Review: Microsoft Baseline Security Analyzer

  • Comments posted to this topic are about the content posted at

  • I have found that the tool will sometimes return a false negative. After using the tool to find the missing patches, I have applied the patch and re-run the scan. It will still report that the patch I just installed is missing.

    Because of the false negatives and some of the other unalterable parameters (e.g., No more than two administrators), I don't get my servers to "pass" inspection. I use it to establish the baseline and then analyze the results to determine our acceptable levels.

    I agree with you that the security patch notification service is a life-saver. It's sometimes scary when you receive a flood of notifications, but better to know than not.

    Steve Hendricks
    Data Matrix
    (949) 588-9800 x15

  • Hadn't noticed that, but I didn't try to apply the patches. Still trying to get a handle on the servers here.

    Which patch failed?

    Steve Jones

  • I have also installed all patches and rerurn tool.But I got the same warnings.In my case , patches were :8.00.0578,8.00.0608,8.00.0636,8.00.0650,8.00.0655

  • There has been a bit of traffic off and on in the Usenet group of false positives. I don't see any recently, but then again, traffic on that group is rather light. Most of the comments are from the early-mid June timeline.

    The report from Microsoft is they should be corrected in version 1.1. I believe there is also an issue for some users specifying the .xml file instead of the .cab file if you don't autodownload.

    K. Brian Kelley

    K. Brian Kelley

  • I also find few false negatives, but even positives. The more you use custom setting of security in registry / filesystem / group policies, the higher possibility of misses.

    I am very disappointed by combination of these tools: hfnetchk, windows update and MBSA. Many times I found "no problems - OK" using windows update - well, even Microsoft says it is not suited for servers, but... And I found in the meantime that hfnetchk is alerting about some problems - I applied some fixes, but in final I realized that security analyzer misses 5 hotfixes. Who the hell must know what hotfixes I miss except MS? The tools above all have problem with localized software (czech version windows, english version SQL server and combinations alike...)

    Plug & Play, Hotfix & Pray, Update & Hope


  • Amazing. I was just starting to use this to get a feel for my new environment and, while not perfect, it handled a number of my needs. I guess it's some custom code for me.

    Steve Jones

  • Keep in mind, MBSA is built upon a customized version of HFNetChk. So it will show similar issues to HFNetChk.

    None of these tools are intended as a catch all. They are to give a sysadmin a good idea what's going on. Hence the need for an old concept: server logs.

    K. Brian Kelley

    K. Brian Kelley

  • It's a good start for MS but they still have alot of work to do. We have been using this and hfnetcheck for a while now... I have seen the false positive issue quite a bit, very annoying... hope they fix it soon.

    The other major dislike is the fact that you have to be sysadmin to run the tool. It's due to the fact that the tool doesn't check for any vulnerabilities, it just checks for the patches. If you want to perform a REAL security scan you need to check for the holes, not the plugs. If this tool sparks your security interest I would suggest trying out a real tool like Nessus.

Viewing 9 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic. Login to reply