This article provides information on Interactive scans, specifically Scheduled scans, in GFI LanGuard. It explains how Scheduled scans operate compared to Agent scans, and it can help support agents troubleshoot Scheduled scan-related issues, especially when analyzing the output of the LanGuard Attendant log.
Scheduled scans trigger a server-side scan from the console, which may lead customers to confuse setting up a Scheduled scan with setting up an Agent scan. The main complaint customers report on this issue is that scans are taking hours to complete. Interactive scans and Agent scans are configured in two different locations. In this module, we will specifically call out the Scheduled scan process.
A Scheduled scan is a network audit that is scheduled to run automatically on a specific date/time and at a particular frequency. Scheduled scans can be set to execute once or periodically, and they can be monitored by navigating to Activity Monitor > Security Scans.
Scheduled scans should be used:
- When GFI LanGuard Agents are not deployed on the target computers.
- To automatically perform periodical and regular network vulnerability scans using the same Scanning Profiles and parameters.
- To automatically trigger scans after office hours and generate alerts and auto-distribution of scan results via email.
- To automatically trigger auto-remediation options, e.g., Auto-download, deploy missing updates, etc.
Refer to the below articles for additional instructions on how to work with Scheduled scans.
After the scan is scheduled, the system will write the configuration into the toolcfg_schedulescan.xml file, located under the \Program Data\GFI\LanGuard 12\ directory.
Scheduled scans are initiated by the submodule ScanManager attached to the LanGuard Attendant service. The ScanManager submodule is responsible for manual scans performed from the LanGuard console. It constantly checks whether it is time to initiate Scheduled scans, and it orders the scanning engine to begin the scan, which can be observed in the LanGuard Attendant log. Below is an example of the system checking the scan schedule.
2019-07-11,19:03:38,725,3,"#00001674","#00001984","info ","ScanMngSys","ProcessMain - Agent scans checked. Checking scheduled scans... "
2019-07-11,19:03:38,725,3,"#00001674","#00001984","debug ","ScanMngSys","Scans::AgentScan::CheckScheduledScans - >>"
2019-07-11,19:03:38,725,3,"#00001674","#00001984","info ","ScanMngSys","Scans::AgentScan::CheckScheduledScans - Checking scheduled scan with with ID 16 and target 'localhost'..."
2019-07-11,19:03:38,725,3,"#00001674","#00001984","info ","ScanMngSys","Utils::Recurrence::RecurrenceUtils::IsTimeToRecur - The rule has been done today and the time was set in the past. Skipping recurrence for current day."
2019-07-11,19:03:38,725,3,"#00001674","#00001984","info ","ScanMngSys","Scans::AgentScan::CheckScheduledScans - Recurrence check log results was: Computed data is: HadNeverOccurredBefore='True', Last='30/12/1899 18:45:48', Now='11/07/2019 19:03:38', Next='11/07/2019 18:45:48', Setting Timestamp='11/07/2019 19:03:22'. Weekly: WeeksPassedSinceLast='6267'"
- #00001984: This number represents the process ID. This ID generally changes for each task performed, but keep in mind that the threads are not always written together in the log and that thread IDs can be re-used.
- ID 16 and target 'localhost': The ID and hostname will vary, depending on what machines are selected. Each device is assigned an ID in the database.
- Last='30/12/1899: The date shows 1899 as a default date since this machine has not been scanned with the Scheduled scan previously; this will change after the first Scheduled scan is completed.
With the log excerpt shown above, you can use the information from the Scheduled scan to learn more about how the customer's environment is configured. Using the Last field explained above, for example, you can determine the last time the scan was run, or whether it has ever been executed at all. If the end user reports that they have been scanning every week, but the Last field in the logs shows the last scan was over a month ago, you need to determine where the discrepancy is. The following fact-finding questions can help:
- Is the end user implementing Agent scans instead? Does that match what they are expecting to be used in their environment?
- Is the machine on which the Scheduled scan is configured displayed in the appropriate list?
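The Last-field check described above can be run over a whole Attendant log at once. The following Python is an added example, not GFI code: it pairs each "Checking scheduled scan" entry with its recurrence result using the two # identifier columns (since entries are not always written together) and lists scans that never ran or whose Last value is older than a threshold. The function names, the ID 21 / SRV-FILE01 sample lines and the day-first timestamp format are assumptions.

```python
import csv
import re
from datetime import datetime, timedelta

# Constructed sample in the Attendant log format shown above. The ID 16 lines
# follow the article's excerpt; the ID 21 lines (host SRV-FILE01) are made up.
SAMPLE_LOG = '''\
2019-07-11,19:03:38,725,3,"#00001674","#00001984","info ","ScanMngSys","Scans::AgentScan::CheckScheduledScans - Checking scheduled scan with with ID 16 and target 'localhost'..."
2019-07-11,19:03:38,731,3,"#00001674","#00002210","info ","ScanMngSys","Scans::AgentScan::CheckScheduledScans - Checking scheduled scan with with ID 21 and target 'SRV-FILE01'..."
2019-07-11,19:03:38,725,3,"#00001674","#00001984","info ","ScanMngSys","Scans::AgentScan::CheckScheduledScans - Recurrence check log results was: Computed data is: HadNeverOccurredBefore='True', Last='30/12/1899 18:45:48', Now='11/07/2019 19:03:38', Next='11/07/2019 18:45:48', Setting Timestamp='11/07/2019 19:03:22'. Weekly: WeeksPassedSinceLast='6267'"
2019-07-11,19:03:38,740,3,"#00001674","#00002210","info ","ScanMngSys","Scans::AgentScan::CheckScheduledScans - Recurrence check log results was: Computed data is: HadNeverOccurredBefore='False', Last='03/06/2019 18:45:48', Now='11/07/2019 19:03:38', Next='15/07/2019 18:45:48', Setting Timestamp='11/07/2019 19:03:22'. Weekly: WeeksPassedSinceLast='5'"
'''

SCAN_RE = re.compile(r"Checking scheduled scan with(?: with)? ID (\d+) and target '([^']*)'")
FIELD_RE = re.compile(r"(\w+)='([^']*)'")
STAMP = "%d/%m/%Y %H:%M:%S"  # assumption: day-first, as in the excerpt

def recurrence_checks(log_text):
    """Pair each 'Checking scheduled scan' line with its recurrence result."""
    pending, results = {}, []
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 9:
            continue  # not a complete log record
        ctx, msg = (row[4], row[5]), row[8]  # the two '#' ID columns + message
        m = SCAN_RE.search(msg)
        if m:
            pending[ctx] = (int(m.group(1)), m.group(2))
        elif "Recurrence check log results" in msg and ctx in pending:
            f = dict(FIELD_RE.findall(msg))
            scan_id, target = pending.pop(ctx)
            last, now = (datetime.strptime(f[k], STAMP) for k in ("Last", "Now"))
            results.append({"id": scan_id, "target": target, "last": last,
                            "never_ran": f["HadNeverOccurredBefore"] == "True",
                            "age": now - last})
    return results

def stale_scans(checks, max_age=timedelta(days=7)):
    """Scans that never ran, or whose Last run is older than max_age."""
    return [c for c in checks if c["never_ran"] or c["age"] > max_age]

if __name__ == "__main__":
    for c in stale_scans(recurrence_checks(SAMPLE_LOG)):
        state = "never ran" if c["never_ran"] else f"last ran {c['last']:%Y-%m-%d}"
        print(f"scan ID {c['id']} ({c['target']}): {state}")
```

Set max_age to the interval the end user says they scan at; any scan it returns is one where the log disagrees with that expectation.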
The code below is a copy of the default toolcfg_schedulescan.xml, with the changes to scan Monday through Friday every week:
<Weekly period="1" days="0111110"/>
<MonthlyExactDay day="1" period="1"/>
<MonthlyOrdinalDay ordinal="0" dayName="0" period="1"/>
<Forced occurNow="0" lastDateTime=""/>
The <Recurrence type="2"> section indicates that it is a weekly recurrence, so you need to look at the Weekly period. Each enabled day is represented by a 1. As you can see from the days="0111110" sequence, Sunday is disabled, Monday through Friday are enabled, and Saturday is disabled as well.
Note: In the above notation, Sunday is the first day of the week represented by the first digit within the quotation marks, and Saturday the last.