Sunday, 12 September 2010

MultiMBSA

Until now I had only used the MBSA GUI to conduct scans on Windows systems. Recently, while searching for command-line options in order to script the scans, I stumbled upon MBSA Scripts. I tried using MultiMBSA but faced many problems and found little online help.

This post captures the steps I took to get MultiMBSA running:

1. Install MBSA on the server that will conduct the scan.
2. Extract the MBSAScripts to a folder on the same server.
3. Download the WSUSSCN2.cab file from Microsoft's website.
4. Create a folder to save the reports.

By default, the scan results from MBSA are stored in the profile of the account used to run the scan, under the following folder:
C:\Documents and Settings\$username\SecurityScans
If the files from previous scans are not removed, the MBSAScripts will create multiple entries for the same host. To prevent this, remove or archive the old files:

move "C:\Documents and Settings\$username\SecurityScans\*.mbsa" "C:\Documents and Settings\$username\SecurityScans\archive\"

The other thing to make sure of is that the WSUSSCN2.cab file is updated before every scan:
wget http://go.microsoft.com/fwlink/?LinkId=76054

Though you can specify the folder where the wsusscn2.cab file is kept, I found that MultiMBSA ignored it and looked for it in the following folder:

C:\Documents and Settings\$username\Local Settings\Application Data\Microsoft\MBSA\2.1.1\Cache

This may have been because I was not passing the right parameters, but I fixed it by making sure I copied the file downloaded using wget to the folder mentioned above:

move /Y C:\MultiMBSA\wsusscn2.cab "C:\Documents and Settings\$username\Local Settings\Application Data\Microsoft\MBSA\2.1.1\Cache"

Once you have taken care of the above, you are set to run the scan:
C:\MultiMBSA\multimbsa.exe /listfile=servers_test.txt /scanners=5 /computers=10 /options="/nd /n iis+sql+os+password /nvc /wi"

The command breaks down as follows:
/listfile - file containing list of servers to be scanned.
/scanners - number of MBSA scanners to launch simultaneously.
/computers - number of computers each scanner should scan.
/options - the usual MBSAcli options.

This should launch multiple MBSA scanners in the background. Once the scans are complete, run the rollup.js script in the MBSAScripts folder to go through the MBSA results and consolidate the reports:

cscript.exe /nologo C:\MultiMBSA\rollup.js /b >C:\mbsareports\servers_test.xml

You can then view the file servers_test.xml in a browser. I like to create a separate file for each month's patches. For example, for March 2010 you can create a report using the following command:

cscript.exe /nologo e:\mbsarep\rollup.js /b MS10-016 MS10-017 MS10-018>c:\mbsareports\Mar2010.xml

Some effort is required to keep your script updated with the latest month's MS advisory numbers.

Finally, the full script looks like this:



move "C:\Documents and Settings\$username\SecurityScans\*.mbsa" "C:\Documents and Settings\$username\SecurityScans\archive\"

wget http://go.microsoft.com/fwlink/?LinkId=76054

move /Y C:\MultiMBSA\wsusscn2.cab "C:\Documents and Settings\$username\Local Settings\Application Data\Microsoft\MBSA\2.1.1\Cache"

C:\MultiMBSA\multimbsa.exe /listfile=servers_test.txt /scanners=5 /computers=10 /options="/nd /n iis+sql+os+password /nvc /wi"

cscript.exe /nologo C:\MultiMBSA\rollup.js /b >C:\mbsareports\servers_test.xml

cscript.exe /nologo e:\mbsarep\rollup.js /b MS10-016 MS10-017 MS10-018>c:\mbsareports\Mar2010.xml


Make sure you replace $username with the actual account under which you run this script. Also, the text has wrapped, so be careful to enter each command on a single line. I hope this post is helpful.
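
The preconditions described above (old .mbsa results archived, a current WSUSSCN2.cab, and the catalog placed in the MBSA cache folder) can be checked before launching multimbsa.exe. The following PowerShell pre-flight script is an added example, not part of the original post or of MBSAScripts. It assumes PowerShell is installed on the scanning server and that wget saved the catalog as C:\MultiMBSA\wsusscn2.cab; the 35-day age limit, the timestamped archive subfolder and the signature check are choices made for this example.

```powershell
# Added example: pre-flight checks to run before multimbsa.exe.
# Folder paths follow the post; $Downloaded and $MaxAgeDays are assumptions.
param(
    [string]$Downloaded = 'C:\MultiMBSA\wsusscn2.cab',  # assumed wget output location
    [int]$MaxAgeDays = 35                               # assumed limit; tune to your patch cycle
)
$ErrorActionPreference = 'Stop'

$scans = Join-Path $env:USERPROFILE 'SecurityScans'
$cache = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\MBSA\2.1.1\Cache'

# 1. Archive earlier results so rollup.js does not list the same host twice.
if (Test-Path $scans) {
    $old = @(Get-ChildItem -Path $scans -Filter '*.mbsa' | Where-Object { -not $_.PSIsContainer })
    if ($old.Count -gt 0) {
        $archive = Join-Path $scans ('archive\' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
        New-Item -ItemType Directory -Path $archive -Force | Out-Null
        $old | Move-Item -Destination $archive
        Write-Host "Archived $($old.Count) old report(s) to $archive"
    }
}

# 2. The catalog must exist and must not be stale (judged by its file timestamp).
if (-not (Test-Path $Downloaded)) { throw "Catalog not found: $Downloaded" }
$cab = Get-Item $Downloaded
$age = (Get-Date) - $cab.LastWriteTime
if ($age.TotalDays -gt $MaxAgeDays) {
    throw "Catalog is $([int]$age.TotalDays) days old; download it again before scanning."
}

# 3. The download link in the post is plain HTTP, so confirm the cab is validly signed.
$sig = Get-AuthenticodeSignature -FilePath $Downloaded
if ($sig.Status -ne 'Valid') { throw "Catalog signature status is $($sig.Status)." }
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 4. Copy the catalog to the cache folder where MultiMBSA looked for it.
if (-not (Test-Path $cache)) { throw "MBSA cache folder not found: $cache" }
Copy-Item $Downloaded (Join-Path $cache 'wsusscn2.cab') -Force
Write-Host "Catalog dated $($cab.LastWriteTime.ToString('yyyy-MM-dd')) copied to $cache"
```

Run it under the same account that runs the scan, since both folders live in that account's profile; any failed check stops the script before a scan is started against an old or unsigned catalog.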