Plugin Updates

Before any plugin updates occur, Tenable Agent performs an initial plugin download from its linked manager (Tenable Vulnerability Management or Tenable Nessus Manager).

Tenable Nessus Manager — The agent performs the initial plugin download upon successfully linking to Tenable Nessus Manager.
Tenable Vulnerability Management — The agent performs the initial plugin download when the agent receives its first scan job or when you assign the agent a triggered scan.

After the initial plugin download, Tenable Agent keeps its plugin set current by checking its linked manager (Tenable Vulnerability Management or Tenable Nessus Manager) for updates. The agent checks for plugin updates no less than every 24 hours since the previous update.

Differential vs. Full Updates

When the agent successfully checks in with the manager, it performs either a differential or a full update depending on the linked manager and the age of the current plugin set.

Linked Manager	Differential Update	Full Update
Tenable Vulnerability Management	The agent performs a differential update when any of the agent plugin sets are 15 days or less behind the Tenable Vulnerability Management plugin sets.	The agent performs a full plugin update at scan time for any required plugin set only if the agent has no plugins at all for that plugin set (that is, the plugin set is completely absent). If the agent already has plugins for the required plugin set — even if those plugins are outdated — the agent does not perform a scan-time update; it receives plugin updates through the regular check-in process instead. For this reason, when you perform an agent vulnerability or inventory collection scan before the agent has completed its initial plugin download, expect the scan to use more bandwidth than subsequent vulnerability or inventory scans. The agent also performs a full plugin update when any of the agent plugin sets are more than 15 days behind the Tenable Vulnerability Management plugin sets.
Tenable Nessus Manager	The agent performs a differential plugin update when the agent plugin set is 5 days or less behind the Tenable Nessus Manager plugin set.	The agent performs a full plugin update when the agent plugin set is more than 5 days behind the Tenable Nessus Manager plugin set.

Linked Manager

Differential Update

Full Update

Tenable Vulnerability Management

The agent performs a differential update when any of the agent plugin sets are 15 days or less behind the Tenable Vulnerability Management plugin sets.

The agent performs a full plugin update at scan time for any required plugin set only if the agent has no plugins at all for that plugin set (that is, the plugin set is completely absent).

If the agent already has plugins for the required plugin set — even if those plugins are outdated — the agent does not perform a scan-time update; it receives plugin updates through the regular check-in process instead. For this reason, when you perform an agent vulnerability or inventory collection scan before the agent has completed its initial plugin download, expect the scan to use more bandwidth than subsequent vulnerability or inventory scans.

The agent also performs a full plugin update when any of the agent plugin sets are more than 15 days behind the Tenable Vulnerability Management plugin sets.

Tenable Nessus Manager

The agent performs a differential plugin update when the agent plugin set is 5 days or less behind the Tenable Nessus Manager plugin set.

The agent performs a full plugin update when the agent plugin set is more than 5 days behind the Tenable Nessus Manager plugin set.

Connectivity and Retry Logic

If the agent attempts to update but cannot connect to the plugin feed (due to network issues or feed availability), it employs an exponential retry strategy:

The agent attempts to update.
If the connection fails, the agent retries repeatedly over a 24-hour period, increasing the wait time between attempts (for example, 30 seconds, 60 seconds, 90 seconds).
If the agent cannot connect after 24 hours of retry attempts, it reverts to checking once every 24 hours.