Answer
GFI LanGuard's remote communication needs and intensive resource access patterns make it prone to interference from third-party software such as anti-virus/anti-spyware solutions, intrusion prevention systems, or firewalls. Such problems can be avoided by following the configuration guidelines described below:
Real-time protection engines can severely diminish GFI LanGuard’s scanning speed
- Disable the real-time anti-virus engine from scanning the following GFI LanGuard paths (on the server as well as agent machines):
  - Microsoft Windows Vista/Server 2008 and later:
    - \ProgramData\GFI\
    - 64-bit: \Program Files (x86)\GFI\
    - 32-bit: \Program Files\GFI\
  - Microsoft Windows XP/Server 2003:
    - \Documents and settings\all users\application data\GFI\
    - \Program Files\GFI\
- Exclude the directory of the MS SQL database files (*.mdf/*.ldf)
- Exclude the directory of the MS SQL server instance
- Disable antimalware protection for C:\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe (HTTP protocol, usually running on one of the TCP ports 1070-1080)
- Disable antimalware protection for the IIS web site GFI LanGuard Central Management Server (HTTPS protocol, usually running on one of the TCP ports 1070-1080)
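The path and process exclusions above, sketched for one specific engine. This is an added example, not GFI's own tooling: it assumes Microsoft Defender Antivirus is the real-time engine and uses its `Get-MpPreference`/`Add-MpPreference` cmdlets. The MS SQL directories are site-specific and are not included.

```powershell
# Added example, not GFI's own tooling. Assumes Microsoft Defender Antivirus
# is the real-time engine; run elevated on the LanGuard server and on agents.

# Folder roots from the list above, taken from environment variables so the
# 32-bit/64-bit difference is handled; a missing variable is skipped.
$roots = @($env:ProgramData, ${env:ProgramFiles(x86)}, $env:ProgramFiles) |
    Where-Object { $_ }

# Keep only GFI folders that actually exist on this machine.
$gfiPaths = @(
    $roots |
        ForEach-Object { Join-Path $_ 'GFI' } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
        Select-Object -Unique
)

# Agent web server path as given on this page.
$httpd = 'C:\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe'

$current = Get-MpPreference

# Add only what is not already excluded, so the script can be re-run safely.
$newPaths = @($gfiPaths | Where-Object { $current.ExclusionPath -notcontains $_ })
if ($newPaths.Count -gt 0) {
    Add-MpPreference -ExclusionPath $newPaths
}

if ((Test-Path -LiteralPath $httpd -PathType Leaf) -and
    ($current.ExclusionProcess -notcontains $httpd)) {
    Add-MpPreference -ExclusionProcess $httpd
}

# Show the resulting exclusions for review.
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess | Format-List
```

Excluding only folders that exist keeps the exclusion list limited to what GFI LanGuard actually uses on that machine.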
The firewall might slow down GFI LanGuard scanning or even block outbound connections to scanned computers
- The firewall should allow the following servers:
  - C:\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe (HTTP protocol, usually running on one of the TCP ports 1070-1080)
  - IIS web site GFI LanGuard Central Management Server (HTTPS protocol, usually running on one of the TCP ports 1070-1080)
  - MSSQL Server (if using TCP connections, not Named Pipes connections)
- The firewall should allow the following TCP clients:
  - C:\Program Files (x86)\GFI\LanGuard 12\*.exe
  - C:\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin\httpd.exe
  - C:\Program Files (x86)\GFI\LanGuard 12 Agent\*.exe
  - C:\Windows\Patches\PatchAgent.exe
  - C:\Program Files (x86)\GFI\LanGuard 12 Server\*.exe
- For communication between agents and server, open the following ports in the firewall:
  - Find the list of required ports here
By default, some firewall applications (like the built-in Microsoft Windows firewall) disable various ports and services. This can make the target computers completely undiscoverable or negatively affect scanning accuracy.
- Make the following changes on the target computers' firewall:
  - Enable File and Printer Sharing
  - Enable Windows Management Instrumentation (WMI) traffic
  - These types of traffic only need to be allowed from the GFI LanGuard computer’s IP address (most current firewall products allow for such granularity)
  - See: What are the required settings to scan a machine and successfully install missing patches using GFI Languard
  - http://msdn.microsoft.com/en-us/library/aa822854(VS.85).aspx
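One way to apply the target-side changes above while limiting them to the GFI LanGuard computer's IP address. This is an added example, not part of the original article: it assumes Windows Firewall with the NetSecurity cmdlets and English rule group names, and `$ScannerIp` is a placeholder.

```powershell
# Added example, not from GFI. Run elevated on each target computer
# (NetSecurity module: Windows 8 / Server 2012 and later).
$ScannerIp = '192.0.2.10'   # placeholder for the GFI LanGuard computer's IP

# Built-in rule groups, English display names (localized on other languages).
$groups = 'File and Printer Sharing',
          'Windows Management Instrumentation (WMI)'

foreach ($group in $groups) {
    $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' })
    if ($rules.Count -eq 0) {
        Write-Warning "No inbound rules found for group '$group'"
        continue
    }
    # Enable the inbound rules, but accept traffic only from the scanner.
    $rules | Set-NetFirewallRule -Enabled True -RemoteAddress $ScannerIp
}

# Verify: every enabled inbound rule in these groups should list only $ScannerIp.
foreach ($group in $groups) {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
}
```

Narrowing the built-in groups also stops other hosts from reaching file shares or WMI on that target; on file servers, leave the built-in rules as they are and add separate scanner-only rules instead.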
The port scanning section of a GFI LanGuard scan is considerably slower when the scanned computer is firewalled. Also, UDP port scanning may not be reliable with some firewall solutions. GFI LanGuard will detect such cases and report accordingly.
- Only enable port scanning when needed and be prepared for doubled scan duration.
- You can disable / enable port scanning from a Scanning Profile using the GFI LanGuard configuration. Further information can be found in the GFI LanGuard Manual (Section: Scanning Profiles > Configuring TCP port scanning options)
Some systems might see the intensive port querying done by GFI LanGuard as a possible attack and may completely block communication with the GFI LanGuard computer’s IP address for a period of time
- Disable the intrusion prevention engine on targets while scanning them with GFI LanGuard or disable port scanning in GFI LanGuard.
- You can disable / enable port scanning from a Scanning Profile using the GFI LanGuard configuration. Further information can be found in the GFI LanGuard Manual (Section: Scanning Profiles > Configuring TCP port scanning options)
GFI LanGuard program updates will not work if the GFI LanGuard computer cannot access the GFI web servers
- Configure GFI LanGuard to download program updates from an alternative location.
During security scanning, GFI LanGuard will check whether the definition files of supported virus scanners or anti-spyware software are up to date. This check will fail when the GFI LanGuard computer has no Internet access. Also, downloading Microsoft updates requires Internet access.
- Temporarily allow Internet access if possible
The GFI LanGuard MSSQL database backend is growing to maximum capacity in a short period of time
- Note: Microsoft SQL Server Express version 2008 and later has a maximum database size of 10GB
Related Articles:
- For more information on communications used when scanning and deploying with GFI LanGuard, refer to:
Required Settings to Scan a Machine and Successfully Install Missing Patches Using GFI Languard
Priyanka Bhotika