Scan Templates

You can use scan templates to create custom policies for your organization. Then, you can run scans based on Tenable's scan templates or your custom policies' settings. For more information, see Create a Policy.

When you first create a scan or policy, the Scan Templates section or Policy Templates section appears, respectively. Nessus provides separate templates for scanners and agents, depending on which sensor you want to use for scanning:

Scanner Templates
Agent Templates (Nessus Manager only)

Note: Agent templates are only available in Nessus Manager.

If you have custom policies, they appear in the User Defined tab.

When you configure a Tenable-provided scan template, you can modify only the settings included for the scan template type. When you create a user-defined scan template, you can modify a custom set of settings for your scan.

For descriptions of all the scanner and agent template settings, see Settings.

Note: If a plugin requires authentication or settings to communicate with another system, the plugin is not available on agents. This includes, but is not limited to:

Patch management
Mobile device management
Cloud infrastructure audit
Database checks that require authentication

Scanner Templates

There are three scanner template categories in Nessus:

Discovery — Tenable recommends using discovery scans to see what hosts are on your network, and associated information such as IP address, FQDN, operating systems, and open ports, if available. After you have a list of hosts, you can choose what hosts you want to target in a specific vulnerability scan.
Vulnerabilities — Tenable recommends using vulnerability scan templates for most of your organization's standard, day-to-day scanning needs. Tenable also publishes vulnerability scan templates that allow you to scan your network for a specific vulnerability or group of vulnerabilities. Tenable frequently updates the Nessus scan template library with templates that detect the latest vulnerabilities of public interest, such as Log4Shell.
Compliance — Tenable recommends using configuration scan templates to check whether host configurations are compliant with various industry standards. Compliance scans are sometimes referred to as configuration scans. For more information about the checks that compliance scans can perform, see Compliance and SCAP Settings.

The following table describes the available scanner templates.

Tip: In the Nessus user interface, use the search box to find a template quickly.

Note: If you configure Nessus Manager for agent management, Tenable does not recommend using Nessus Manager as a local scanner. For example, do not configure Tenable.sc scan zones to include Nessus Manager and avoid running network-based scans directly from Nessus Manager. These configurations can negatively impact agent scan performance. In most cases, use agent scan templates when working in Nessus Manager.

Template	Description
Discovery
Host Discovery	Performs a simple scan to discover live hosts and open ports. Launch this scan to see what hosts are on your network and associated information such as IP address, FQDN, operating systems, and open ports, if available. After you have a list of hosts, you can choose what hosts you want to target in a specific vulnerability scan. Tenable recommends that organizations who do not have a passive network monitor, such as Nessus Network Monitor, run this scan weekly to discover new assets on your network. Note: Assets identified by discovery scans do not count toward your license.
Vulnerabilities
Basic Network Scan	Performs a full system scan that is suitable for any host. Use this template to scan an asset or assets with all of Nessus's plugins enabled. For example, you can perform an internal vulnerability scan on your organization's systems.
Advanced Network Scan	The most configurable scan type. You can configure this scan template to match any policy. This template has the same default settings as the basic scan template, but it allows for additional configuration options. Note: Advanced scan templates allow you to scan more deeply using custom configuration, such as faster or slower checks, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.
Advanced Dynamic Scan	An advanced scan without any recommendations, where you can configure dynamic plugin filters instead of manually selecting plugin families or individual plugins. As Tenable releases new plugins, any plugins that match your filters are automatically added to the scan or policy. This allows you to tailor your scans for specific vulnerabilities while ensuring that the scan stays up to date as new plugins are released.
Malware Scan	Scans for malware on Windows and Unix systems. Nessus detects malware using a combined allow list and block list approach to monitor known good processes, alert on known bad processes, and identify coverage gaps between the two by flagging unknown processes for further inspection.
Mobile Device Scan	(Nessus Manager only) Assesses mobile devices via Microsoft Exchange or an MDM. Use this template to scan what is installed on the targeted mobile devices and report on the installed applications or application versions' vulnerabilities. The Mobile Device Scan plugins allow you to obtain information from devices registered in a Mobile Device Manager (MDM) and from Active Directory servers that contain information from Microsoft Exchange Servers. To query for information, the Nessus scanner must be able to reach the Mobile Device Management servers. Ensure no screening devices block traffic to these systems from the Nessus scanner. In addition, you must give Nessus administrative credentials (for example, domain administrator) to the Active Directory servers. To scan for mobile devices, you must configure Nessus with authentication information for the management server and the mobile plugins. Since Nessus authenticates directly to the management servers, you do not need to configure a scan policy to scan specific hosts. For ActiveSync scans that access data from Microsoft Exchange servers, Nessus retrieves information from phones that have been updated in the last 365 days.
Web Application Tests	Scan for published and unknown web vulnerabilities.
Credentialed Patch Audit	Authenticates hosts and enumerates missing updates. Use this template with credentials to give Nessus direct access to the host, scan the target hosts, and enumerate missing patch updates.
Intel AMT Security Bypass	Performs remote and local checks for CVE-2017-5689.
Spectre and Meltdown	Performs remote and local checks for CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.
WannaCry Ransomeware	Scans for the WannaCry ransomware (MS17-010).
Ripple20 Remote Scan	Detects hosts running the Treck stack in the network, which may be affected by Ripple20 vulnerabilities.
Zerologon Remote Scan	Detects Microsoft Netlogon elevation of privilege vulnerability (Zerologon).
Solarigate	Detects SolarWinds Solorigate vulnerabilities using remote and local checks.
ProxyLogon: MS Exchange	Performs remote and local checks to detect Microsoft Exchange Server vulnerabilities related to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
PrintNightmare	Performs local checks for CVE-2021-34527, the PrintNightmare Windows Print Spooler vulnerability.
Active Directory Starter Scan	Scans for misconfigurations in Active Directory. Note: Active Directory Starter Scans require ADSI credentials. For more information, see Miscellaneous. Use this template to check Active Directory for Kerberoasting, Weak Kerberos encryption, Kerberos pre-authentication validation, non-expiring account passwords, unconstrained delegation, null sessions, Kerberos KRBTGT, dangerous trust relationships, Primary Group ID integrity, and blank passwords.
Log4Shell	Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local checks.
Log4Shell Remote Checks	Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via remote checks.
Log4Shell Vulnerability Ecosystem	Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local and remote checks. This template is dynamic and is regularly updated with new plugins as third-party vendors patch their software.
2022 Threat Landscape Retrospective (TLR)	Detects vulnerabilities featured in Tenable's 2022 Threat Landscape Retrospective report.
CISA Alerts AA22-011A and AA22-047A	Performs remote and local checks for vulnerabilities from CISA alerts AA22-011A and AA22-047A.
ContiLeaks	Performs remote and local checks for ContiLeaks vulnerabilities.
Ransomware Ecosystem	Performs remote and local checks for common ransomware vulnerabilities.
Compliance
Audit Cloud Infrastructure	Audits the configuration of third-party cloud services. You can use this template to scan the configuration of Amazon Web Service (AWS), Google Cloud Platform, Microsoft Azure, Rackspace, Salesforce.com, and Zoom, given that you provide credentials for the service you want to audit.
Internal PCI Network Scan	Performs an internal PCI DSS (11.2.1) vulnerability scan. This template creates scans that you can use to satisfy internal (PCI DSS 11.2.1) scanning requirements for ongoing vulnerability management programs that satisfy PCI compliance requirements. You can use these scans for ongoing vulnerability management and to perform rescans until passing or clean results are achieved. You can provide credentials to enumerate missing patches and client-side vulnerabilities. Note: While the PCI DSS requires you to provide evidence of passing or "clean" scans on at least a quarterly basis, you must also perform scans after any significant changes to your network (PCI DSS 11.2.3).
MDM Config Audit	Audits the configuration of mobile device managers. The MDM Config Audit template reports on a variety of MDM vulnerabilities, such as password requirements, remote wipe settings, and the use of insecure features, such as tethering and Bluetooth.
Offline Config Audit	Audits the configuration of network devices. Offline configuration audits allow Nessus to scan hosts without the need to scan over the network or use credentials. Organizational policies may not allow you to scan devices or know credentials for devices on the network for security reasons. Offline configuration audits use host configuration files from hosts to scan instead. Through scanning these files, you can ensure that devices' settings comply with audits without the need to scan the host directly. Tenable recommends using offline configuration audits to scan devices that do not support secure remote access and devices that scanners cannot access.
Unofficial PCI Quarterly External Scan	Performs quarterly external scans as required by PCI. You can use this template to simulate an external scan (PCI DSS 11.2.2) to meet PCI DSS quarterly scanning requirements. However, you cannot submit the scan results from this template to Tenable for PCI Validation. Only Tenable.io customers can submit their PCI scan results to Tenable for PCI ASV validation.
Policy Compliance Auditing	Audits system configurations against a known baseline. The compliance checks can audit against custom security policies, such as password complexity, system settings, or registry values on Windows operating systems. For Windows systems, the compliance audits can test for a large percentage of anything that can be described in a Windows policy file. For Unix systems, the compliance audits test for running processes, user security policy, and content of files.
SCAP and OVAL Auditing	Audits systems using SCAP and OVAL definitions. The National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies. SCAP compliance auditing requires sending an executable to the remote host. Systems running security software (for example, McAfee Host Intrusion Prevention), may block or quarantine the executable required for auditing. For those systems, you must make an exception for either the host or the executable sent. When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP CHECKS to test compliance standards as specified in NIST’s Special Publication 800-126.

Agent Templates (Nessus Manager only)

There are two agent template categories in Nessus Manager:

Vulnerabilities — Tenable recommends using vulnerability scan templates for most of your organization's standard, day-to-day scanning needs.
Compliance — Tenable recommends using configuration scan templates to check whether host configurations are compliant with various industry standards. Compliance scans are sometimes referred to as configuration scans. For more information about the checks that compliance scans can perform, see Compliance and SCAP Settings.

The following table describes the available agent templates.

Tip: In the Nessus user interface, use the search box to find a template quickly.

Template	Description
Vulnerabilities
Basic Agent Scan	Performs a full system scan that is suitable for any host. Use this template to scan an asset or assets with all of Nessus's plugins enabled. For example, you can perform an internal vulnerability scan on your organization's systems.
Advanced Agent Scan	The most configurable scan type. You can configure this scan template to match any policy. This template has the same default settings as the basic scan template, but it allows for additional configuration options. Note: Advanced scan templates allow you to scan more deeply using custom configuration, such as faster or slower checks, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.
Malware Scan	Scans for malware on Windows and Unix systems. Nessus Agent detects malware using a combined allow list and block list approach to monitor known good processes, alert on known bad processes, and identify coverage gaps between the two by flagging unknown processes for further inspection.
Agent Log4Shell	Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local checks.
Compliance
Policy Compliance Auditing	Audits system configurations against a known baseline. The compliance checks can audit against custom security policies, such as password complexity, system settings, or registry values on Windows operating systems. For Windows systems, the compliance audits can test for a large percentage of anything that can be described in a Windows policy file. For Unix systems, the compliance audits test for running processes, user security policy, and content of files.
SCAP and OVAL Auditing	Audits systems using SCAP and OVAL definitions. The National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies. SCAP compliance auditing requires sending an executable to the remote host. Systems running security software (for example, McAfee Host Intrusion Prevention), may block or quarantine the executable required for auditing. For those systems, you must make an exception for either the host or the executable sent. When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP CHECKS to test compliance standards as specified in NIST’s Special Publication 800-126.