Configuring Exceptions in the MBSA Management Pack

You can configure exceptions for security vulnerability and patch scanning by:

  • Disabling rules for specific security vulnerabilities.

  • Configuring the MBSA Patch Scan Parser script to exclude specific security patches.

  • Configuring overrides to exclude specific computers from scanning.

Disabling Rules for Specific Security Vulnerabilities

The MBSA Management Pack includes rules that check for specific vulnerabilities related to:

  • Internet Explorer

  • Internet Information Services

  • SQL Server

  • Windows Operating System

The Management Pack includes a rule group for each of these technologies. You can exclude monitoring for any of the specific vulnerabilities by disabling the associated rule within one of these rule groups.

To disable a rule for a specific security vulnerability:

  1. In the MOM Administrator console, navigate to the desired rule within the MBSA Management Pack.

  2. Right-click the rule and click Properties.

  3. On the General tab, clear This rule is enabled.

Note

After making changes to rules, you can apply the changes immediately by right-clicking on the Management Packs node and clicking Commit Configuration Change.

Configuring the MBSA Patch Scan Parser Script to Exclude Specific Security Patches

You can exclude specific security patches from the MBSA scanning results by adding the BulletinID of each patch to the ExcludeList script parameter. To determine the BulletinID of a security patch, view the Microsoft Knowledge Base article associated with the security bulletin. The following is an example of a BulletinID: MS04-011.

To exclude specific security patches:

  1. In the MOM Administrator console, navigate to the following rule: Microsoft Baseline Security Analyzer\Baseline Security Analyzer 1.2\MOM Agent\Event Rules\Process patch scan results.

  2. Right-click on this rule, and click Properties.

  3. On the Responses tab, highlight the MBSA Patch Scan Parser script and click Edit.

  4. In the Script parameters box, highlight ExcludeList and click Edit Parameter.

  5. In the Edit Script Parameter dialog box, enter the BulletinID of the security patch. Separate multiple BulletinIDs with commas.

  6. Click OK, click OK, and then click Apply.
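The ExcludeList value is a flat comma-separated string, so it is worth seeing what the parser has to tolerate (spaces after commas, a trailing comma, lower-case IDs) and what a typo in one ID does to the scan output. The following Python is an added illustration of that exclusion logic, not the MBSA Patch Scan Parser script itself (which is not reproduced on this page); the record layout of the scan results and the function names are assumptions made for the example, and the sample results are constructed.

```python
import re

# BulletinIDs have the shape MS04-011: "MS", two-digit year, dash, three-digit sequence.
BULLETIN_ID_RE = re.compile(r"^MS\d{2}-\d{3}$")

# Constructed sample scan results; the real parser's record layout is not shown on the page.
SAMPLE_RESULTS = [
    {"computer": "SRV01", "bulletin_id": "MS04-011", "status": "missing"},
    {"computer": "SRV01", "bulletin_id": "MS04-012", "status": "missing"},
    {"computer": "WKS07", "bulletin_id": "ms04-011", "status": "missing"},
    {"computer": "WKS07", "bulletin_id": "MS03-039", "status": "installed"},
]


def parse_exclude_list(raw):
    """Turn a comma-separated ExcludeList value into a set of normalized IDs.

    Whitespace around entries and lower-case input are tolerated. A token that
    does not look like a BulletinID raises, so a typo such as "MS04-11" cannot
    silently exclude nothing (the patch keeps alerting) or the wrong thing.
    """
    ids = set()
    for token in raw.split(","):
        token = token.strip().upper()
        if not token:  # tolerate a trailing comma or an empty entry
            continue
        if not BULLETIN_ID_RE.match(token):
            raise ValueError(f"not a BulletinID: {token!r}")
        ids.add(token)
    return ids


def apply_exclusions(results, exclude_list):
    """Split scan results into those still reported and those suppressed by ExcludeList."""
    excluded_ids = parse_exclude_list(exclude_list)
    reported, suppressed = [], []
    for rec in results:
        # Compare case-insensitively so "ms04-011" in a result matches "MS04-011" in the list.
        if rec["bulletin_id"].upper() in excluded_ids:
            suppressed.append(rec)
        else:
            reported.append(rec)
    return reported, suppressed


def missing_by_computer(results):
    """Summarize which bulletins are still missing per computer after exclusions."""
    summary = {}
    for rec in results:
        if rec["status"] == "missing":
            summary.setdefault(rec["computer"], []).append(rec["bulletin_id"].upper())
    return summary


if __name__ == "__main__":
    reported, suppressed = apply_exclusions(SAMPLE_RESULTS, "MS04-011, ms03-039,")
    print("suppressed:", [r["bulletin_id"] for r in suppressed])
    print("still missing:", missing_by_computer(reported))
```

Note what an exclusion actually means for the operator: the patch is still missing on the computer, it just stops being reported. Keeping the suppressed records (rather than discarding them) lets you audit which gaps the exclusion list is hiding.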

Configuring Overrides to Exclude Specific Computers from Scanning

You can configure rule overrides to exclude computers or computer groups from either:

  • Running the MBSA scans.

  • Running specific rules that search for specific vulnerabilities.

To exclude computers from running the MBSA scans altogether, configure rule overrides for the following rule: Microsoft Baseline Security Analyzer\Baseline Security Analyzer 1.2\MOM Agent\Event Rules\Run vulnerability and security patch scan.

To exclude computers from being scanned for specific vulnerabilities, configure rule overrides for the corresponding event rule in the MBSA Management Pack.

To configure rule overrides:

  1. In the MOM Administrator console, navigate to the desired rule.

  2. Right-click on the rule, and then click Properties.

  3. On the General tab, select Enable rule-disable overrides for this rule.

  4. Modify the override name, if desired.

  5. Click Set Criteria.

  6. In the Set Override Criteria dialog box, click Add and complete the following three steps:

    1. Specify a target computer or computer group.

    2. Select the Disable (0) value.

    3. Click OK.

  7. Repeat the previous step for each override criterion that you want to create for this rule.

  8. Click OK, and then click Apply.