The ‘lnsscmd.exeA GFI LanGuard command line tool that allows running vulnerability checks against network targets.’ command line target–scanning tool allows you to run vulnerability checks against network targets directly from the command line, or through third party applications, batch files and scripts. The ‘lnsscmd.exe’ command line tool supports the following switches:

lnsscmd <Target> [/profile=profileName] [/report=reportPath] [/reportname=reportName] [/output=pathToXmlFile] [/user=username /password=password] [/Email [/EmailAddress=EmailAddress]] [/DontShowStatus] [/UseComputerProfiles] [/Wake] [/Shutdown [/ShutdownIntervalStart=<hh:mm:ss>] [/ShutdownIntervalEnd=<hh:mm:ss>]] [/?]

lnsscmd command switches

Switch	Description
Target	Specify the IP / range of IPs or host name(s) to be scanned.
/Profile	(Optional) Specify the scanning profile that will be used during a security scan. If this parameter is not specified, the scanning profile that is currently active in the GFI LanGuard will be used. NOTE In GFI LanGuard, the default (i.e. currently active) scanning profile is denoted by the word (Active) next to its name. To view which profile is active expand the Configuration tab > Scanning Profiles node.
/Output	(Optional) Specify the full path (including filename) of the XMLAn open text standard used to define data formats. GFI LanGuard uses this standard to import or export scanned saved results and configuration. file where the scan results will be saved.
/Report	(Optional) Directory or full file name for the output scan report.
/ReportName	(Optional) Name of the report to generate. If not specified, the report is saved with a default name.
/User and /Password	(Optional) Specify the alternative credentials that the scanning engine will use to authenticate to a target computer during security scanning. Alternatively you can use the /UseComputerProfiles switch to use the authentication credentials already configured in the dashboard.
/Email	(Optional) Send the resulting report by e-mail. The e-mail address and mail server specified in Configuration > Alerting Options are used.
/EmailAddress	(Optional) Dependent on /Email. Overrides the general alerting options and uses the specified email address.
/DontShowStatus	(Optional) Include this switch if you want to perform silent scanning. In this way, the scan progress details will not be shown.
/UseComputerProfiles	(Optional) Use per computer credentials when available.
/Wake	(Optional) Wake up offline computers.
/Shutdown	(Optional) Shuts down computers after scan.
/ShutdownIntervalStart	(Optional) Dependent on /Shutdown. The start time of the interval when shutdown is allowed. Use hh:mm:ss format.
/ShutdownIntervalEnd	(Optional) Dependent on /Shutdown. The end time of the interval when shutdown is allowed. Use hh:mm:ss format.
/?	(Optional) Use this switch to show the command line tool usage instructions.

The command line target–scanning tool allows you to pass parameters through specific variables. These variables will be automatically replaced with their respective value during execution. The table below describes the supported variables:

Supported variables

Variable	Description
%INSTALLDIR%	During scanning, this variable will be replaced with the path to the GFI LanGuard installation directory.
%TARGET%	During scanning this variable will be replaced with the name of the target computer.
%SCANDATE%	During scanning this variable will be replaced with the date of scan.
%SCANTIME%	During scanning this variable will be replaced with the time of scan.

Example

1. To perform a security scan on a target computer having IP address ‘130.16.130.1’.

2. Output the scan results to ‘c:\out.xml’ (i.e. XML file).

3. Generate a PDF report and save it in ‘c:\result.odf’.

4. Send the PDF report via email to ‘lanss@domain.com’

The command should be as follows:

lnsscmd.exe 130.16.130.1 /Profile="Default" /Output="c:\out.xml" /Report="c:\result.pdf" /Email /emailAddress="lanss@domain.com"

The ‘deploycmd.exeA GFI LanGuard command line tool, used to deploy Microsoft® patches and third party software on target computers.’ command line patch deployment tool allows you to deploy Microsoft^® patches and third party software on remote targets directly from the command line, or through third party applications, batch files or scripts. The ‘deploycmd.exe’ command line tool supports the following switches:

deploycmd <target> </file=FileName> [/switches=Switches] [/username=UserName /password=Password] [/warnuser] [/userapproval] [/stopservices] [/customshare=CustomShareName] [/reboot] [/rebootuserdecides] [/wake] [/shutdown] [/deletefiles] [/timeout=Timeout(sec)] [/usecomputerprofiles] [/RebootCountdown=Time(sec)] [/RebootCountdownMessage="Custom message"][/RebootAtFirstOccurenceOf=Time(formatted as "hh:mm:ss")] [/ShutDownAtFirstOccurenceOf=Time(formatted as "hh:mm:ss")] [/RebootInInterval] [/ShutDownInInterval] [/RebootIntervalStart=Time(formatted as "hh:mm:ss")] [/RebootIntervalEnd=Time(formatted as "hh:mm:ss")] [/?]

deploycmd command switches

Switch	Description
Target	Specify the name(s), IP or range of IPs of the target computer(s) on which the patch(es) will be deployed.
/File	Specify the file that you wish to deploy on the specified target(s).
/User and /Password	(Optional) Specify the alternative credentials that the scanning engine will use to authenticate to a target computer during patch deployment. Alternatively you can use the /UseComputerProfiles switch to use the authentication credentials already configured in the DashboardA graphical representation that indicates the status of various operations that might be currently active, or that are scheduled..
/warnuser	(Optional) Include this switch if you want to inform the target computer user that a file/patch installation is in progress. Users will be informed through a message dialog that will be shown on screen immediately before the deployment session is started.
/useraproval	(Optional) Include this switch to request the user’s approval before starting the file/patch installation process. This allows users to postpone the file/patch installation process for later (for example, until an already running process is completed on the target computer).
/stopservice	(Optional) Include this switch if you want to stop specific services on the target computer before installing the file/patch. NOTE You cannot specify the services that will be stopped directly from the command line tool. Services can only be added or removed through the GFI LanGuard UI.
/customshare	(Optional) Specify the target share where you wish to transfer the file before it is installed.
/reboot	(Optional Parameter) Include this switch if you want to reboot the target computer after file/patch deployment.
/rebootuserdecides	(Optional Parameter) Include this switch to allow the current target computer user to decide when to reboot his computer (after patch installation).
/wake	Wakes up offline computers.
/shutdown	(Optional Parameter) Include this switch if you want to shut down the target computer after the file/patch is installed.
/deletefiles	(Optional Parameter) Include this switch if you want to delete the source file after it has been successfully installed.
/timeout	(Optional Parameter) Specify the deployment operation timeout. This value defines the time that a deployment process will be allowed to run before the file/patch installation is interrupted.
/usecomputerprofiles	(Optional) Use data from computer profiles.
/RebootCountdown	(Optional) Display a reboot countdown window for a number of seconds to the remote user before rebooting.
/RebootCountdownMessage	(Optional) Used in conjunction with /RebootCountdown. Displays a custom message to the remote user before rebooting the computer.
/RebootAtFirstOccurenceOf	(Optional) Reboot a computer at the first occurrence of a specified time. The time is expected in the 24 hour format "hh:mm:s s". Example, 18:30:00.
/ShutDownAtFirstOccurenceOf	(Optional) Shutdown a computer at the first occurrence of a specified time. The time is expected in the 24 hour format "hh:mm:s s". Example, 18:30:00.
/RebootInInterval	(Optional) Reboot the computer after deployment if deployment completes in the specified time interval. Otherwise wait to specify the interval manually. Requires parameters /RebootIntervalStart and /RebootIntervalEnd.
/ShutdownIntervalStart	(Optional) Dependent on /Shutdown. The start time of the interval when shutdown is allowed. Use hh:mm:ss format.
/ShutdownIntervalEnd	(Optional) Dependent on /Shutdown. The end time of the interval when shutdown is allowed. Use hh:mm:ss format.
/ShutDownInInterval	(Optional) Shutdown the computer after deployment if deployment completes in the specified time interval. Otherwise wait to specify the interval manually.
/?	(Optional) Use this switch to show the command line tool’s usage instructions.

Example

1. Deploy a file called ‘patchA001002.XXX’.

2. On target computer ‘TMJohnDoe’.

3. Reboot the target computer after successful deployment of the file.

The command should be as follows::

deploycmd TMJohnDoe /file=”patchA001002.XXX” /reboot

The Impex tool is a command line tool that can be used to Import and Export profiles and vulnerabilities from GFI LanGuard Network Security Scanner. The parameters supported by this tool are the following:

impex [[/H] | [/?]] | [/XML:xmlfile [/DB:dbfile] [[/EX] [/MERGE]] | [/IM [/ONLYNEWER]] [/PROFILES | /VULNS | /PORTS | /PROFILE:name | /VULNCAT:cat [/VULN:name] | /PORTTYPE:type [/PORT:number]] [/SKIP | /OVERWRITE | /RENAME:value]]

impex command switches

Switch	Description
/H /? Run impex without parameters	Displays help information.
/XML:<xmlfile>	This parameter specifies the name of the imported or exported XML file. <xmlfile> needs to be replaced with the name of the file the profile is being exported to. NOTE This parameter is mandatory to import or export alerts.
/DB:<dbfile>	Where <dbfile> is the database file to be used during the import/export operation. If this is not specified the default "operationsprofiles.mdb" file will be used.
/EX	Exports data from database to XML file (Default option)
/MERGE	If this is specified when the target XML for export already exists, the file will be opened and data will be merged; otherwise the XML file is first deleted.
/IM	Imports data from XML file to database
/ONLYNEWER	When specified only vulnerabilities newer than the newest vulnerability in the database will be imported.
/PROFILES	Exports/Imports all scanning profiles.
/VULNS	Exports/Imports all vulnerabilities.
/PORTS	Exports/Imports all ports
/PROFILE:<name>	Exports/Imports the specified scanning profile.
/VULNCAT:<category>	Exports/Imports all vulnerabilities of the specified category.
/VULN:<name>	Exports/Imports the specified vulnerability (/VULNCAT must be specified).
/PORTTYPE:<type>	Exports/Imports all ports of the specified type.
/PORT:<number>	Exports/Imports the specified port (/PORTTYPE must be specified).
/SKIP	If an item already exists in the target XML/database, that item will be skipped
/OVERWRITE	If an item already exists in the target XML/database, that item will be overwritten.
/RENAME:<value>	If an item already exists in the target XML/database, that item will be renamed to <value>. If /PROFILE or /VULN was specified, port information merged with that item is a port or renamed by prefixing its name with <value> in any other case.

Example 1

To import specific entries from an XML file:

impex /xml:regcheck.xml /vuln:"Blaster Worm" /vulncat:"Registry Vulnerabilities"

Example 2

To import a whole XML file:

impex /xml:regcheck.xml /im