ross bellinger

I've been performing a few tests comparing the speed at which MBSA
performs a scan with the speed at which MBSACLI can perform it scan. I'm
noticing that the full GUI version MBSA is much faster at performing a scan
against a remote computer. In my tests against the same machine under the
same network conditions MBSA is completing its scan within 2 minutes,
however when doing the same scan with MBSACLI (both by windows network name
and by IP address) I'm seeing the scans take around 8 minutes. MBSA (seems
to me) is roughly 4 times faster than the command line version.

In both cases I've done complete scans, as far as I can tell I'm using
each tool to do the same thing in the same way. Are there any suggestions


shocked by the wait time for the results.

Thanks.

doug neal [msft]

Thank you for writing to us concerning MBSA!

Although you didn't indicate the command-line options you used for your
MBSACLI attempts, it's likely that the performance difference is due to the
fact that MBSACLI - by default - performs checksum checking, which MBSA (the
GUI) does not. This checksum checking affords an even more stringent
confirmation that the applied patch files are the authorized versions from
Microsoft.

Since MBSA (the GUI) does not perform checksum checking, there is a
significantly less network traffic and detection checks that are performed
when using MBSACLI. This difference is do***ented both in the help file and
briefly in the command-line help (using MBSACLI /?)

The MBSA V1.2 graphical interface default parameters are:
For scans: /nosum
For reports: /v

I suspect it's the checksum (/sum, /nosum) difference that accounts for this
performance difference. I hope that helps..

--


Doug Neal [MSFT]
dugn@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for the Microsoft Baseline
Security ****yzer (MBSA) at the following link:
http://support.microsoft.com/default.aspx?scid=fh;en-us;Prodoffer20a

This e-mail address does not receive e-mail, but is used for newsgroup
postings only.

cam

If you use SUS, and have approved just the patches that are relevant to your
environment, then using "mbsacli /sus http://yoursussserver" further reduces
network traffic, hence speeding it up. It appears (from my tests and netmon
traffic) that "/nosum" is the default if "/sus" is used with mbsacli.
Typical stats I see against a WinXP Pro SP1 box at present (with /n
os+Password+SQL+IIS)
mbsacli => 90MB
mbsacli /sus /sum => 35MB
mbsacli /sus => 5MB

You can reduce this even further if you make a custom mssecure.xml file. If,
for example, you're just trying to figure out who hasn't installed MS04-025
yet, just edit the mssecure.xml file and remove all the bulletins from
MS04-024 back. Then set the xml file read-only so that mbsacli doesn't
over-write it. (Don't forget to remove the read-only flag when you're
finished. Since you're doing this with automated tools, you should be able
to script the modifying resetting of the xml file)

Good luck
Cam