How does MBSA collect it's data?

TheMSsForum.com: The Microsoft Software Forum

Hi!

I got the task of resolving why some patches aren't visible as installed by
MBSA. In my organisation patching is done eother on the client OR at the
installaion point, (read Office 2003). Now when the installation point is
patched there are, of course, no record of this patch being installed in
either ARP or the registry. MBSA doesn't report the patch being installed and
as a result the machine is deemed unsafe. My suspicion is that MBSA reads the
registry to determine what patches are installed. Can anyone confirm if this
is the case or if not, what does MBSA collect it's data? If it would read the
actual file versions of the computer everything would be OK but that seems
not to be the case.
--
/Hasse
Top

Re: How does MBSA collect it's data? by Roger

Roger
Tue Sep 04 09:24:05 PDT 2007

MBSA detects need for patch based on the test criteria info in
the wsusscan2.cab file, in which you will find encoded what
conditions must be satisfied per patch, per OS for it to be
considered as installed/patched
http://go.microsoft.com/fwlink/?LinkID=74689

"Hasse" <Hasse@discussions.microsoft.com> wrote in message
news:1BAFB049-321E-4602-BD6C-D9C451A2DAEB@microsoft.com...
> Hi!
>
> I got the task of resolving why some patches aren't visible as installed
> by
> MBSA. In my organisation patching is done eother on the client OR at the
> installaion point, (read Office 2003). Now when the installation point is
> patched there are, of course, no record of this patch being installed in
> either ARP or the registry. MBSA doesn't report the patch being installed
> and
> as a result the machine is deemed unsafe. My suspicion is that MBSA reads
> the
> registry to determine what patches are installed. Can anyone confirm if
> this
> is the case or if not, what does MBSA collect it's data? If it would read
> the
> actual file versions of the computer everything would be OK but that seems
> not to be the case.
> --
> /Hasse


Top

Re: How does MBSA collect it's data? by Hasse

Hasse
Wed Sep 05 05:28:01 PDT 2007

Hi and thanks for the reply. I have searched for this cab file on my computer
and also analyzed the xml content of the file available through your provided
link, but I can't find anything on the specific update I'm looking for. does
MBSA actually download this cab file or does it download it's contents and
add to the scan parameters? the update I'm looking for is KB940602 OR as it
is also called KB940965. The vulnerability mentioned in KB 940965 is actually
remedied by applying patch KB8940602, a roll-up pack. I see in the XML files
extracted from the cab file that there are remarks about different filemanes
/ versions and also the name of the fullfile patch name, so it should be
visible to MBSA, unless, the prerequisites for determining if the patch is
applied is both that the fileversion is correct AND that there is a registry
record of what file applied the patch? in our case that fullfile patch isn't
present on the system since it was applied to the installation point instead.

But shouldn't MBSA still recognize the fileversion change and accept the
patch as being installed?


--
/Hasse


"Roger Abell [MVP]" wrote:

> MBSA detects need for patch based on the test criteria info in
> the wsusscan2.cab file, in which you will find encoded what
> conditions must be satisfied per patch, per OS for it to be
> considered as installed/patched
> http://go.microsoft.com/fwlink/?LinkID=74689
>
> "Hasse" <Hasse@discussions.microsoft.com> wrote in message
> news:1BAFB049-321E-4602-BD6C-D9C451A2DAEB@microsoft.com...
> > Hi!
> >
> > I got the task of resolving why some patches aren't visible as installed
> > by
> > MBSA. In my organisation patching is done eother on the client OR at the
> > installaion point, (read Office 2003). Now when the installation point is
> > patched there are, of course, no record of this patch being installed in
> > either ARP or the registry. MBSA doesn't report the patch being installed
> > and
> > as a result the machine is deemed unsafe. My suspicion is that MBSA reads
> > the
> > registry to determine what patches are installed. Can anyone confirm if
> > this
> > is the case or if not, what does MBSA collect it's data? If it would read
> > the
> > actual file versions of the computer everything would be OK but that seems
> > not to be the case.
> > --
> > /Hasse
>
>
>
Top

Re: How does MBSA collect it's data? by Mervin

Mervin
Thu Sep 06 12:16:27 PDT 2007

MBSA downloads the file to C:\Documents and Settings\%user%\Local
Settings\Application Data\Microsoft\MBSA\2.0\Cache however using the
commandline interface you can specify the path anywhere. The download of
course only takes place if there is an internet connection.


Top