network scanner for windows patch KB835732

Guest

Good Morning,
Way back when (almost two years ago), Microsoft released a scanning tool
that could probe hosts on a network to see if they had critical patches
KB824146 and KB823980, which was a particularly useful tool when Blaster hit. I
was wondering if there is a similar tool to scan for the KB835732 critical patch,
since this seems to be a big one for blocking the vulnerabilities that some
recent viruses are exploiting (like Sasser, Korgo, and more recently Sygate).

Any suggestions?

Thanks much!
 
Steven L Umbach

Microsoft Baseline Security Analyzer can scan the network for missing
critical updates with either GUI or command line. If you use the GUI you can
select just check for security updates to speed up the scan. I don't know of
a tool offhand to scan for just KB835732 but it would not be a bad idea
to scan for all missing updates anyhow. The link below provides more
details. --- Steve

http://www.microsoft.com/technet/security/tools/mpsa.mspx
 
Roger Abell [MVP]

If you open a cmd prompt and cd to the install dir of MBSA then
you can use the included HfNetChk that is within MBSA by command
mbsacli -hf -?
You will see that you can specify what all hosts to scan in a number of
ways. You will also see that you can specify the control file with -x.
When you run such as
mbsacli -hf -v
to do a default patch check of the local machine then the mssecure.xml
will be left in the MBSA install dir.
So you could do such as
mbsacli -hf -v -d <your domain> -x mssecure.xml
and you even could if really desired edit down the control xml so that
it would only cause the few patches of interest to be interrogated.
 
Guest

It worked...kind of...
When I did the scan of one of our subnets, it came up with about 20 PCs, but
it said that the user signed on didn't have admin rights so it stopped the
scan. Out of a list of 20, only 1 was fully scanned.
I looked online to see if there was a way around an admin needing to be
signed in, but I may have missed the answer with my Friday befuddled mind.
It's a shame too, because the information that it provided on the one that
was allowed to fully scan was very helpful.
Is there some trick or option that I'm missing?
Thanks again.
 
Steven L Umbach

I believe that you need to be local administrator on the computers you
scan - at least for a full scan. By default a domain admin would be in the
local administrators group of domain computers and it would be easy enough
for a domain admin to add another domain user to the local administrators
group on the domain computers with a logon script if that would help as then
a non domain admin could scan and otherwise manage domain computers without
being a domain admin. -- Steve
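
A per-host check for the single patch asked about in this thread, as an added example that is not part of the original posts and does not use MBSA. It assumes Windows PowerShell with the built-in Get-HotFix cmdlet, an account that is a local administrator on the targets, and constructed placeholder host names; hosts that could not be queried (for example because of missing admin rights) are reported separately from hosts that are missing the patch.

```powershell
# Added example: report per host whether one hotfix is installed.
# $Hosts contains constructed placeholder names; replace with real computer names.
$HotFixId = 'KB835732'
$Hosts    = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')

$results = foreach ($h in $Hosts) {
    $status = 'NotScanned'
    $detail = ''
    try {
        # -ErrorAction Stop makes "hotfix not found" a catchable error
        # instead of a message that is easy to miss in a long run.
        $fix    = Get-HotFix -Id $HotFixId -ComputerName $h -ErrorAction Stop
        $status = 'Installed'
        $detail = "InstalledOn=$($fix.InstalledOn)"
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'GetHotFixNoEntriesFound*') {
            # The query succeeded but the hotfix is not listed on this host.
            $status = 'Missing'
        }
        else {
            # Access denied, host offline, RPC blocked, etc. Keep the reason so
            # an unscanned host is never mistaken for a patched one.
            $detail = $_.Exception.Message
        }
    }
    [pscustomobject]@{
        Computer = $h
        HotFix   = $HotFixId
        Status   = $status
        Detail   = $detail
    }
}

# Unpatched and unscanned hosts are the ones that need follow-up.
$results | Sort-Object Status, Computer | Format-Table -AutoSize
```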
 
