Posted by embee-essay on June 16, 2007, 10:54 pm
Two points for answering my own post.
Upon further review, in my opinion MBSA 2.0.1 is useless as a patch level
verification tool for Windows XP SP2 at least. That was not the answer I was
hoping for. It's the first time I've been tasked with a project related to
Windows security in several years. From the outside, things are worse not
better.
Is there no Microsoft option for patch level validation that doesn't use the
same engine and database as the patch management process? So there is no
problem with a single engine and database for both tasks? Other than a
purely hypothetical problem of course. And whatever trivial problems that
might arise would be addressed very quickly by blogs where we would be
reassured that there was no evidence of any widespread exploitation. Getting
up to speed now.
For Office XP, MBSA 2.0.1 is way off the mark. Listing MS04-027, MS06-012,
MS06-012, MS06-017, MS06-039, MS06-047, MS06-054, and MS06-058 as all
missing when they have all been applied.
Microsoft Office Updates Inventory Tool, Windows Update, and Office Update
all three correctly report zero Office XP updates missing.
System services and driver files with known bad checksums were missed by MBSA
2.0.1.
Other than that, the GUI was still pretty. It went clickety-clickety ding in
the right places.
To my original question quoted below, it can't be done. To perhaps help
another traveling down the same dead end.
I needed legacy support so off to the kingdom of Schultze. NOTE: limited
(free) version of the Shavlik tool does not support any useful output
format, e.g., csv or xml. The free version fails to detect bad checksums or
incorrect file versions.
http://www.shavlik.com/products/netchk-limited.aspx
You'll need the offline XML
http://xml.shavlik.com/data/hfnetchk6b.cab
It does XPSP2 and some other legacy apps in what appears to me to be the
same thorough and superficial way.
hfnetchk4pro.exe -x "C:\Program Files\Shavlik Technologies\NetChk.9.0.145\hfnetchk6b.cab" -history 5 -v -f "%USERPROFILE%\Desktop\HFOUT.TXT"
From Microsoft I needed
Scroll to the "Scanning" section of the FAQ
http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx
Q. What happened to the HFNetChk-style scan of previous versions of MBSA?
Q. What happened to the ability to use only MBSACLI.EXE /HF to perform
security update checks without performing a full MBSA 2.0 installation?
Windows Update Agent stand-alone installer
http://download.windowsupdate.com/v6/windowsupdate/redist/standalone/windowsupdateagent20-x86.exe
MBSA 2.0.1. Scroll to the "Download Now" section. NOTE: This is a significant
break from past Microsoft behavior wherein security updates were available
without Genuine Windows Validation. MBSA 2.0.1 requires Genuine Windows
Validation (MBSA 1.2.1 did not).
http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
And the CAB file
http://go.microsoft.com/fwlink/?LinkID=74689
There are only four options when requiring XML output so I'll not post a
lengthy command line here.
> Anyone have a quick and dirty command line equivalent for the new MBSA?
>
> * Run in HFNetChk mode
> * Point to a downloaded CAB, and
> * Do not attempt a network connection to check for updates to the client or
> patch database or anything else pls
> * Display security update reason codes, DLL X was wrong version, etc
> * Use custom XML template and write results to a file
>
> I don't want to rewrite a policy and get it approved just to comply with a
> new tool. I can't make heads or tails of even which version to use. As for
> heavy lifting, MS picked up a huge weight and then dumped it on my head. ;-)
>