program Files\GFI\LANguard 9.0>\update.exe
Issue Encountered:
The firewall might block patch deployment progress monitoring.
Solution:
Enable three ports in the range 1070 to 1170 on the firewall. GFI LANguard will use the first available port in that range to monitor deployment progress.
____________________________________________________________________________________________________________
Firewall software running on scanned computers
Issue Encountered:
By default, some firewall applications (like the firewall built into Microsoft Windows XP Service Pack 2) disable various ports and services. This can make the target computers completely undiscoverable or reduce scanning accuracy.
Solution:
Make the following changes on the target computers’ firewall:
- Enable File and Printer Sharing. Further information can be found at KBID002139.
- Enable port 135 for message sending. Further information can be found at KBID002139.
- Enable Windows Management Instrumentation (WMI) traffic. Further information can be found at KBID002333.
- The above types of traffic only need to be enabled for the LANguard computer’s IP address (most current firewall products allow for such granularity).
See also:
http://msdn.microsoft.com/en-us/library/aa822854(VS.85).aspx
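The per-address scoping from the last item above, as an added example (not a GFI script): PowerShell for a target computer running Windows 8 / Server 2012 or later, where the NetSecurity cmdlets are available. The scanner address, the rule name and the choice of TCP for port 135 are assumptions, and the group names are those of English-language Windows.

```powershell
# Added example: allow the scanner-related traffic on a target computer,
# limited to the GFI LANguard computer's IP address. Run in an elevated session.
param(
    # Placeholder from the documentation range; replace with the LANguard computer's IP.
    [string]$ScannerIP = '192.0.2.10'
)

$ErrorActionPreference = 'Stop'

# Built-in rule groups that correspond to the items listed in the article.
$groups = 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)'

foreach ($group in $groups) {
    $inbound = Get-NetFirewallRule -DisplayGroup $group |
        Where-Object Direction -eq 'Inbound'

    foreach ($rule in $inbound) {
        # A rule that is already enabled may be serving other hosts
        # (for example on a file server), so its scope is left untouched.
        if ($rule.Enabled -eq 'True') { continue }

        # Otherwise enable it for the scanner's address only.
        $rule | Set-NetFirewallRule -Enabled True -RemoteAddress $ScannerIP
    }
}

# Port 135: the article does not state the protocol; TCP is assumed here.
$ruleName = 'GFI LANguard scanner - TCP 135'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 135 -RemoteAddress $ScannerIP | Out-Null
}

# Show the resulting scope of every enabled inbound rule touched above.
$touched = @(Get-NetFirewallRule -DisplayName $ruleName)
foreach ($group in $groups) {
    $touched += Get-NetFirewallRule -DisplayGroup $group |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
}
$touched | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}
```

Rules that the final table lists with a RemoteAddress of `Any` were already enabled before the script ran and are reachable from every host, not just the scanner.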
Issue Encountered:
The port scanning section of a GFI LANguard scan is considerably slower when the scanned computer is firewalled. Also, UDP port scanning may not be reliable with some firewall solutions. GFI LANguard will detect such cases and report them accordingly.
Solution:
Only enable port scanning when needed and be prepared for doubled scan duration. You can disable or enable port scanning from a Scanning Profile using the GFI LANguard configuration. Further information can be found in the GFI LANguard Manual (Section: Scanning Profiles > 'Configuring TCP port scanning options').
____________________________________________________________________________________________________________
Intrusion prevention systems running on scanned computers
Issue Encountered:
Such systems might treat the intensive port querying done by GFI LANguard as a possible attack and may completely block communication with the LANguard computer’s IP address for a period of time.
Solution:
Disable the intrusion prevention engine on targets while scanning them with GFI LANguard, or disable port scanning in GFI LANguard. You can disable or enable port scanning from a Scanning Profile using the GFI LANguard configuration. Further information can be found in the GFI LANguard Manual (Section: Scanning Profiles > 'Configuring TCP port scanning options').
____________________________________________________________________________________________________________
Internet access limitations
Issue Encountered:
GFI LANguard program updates will not work if the GFI LANguard computer cannot access the GFI web servers.
Solution:
Configure GFI LANguard to download program updates from an alternative location. See KBID002062 for further details.
Issue Encountered:
During security scanning, GFI LANguard will check if the supported virus scanners or anti-spyware software definition files are up to date. This check will fail when the LANguard computer has no Internet access. Also, downloading Microsoft updates requires Internet access.
Solution:
Temporarily allow Internet access if possible.
____________________________________________________________________________________________________________