Windows cab file usage

When performing its scanning scripts, Cyberwatch will sometimes require the upload of a file containing updates dependencies provided by Microsoft known as wsusscn2.cab.

This file offers the possibility to launch a Windows Update analysis in an offline way.

The cab file contains information about most patches for Windows and Microsoft applications distributed through Windows Update.

The main challenge regarding using this file for analysis is its size. It currently weighs more than 900 MB, therefore distributing this file on every asset can be a complex task.

Assets on which a WUA analysis is recommended

Analyses using WUA (Windows Update Agent) bring useful information on available Microsoft KBs for some assets.

The analysis of Windows assets responding to some specific configurations requires WUA to be complete. This is the case for Windows assets that respond to at least one of these conditions:

• old server systems, Windows Server 2012 or anterior;
• old desktop systems, Windows 7 or anterior;
• any Windows system on which a Microsoft application was installed by MSI and for which updates are handled by KB.

Conditions under which the cab file is required for Cyberwatch scans

Cyberwatch analyses only require the cab file to scan some specific configurations of Windows assets. This file transfer, when it is necessary, does not depend on the scanning method used (with agent, agentless, air gap).

The cab file is only necessary to scan assets that do not have access to Internet or for which a Windows Update analysis is not possible.

In case the WUA analysis is not possible and the cab file transfer is not desirable or also impossible, this will result in:

• for older systems, incomplete analysis of missing KBs related to the operating system or Microsoft applications;
• for recent systems with Microsoft applications, incomplete analysis of missing KBs related to these applications.

Cab file location

Scans with agent or in agentless mode

In case of an analysis using the agent or an agentless connection, the cab file will be saved in the directory C:\Windows\System32\config\systemprofile\AppData\Roaming\Cyberwatch.

Air gap scans

For air gap analyses, the Cyberwatch interface offers an option to “Download offline Windows analysis file”. This option will download the Microsoft cab file for use with air gap analyses.

Execution of the WUA script with cab file up to the user’s choice, and will ensure a complete system analysis for previously mentioned cases.

Disabling the cab file transfer in Cyberwatch

Disabling the cab file transfer on one or several assets can be done using scanning policies, by disabling the execution of the Windows vulnerabilities scan with WUA.

Disabling this transfer requires the activation of the custom analyses feature.

Here is a step by step example procedure to disable the Windows vulnerabilities scan with WUA on some assets:

1. Create a scanning policy, from the view Settings > Scanning policies by clicking on the button Add.
2. Define the name and the authorized analysis period.
3. In the “Analysis scripts” section, click on the button “Add a custom analysis”.
4. Select “Windows vulnerabilities scan with WUA” as the analysis.
5. Define the period to “Never”.
6. Click on the button “Save”

Once assigned to your assets, this policy will disable the execution of the analysis script responsible for the cab file transfer.

Please, see the scanning policies documentation for more details about scanning policies.