How does MBSA collect its data?

Hasse

Hi!

I got the task of resolving why some patches aren't visible as installed by
MBSA. In my organisation patching is done either on the client OR at the
installation point (read Office 2003). Now when the installation point is
patched there is, of course, no record of this patch being installed in
either ARP or the registry. MBSA doesn't report the patch being installed and
as a result the machine is deemed unsafe. My suspicion is that MBSA reads the
registry to determine what patches are installed. Can anyone confirm if this
is the case or, if not, how does MBSA collect its data? If it would read the
actual file versions of the computer everything would be OK but that seems
not to be the case.
--
/Hasse
 
Roger Abell [MVP]

MBSA detects need for patch based on the test criteria info in
the wsusscan2.cab file, in which you will find encoded what
conditions must be satisfied per patch, per OS for it to be
considered as installed/patched.
http://go.microsoft.com/fwlink/?LinkID=74689

 
Hasse

Hi and thanks for the reply. I have searched for this cab file on my computer
and also analyzed the XML content of the file available through your provided
link, but I can't find anything on the specific update I'm looking for. Does
MBSA actually download this cab file or does it download its contents and
add to the scan parameters? The update I'm looking for is KB940602 OR as it
is also called KB940965. The vulnerability mentioned in KB 940965 is actually
remedied by applying patch KB8940602, a roll-up pack. I see in the XML files
extracted from the cab file that there are remarks about different filenames
/ versions and also the name of the fullfile patch name, so it should be
visible to MBSA, unless the prerequisites for determining if the patch is
applied are both that the fileversion is correct AND that there is a registry
record of what file applied the patch? In our case that fullfile patch isn't
present on the system since it was applied to the installation point instead.

But shouldn't MBSA still recognize the fileversion change and accept the
patch as being installed?


--
/Hasse


 
Mervin Pearce [SACS]

MBSA downloads the file to C:\Documents and Settings\%user%\Local
Settings\Application Data\Microsoft\MBSA\2.0\Cache; however, using the
command-line interface you can specify the path anywhere. The download of
course only takes place if there is an Internet connection.
 