Create Nessus Plugin Scans

The Nessus Plugin Scan launches an advanced Nessus scan that executes a user-defined list of plugins on the assets specified in the list of CIDRs and IP addresses.

The OT Security executes the scan on responsive assets within the designated CIDRs. However, to protect your OT devices, OT Security scans only confirmed network assets in the given range (non-PLCs). OT Security excludes assets of the type Endpoint from the scan.

Note: Tenable Nessus is an invasive tool which works best in IT environments. Tenable does not recommend Tenable Nessus for use on OT devices, as it may interfere with their normal operation.

To run a basic Nessus scan on any one asset, see Perform Asset-Specific Tenable Nessus Scan.

Note: You can run the basic scan on assets of type Endpoint.

To create a Nessus Plugin Scan:

  1. Go to Active Queries > Queries Management.

    The Active Queries Management page appears.

  2. Click the Nessus Scans tab.

  3. In the upper-right corner, click Create Scan.

    The Create Nessus Plugin List Scan panel appears.

  4. In the Name box, type a name for the Nessus scan.

  5. In the IP Ranges box, type a range of IPs or CIDRs.

  6. Click Next.

    The Plugins pane appears.

    Note: OT Security lists only those plugins that are specific to the device. Your license must be up to date to receive new Plugins. To update your license, see Update the License.

  7. In the Plugin Family Name column, select the required Plugin Families to include them in the scan. In the right column, clear the checkboxes for individual plugins as needed.

    Note: For more information about Tenable Nessus Plugin Families, see https://www.tenable.com/plugins/nessus/families.

  8. Click Save.

    The new Nessus scan appears on the Nessus Scans page.

    Note: To edit or delete an existing Tenable Nessus scan, right-click the scan, then select Edit or Delete.

 

To run a Nessus Plugin Scan:

  1. On the Nessus Scans page, do one of the following:

    • Right-click the scan, then select Run now.

    • Select the scan you want to run, then click Actions > Run now.

    The Approve Nessus Scan dialog appears.

  2. If you know there are no OT devices included in the scan, click Proceed Anyway.

    The dialog closes and OT Security saves the scan.

  3. To run the scan, right-click the scan row again and select Run now.

    The Approve Nessus Scan dialog appears again.

  4. Click Proceed Anyway.

    OT Security now runs the scan. You can pause/resume, stop, or kill scans depending on their current status.