Safe Mode

Note: Further documentation about agent safe mode will be published once the supporting user interfaces for safe mode have been released in Tenable Vulnerability Management and Tenable Nessus Manager.

Safe mode is a feature that allows Tenable Agent to stay connected to Tenable Vulnerability Management or Tenable Nessus Manager for monitoring and remediation while agents are experiencing plugin compilation, scanning, host memory, and environmental issues.

When agents are in safe mode, they maintain communication with Tenable Vulnerability Management or Tenable Nessus Manager but are blocked from compiling plugins and scanning. This allows your organization to safely and remotely monitor, troubleshoot, and recover your agents. Safe mode is particularly useful for large-scale agent deployments in that you no longer need to manually manage individual agents when they encounter issues.

Safe mode activation

An agent automatically enters safe mode when it detects one of the following errors:

  • The agent crashes during a scan.

  • The agent crashes or hangs during plugin compilation or in response to plugin set changes.

  • The agent becomes unusable due to failed plugin updates.

  • The agent becomes unusable due to a bug.

  • The agent is repeatedly terminated due to host memory issues.

  • The agent is repeatedly terminated by antivirus or endpoint security software.

The agent then informs its manager that it has activated safe mode, and you are notified in Tenable Vulnerability Management or Tenable Nessus Manager via the agent user interface. The agent maintains connection with the manager to be monitored and accept plugin commands from a user, but it is otherwise blocked from scheduled plugin tasks and scanning.

Remediate and recover agents in safe mode

To remediate and recover agents that are in safe mode, you can report agents that are in safe mode on connect.tenable.com for Tenable Support assistance, or you can use the Linked Agents menu to self-remediate.

Note: Tenable strongly recommends submitting a support ticket when one or more agents go into safe mode. Do this before attempting one of the following remediation actions and make sure to include a debug file for one of the agents that has entered safe mode. Doing so allows Tenable Support to identify the root cause of the issue and plan any fixes. Without a debug file, the root cause of the issue will remain unknown and unable to be addressed.

Caution: If you choose to self-remediate without assistance from Tenable, Tenable highly recommends trying remediation methods on small subset of your agents before attempting them on large groups or all of your agents.

For more information about responding to agents in safe mode, see the Agent Safe Mode topics in the Tenable Vulnerability Management and Tenable Nessus User Guides.