MBSA CMDLINE Wizardry

MBSA (Microsoft Baseline Security Analyzer) is a free tool provided by Microsoft.  Its purpose is to scan systems to determine the systems security posture.  Most people run it as a gui, but it also has a cmdline option which allows for scripting and automation of tasks.  In this post I’ll show you how to run mbsacli the cmdline version of mbsa. 

Before you get started I recommend you obtain the latest copy of the security update catalog file (wsusscn2.cab) used by MBSA. This catalog file informs MBSA about the most recent available security updates available from Microsoft. MBSA will download a new copy of this file at runtime, but you can save time by pre-fetching the file.  This also gives you the ability to run the tool when no internet connection is available. Download mssecure.xml from here. http://go.microsoft.com/fwlink/?LinkId=76054.

 When running MBSA from the cmdline, make sure you are in the same directory where you installed MBSA or you add it to your path.  By default that directory is C:\Program Files\Microsoft Baseline Security Analyzer 2.

To get a complete listing of runtime switches, simply type mbsacli /? at the cmd prompt. I’m not going to list them all, but I will show you a few of the more common and useful switches.

/target {domain\computer}   Target by name           
/target {IP}                Target by IP                 
/r {IP-IP}                  Target by IP range      
/n                          Skip scan types             
/nvc                        Do not check for newer version of MBSA
/o                          Specify name of output file
/catalog                    Specify catalog file
/nd                         Do not download files from Microsoft
/l                          List all reports available
/lr {filename}              Show overview report   
/ld {filename}              Show detailed report

 Default Actions:

  1. MBSA scans the local host when no target is specified.
  2. Reports are automatically name Domain-ComputerName(Time)
  3. When scanning a range a report is generated for each computer scanned.
  4. Reports are stored at C:\Documents and Settings\username\SecurityScans\

 Basic Examples:

 Run all scans against local system and name the report myreport

             mbsacli /o myreport

 Scan a range of computers naming reports by IP address 

            Mbsacli /r 192.168.0.1-192.168.0.10 /o %IP%

 Scan an entire domain

             Mbsacli /d mydomain

 Advanced Examples:

 Scan a system named Joe for “Updates” only

         mbsacli /target Joe /n OS+IIS+SQL+Password

Scan IP 192.168.0.1, running only “OS” checks, do not check for a new version of MBSA, do not download any files from Microsoft, used a local stored catalog file, name the report by computer name.

Mbsacli /target 192.168.0.1 /n SQL+IIS+Updates+Password /nvc /nd/catalog c:\wsussnc2.cab /o %C%

Sample Script Pack

Microsoft provides sample scripts in the Sample Script Pack available for download at http://www.microsoft.com/downloads/details.aspx?FamilyId=3B64AC19-3C9E-480E-B0B3-6B87F2EE9042&displaylang=en.

Scanning Large Networks with Concurrent Scanning:

When scanning a large range of computers, MBSA runs single threaded. This means it scans one system at a time which can create a lengthy process against a large network. Microsoft provides multimbsa.exe, a helper for MBSA, that can run up to 64 concurrent scans. Multimbsa.exe is included in the sample script pack available from Microsoft. 

Please note, multimbsa.exe is not an independent application.  It depends on mbsa in order to run. 

Running multimbsa.exe:

Multimbsa.exe /listfile=<file> | /domain=<name> [/options=...] [/job=<name>] [/scanners=<n>] [/computers=<n>] [/show]

                Where:

/listfile - contains a list of computers to be scanned
/domain – specifies the domain to be scanned
/options - specifies command line options to be passed to mbsacli.exe
    Do not include /r, /d, /listfile, or /target with this parameter
/scanners - specifies the maximum number of concurrent scanners to run
    Default value for this option is 11, maximum is 64
/computers - specifies the maximum number of computers per scanner
    Default value for this option is 100
/job - specifies a unique file name prefix given to the scan reports
     Default value for this option is the current date and time
/show - causes each scanner window to be shown on the desktop
     Default value for this option is to hide scanner windows

 Aggregate Reports:

MBSA creates a single report for each system scanned.  This makes it difficult to correlate data across many systems.  To solve this problem use the Rollup.js, included in the sample script pack available from Microsoft, which takes multiple reports and combines them into one report

example:

Rollup all available reports into a file called rollupreport.xml

                Cscript.exe /nologo rollup.js /b > rollupreport.xml

5 Responses to MBSA CMDLINE Wizardry

  1. Louie Benzon says:

    Hi,

    Will MultiMBSA allow you to create XML output for each scanned server?

    We need the XML out produced with /xmlout but need to run MBSA from a single administration server against our multiple target servers.

    If not, how can we make MBSA create XML output without installing and running MBSA in all the target servers?

    Regards,
    Louie

  2. Steve says:

    You do not need to install MBSA on the target machines. The xml report will be created on the machine running MBSA. However MBSA will not be able to perform some specific scans from the remote machine.

    • Louie Benzon says:

      Thanks for the reply Steve.

      I’ve tried MultiMBSA but I have problems using the /options switch. Whenever I specify /options (e.g. multimbsa.exe /listfile=c:\MBSAserverlist.txt /show /options=”/nd /n iis+sql+os+password”), no scanning is performed.

      Am I using the switch correctly?

      Regards,
      Louie

      • Abe Johnson says:

        Your command line seems fine… I would just like to clarify that the /n switch indicates which scans to EXCLUDE. You have excluded everything except for the updates scan. If you are in an internal, non-internet accessible connection, no scan will be performed because you cannot reach the update server. On internal networks when testing the commandline, I generally use the /n switch with just the updates+sql option.

  3. Don says:

    HI Can you help me,

    Im wanting to run a full scan using Multimbsa.exe /listfile=computers.txt | /domain= /options –

    can you recommend options here for a full scan excluding updates

    Cheers

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: