Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


February 22, 2005

Two Mbsacli Modes


A Web Exclusive from Windows IT Pro
Jeff Fellinge
Feature
InstantDoc #45267
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Hotfixes Articles Here | Reprints
Or get the Monthly Online Pass—only $5.95 a month!
Main Article    Automate MBSA

Mbsacli lets you configure and initiate scans from a command line and more powerfully automate scans by using batch files and scripts. You can run Mbsacli in MBSA mode or HFNetChk mode. The more comprehensive MBSA mode checks for system and application vulnerabilities and missing patches and writes the scan results to an XML file.

The HFNetChk mode checks only for missing patches and doesn't save the results to an XML file. You run Mbsacli in HFNetChk mode by specifying the /hf parameter, as in

mbsacli /hf 
  [HFNetChk parameters]

The HFNetChk mode has more parameters than MBSA mode, which makes HFNetChk mode more flexible than MBSA mode. For example, MBSA mode doesn't let you specify a text file that contains a list of computers to scan as HFNetChk mode does. Additionally, HFNetChk mode lets you scan with alternate permissions. To see lists of the two modes' parameters, type the following two commands: 

mbsacli /? 
mbsacli /hf /?

Fun with Mbsacli
When a security update is installed on a computer, Windows records the installation in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix registry subkey. Very basic patch scanners might query only this location for the absence of security patches. However, this check might not be adequate. For example, you might apply a patch to Microsoft IIS, then later remove and reinstall IIS, which might copy unpatched files back to the server. But the registry might still show that the patch is installed.

The mssecure_1003.cab file used by MBSA contains file version and checksum information in addition to the registry information for a particular security update. MBSA first looks for the patch in the registry (you can suppress this check by running the tool with the /hf -z switch), then looks on the system for each file associated with the patch and compares it with data contained in the Mssecure file. If the file version or checksum differs, MBSA reports the patch as missing. To speed up your scans, you can run them without checksum checking by specifying the -nosum parameter, which instructs MBSA to check the file versions but not the checksums. This parameter is available in both Mbsacli's MBSA mode and HFNetChk mode.

To scan multiple targets, run Mbsacli as follows in MBSA mode:

mbsacli /c 2k3,2ksrv,dc5,xppro

or as follows in HFNetChk mode: 

mbsacli /hf -h 2k3,2ksrv,dc5,xppro

There should be no spaces between the comma-delimited host names.

If you run the scan in HFNetChk mode (with the /hf parameter), instead of specifying the hosts as part of the command line, you can specify as many as 256 hosts in a text file (one host per line) and then execute the file by specifying the file name on the -fh parameter. For example, you could have a file named hostlist.txt that contains the following host names: 

2k3
2ksrv
dc5
xppro

To scan these hosts by using Mbsacli in HFNetChk mode, you could use the following command:

mbsacli /hf -fh c:\hostlist.txt -nosum -z

This command instructs Mbsacli to scan the computers listed in the text file and disables checksum processing and registry processing. Only the file versions will be checked.

If you have more than 256 computers, an MBSA sample script named batchscan.js breaks a list of any length into smaller lists of 128 computers, which the script then uses Mbsacli to process. For example, you could use Microsoft Active Directory Service Interfaces (ADSI) to create a list of computers from your domain (or a specific organizational unit-OU) in one large text file and then use Batchscan to process this list to scan each computer.

Instead of specifying host names, you can direct Mbsacli to read a text file of IP addresses by using the HFNetChk -fip filename parameter. By default, MBSA scans for all missing security updates, and each security update has an associated article number that begins with Q. You can direct Mbsacli to ignore certain Q numbers by inserting the numbers in a text file, then specifying the name of that file on the -fq parameter. The -fip and -fq parameters are available only in HFNetChk mode.

When you run scans using the /hf parameter, the results are output to the screen as Web Figure B shows. This is useful if you're running the scanner interactively, but if you want to schedule the scanner to regularly run by itself, you can redirect the output to a file by using the -f outfile parameter. Remember that HFNetChk mode doesn't log results as XML files to the %userprofile%/securityscans folder.

End of Article

Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of July 21, 2008

An often irreverent look at some of the week's other news, including an iPhone 3G defeat, 180 million copies of Windows Vista in the wild, Microsoft earnings some more Yahoo silliness, Wii vs. Xbox 360, EU vs. Intel, AMD ousts its CEO, and so much more ...

The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...

The iPhone as a Mail Device

An Exchange administrator and self-proclaimed "Windows Mobile device wrangler" gives you the scoop on how well the iPhone 3G works for enterprise email, and points out some surprising omissions in Apple's latest release. ...
Security Whitepapers Anti-Virus Is Dead: The Advent of the Graylist Approach to Computer Protection

Getting the Job Done: Comparing Approaches for Desktop Software Lockdown

Instant Messaging, VoIP, P2P, and games in the workplace: How to take back control
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.


ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

Shortcut Guide to SQL Server Infrastructure Optimization
With right tools and techniques, you can have a top-performing SQL Server infrastructure without having to cram your data centers so that they're overflowing. Download this eBook to learn how.

WinConnections Conference Fall 2008
Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).

Become a fan of Windows IT Pro on Facebook!
Join us on Facebook and be a fan of Windows IT Pro!

Continuous Data Protection and Recovery for Exchange
Read this white paper to learn about Continuous Data Protection (CDP), Exchange 2007's local continuous replication and cluster continuous replication features.

Rev Up Your IT Know-How with Our Recharged Magazine!
The improved Windows IT Pro provides trusted IT content with an enhanced new look and functionality! Get comprehensive coverage of industry topics, expert advice, and real-world solutions—PLUS access to over 10,000 articles online. Order today!

Tips to Managing Messaging
Discover three fundamental mail and messaging management services - security, availability and control services - and how you can implement them in a Microsoft-centric mail and messaging environment.

Get It All with Windows IT Pro VIP
Stock your IT toolbox with every solution ever printed in Windows IT Pro and SQL Server Magazine plus bonus Web-exclusive content on hot topics. Subscribe to receive the VIP CD and a subscription to your choice of Windows IT Pro or SQL Server Magazine!



Drag & Drop Data Mapping Tool
Try this award-winning data mapping, & transformation tool that supports multiple databases, flat files, Web services, EDI, Excel 2007, & more! Free trial for 30 days!

Overcome bloated Windows file systems
Crossroads FMA delivers powerful yet inexpensive data migration

Bandwidth Monitoring Tool from SolarWinds
Identify largest bandwidth users in seconds. Get the free download now.

Speed Deployment of Vista and Microsoft Office
Read this white paper to learn how you can maximize your Vista and Office investments while lowering costs and increasing efficiency.

Integrated Virtualization Done Right
Download this white paper on server virtualization to begin improving resource utilization and lowering operating costs.

Order Your Fundamentals CD Today!
Gain an introduction to Exchange, learn server security requirements, and understand how unified communications can play a role in your messaging strategies with this free Exchange CD.

KVM over IP Solutions
Learn about a KVM over IP solution that is specifically designed to meet the needs of the distributed IT environment.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound
IT Library Technical Resources Directory Connected Home Windows Excavator SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing