MBSA CMDLINE Wizardry

MBSA (Microsoft Baseline Security Analyzer) is a free tool provided by Microsoft. Its purpose is to scan systems to determine the system's security posture. Most people run it as a GUI, but it also has a cmdline option which allows for scripting and automation of tasks. In this post I'll show you how to run mbsacli, the cmdline version of MBSA.

Before you get started I recommend you obtain the latest copy of the security update catalog file (wsusscn2.cab) used by MBSA. This catalog file informs MBSA about the most recent security updates available from Microsoft. MBSA will download a new copy of this file at runtime, but you can save time by pre-fetching the file. This also gives you the ability to run the tool when no internet connection is available. Download mssecure.xml from here: http://go.microsoft.com/fwlink/?LinkId=76054.

When running MBSA from the cmdline, make sure you are in the directory where you installed MBSA, or that you have added it to your PATH. By default that directory is C:\Program Files\Microsoft Baseline Security Analyzer 2.

To get a complete listing of runtime switches, simply type mbsacli /? at the cmd prompt. I’m not going to list them all, but I will show you a few of the more common and useful switches.

/target {domain\computer}   Target by name
/target {IP}                Target by IP
/r {IP-IP}                  Target by IP range
/n                          Skip scan types
/nvc                        Do not check for newer version of MBSA
/o                          Specify name of output file
/catalog                    Specify catalog file
/nd                         Do not download files from Microsoft
/l                          List all reports available
/lr (unknown)               Show overview report
/ld (unknown)               Show detailed report

Default Actions:

  1. MBSA scans the local host when no target is specified.
  2. Reports are automatically named Domain-ComputerName(Time).
  3. When scanning a range, a report is generated for each computer scanned.
  4. Reports are stored at C:\Documents and Settings\username\SecurityScans\

Basic Examples:

Run all scans against the local system and name the report myreport

             mbsacli /o myreport

Scan a range of computers, naming reports by IP address

             mbsacli /r 192.168.0.1-192.168.0.10 /o %IP%

Scan an entire domain

             mbsacli /d mydomain

Advanced Examples:

Scan a system named Joe for "Updates" only (remember that /n lists the scan types to skip, so everything except Updates is excluded)

             mbsacli /target Joe /n OS+IIS+SQL+Password

Scan IP 192.168.0.1, running only "OS" checks, do not check for a new version of MBSA, do not download any files from Microsoft, use a locally stored catalog file, and name the report by computer name.

             mbsacli /target 192.168.0.1 /n SQL+IIS+Updates+Password /nvc /nd /catalog c:\wsusscn2.cab /o %C%

Sample Script Pack

Microsoft provides sample scripts in the Sample Script Pack available for download at http://www.microsoft.com/downloads/details.aspx?FamilyId=3B64AC19-3C9E-480E-B0B3-6B87F2EE9042&displaylang=en.

Scanning Large Networks with Concurrent Scanning:

When scanning a large range of computers, MBSA runs single threaded. This means it scans one system at a time, which makes scanning a large network a lengthy process. Microsoft provides multimbsa.exe, a helper for MBSA, that can run up to 64 concurrent scans. Multimbsa.exe is included in the sample script pack available from Microsoft.

Please note, multimbsa.exe is not an independent application.  It depends on mbsa in order to run. 

Running multimbsa.exe:

multimbsa.exe /listfile=<file> | /domain=<name> [/options=...] [/job=<name>] [/scanners=<n>] [/computers=<n>] [/show]

Where:

/listfile  - contains a list of computers to be scanned
/domain    - specifies the domain to be scanned
/options   - specifies command line options to be passed to mbsacli.exe
             Do not include /r, /d, /listfile, or /target with this parameter
/scanners  - specifies the maximum number of concurrent scanners to run
             Default value for this option is 11, maximum is 64
/computers - specifies the maximum number of computers per scanner
             Default value for this option is 100
/job       - specifies a unique file name prefix given to the scan reports
             Default value for this option is the current date and time
/show      - causes each scanner window to be shown on the desktop
             Default value for this option is to hide scanner windows
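The switches above are easy to get backwards by hand, especially /n, which names the scans to skip rather than the scans to run. The following Python script is an added example, not code from the post or from Microsoft's sample script pack. It derives the /n exclusion list from the set of checks you want, assembles an offline mbsacli command line (/nvc /nd /catalog) for each target, and runs a bounded number of mbsacli processes in parallel, which is the same idea as multimbsa's scanners but without multimbsa. Assumed: the default install path quoted in the post, a runner function that can be swapped for a dry run when MBSA is not installed, and that the %C% report-name token reaches mbsacli unexpanded (it does, because no cmd.exe shell is involved).

```python
"""Build and run mbsacli command lines concurrently (added example, not from the post)."""
import subprocess
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

# Default install path from the post; adjust if MBSA lives elsewhere (assumption).
MBSACLI = Path(r"C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe")
# The scan types mbsacli knows. /n lists the ones to EXCLUDE.
SCAN_TYPES = ("OS", "IIS", "SQL", "Updates", "Password")


def exclusions_for(wanted):
    """Turn the scans you WANT into the /n argument (the scans to skip).

    'Only OS' becomes 'IIS+SQL+Updates+Password'. Returns None when every
    scan type is wanted, i.e. no /n switch is needed.
    """
    wanted = {w.lower() for w in wanted}
    unknown = wanted - {t.lower() for t in SCAN_TYPES}
    if unknown:
        raise ValueError(f"unknown scan type(s): {sorted(unknown)}")
    skipped = [t for t in SCAN_TYPES if t.lower() not in wanted]
    return "+".join(skipped) if skipped else None


def build_command(target, wanted=SCAN_TYPES, catalog=None, offline=True):
    """Assemble the mbsacli argument list for one target.

    offline=True adds /nvc (no version check) and /nd (no downloads); that only
    works with a pre-fetched wsusscn2.cab passed via catalog=, so we insist on it.
    The report is named with MBSA's %C% (computer name) placeholder.
    """
    cmd = [str(MBSACLI), "/target", target]
    skip = exclusions_for(wanted)
    if skip:
        cmd += ["/n", skip]
    if offline:
        if catalog is None:
            raise ValueError("offline scans need a pre-fetched catalog via catalog=")
        cmd += ["/nvc", "/nd"]
    if catalog:
        cmd += ["/catalog", str(catalog)]
    cmd += ["/o", "%C%"]
    return cmd


def run_one(cmd):
    """Run one mbsacli command; return (target, exit code, tail of its output)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return cmd[2], proc.returncode, proc.stdout[-200:]


def scan_targets(targets, max_workers=8, runner=run_one, **kwargs):
    """Scan many targets with at most max_workers mbsacli processes at once.

    mbsacli itself handles one target at a time, so the thread pool is what
    keeps a long target list from taking all day. `runner` is injectable so the
    scheduling can be exercised on a machine without MBSA installed.
    """
    cmds = [build_command(t, **kwargs) for t in targets]
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return list(pool.map(runner, cmds))


if __name__ == "__main__":
    # Constructed sample target list; replace with the contents of your computers.txt.
    hosts = ["192.168.0.1", "192.168.0.2", "Joe"]
    # Dry run (just echo the command) unless mbsacli is actually present.
    dry_run = lambda cmd: (cmd[2], 0, " ".join(cmd))
    runner = run_one if MBSACLI.exists() else dry_run
    results = scan_targets(hosts, runner=runner, wanted=("OS", "Updates"),
                           catalog=r"C:\wsusscn2.cab")
    for target, rc, detail in results:
        print(f"{target}: exit {rc} {detail}")
```

Keep max_workers modest: each mbsacli process makes its own RPC/registry connections to the target, and the scanning host's credentials are used for every one of them, so a runaway pool is both noisy and easy to lock out.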

Aggregate Reports:

MBSA creates a single report for each system scanned. This makes it difficult to correlate data across many systems. To solve this problem use Rollup.js, included in the sample script pack available from Microsoft, which takes multiple reports and combines them into one report.

Example:

Roll up all available reports into a file called rollupreport.xml

             cscript.exe /nologo rollup.js /b > rollupreport.xml
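If you would rather do the correlation yourself than run Rollup.js, the per-host reports are XML and can be folded into one host-by-check table. The script below is an added example, not the post's or Microsoft's code. It parses a set of reports into a {machine: {check: grade}} matrix and answers the questions a reviewer actually asks: which hosts got a given grade on a given check, and which hosts never ran the check at all (for instance because it was excluded with /n). Assumed: the element and attribute names (SecScan/Machine, Check/Name/Grade) and the .mbsa file extension, which you should confirm against a real report in your SecurityScans folder before trusting the output; the three sample reports are constructed.

```python
"""Fold per-host MBSA reports into one host x check table (added example)."""
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from pathlib import Path

# Constructed sample reports standing in for the per-host files MBSA writes.
# Element/attribute names here are an ASSUMPTION about the MBSA 2 report
# format; verify against a real report before relying on this script.
SAMPLE_REPORTS = {
    "WORKGROUP - HOST1 (sample).mbsa": """<SecScan Machine="HOST1" Domain="WORKGROUP">
  <Check ID="500" Name="Windows Security Updates" Grade="2"/>
  <Check ID="1" Name="Local Account Password Test" Grade="0"/>
  <Check ID="2" Name="Automatic Updates" Grade="0"/>
</SecScan>""",
    "WORKGROUP - HOST2 (sample).mbsa": """<SecScan Machine="HOST2" Domain="WORKGROUP">
  <Check ID="500" Name="Windows Security Updates" Grade="0"/>
  <Check ID="1" Name="Local Account Password Test" Grade="2"/>
  <Check ID="2" Name="Automatic Updates" Grade="0"/>
</SecScan>""",
    "WORKGROUP - HOST3 (sample).mbsa": """<SecScan Machine="HOST3" Domain="WORKGROUP">
  <Check ID="500" Name="Windows Security Updates" Grade="2"/>
  <Check ID="1" Name="Local Account Password Test" Grade="2"/>
</SecScan>""",
}


def grades_from_root(root):
    """Return (machine, {check name: grade}) for a parsed <SecScan> element."""
    machine = root.get("Machine", "?")
    grades = {c.get("Name"): c.get("Grade") for c in root.iter("Check")}
    return machine, grades


def parse_report(xml_text):
    """Parse one report held as a string."""
    return grades_from_root(ET.fromstring(xml_text))


def load_reports(folder):
    """Parse every .mbsa file in folder into {machine: {check: grade}}.

    ET.parse reads the file as bytes, so the encoding declared in the report's
    XML header (UTF-8 or UTF-16) is honoured.
    """
    matrix = {}
    for path in sorted(Path(folder).glob("*.mbsa")):
        machine, grades = grades_from_root(ET.parse(path).getroot())
        matrix[machine] = grades
    return matrix


def load_sample_reports():
    """Write the constructed samples to a temp folder and load them back."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, xml in SAMPLE_REPORTS.items():
            Path(tmp, name).write_text(xml, encoding="utf-8")
        return load_reports(tmp)


def per_check_summary(matrix):
    """For each check, count how many hosts received each grade."""
    summary = defaultdict(Counter)
    for grades in matrix.values():
        for check, grade in grades.items():
            summary[check][grade] += 1
    return {check: dict(counts) for check, counts in summary.items()}


def hosts_with_grade(matrix, check, grade):
    """Hosts whose grade for `check` equals `grade` (hosts lacking the check are skipped)."""
    return sorted(m for m, g in matrix.items() if g.get(check) == grade)


def hosts_missing_check(matrix, check):
    """Hosts whose report has no entry for `check` at all, e.g. it was skipped with /n."""
    return sorted(m for m, g in matrix.items() if check not in g)


if __name__ == "__main__":
    matrix = load_sample_reports()
    for check, counts in per_check_summary(matrix).items():
        print(f"{check}: {counts}")
    print("no Automatic Updates result:", hosts_missing_check(matrix, "Automatic Updates"))
```

The "missing check" view matters more than it looks: a host that never ran a check is easy to mistake for a host that passed it when you only look at failures, so report absences alongside grades.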

5 Responses to MBSA CMDLINE Wizardry

  1. Louie Benzon says:

    Hi,

    Will MultiMBSA allow you to create XML output for each scanned server?

    We need the XML output produced with /xmlout but need to run MBSA from a single administration server against our multiple target servers.

    If not, how can we make MBSA create XML output without installing and running MBSA in all the target servers?

    Regards,
    Louie

  2. Steve says:

    You do not need to install MBSA on the target machines. The xml report will be created on the machine running MBSA. However, MBSA will not be able to perform some specific scans from the remote machine.

    • Louie Benzon says:

      Thanks for the reply Steve.

      I’ve tried MultiMBSA but I have problems using the /options switch. Whenever I specify /options (e.g. multimbsa.exe /listfile=c:\MBSAserverlist.txt /show /options=”/nd /n iis+sql+os+password”), no scanning is performed.

      Am I using the switch correctly?

      Regards,
      Louie

      • Abe Johnson says:

        Your command line seems fine… I would just like to clarify that the /n switch indicates which scans to EXCLUDE. You have excluded everything except for the updates scan. If you are in an internal, non-internet accessible connection, no scan will be performed because you cannot reach the update server. On internal networks when testing the commandline, I generally use the /n switch with just the updates+sql option.

  3. Don says:

    Hi, can you help me,

    I'm wanting to run a full scan using Multimbsa.exe /listfile=computers.txt | /domain= /options –

    can you recommend options here for a full scan excluding updates

    Cheers
