MORE INFORMATION

Use the Enterprise Scan Tool

The Enterprise Scan Tool that is specific to each security bulletin release cycle may have its own command-line switches and XML output schema. The following steps apply to all Enterprise Scan Tool releases. To use the tool, follow these steps:

1. Run the package that you obtained from the Download Center or from Microsoft Product Support.
2. When you are prompted to specify a location to extract the files to, specify a location.
   

In the folder where you extracted the files, you can see the following files:

1. • Readme.rtf
   • Updatescan.exe
   • Updatescan.xml
2. Run the Updatescan.exe file by using the command-line switches that are described in the readme file. This file is packaged with the Enterprise Scan Tool.
   

The Enterprise Scan Tool releases are associated with certain bulletins during an MSRC release cycle. These command-line switches may differ for different Enterprise Scan Tool releases. Always see the readme file that is associated with the Enterprise Scan Tool release for the latest information.

1. To see the results of the scan, review the log that is created by using an optional switch. Then, review the Results.xml file.
   

The log is written to the current working directory. However, the Results.xml file is written to the folder that the tool is run from. The XML output schema may be different for different Enterprise Scan Tool releases. For more information, see the "Analyze the tool output" section of the readme file that is associated with the Enterprise Scan Tool release.

Available Enterprise Scan Tools

October 9, 2007 Enterprise Scan Tool (MS07-056)

To obtain the October 9, 2007 Enterprise Scan Tool (MS07-056), visit the following Microsoft Web site:

September 11, 2007 Enterprise Scan Tool (MS07-052, MS07-053)

To obtain the September 11, 2007 Enterprise Scan Tool (MS07-052, MS07-053), visit the following Microsoft Web site:

August 14, 2007 Enterprise Scan Tool (MS07-043, MS07-047, MS07-049, MS07-050)

To obtain the August 14, 2007 Enterprise Scan Tool (MS07-043, MS07-047, MS07-049, MS07-050), visit the following Microsoft Web site:

July 10, 2007 Enterprise Scan Tool (MS07-040)

To obtain the July 10, 2007 Enterprise Scan Tool (MS07-040), visit the following Microsoft Web site:

June 12, 2007 Enterprise Scan Tool (MS07-034)

To obtain the June 12, 2007 Enterprise Scan Tool (MS07-034), visit the following Microsoft Web site:

May 8, 2007 Enterprise Scan Tool (MS07-028)

To obtain the May 8, 2007 Enterprise Scan Tool (MS07-028), visit the following Microsoft Web site:

February 13, 2007 Enterprise Scan Tool (MS07-005, MS07-009, MS07-012)

To obtain the February 13, 2007 Enterprise Scan Tool (MS07-005, MS07-009, MS07-012), visit the following Microsoft Web site:

January 9, 2007 Enterprise Scan Tool (MS07-004)

To obtain the January 9, 2007 Enterprise Scan Tool (MS07-004), visit the following Microsoft Web site:

December 12, 2006 Enterprise Scan Tool (MS06-073, MS06-076, MS06-077, MS06-078)

To obtain the December 12, 2006 Enterprise Scan Tool (MS06-073, MS06-076, MS06-077, MS06-078), visit the following Microsoft Web site:

November 14, 2006 Enterprise Scan Tool (MS06-069)

To obtain the November 14, 2006 Enterprise Scan Tool (MS06-069), visit the following Microsoft Web site:

October 10, 2006 Enterprise Scan Tool (MS06-056)

To obtain the October 10, 2006 Enterprise Scan Tool (MS06-056), visit the following Microsoft Web site:

September 26, 2006 Enterprise Scan Tool (MS06-055)

To obtain the September 26, 2006 Enterprise Scan Tool (MS06-055), visit the following Microsoft Web site:

August 8, 2006 Enterprise Scan Tool (MS06-043)

To obtain the August 8, 2006 Enterprise Scan Tool (MS06-043), visit the following Microsoft Web site:

July 11, 2006 Enterprise Scan Tool (MS06-033)

To obtain the July 11, 2006 Enterprise Scan Tool (MS06-033), visit the following Microsoft Web site:

June 13, 2006 Enterprise Scan Tool (MS06-023, MS06-024)

To obtain the June 13, 2006 Enterprise Scan Tool (MS06-023, MS06-024), visit the following Microsoft Web site:

May 9, 2006 Enterprise Scan Tool (MS06-020)

To obtain the May 9, 2006 Enterprise Scan Tool (MS06-020), visit the following Microsoft Web site:

April 11, 2006 Enterprise Scan Tool (MS06-014, MS06-016, MS06-017)

To obtain the April 11, 2006 Enterprise Scan Tool (MS06-014, MS06-016, MS06-017), visit the following Microsoft Web site:

February 14, 2006 Enterprise Scan Tool (MS06-005)

To obtain the February 14, 2006 Enterprise Scan Tool (MS06-005), visit the following Microsoft Web site:

October 11, 2005 Enterprise Scan Tool (MS05-044, MS05-050)

To obtain the October 11, 2005 Enterprise Scan Tool (MS05-044, MS05-050), visit the following Microsoft Web site:

June 14, 2005 Enterprise Scan Tool (MS05-029, MS05-030, MS05-031, MS05-033, MS05-034)

To obtain the June 14, 2005 Enterprise Scan Tool (MS05-029, MS05-030, MS05-031, MS05-033, MS05-034), visit the following Microsoft Web site:

April 12, 2005 Enterprise Scan Tool (MS05-022, MS05-023)

To obtain the April 12, 2005 Enterprise Scan Tool (MS05-022, MS05-023), visit the following Microsoft Web site:

February 8, 2005 Enterprise Scan Tool (MS05-004, MS05-006, MS05-009)

To obtain the February 8, 2005 Enterprise Scan Tool, visit the following Microsoft Web site:

October 12, 2004 Enterprise Scan Tool (MS04-028)

To obtain the October 12, 2004 Enterprise Scan Tool (MS04-028), visit the following Microsoft Web site:

Analyze the Results.xml file

This file is located in the folder on the computer where you run the scan tool. You can use the Results.xml file to aggregate data about updates across an enterprise. In particular, the Status field indicates whether a particular update is applicable or installed. If an update is labeled as applicable, the security update is required and is not installed. If the update is labeled as installed, the security update is installed and is present on the destination computer. The format of the output resembles the following. Any change to the output format in a future release would be documented.

<ScanResults>
   <ScanDateTime>9/16/2004 2:40:30 PM</ScanDateTime>
   <XMLDataVersion>2004.12.14.0</XMLDataVersion>
   <ScannedBy>COMPUTER_A \ SYSTEM</ScannedBy>
   <Machine>
      <MachineName>COMPUTER_A</MachineName>
      <Domain>MYDOMAIN</Domain>
      <Product>
         <ProductName>WINDOWS 2000 ADVANCED SERVER</ProductName>
         <Item>
            <LocaleID>1033</LocaleID>
            <ItemClass>Patch</ItemClass>
            <BulletinID>MS0x-00x</BulletinID>
            <BulletinTitle>Buffer Overrun Could Allow Code Execution (999999)</BulletinTitle>
            <SQNumber>999999</SQNumber>
            <BulletinUrl>http://www.microsoft.com/technet/security/bulletin/MS0x-00x.mspx</BulletinUrl>
            <DownloadURL>n/a</DownloadURL>
            <Description></Description>
            <Status>Applicable</Status>
            <ItemType></ItemType>
            <DatePosted></DatePosted>
            <DateRevised></DateRevised>
            <UnattendSyntax>/q /z</UnattendSyntax>
         </Item>
      </Product>
   </Machine>
</ScanResults>

Consolidate the output data from multiple computers

Enterprise customers may want to consolidate the output data from multiple computers into an easy-to-read report, a database, or another format for reporting or compliance checking. Because of diverse customer requirements, Microsoft does not provide a centralized reporting solution with the tool. However, you can import the XML files that are saved by the scan tool into a database for centralized reporting.

Uninstall the Enterprise Scan Tool

To uninstall the tool from client computers, delete the folder that you used when you originally installed the tool.

Limitations

• You must run the Enterprise Scan Tool under an account that has local administrative rights or system context.
• This tool has been tested only on products and configurations that are supported. If you run the tool on an operating system that is not supported, you receive the following message:

  No checks apply to this system

• This tool produces results in English. However, detection capability is provided for each language that is affected by the monthly updates that are released.
• This tool performs local scans.
• This tool does not provide detection for third-party applications that may use a vulnerable version of the component that is affected.
• Any modification or customization of the tool or the detection manifest is not permitted under Microsoft Software License Terms.
  
  Note The detection manifest is the XML file.
• The tool has been tested only on operating systems that are supported and with the versions of the affected products that are supported. The tool may report inaccurate information or may not report information about products that are not supported. For more information about product versions that are supported, visit the following Microsoft Web site:

  http://www.microsoft.com/windows/lifecycle/default.mspx

• Microsoft XML Parser (MSXML) 3.0 must be present on any computer where you run the tool. MSXML 3.0 is installed by Microsoft Internet Explorer 6 and by Internet Explorer 6 Service Pack 1. MSXML 3.0 is also part of Microsoft Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  269238 List of Microsoft XML Parser (MSXML) versions

Frequently asked questions

General FAQ

• What is the Enterprise Scan Tool?
  
  As part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool for the bulletins in an MSRC release cycle that cannot be detected by the Microsoft Baseline Security Analyzer (MBSA) or the Office Detection Tool (ODT). This stand-alone tool is referred to as the Enterprise Scan Tool (EST). This tool is designed for enterprise administrators. When a detection tool is created for a specific bulletin, customers can run the tool at a command prompt and then view the results of the XML output file. Detailed documentation is provided with the tool. There is also a version of the tool that System Management Server (SMS) customers can obtain that offers an integrated experience for SMS administrators.
• Why does this tool exist?
  
  Microsoft delivers this tool for certain bulletins in an MSRC release cycle that cannot be detected by the MBSA or the ODT. Each tool is specific to an MSRC release cycle.
• Will the tool be updated every time? Will the tool stay the same? And will new XML be published?
  
  No. Each Enterprise Scan Tool is a stand-alone tool that is associated with a specific MSRC release cycle. Enterprise Scan Tools are only created when the MBSA or the ODT do not offer detection for a bulletin. If the MBSA or the ODT can detect the bulletin, an Enterprise Scan Tool is not released for that bulletin. The XML output schema and the tool are intertwined. Command-line switches may be different for different Enterprise Scan Tools. Therefore, customers must download the Enterprise Scan Tool that is associated with each MSRC release cycle.
• How long does Microsoft plan to support the tool?
  
  The Enterprise Scan Tool is part of the Microsoft commitment to provide detection tools for bulletin-class security updates. The tool is used when the MBSA or the ODT do not offer detection. In the future, the security update infrastructure will be consolidated on Microsoft Windows Update Server. Eventually, Microsoft will be able to offer full detection by using the Microsoft catalog across all scan tools that use the Windows Update Server infrastructure. These tools include the MBSA version 2.0, Microsoft Operations Manager (MOM), and the Microsoft Systems Management Server 2003 Inventory Tool for Microsoft Updates. When the Microsoft catalog is fully populated, there will no longer be a need for the Enterprise Scan Tool.
• Why do the MBSA and the ODT not detect this update?
  
  The MBSA and the ODT may not offer full detection for certain bulletins in an MSRC release cycle. Full detection may not be available because of a limitation of the detection engine or because the product that is affected is not supported by the MBSA or the ODT. We are working to resolve this issue in future versions of the MBSA through the Windows Update Server infrastructure. In the meantime, the Enterprise Scan Tool is designed to complement the MBSA and the ODT for security update detection. Whenever MBSA or ODT cannot offer detection, we plan to release an Enterprise Scan Tool.
• How do I obtain support for the Enterprise Scan Tool?
  
  The Enterprise Scan Tool is supported through Microsoft Product Support Services (PSS). To contact Microsoft PSS, visit the following Microsoft Web site:

  http://support.microsoft.com/default.aspx?scid=fh;[LN;CNTACTMS]

• How is the Enterprise Scan Tool different from the MBSA?
  
  The Enterprise Scan Tool complements the scanning ability of the MBSA. An Enterprise Scan Tool is only released when the MBSA or the ODT cannot detect certain bulletins in an MSRC release cycle. The MBSA is designed for the information technology generalist and is designed with an easy-to-use interface. The MBSA also has built-in reporting capabilities and offers cumulative security update scanning. An Enterprise Scan Tool can only be used for specific bulletins. This tool does not provide a user interface for reporting. The Enterprise Scan Tool is designed for use by enterprise administrators within a scripting solution or with SMS.
• How do I verify that all updates have been applied to a computer?
  
  After you run the tool to detect the updates that you need, and after the updates are installed, run the tool again to verify that the updates are installed. The Results.xml file should contain the following information when all the updates that are applicable are successfully installed on the computer:

  No missing updates detected

  Note If an update requires that you restart the computer, the tool only indicates that the update is installed after you restart the computer.

FAQ for the bulletin-specific versions of the Enterprise Scan Tool

• Where do I obtain the tool?
  
  Links to the download center are provided in the MSRC bulletins that an Enterprise Scan Tool applies to.
• What are the command-line switches for the tool?
  
  Each Enterprise Scan Tool release may have different command-line switches. The command-line switches that are available for each Enterprise Scan Tool release are documented in the readme file for each release.
• How do I use the stand-alone tool on one computer?
  
  You run the Enterprise Scan Tool at a command prompt, and you use the appropriate switches if any apply. The XML output has to be parsed to determine whether a computer is missing an important update.
• How do I interpret the output?
  
  The schema of the XML output file may change from one Enterprise Scan Tool release to the next. You must see the readme file for each Enterprise Scan Tool release for guidance on how to interpret output. Generally, if the XML output indicates that an update is applicable, the update that is referenced is not installed and is required. If the XML output indicates that the update is installed, the update is installed.
• Can I use the tool on multiple computers?
  
  The tool is not designed to run on multiple computers. You must script the running of the Enterprise Scan Tool on each computer. Then, you have to consolidate the output data from multiple computers into a database or another format for reporting or compliance checking. If you use SMS for security update detection, you can download a version that is compatible with SMS. To obtain this version, visit the following Microsoft Web site:

  http://technet.microsoft.com/en-us/sms/bb676766.aspx

• Can I obtain sample code from Microsoft?
  
  The readme file for each Enterprise Scan Tool release contains sample XML output. Any scripting language that can run command-line programs can run an Enterprise Scan Tool. However, Microsoft does not provide sample code for automating the Enterprise Scan Tool so that it can scan multiple computers and aggregate the reporting from those computers.
• What are common errors, and how do I troubleshoot?
  
  The readme file documents the common errors and the ways to troubleshoot. You can resolve the most common errors by reviewing and by complying with the system requirements that are described in the readme file. The tool creates a log file that you can use to troubleshoot errors.

FAQ for the Microsoft System Management Server version of the Enterprise Scan Tool

• Where do I obtain the tool?
  
  A System Management Server (SMS) version of the tool is available from the SMS Web site for each release cycle. SMS lets you run multiple scan tools together in the same SMS package.
• How does the tool integrate with SMS?
  
  The installer for the SMS version lets the SMS administrator install the tool on the SMS site server. The installer also lets the SMS administrator automatically update the SMS package for the new scanning content. SMS runs the scan on a schedule and consumes the results in a way that resembles the other tools that are used by SMS. These tools include the Security Update Inventory Tool, the Office Inventory Tool for Updates, and other tools.
• How do I use the SMS Distribute Software Updates Wizard to approve the updates into SMS?
  
  After the scan occurs, the inventory automatically appears in SMS. Then, the administrator can approve the updates for deployment, configure command-line options, and implement enforcement schedules.
• Do people understand the URL for locating the deployment updates?
  
  Whenever it is possible, the URL for the update package is provided so that the Distribute Software Updates Wizard can automatically obtain the update and then include it in the SMS package. Occasionally, these locations cannot be provided at the same time as the release. Therefore, a manual method must be used. The documentation in the bulletin, on the Microsoft Web site, or in the Microsoft Download Center provides instructions.
• What are the special issues that I should worry about when I use an Enterprise Scan Tool?
  
  Occasionally, the Enterprise Scan Tool provides detection for updates that can also be detected by the Security Updates Inventory Tool or by the Office Inventory Tool for Updates. In these rare cases, the Distribute Software Updates Wizard should be used to approve only one of the updates. Also, the data that is provided by these existing tools should be preferred over the results from the Enterprise Scan Tool. This data lets you manage computer restarts by grouping many updates into the least number of packages.
• How are multiple packages or computer restarts handled?
  
  The SMS agent processes all the updates that are contained in the same SMS deployment package. The SMS agent automatically chains the updates together so that the computer only has to be restarted one time after the updates are installed. If an update is approved in the Security Update Inventory Tool, and a different update is approved in the SMS version of the Enterprise Scan Tool, you cannot consolidate the number of computer restarts. That is why you should prefer the standard SMS tools to the Enterprise Scan Tool when the Enterprise Scan Tool offers overlapping detection.
• Where can I obtain support?
  
  Support is provided through the same channels as all SMS product support issues.
• What are common errors?
  
  A technical FAQ is provided on the Microsoft Systems Management Server Web site. Common errors include the following:
  • Using incorrect command-line switches on updates.
  • Downloading the wrong update when you try to perform the manual download procedure.

  For more information, visit the following Microsoft Web site:

  http://www.microsoft.com/smserver/

FAQ for known issues

• Why does my Results.xml report say "No checks apply to this system?"
  
  You may receive the following message if the vulnerable products that are listed in bulletins MS05-004, MS05-006, and MS05-009 are not installed on this system. Or you may receive the following messsage if you are running the tool on an operating system that is not listed in the bulletin:

  No checks apply to this system.

  You receive this message when the combination of operating system and service pack is not supported or not vulnerable.
  
  

  Important You must verify that you are running an operating system that is supported if you receive this message. You may have vulnerable products installed that are not updated by the tool if you are running an operating system that is not supported by the tool.
• Why is the tool not producing output?
  
  Make sure that the client computer meets all the prerequisites that are listed in the "Limitations" section.