Re: MBSA and SUS

From: Torgeir Bakken (MVP) (Torgeir.Bakken-spam_at_hydro.com)
Date: 05/06/04


Date: Thu, 06 May 2004 17:33:45 +0200

Bruno wrote:

> Is there a way to configure MBSA so it does not go back to Microsoft
> to get its updates? I run MBSA on a secure Windows 2000 Active
> Directory network which also has a SUS server on it. When I run MBSA
> on a test W/S and use the SUS option, I get an error and it doesn't
> seem to run the scan properly. The error I get is "Unable to access
> Security.xml file". I thought that if I used the SUS server option
> during a scan, that MBSA would use the SUS server to identify which
> patches were missing on the test W/S. Am I wrong in my thinking?

Hi

As I understand it, when you use the /SUS parameter, the only thing
that is fetched from the SUS server is the Approveditems.txt file
(or download the file from the SUS server yourself using IE and the
URL http://>/approveditems.txt and just point to the
file directly with the SUS parameter). The scan will then be
performed against the list of approved security updates on the
local SUS server.

In addition, if you are not able to connect to Microsoft over the
Internet, you need to download the latest MSSecure_1033.CAB (e.g. from
another computer outside your secure network), and place it in the
"Microsoft Baseline Security Analyzer" folder before you run MBSA.
MSSecure_1033.CAB contains MSSECURE.XML that contains information
about all the security updates released by Microsoft. Then you
should not need any Internet connection while running MBSA.

Latest version of MSSecure_1033.CAB can always be downloaded
from here (it is regularly updated):
http://go.microsoft.com/fwlink/?LinkId=18922

Some info from Microsoft:

mbsacli.exe /?

<quote>
  /sus [susserver | susfilename] Specify the URL of the SUS server or the
                        file path to the approveditems.txt file. If a URL
                        or path is not specified, then the value stored in
                        the registry will be used if available.
</quote>

Microsoft Baseline Security Analyzer (MBSA) 1.2 Q&A
http://www.microsoft.com/technet/security/tools/mbsaqa.mspx

<quote>
Q.
How does MBSA V1.2 work with Software Update Services (SUS)?

A.
MBSA V1.2 provides support for performing the security updates portion
of a scan against a local SUS server. Users can select this option in
the MBSA UI or in the MBSA command line interface. This portion of the
scan will then be performed against the list of approved security
updates on the local SUS server, rather than against the complete list
of available security updates listed in the mssecure.xml file
downloaded by the tool at runtime. Note that all security updates that
are checked as approved in the SUS UI, including those updates that
have been superseded, will be scanned and reported by MBSA.
</quote>

-- 
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/community/scriptcenter/default.mspx
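The offline procedure the reply describes (stage MSSecure_1033.CAB in the MBSA folder, then scan against the SUS approved-items file with the /sus switch) written out as a PowerShell script. This is an added example, not code from the post or from Microsoft; the install directory under $env:ProgramFiles, the transfer path for the CAB and the location of approveditems.txt are assumptions and placeholders, and the Authenticode check is an extra step the post does not mention.

```powershell
# Added example (not from the original post): prepare and run an offline
# MBSA 1.2 scan against a SUS approved-items list.
# Assumptions (not stated in the post): MBSA lives under $env:ProgramFiles,
# and the two file paths below are placeholders for your own environment.
param(
    [string]$MbsaDir = (Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer'),
    [string]$CabSource = 'D:\transfer\MSSecure_1033.CAB',   # copied in from an Internet-connected machine
    [string]$ApprovedItems = 'C:\sus\approveditems.txt'     # saved from the SUS server's approveditems.txt URL
)

$cabDest = Join-Path $MbsaDir 'MSSecure_1033.CAB'

# 1. The CAB crossed a network boundary on removable media or similar, so only
#    stage it if its Authenticode signature verifies; a tampered update
#    catalogue would otherwise silently change what MBSA reports as missing.
$sig = Get-AuthenticodeSignature -FilePath $CabSource
if ($sig.Status -ne 'Valid') {
    throw "Refusing to use $CabSource : signature status is $($sig.Status)"
}
Copy-Item -Path $CabSource -Destination $cabDest -Force

# 2. Sanity-check the approved-items list before scanning against it: an
#    empty or missing file would make the scan report nothing as missing.
if (-not (Test-Path $ApprovedItems) -or (Get-Item $ApprovedItems).Length -eq 0) {
    throw "approveditems.txt missing or empty at $ApprovedItems"
}

# 3. Run the security-updates scan against the approved list using the
#    /sus switch quoted in the post (a file path is accepted as well as a URL).
$mbsacli = Join-Path $MbsaDir 'mbsacli.exe'
& $mbsacli /sus $ApprovedItems
if ($LASTEXITCODE -ne 0) {
    Write-Warning "mbsacli.exe exited with code $LASTEXITCODE"
}
```

Run it from an elevated prompt on the scanning workstation after copying the CAB across; with the CAB already in the MBSA folder, the tool has no reason to reach out to Microsoft during the scan.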

