[unisog] Server based scan for student computers (ESP Wizard)

Christian Wyglendowski Christian.Wyglendowski at greenville.edu
Tue May 17 21:03:20 GMT 2005


I have been messing around trying to get your standalone MBSA wrapper to
work.  I can successfully compile an executable, but I get the following
output when I run it:

       IE version: 6

Output folder: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp
Extract: mbsacli.exe... 100%
Extract: XP.txt... 100%
Extract: XP1.txt... 100%
Extract: XP2.txt... 100%
Extract: 2000.txt... 100%
Extract: 2003.txt... 100%
Extract: NT4.txt... 100%
Extract: mssecure.cab... 100%
Microsoft Baseline Security Analyzer
Version 1.2.1 (1.2.4013.0)
(C) Copyright 2002-2004 Microsoft Corporation. All rights reserved.
HFNetChk developed for Microsoft Corporation by Shavlik Technologies,
(C) Copyright 2002-2004 Shavlik Technologies, LLC. www.shavlik.com

Please use the -v switch to view details for
Patch NOT Found, Warning and Note messages
XML Load failed for .
Unable to read XML from mssecure.cab

Error: Unable to load the XML file from the following location - 


       mbsacli exec status: 0

       Detected OS/SP: XP 2
       Checking for <title>Directory listing for /</title>.
       Checking for <h2>Directory listing for /</h2>.
       Checking for <hr>.
       Checking for <ul>.
       Checking for <li><a
       Checking for <li><a href="2000.txt">2000.txt</a>.
       Checking for <li><a href="2003.txt">2003.txt</a>.
       Checking for <li><a
       Checking for <li><a
       Checking for <li><a href="checker.exe">checker.exe</a>.
       Checking for <li><a
       Checking for <li><a href="checker_nr.exe">checker_nr.exe</a>.
       Checking for <li><a href="checker_old.exe">checker_old.exe</a>.
       Checking for <li><a href="ioA.ini">ioA.ini</a>.
       Checking for <li><a href="ioC.ini">ioC.ini</a>.
       Checking for <li><a href="mbsacli.exe">mbsacli.exe</a>.
       Checking for <li><a href="mssecure.cab">mssecure.cab</a>.
       Checking for <li><a href="NT4.txt">NT4.txt</a>.
       Checking for <li><a href="readme.txt">readme.txt</a>.
       Checking for <li><a href="setdate.exe">setdate.exe</a>.
       Checking for <li><a href="XP.txt">XP.txt</a>.
       Checking for <li><a href="XP1.txt">XP1.txt</a>.
       Checking for <li><a href="XP2.txt">XP2.txt</a>.
       Checking for </ul>.
       Checking for <hr>.
Delete file: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp\mbsacli.exe
Delete file: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp\XP.txt
Delete file: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp\XP1.txt
Delete file: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp\XP2.txt
Delete file: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp\2000.txt
Delete file: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp\2003.txt
Delete file: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp\NT4.txt
Delete file: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp\mssecure.cab
Delete file: C:\DOCUME~1\CWYGLE~1\LOCALS~1\Temp\nsz10D.tmp


I am using NSIS 2.06.  I can run mbsacli.exe from the "build" directory
just fine, using the exact command in the nsi script.  I did some
googling for the error but didn't find anything helpful.

Thanks for any tips you can provide.


> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Mike Wiseman
> Sent: Monday, May 16, 2005 9:28 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Server based scan for student computers
> Hello,
> We did a lot of work in this area also but mainly focused on vulnerability
> detection/remediation. We took the SWU Netreg and combined it with Nessus but were
> unsatisfied with the limited detection capability due to the unmanaged nature of residence
> and wireless networks. So we went further and replaced Nessus with a wizard-like utility
> that end users are required to run as part of the registration process. This utility is a
> wrapper for Microsoft's MBSA critical update detection tool and it is not installed - just
> run once. The user must be up to date with updates to get full network access. If the user
> fails the test, they are directed to WindowsUpdate. This system (called Endpoint Security
> Policy system, ESP for short) has been in service with over 3000 users for a year now and
> it works pretty well. We're about to add a similar utility to check for AV install
> status - readily available in XP SP2 Service Centre and a password audit check.
> See http://www.utoronto.ca/security/UTORprotect/ESP/index.htm for info/download. Note:
> the docs aren't the best yet.
> Mike
> Mike Wiseman
> Manager - Computer Security Administration
> Computing and Networking Services
> University of Toronto
> ----- Original Message ----- 
> From: "scott hollatz" <shollatz at d.umn.edu>
> To: "UNIversity Security Operations Group" <unisog at lists.sans.org>
> Sent: Friday, May 13, 2005 5:22 PM
> Subject: Re: [unisog] Server based scan for student computers
> >> > Can some of you who do this tell me what you're using?
> >>
> >> NetReg is one of the more popular open-source ways of going about that:
> >>
> >> http://www.net.cmu.edu/netreg/
> >
> > We've been using a modified NetReg to quarantine systems not passing a
> > Nessus scan (of several vulnerabilities, not all Nessus knows of).
> >
> > This has been working fine in the reshalls and we've been slowly deploying
> > across campus.
> >
> > A Nessus hook is also in our wireless authentication gateway (also used for
> > public etherjacks) but is not yet in production (has been ready for a few
> > years, but no cycles available for rollout...).
> >
> > -- 
> > scott hollatz                                        net shollatz at d.UMn.eDu
> > information technology systems and services          tel +1 218 726 8851
> > university of minnesota duluth mn usa                fax +1 218 726 7674
> >                                                                         --
> >                                            "gabba gabba hey" - the ramones
> >