Plugin Updates

Tenable Agent keeps its plugin set current by checking its linked manager (Tenable Vulnerability Management or Tenable Nessus Manager) for updates. Under normal operation, the agent checks for plugin updates approximately every 24 hours.

Event Triggered Updates

While the standard cycle is 24 hours, specific events trigger the agent to check for updates immediately:

Initial Link — The agent downloads plugins immediately upon first linking to the manager.
Service Restart — If the host server is powered down or rebooted, the agent checks for updates immediately when the agent service starts.
Wake Events — If a host device (such as a laptop) enters sleep mode, the agent checks for updates immediately upon waking or when the service resumes.

Connectivity and Retry Logic

If the agent attempts to update but cannot connect to the plugin feed (due to network issues or feed availability), it employs an exponential retry strategy:

The agent attempts to update.
If the connection fails, the agent retries repeatedly over a 24-hour period, increasing the wait time between attempts (for example, 30 seconds, 60 seconds, 90 seconds).
If the agent cannot connect after 24 hours of retry attempts, it reverts to checking once every 24 hours.

Differential vs. Full Updates

When the agent successfully connects, it performs either a differential or a full update depending on the linked manager and the age of the current plugin set.

Linked Manager	Differential Update	Full Update
Tenable Vulnerability Management	The agent performs a differential update when any of the agent plugin sets are 15 days or less behind the Tenable Vulnerability Management plugin sets.	The agent performs a full plugin update at scan time for any required plugin set if the agent does not have any plugins for that plugin set. For this reason, when you perform an agent vulnerability or inventory collection scan for the first time, expect the scan to use more bandwidth than the subsequent vulnerability or inventory scans. The agent also performs a full plugin update when any of the agent plugin sets are more than 15 days behind the Tenable Vulnerability Management plugin sets. The agent deletes unused plugin sets after a configurable amount of time (for more information, see the days_to_keep_unused_plugins advanced setting). After the amount of time passes, the agent deletes the unused plugin sets.
Tenable Nessus Manager	The agent performs a differential plugin update when the agent plugin set is 5 days or less behind the Tenable Nessus Manager plugin set.	The agent performs a full plugin update when the agent plugin set is more than 5 days behind the Tenable Nessus Manager plugin set.

Linked Manager

Differential Update

Full Update

Tenable Vulnerability Management

The agent performs a differential update when any of the agent plugin sets are 15 days or less behind the Tenable Vulnerability Management plugin sets.

The agent performs a full plugin update at scan time for any required plugin set if the agent does not have any plugins for that plugin set. For this reason, when you perform an agent vulnerability or inventory collection scan for the first time, expect the scan to use more bandwidth than the subsequent vulnerability or inventory scans.

The agent also performs a full plugin update when any of the agent plugin sets are more than 15 days behind the Tenable Vulnerability Management plugin sets.

The agent deletes unused plugin sets after a configurable amount of time (for more information, see the days_to_keep_unused_plugins advanced setting). After the amount of time passes, the agent deletes the unused plugin sets.

Tenable Nessus Manager

The agent performs a differential plugin update when the agent plugin set is 5 days or less behind the Tenable Nessus Manager plugin set.

The agent performs a full plugin update when the agent plugin set is more than 5 days behind the Tenable Nessus Manager plugin set.