How to obtain and use the Enterprise Scan Tool (894193)



The information in this article applies to:

  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Datacenter Server SP3

SUMMARY

This article describes how to obtain and use the Enterprise Scan Tool that is included in some security bulletin releases. It describes where you can obtain the February 8, 2005 Enterprise Scan Tool. Then, the article discusses how to analyze the contents of the Results.xml file that the tool creates. Next, some brief suggestions are provided if you want to consolidate data from multiple computers after you run the tool. This article describes how to uninstall the Enterprise Scan Tool. This article discusses some of the limitations of the tool. The article finishes with a series of frequently asked questions (FAQ) sections. The first FAQ is a general FAQ. This general FAQ is followed by an FAQ for bulletin-specific versions of the Enterprise Scan Tool. Next, there is an FAQ for the Microsoft System Management Server (SMS) version of the Enterprise Scan Tool. The article ends with an FAQ that discusses some of the known issues.

INTRODUCTION

This article contains step-by-step instructions that describe how to use the Enterprise Scan Tool that is provided with some security bulletin releases. This tool lets you scan for the updates that are released with Microsoft Security Response Center (MSRC) bulletins where Microsoft System Management Server or another enterprise management solution is not used to manage updates. The steps that are provided are sample steps. You may have to modify the steps according to the requirements and the limitations of your environment.

MORE INFORMATION

Using the Enterprise Scan Tool

The Enterprise Scan Tool that is specific to each security bulletin release cycle may have its own command line switches and XML output schema. The following steps apply to all Enterprise Scan Tool releases.
  1. Run the package that you obtained from the Download Center or from Microsoft Product Support.
  2. When you are prompted to specify a location to extract the files to, specify a location.

    In the folder where you extracted the files, you can see the following files:
    • Readme.rtf
    • Updatescan.exe
    • Updatescan.xml
  3. Run the Updatescan.exe file by using the command-line switches that are described in the readme file that is packaged with the Enterprise Scan Tool.

    The Enterprise Scan Tool releases are associated with certain bulletins during an MSRC release cycle. These command-line switches may be different for different Enterprise Scan Tool releases. Always see the readme file that is associated with the Enterprise Scan Tool release for the latest information.
  4. To see the results of the scan, review the log that is created by using an optional switch, and then review the Results.xml file.

    The log is written to the current working directory. However, the Results.xml file is written to the folder that the tool is run from. The XML output schema may be different for different Enterprise Scan Tool releases. For more information, see the "Analyze the tool output" section of the readme file that is associated with the Enterprise Scan Tool release.

Currently available Enterprise Scan Tool

October 10, 2006 Enterprise Scan Tool (MS06-066)

To obtain the October 10, 2006 Enterprise Scan Tool (MS06-066), visit the following Microsoft Web site:

September 26, 2006 Enterprise Scan Tool (MS06-055)

To obtain the September 26, 2006 Enterprise Scan Tool (MS06-055), visit the following Microsoft Web site:

August 8, 2006 Enterprise Scan Tool (MS06-043)

To obtain the August 8, 2006 Enterprise Scan Tool (MS06-043), visit the following Microsoft Web site:

July 11, 2006 Enterprise Scan Tool (MS06-033)

To obtain the July 11, 2006 Enterprise Scan Tool (MS06-033), visit the following Microsoft Web site:

June 13, 2006 Enterprise Scan Tool (MS06-023, MS06-024)

To obtain the June 13, 2006 Enterprise Scan Tool (MS06-023, MS06-024), visit the following Microsoft Web site:

May 9, 2006 Enterprise Scan Tool (MS06-020)

To obtain the May 9, 2006 Enterprise Scan Tool (MS06-020), visit the following Microsoft Web site:

April 11, 2006 Enterprise Scan Tool (MS06-014, MS06-016, MS06-017)

To obtain the April 11, 2006 Enterprise Scan Tool (MS06-014, MS06-016, MS06-017), visit the following Microsoft Web site:

February 14, 2006 Enterprise Scan Tool (MS06-005)

To obtain the February 14, 2006 Enterprise Scan Tool (MS06-005), visit the following Microsoft Web site:

October 11, 2005 Enterprise Scan Tool (MS05-044, MS05-050)

To obtain the October 11, 2005 Enterprise Scan Tool (MS05-044, MS05-050), visit the following Microsoft Web site:

June 14, 2005 Enterprise Scan Tool (MS05-029, MS05-030, MS05-031, MS05-033, MS05-034)

To obtain the June 14, 2005 Enterprise Scan Tool (MS05-029, MS05-030, MS05-031, MS05-033, MS05-034), visit the following Microsoft Web site:

April 12, 2005 Enterprise Scan Tool (MS05-022, MS05-023)

To obtain the April 12, 2005 Enterprise Scan Tool (MS05-022, MS05-023), visit the following Microsoft Web site:

February 8, 2005 Enterprise Scan Tool (MS05-004, MS05-006, MS05-009)

To obtain the February 8, 2005 Enterprise Scan Tool, visit the following Microsoft Web site:

October 12, 2004 Enterprise Scan Tool (MS04-028)

To obtain the October 12, 2004 Enterprise Scan Tool (MS04-028), visit the following Microsoft Web site:

Analyzing the Results.xml file

This file is located in the folder on the computer where you run the scan tool. You can use the Results.xml file to aggregate data about updates across an enterprise. In particular, the Status field indicates whether a particular update is applicable or installed. If an update is labeled as applicable, the security update is required and is not installed. If the update is labeled as installed, the security update is installed and is present on the destination computer. The format of the output is similar to the following. Any change to the output format in a future release would be documented.

<ScanResults>
   <ScanDateTime>9/16/2004 2:40:30 PM</ScanDateTime>
   <XMLDataVersion>2004.12.14.0</XMLDataVersion>
   <ScannedBy>COMPUTER_A \ SYSTEM</ScannedBy>
   <Machine>
      <MachineName>COMPUTER_A</MachineName>
      <Domain>MYDOMAIN</Domain>
      <Product>
         <ProductName>WINDOWS 2000 ADVANCED SERVER</ProductName>
         <Item>
            <LocaleID>1033</LocaleID>
            <ItemClass>Patch</ItemClass>
            <BulletinID>MS0x-00x</BulletinID>
            <BulletinTitle>Buffer Overrun Could Allow Code Execution (999999)</BulletinTitle>
            <SQNumber>999999</SQNumber>
            <BulletinUrl>http://www.microsoft.com/technet/security/bulletin/MS0x-00x.mspx</BulletinUrl>
            <DownloadURL>n/a</DownloadURL>
            <Description></Description>
            <Status>Applicable</Status>
            <ItemType></ItemType>
            <DatePosted></DatePosted>
            <DateRevised></DateRevised>
            <UnattendSyntax>/q /z</UnattendSyntax>
         </Item>
      </Product>
   </Machine>
</ScanResults>

Consolidating the output data from multiple computers

Enterprise customers may want to consolidate the output data from multiple computers into an easy-to-read report, a database, or another format for reporting or compliance checking. Because of diverse customer requirements, Microsoft does not provide a centralized reporting solution with the tool. However, you can import the XML files that are saved by the scan tool into a database for centralized reporting.
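
Added example (not Microsoft sample code and not part of the original article): one way to load collected Results.xml files into a database and list the computers that still need attention, following the Status rules in the "Analyzing the Results.xml file" section. The table layout, the function names, the verdict labels, and the sample documents are constructed for illustration. Because the article does not say which element carries the tool's status messages, the code searches the whole document text for them.

```python
import sqlite3
import xml.etree.ElementTree as ET

NO_MISSING = "No missing updates detected"  # message text quoted in the article

def _doc(name, body):
    # Constructed Results.xml in the layout shown above (not real tool output).
    return ("<ScanResults><ScanDateTime>9/16/2004 2:40:30 PM</ScanDateTime><Machine>"
            f"<MachineName>{name}</MachineName><Domain>MYDOMAIN</Domain><Product>"
            f"<ProductName>WINDOWS 2000 ADVANCED SERVER</ProductName>{body}"
            "</Product></Machine></ScanResults>")

def _item(status):
    return ("<Item><BulletinID>MS0x-00x</BulletinID><SQNumber>999999</SQNumber>"
            f"<Status>{status}</Status></Item>")

SAMPLES = {  # constructed: file name -> contents collected from each computer
    "a.xml": _doc("COMPUTER_A", _item("Applicable")),
    "b.xml": _doc("COMPUTER_B", _item("Installed")),
    # Assumption: the article does not say which element carries this message.
    "c.xml": _doc("COMPUTER_C", "<Description>No checks apply to this system</Description>"),
    "d.xml": "<ScanResults><Machine>",  # truncated upload
}

def consolidate(files):
    """Load Results.xml documents into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scan (source, machine, domain, scanned, verdict)")
    db.execute("CREATE TABLE item (source, product, bulletin, sq, status)")
    for source, text in files.items():
        try:
            if "<!DOCTYPE" in text:  # scan output has no DTD; refuse entity tricks
                raise ValueError("unexpected DTD")
            root = ET.fromstring(text)
            machine = root.find("Machine")
            if machine is None:
                raise ValueError("no Machine element")
        except (ET.ParseError, ValueError):
            db.execute("INSERT INTO scan VALUES (?,NULL,NULL,NULL,'unreadable')", (source,))
            continue
        statuses = []
        for product in machine.iter("Product"):
            for it in product.iter("Item"):
                status = (it.findtext("Status") or "").strip()
                statuses.append(status.lower())
                db.execute("INSERT INTO item VALUES (?,?,?,?,?)",
                           (source, product.findtext("ProductName"),
                            it.findtext("BulletinID"), it.findtext("SQNumber"), status))
        if "applicable" in statuses:
            verdict = "missing updates"
        elif NO_MISSING in "".join(root.itertext()) or (
                statuses and all(s == "installed" for s in statuses)):
            verdict = "up to date"
        else:  # includes "No checks apply to this system": verify OS support by hand
            verdict = "not assessed"
        db.execute("INSERT INTO scan VALUES (?,?,?,?,?)",
                   (source, machine.findtext("MachineName"), machine.findtext("Domain"),
                    root.findtext("ScanDateTime"), verdict))
    return db

def needs_attention(db):
    """Every scan that is not verifiably up to date, with the bulletin it lacks."""
    return db.execute(
        "SELECT s.source, s.machine, s.verdict, i.bulletin FROM scan s "
        "LEFT JOIN item i ON i.source = s.source AND lower(i.status) = 'applicable' "
        "WHERE s.verdict <> 'up to date' ORDER BY s.source").fetchall()

if __name__ == "__main__":
    for row in needs_attention(consolidate(SAMPLES)):
        print(row)
```

A computer is counted as up to date only when the file says so. Unreadable files and "No checks apply to this system" results stay on the report, so an unsupported or unscanned computer is not mistaken for a patched one.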

Uninstalling the Enterprise Scan Tool

To uninstall the tool from client computers, delete the folder that you used when you originally installed the tool.

Limitations

  • You must run the Enterprise Scan Tool under an account that has local administrative rights or system context.
  • This tool has been tested only on products and configurations that are supported. If you run the tool on an operating system that is not supported, you receive the following message: "No checks apply to this system"
  • This tool produces results in English. However, detection capability is provided for each language that is affected by the monthly updates that are released.
  • This tool performs local scans.
  • This tool does not provide detection for third-party applications that may use a vulnerable version of the component that is affected.
  • Any modification or customization of the tool or the detection manifest is not permitted under the End-User License Agreement (EULA). (The detection manifest is the XML file.)
  • The tool has been tested only on operating systems that are supported and with the versions of the affected products that are supported. The tool may report inaccurate information or may not report information about products that are not supported. For more information about product versions that are supported, see the following Microsoft Web site:
  • Microsoft XML Parser (MSXML) 3.0 must be present on any computer where you run the tool. MSXML 3.0 is installed by Microsoft Internet Explorer 6 and by Internet Explorer 6 Service Pack 1. MSXML 3.0 is also part of Microsoft Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    269238 Version list for the Microsoft XML parser

Frequently asked questions

General FAQ

  • What is the Enterprise Scan Tool?
    As part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool for the bulletins in an MSRC release cycle that cannot be detected by the Microsoft Baseline Security Analyzer (MBSA) or the Office Detection Tool (ODT). This stand-alone tool is referred to as the Enterprise Update Scan Tool (EST). This tool is designed for enterprise administrators. When a detection tool is created for a specific bulletin, customers can run the tool at a command prompt and then view the results of the XML output file. Detailed documentation is provided with the tool. There is also a version of the tool that System Management Server (SMS) customers can obtain that offers an integrated experience for SMS administrators.
  • Why does this tool exist?
    Microsoft delivers this tool for certain bulletins in an MSRC release cycle that cannot be detected by the MBSA or the ODT. Each tool is specific to an MSRC release cycle.
  • Will the tool be updated every time? Will the tool stay the same? And will new XML be published?
    No. Each Enterprise Scan Tool is a stand-alone tool that is associated with a specific MSRC release cycle. Enterprise Scan Tools are only created when the MBSA or the ODT do not offer detection for a bulletin. If the MBSA or the ODT can detect the bulletin, an Enterprise Scan Tool is not released for that bulletin. The XML output schema and the tool are intertwined. Command-line switches may be different for different Enterprise Scan Tools. Therefore, customers must download the Enterprise Scan Tool that is associated with each MSRC release cycle.
  • How long does Microsoft plan to support the tool?
    The Enterprise Scan Tool is part of the Microsoft commitment to provide detection tools for bulletin-class security updates. The tool is used when the MBSA or the ODT do not offer detection. In the future, the security update infrastructure will be consolidated on Microsoft Windows Update Server. Eventually, Microsoft will be able to offer full detection by using the Microsoft catalog across all scan tools that use the Windows Update Server infrastructure. These tools include the MBSA version 2.0, Microsoft Operations Manager (MOM), and the Microsoft Systems Management Server 2003 Inventory Tool for Microsoft Updates. When the Microsoft catalog is fully populated, there will no longer be a need for the Enterprise Scan Tool.
  • Why do the MBSA and the ODT not detect this update?
    The MBSA and the ODT may not offer full detection for certain bulletins in an MSRC release cycle. Full detection may not be available because of a limitation of the detection engine or because the product that is affected is not supported by the MBSA or the ODT. We are working to resolve this issue in future versions of the MBSA through the Windows Update Server infrastructure. In the meantime, the Enterprise Scan Tool is designed to complement the MBSA and the ODT for security update detection. Whenever MBSA or ODT cannot offer detection, we plan to release an Enterprise Scan Tool.
  • When will Windows Update Server, MBSA 2.0, and the SMS 2003 Inventory Tool for Microsoft Updates be released?
    Windows Update Server is scheduled to be released by the end of the second quarter of 2005. The MBSA version 2.0 and the SMS 2003 Inventory Tool for Microsoft Updates are scheduled to follow the release of Windows Update Server.
  • How do I obtain support for the Enterprise Scan Tool?
    The Enterprise Scan Tool is supported through Microsoft Product Support Services (PSS). To contact Microsoft PSS, visit the following Microsoft Web site:
  • How is the Enterprise Scan Tool different from the MBSA?
    The Enterprise Scan Tool complements the scanning ability of the MBSA. An Enterprise Scan Tool is only released when the MBSA or the ODT cannot detect certain bulletins in an MSRC release cycle. The MBSA is designed for the information technology generalist and is designed with an easy-to-use interface. The MBSA also has built-in reporting capabilities and offers cumulative security update scanning. An Enterprise Scan Tool can only be used for specific bulletins. This tool does not provide a user interface for reporting. The Enterprise Scan Tool is designed to be used by enterprise administrators within a scripting solution or with SMS.
  • How do I verify that all updates have been applied to a computer?
    After you run the tool to detect the updates that you need, and after the updates are installed, run the tool again to verify that the updates are installed. The Results.xml file should contain the following information when all the updates that are applicable are successfully installed on the computer: "No missing updates detected"
    Note: If an update requires that you restart the computer, the tool only indicates that the update is installed after you restart the computer.

FAQ for the bulletin-specific versions of the Enterprise Scan Tool

  • Where do I obtain the tool?
    Links to the download center are provided in the MSRC bulletins that an Enterprise Scan Tool applies to.
  • What are the command-line switches for the tool?
    Each Enterprise Scan Tool release may have different command-line switches. The command-line switches that are available for each Enterprise Scan Tool release are documented in the readme file for each release.
  • How do I use the stand-alone tool on one computer?
    You run the Enterprise Scan Tool at a command prompt, and you use the appropriate switches if any apply. The XML output has to be parsed to determine whether a computer is missing an important update.
  • How do I interpret the output?
    The schema of the XML output file may change from one Enterprise Scan Tool release to the next. You must see the readme file for each Enterprise Scan Tool release for guidance on how to interpret output. Generally, if the XML output indicates that an update is applicable, the update that is referenced is not installed and is required. If the XML output indicates that the update is installed, the update is installed.
  • Can I use the tool on multiple computers?
    The tool is not designed to run on multiple computers. You must script the running of the Enterprise Scan Tool on each computer. Then, you have to consolidate the output data from multiple computers into a database or another format for reporting or compliance checking. If you use SMS for security update detection, you can download a version that is compatible with SMS. To obtain this version, visit the following Microsoft Web site:
  • Can I obtain sample code from Microsoft?
    The readme file for each Enterprise Scan Tool release contains sample XML output. Any scripting language that can run command-line programs can run an Enterprise Scan Tool. However, Microsoft does not provide sample code for automating the Enterprise Scan Tool so that it can scan multiple computers and aggregate the reporting from those computers.
  • What are common errors, and how do I troubleshoot?
    The readme file documents the common errors and the ways to troubleshoot. You can resolve the most common errors by reviewing and by complying with the system requirements that are described in the readme file. The tool creates a log file that you can use to troubleshoot errors.

FAQ for the System Management Server version of the Enterprise Scan Tool

  • Where do I obtain the tool?
    A System Management Server (SMS) version of the tool is available from the SMS Web site for each release cycle. SMS lets you run multiple scan tools together in the same SMS package.
  • How does the tool integrate with SMS?
    The installer for the SMS version lets the SMS administrator install the tool on the SMS site server. The installer also lets the SMS administrator automatically update the SMS package for the new scanning content. SMS runs the scan on a schedule and consumes the results in a way that is similar to the other tools that are used by SMS. These tools include the Security Update Inventory Tool, the Office Inventory Tool for Updates, and other tools.
  • How do I use the SMS Distribute Software Updates Wizard to approve the updates into SMS?
    After the scan occurs, the inventory automatically appears in SMS. The administrator can then approve the updates for deployment, configure command-line options, and implement enforcement schedules.
  • Do people understand the URL for locating the deployment updates?
    Whenever it is possible, the URL for the update package is provided so that the Distribute Software Updates Wizard can automatically obtain the update and then include it in the SMS package. Occasionally, these locations cannot be provided at the same time as the release. Therefore, a manual method must be used. The documentation in the bulletin, on the Microsoft Web site, or in the Microsoft Download Center provides instructions.
  • What are the special issues that I should worry about when I use an Enterprise Scan Tool?
    Occasionally, the Enterprise Scan Tool provides detection for updates that can also be detected by the Security Updates Inventory Tool or by the Office Inventory Tool for Updates. In these rare cases, the Distribute Software Updates Wizard should be used to approve only one of the updates. Also, the data that is provided by these existing tools should be preferred over the results from the Enterprise Scan Tool. This data lets you manage computer restarts by grouping many updates into the least number of packages.
  • How are multiple packages or computer restarts handled?
    The SMS agent processes all the updates that are contained in the same SMS deployment package. The SMS agent automatically chains the updates together so that the computer only has to be restarted one time after the updates are installed. If an update is approved in the Security Update Inventory Tool, and a different update is approved in the SMS version of the Enterprise Scan Tool, you cannot consolidate the number of computer restarts. That is why you should prefer the standard SMS tools to the Enterprise Scan Tool when the Enterprise Scan Tool offers overlapping detection.
  • Where can I obtain support?
    Support is provided through the same channels as all SMS product support issues.
  • What are common errors?
    A technical FAQ is provided on the Microsoft Systems Management Server Web site. Common errors include the following:
    • Using incorrect command-line switches on updates.
    • Downloading the wrong update when you try to perform the manual download procedure.
    For more information, visit the following Microsoft Web site:

FAQ for known issues

  • Why does my Results.xml report say "No checks apply to this system"?
    You may receive the following message if none of the vulnerable products that are listed in bulletins MS05-004, MS05-006, and MS05-009 are installed on this system, or if you are running the tool on an operating system that is not listed in the bulletin: "No checks apply to this system." You receive this message when the combination of operating system and service pack is not supported or not vulnerable.

    Important: You must verify that you are running an operating system that is supported if you receive this message. You may have vulnerable products installed that are not updated by the tool if you are running an operating system that is not supported by the tool.
  • Why is the tool not producing output?
    Make sure that the client computer meets all the prerequisites that are listed in the "Limitations" section.

Modification Type: Major
Last Reviewed: 10/10/2006
Keywords:kbUpdate kbSecurity kbhowto KB894193 kbAudEndUser