Is there a way to configure MBSA so it does not go back to Microsoft to get its updates? I run MBSA on a secure Windows 2000 Active Directory network which also has a SUS server on it. When I run MBSA on a test W/S and use the SUS option, I get an error and it doesn't seem to run the scan properly. The error I get is "Unable to access Security.xml file". I thought that if I used the SUS server option during a scan, that MBSA would use the SUS server to identify which patches were missing on the test W/S. Am I wrong in my thinking? Any thoughts?

Thanks
Bruno

Re: MBSA and SUS by Torgeir

Torgeir
Thu May 06 10:33:45 CDT 2004

Bruno wrote:

> Is there a way to configure MBSA so it does not go back to Microsoft
> to get its updates? I run MBSA on a secure Windows 2000 Active
> Directory network which also has a SUS server on it. When I run MBSA
> on a test W/S and use the SUS option, I get an error and it doesn't
> seem to run the scan properly. The error I get is "Unable to access
> Security.xml file". I thought that if I used the SUS server option
> during a scan, that MBSA would use the SUS server to identify which
> patches were missing on the test W/S. Am I wrong in my thinking?

Hi

As I understand it, when you use the /SUS parameter, the only thing
that is fetched from the SUS server is the Approveditems.txt file
(or download the file from the SUS server yourself using IE and the
URL http://<susservername>/approveditems.txt and just point to the
file directly with the SUS parameter). The scan will then be
performed against the list of approved security updates on the
local SUS server.

In addition, if you are not able to connect to Microsoft over the
Internet, you need to download the latest MSSecure_1033.CAB (e.g. from
another computer outside your secure network), and place it in the
"Microsoft Baseline Security Analyzer" folder before you run MBSA.
MSSecure_1033.CAB contains MSSECURE.XML that contains information
about all the security updates released by Microsoft. Then you
should not need any Internet connection while running MBSA.

The latest version of MSSecure_1033.CAB can always be downloaded
from here (it is regularly updated):
http://go.microsoft.com/fwlink/?LinkId=18922


Some info from Microsoft:

mbsacli.exe /?

<quote>
/sus [susserver | susfilename] Specify the URL of the SUS server or the
file path to the approveditems.txt file. If a URL
or path is not specified, then the value stored in
the registry will be used if available.
</quote>


Microsoft Baseline Security Analyzer (MBSA) 1.2 Q&A
http://www.microsoft.com/technet/security/tools/mbsaqa.mspx

<quote>
Q.
How does MBSA V1.2 work with Software Update Services (SUS)?

A.
MBSA V1.2 provides support for performing the security updates portion
of a scan against a local SUS server. Users can select this option in
the MBSA UI or in the MBSA command line interface. This portion of the
scan will then be performed against the list of approved security
updates on the local SUS server, rather than against the complete list
of available security updates listed in the mssecure.xml file
downloaded by the tool at runtime. Note that all security updates that
are checked as approved in the SUS UI, including those updates that
have been superseded, will be scanned and reported by MBSA.
</quote>


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/community/scriptcenter/default.mspx
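
The offline procedure from the reply above as one batch script. This is an added example, not part of the original posts or of MBSA itself. It assumes a default install under %ProgramFiles%, a hypothetical staging folder E:\mbsa-offline that already holds both files (carried in from outside the secure network), and that mbsacli.exe scans the local computer when no target is given.

```bat
@echo off
rem Added example: stage the offline catalog, then run the SUS-scoped scan.
rem Only the /sus switch shown in the mbsacli help text above is used.
setlocal

rem Assumption: default MBSA install location.
set "MBSA_DIR=%ProgramFiles%\Microsoft Baseline Security Analyzer"
rem Assumption: hypothetical staging folder on removable media.
set "STAGE=E:\mbsa-offline"
set "CAB=MSSecure_1033.CAB"
set "APPROVED=approveditems.txt"

rem Stop early if anything the scan depends on is missing, so a failed
rem scan is not mistaken for a clean one.
if not exist "%MBSA_DIR%\mbsacli.exe" (
    echo mbsacli.exe not found in "%MBSA_DIR%"
    exit /b 1
)
if not exist "%STAGE%\%CAB%" (
    echo %CAB% not found in "%STAGE%"
    exit /b 1
)
if not exist "%STAGE%\%APPROVED%" (
    echo %APPROVED% not found in "%STAGE%"
    exit /b 1
)

rem The CAB goes into the MBSA folder so the tool does not need to
rem download it from Microsoft at run time.
copy /y "%STAGE%\%CAB%" "%MBSA_DIR%\" >nul || exit /b 1
copy /y "%STAGE%\%APPROVED%" "%MBSA_DIR%\" >nul || exit /b 1

rem Point /sus at the local copy of approveditems.txt instead of the
rem SUS server URL; no target option is given (assumed: local computer).
pushd "%MBSA_DIR%"
mbsacli.exe /sus "%MBSA_DIR%\%APPROVED%"
set "RC=%ERRORLEVEL%"
popd

exit /b %RC%
```

Refresh both staged files before each scan cycle: a stale MSSecure_1033.CAB or an outdated approveditems.txt means recently released or newly approved updates are not checked.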