I’ve always rather liked Microsoft’s Baseline Security Analyzer (MBSA) tool, and so once I noticed that version 2 had become available I downloaded it to my system. Keeping the old version, I installed the new one and ran my first scan…only to find it didn’t work; much frowning ensued as I tried to find out what was wrong. Opening Help and following the link to the FAQ, I reasoned that I couldn’t be the only person in the world with this problem, and sure enough the fifth FAQ entry under ‘How to Correct Common Errors’ reads ‘Why am I seeing error “Failed to download security update databases” followed by “The catalog file is damaged or an invalid catalog”?’
That was the exact error I was seeing, and following the link told me that when MBSA downloads the Microsoft Update offline catalog (wsusscan.cab) before each scan attempt, the downloaded files are checked for a valid Microsoft digital signature. If the file is missing or the digital signature can’t be verified, these errors may occur. They can also occur if Internet Explorer is running in Offline mode, as this will prevent MBSA from downloading the catalog file. However, I knew that wasn’t the problem, nor was I sure why the former was happening. A search for wsusscan.cab revealed that it was missing; hardly surprising since I’d already been told that MBSA had failed to download the catalog. A bigger problem was that according to the FAQ, this error appeared under Windows 2000, and I definitely wasn’t running that.
Further perusal of Microsoft Knowledge Base article 835732 told me about the MS04-011 Security Update for Microsoft Windows. I installed MBSA onto a different system to see if it was a global problem and discovered it wasn’t. Then I browsed a bit further through the FAQ and discovered that MBSA could be used, via a command-line tool, on systems that aren’t connected to the Internet. All you need to do is download the update catalog (wsusscan.cab) and the authorisation catalog (muauth.cab) from the Microsoft website, then run the mbsacli command-line tool with the /nd switch (standing for ‘No Download’). I did this, the Command Prompt window appeared and the scan ran. I then fired up MBSA again and noticed the option to scan existing reports was no longer greyed out, so I clicked on it and a moment later was perusing the report. Obviously, this isn’t entirely satisfactory, so I’m still trying to uncover the problem.
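Because the /nd route replaces MBSA's own download step, the signature check described in the FAQ is worth repeating by hand on the two catalogs before scanning. The following PowerShell sketch is an added example, not part of the original article or of MBSA: the `CatalogDir` parameter, the default `mbsacli.exe` path and the subject-name match are assumptions, and it expects the catalogs to be in the folder you pass in (the article does not say where mbsacli looks for them).

```powershell
# Added example: verify the manually downloaded MBSA catalogs, then scan offline.
param(
    # Assumption: the folder where you saved wsusscan.cab and muauth.cab.
    [Parameter(Mandatory = $true)]
    [string]$CatalogDir,
    # Assumption: install location of mbsacli.exe; adjust to your system.
    [string]$MbsaCli = "$env:ProgramFiles\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
)

$catalogs = 'wsusscan.cab', 'muauth.cab'
$failed = $false

foreach ($name in $catalogs) {
    $path = Join-Path $CatalogDir $name

    # A missing catalog is one of the two causes the FAQ gives for the error.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "$name is missing from $CatalogDir"
        $failed = $true
        continue
    }

    # The other cause: the digital signature cannot be verified.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    # The subject match is a simple illustrative check, not MBSA's own logic.
    if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') {
        Write-Warning "$name failed verification: status=$($sig.Status), signer=$subject"
        $failed = $true
    }
    else {
        Write-Host "$name verified: $subject"
    }
}

if ($failed) {
    Write-Error 'Catalog verification failed; scan not started.'
    exit 1
}

# /nd ('No Download') is the switch named in the article.
& $MbsaCli /nd
exit $LASTEXITCODE
```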
Irritatingly, MBSA 1.2.1 still works perfectly, happily downloading the needed files, while version 2 still stubbornly resists all attempts to download the files automatically. You might be wondering why I didn’t try uninstalling the older version, and the reason is that MBSA 2 doesn’t yet support all Microsoft products: for example, it ignores Exchange Server 5.x, SQL Server 7 and 2000. For the full list, see Knowledge Base article 895660, which not only shows why you need both versions of MBSA, but also points to a third tool, the Enterprise Update Scan Tool (EST). This utility scans a number of Microsoft applications that are ignored by both versions of MBSA, including MSN Messenger, Visual Studio 2002 and 2003, ISA Server 2000 and more, which makes it a must-have tool in my opinion. The EST is interesting in that a new version gets produced to accompany specific bulletins: it doesn’t get updated every time a bulletin is produced, but only in response to a bulletin that comes out for a product that isn’t covered by either version of MBSA, or any of the Microsoft Office detection tools. I suggest reading Microsoft Knowledge Base article 894193.