Discussion:
2 scanning questions
Gis Bun
2009-03-24 17:39:03 UTC
Hi,

1) Is there a way to scan a range of systems but exclude certain IP addresses?

2) We have the Windows XP turned on for our network. The MBSA 2.1 always
gives an incomplete message for the systems. Without turning off the
firewall, any way of ignoring this message or bypassing?

Thanks
Mercy Dworzak [MSFT]
2009-03-26 18:51:01 UTC
Hi Gis,

Thanks for posting the issue.

1. Although there is no specific way to exclude IP addresses within an IP
address range, there are two features that can be used from the command-line
interface.
a. You can perform multiple scans using smaller IP address ranges that
work around the IP addresses you do not want to scan. In fact, you could
even script this using the /r parameter to scan each range you want to scan.
b. If IP address ranges are too tedious you could use the /listfile
option from the command-line to list the NetBIOS machine names of the
machines you want to scan.

2. When an "Incomplete Scan" error is displayed please check for the
following.
This is often the case when the C$ share and the remote registry of a target
machine are unavailable to the MBSA machine performing the scan. This
prevents MBSA 2.0 from pushing down the necessary catalog file (usually
WSUSSCN2.CAB) and potentially an updated version of the WUA client bits to
the target machine.
a. Verify firewall ports and COM+ are configured correctly on both
target and host machines.
b. The Server service, Remote Registry service, and File and Print
Sharing service must be running on the remote computer.
c. The Windows Update Agent must be installed and the Automatic
Updates service must not be disabled.

Here is some more information on firewall ports and COM+ configuration:
a. See the MBSA 2.0 FAQ under the section titled, “How can I scan a
computer that is protected by a firewall?”
b. Check and update DCOM settings on the target computer. On the
remote (target) computer, use the following steps:
• From a command prompt, type DCOMCNFG (or alternatively, open Component
Services from an MMC console)
• Expand Component Services | Computers | My Computer
• From the My Computer node, right click the ‘My Computer’ node and choose
Properties
• From the ‘Properties’ dialog, confirm the option to ‘Enable Distributed
COM on this computer’ is selected – then click OK
• From the My Computer node, expand the DCOM Config node
• Right-click the 'Windows Update Agent - Remote Access' object and select
Properties
• From the ‘Windows Update Agent – Remote Access’ Properties dialog, select
the ‘Security’ tab
• In the Security tab, choose EDIT to select each node to ensure the
appropriate workgroup or domain credentials that will be used by the scanning
MBSA 2.x machine are included in each of the 3 sections.

Hope this answers your questions.

Mercy Dworzak [MSFT]
***@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.
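
Added example (not part of the original posts, and not Microsoft's code): option 1a in the reply above, several smaller /r scans that work around the addresses to skip, worked out as a script. It assumes the MBSA command-line tool is invoked as `mbsacli` and that `/r` takes a `start-end` range; the function names and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress


def split_range(first, last, excluded):
    """Return inclusive (start, end) sub-ranges of first..last that skip `excluded`."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")

    # De-duplicate and sort the exclusions, ignoring any outside the range.
    skip = sorted({int(ipaddress.IPv4Address(ip)) for ip in excluded})
    skip = [n for n in skip if lo <= n <= hi]

    ranges = []
    cursor = lo  # first address not yet covered by a sub-range
    for n in skip:
        if n > cursor:
            ranges.append((cursor, n - 1))  # gap before this exclusion
        cursor = n + 1  # adjacent exclusions simply advance the cursor
    if cursor <= hi:
        ranges.append((cursor, hi))  # tail after the last exclusion

    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in ranges]


def mbsacli_commands(first, last, excluded):
    """Build one command line per sub-range (assumed syntax: /r start-end)."""
    return [f"mbsacli /r {a}-{b}" for a, b in split_range(first, last, excluded)]


if __name__ == "__main__":
    # Constructed sample: scan .1-.20 but leave out .5, .6 and .20.
    for line in mbsacli_commands("192.0.2.1", "192.0.2.20",
                                 ["192.0.2.5", "192.0.2.6", "192.0.2.20"]):
        print(line)
```

The printed lines can be pasted into a batch file on the scanning machine, so the exclusion list lives in one place rather than in hand-edited ranges.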
Gis Bun
2009-03-27 19:10:01 UTC
Hi Mercy.

Thanks for the answers.

A nice feature to add would be something like an exception file for IPs.
Already there for administrator accounts.

We're on a domain and we use WSUS. It gets the latest update agent when
released by MS.

Every system [other than mine where I scanned] failed because of the
firewall. Remote registry service is enabled as I can access the registries
[I did for some recently] and the F&PS is enabled as well for admins to
access the C$ shares. The firewalls on our systems are turned on [but I
didn't force by GPOs]. I'd have to check about the COM+.

Gis