Answer
Applies to: GFI LanGuard 2012 and newer versions
When you start an agent scan from the dashboard, GFI LanGuard performs the steps below:
- Click the refresh and scan... The Attendant service account connects to the \\Agent\c$\ProgramData\GFI\LanGuard 11\Servers\<GUID>\ directory (or \\Agent\c$\Documents and Settings\All Users\Application Data\GFI\LanGuard 11\ on 2003/XP computers) and writes a “scanorder.txt” file to that directory.
- The agent, which watches this directory, sees the scanorder.txt file, deletes it and starts the scan.
- The agent does an update and requests files (in the httpd\access.log.xxxxxxx log):
  - 10.14.201.27 - - [xx/Dec/2012:16:06:50 -0500] "GET http://software.gfi.com/lnsupdate/index.txt HTTP/1.1" 200 7
- The agent tells the console it has begun scanning:
  - 10.14.201.27 - - [xx/Dec/2012:16:07:07 -0500] "POST /service/agent HTTP/1.1" 200 1
- Lnsscomm.exe runs on the agent machine and the scan is done. (You can use the command "wmic /node:IP_of_target process list BRIEF" to view processes on the target. Note: BRIEF must be in capitals. This is also a good way to test WMI access.)
- When lnsscomm.exe is finished, you will see a yyyymmddhhmmss.xml file in the folder.
- The agent tells the console it has finished the scan:
  - 10.14.201.27 - - [xx/Dec/2012:16:20:31 -0500] "POST /service/agent HTTP/1.1" 200 1
- The Attendant service account picks up this file and processes it into the GFI LanGuard database backend using the lnsscorollary process:
  - 2012-12-xx,16:23:35,171,3,"#000028c0","#00002318","info ","AgentManagerCOM","Calling ImportXml..."
  - 2012-12-xx,16:23:35,175,3,"#000028c0","#00002318","info ","AgentManagerCOM",">> ImportScanResultsInExternalProcess \\10.14.201.27\C$\Documents and Settings\All Users\Application Data\GFI\LanGuard 11\Servers\29fe7603-921a-4518-9d6a-f7f514811c1d\20121204162032.xml"
  - 2012-12-xx16:24:16,356,3,"#000028c0","#00002318","info ","AgentManagerCOM","Importer function returned success"
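
One way to check this sequence from the console's httpd access log, as an added example that is not GFI's code: it pairs each agent's "begun" and "finished" POST /service/agent entries to report scan duration and to list agents that started a scan but never reported back. The sample lines are constructed (the day 04 and the agent 10.14.201.30 are made up), and the pairing rule is an assumption taken from the order of the log entries shown above.

```python
import re
from datetime import datetime

# Common Log Format, as in the article's httpd access log excerpts.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def scan_windows(lines):
    """Return (completed, pending).

    completed: list of (ip, start, end, seconds) for finished scans.
    pending:   dict ip -> start time of a scan with no "finished" POST yet.
    Assumption (from the article's ordering, not from product documentation):
    after an agent fetches lnsupdate/index.txt, its next POST /service/agent
    means "scan begun" and the POST after that means "scan finished".
    """
    state, pending, completed = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "200":
            continue  # skip unparsable lines and failed requests
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "GET" and m["target"].endswith("/lnsupdate/index.txt"):
            state[ip] = "updated"      # a new update request starts a new cycle
            pending.pop(ip, None)
        elif m["method"] == "POST" and m["target"] == "/service/agent":
            if state.get(ip) == "updated":
                state[ip], pending[ip] = "scanning", ts
            elif state.get(ip) == "scanning":
                start = pending.pop(ip)
                completed.append((ip, start, ts, (ts - start).total_seconds()))
                state.pop(ip)
    return completed, pending

# Constructed sample: the first agent completes, the second never reports back.
SAMPLE = """\
10.14.201.27 - - [04/Dec/2012:16:06:50 -0500] "GET http://software.gfi.com/lnsupdate/index.txt HTTP/1.1" 200 7
10.14.201.27 - - [04/Dec/2012:16:07:07 -0500] "POST /service/agent HTTP/1.1" 200 1
10.14.201.30 - - [04/Dec/2012:16:08:00 -0500] "GET http://software.gfi.com/lnsupdate/index.txt HTTP/1.1" 200 7
10.14.201.30 - - [04/Dec/2012:16:08:15 -0500] "POST /service/agent HTTP/1.1" 200 1
10.14.201.27 - - [04/Dec/2012:16:20:31 -0500] "POST /service/agent HTTP/1.1" 200 1
""".splitlines()

if __name__ == "__main__":
    done, stuck = scan_windows(SAMPLE)
    for ip, start, end, secs in done:
        print(f"{ip}: scan took {secs:.0f}s ({start} -> {end})")
    for ip, start in stuck.items():
        print(f"{ip}: scan begun at {start}, no finish notification seen")
```

An agent that stays in the pending list is the one to inspect with the wmic process listing above, to see whether lnsscomm.exe is still running on it.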
Priyanka Bhotika