Advanced Settings

The Advanced Settings page allows you to configure Tenable Nessus manually. You can configure advanced settings from the Tenable Nessus user interface, or from the command-line interface. Tenable Nessus validates your input values to ensure only valid configurations.

Note: You need the System Administrator role to configure Tenable Nessus settings. For more information, see Users.

Tenable Nessus groups the advanced settings into the following categories:

User Interface
Scanning
Logging
Performance
Security
Agents and Scanners
Cluster
Miscellaneous
Custom

Details

Advanced settings apply globally across your Tenable Nessus instance.
To configure advanced settings, you must use a Tenable Nessus administrator user account.
Tenable Nessus does not automatically update all advanced settings.
Changes may take several minutes to take effect.
Tenable Nessus indicates the settings that require restarting for the change to apply with the icon.
Custom policy settings supersede the global advanced settings.

User Interface

Setting	Identifier	Description	Default	Valid Values
Allow Post-Scan Editing	allow_post_scan_editing	Allows a user to make edits to scan results after the scan is complete.	yes	yes or no
Disable API	disable_api	Disables the API, including inbound HTTP connections. Users cannot access Tenable Nessus via the user interface or the API.	no	yes or no
Disable Frontend	disable_frontend	Disables the Tenable Nessus user interface. Users can still use the API.	no	yes or no
Disable Tenable News	disable_rss	In Tenable Nessus Essentials or Tenable Nessus Professional trial, the left navigation bar shows a Tenable news widget. Use this setting to disable the widget.	no	yes or no
Login Banner	login_banner	A text banner that appears after you attempt to log in to Tenable Nessus. Note: The banner only appears the first time you log in on a new browser or computer.	None	String
Maximum Concurrent Web Users	global.max_web_users	Maximum web users who can connect simultaneously.	1024	Integers. If set to 0, there is no limit.
Nessus Web Server IP	listen_address	IPv4 address to listen for incoming connections. If set to 127.0.0.1, this restricts access to local connections only.	0.0.0.0	String in the format of an IP address
Nessus Web Server Port	xmlrpc_listen_port	The port that the Tenable Nessus web server listens on.	8834	Integers
UI Theme	ui_theme	When enabled, changes user interface color theme to dark mode.	Track Os Setting	Light, Dark, or Track Os Setting
Use Mixed Vulnerability Groups	scan_vulnerability_groups_mixed	When enabled, Tenable Nessus shows the severity level as Mixed for vulnerability groups, unless all the vulnerabilities in a group have the same severity. When disabled, Tenable Nessus shows the highest severity indicator of a vulnerability in a group	yes	Yes or No
Use Vulnerability Groups	scan_vulnerability_groups	When enabled, Tenable Nessus groups vulnerabilities in scan results by common attributes, giving you a shorter list of results.	yes	yes or no

Scanning

Setting	Identifier	Description	Default	Valid Values
Audit Trail Verbosity	audit_trail	Controls verbosity of the plugin audit trail. Full audit trails include the reason why Tenable Nessus did not include certain plugins in the scan.	full	full, partial, none
Auto Enable Plugin Dependencies	auto_enable_dependencies	Automatically activates the plugins that are depended on by other plugins. The setting does not enable plugins that are depended on by scan template settings. If disabled, not all plugins may run despite being selected in a scan policy.	yes	yes or no
CGI Paths for Web Scans	cgi_path	A colon-delimited list of CGI paths to use for web server scans.	/cgi-bin:/scripts	String
Engine Thread Idle Time	engine.idle_wait	Number of seconds a scan engine remains idle before shutting itself down.	60	Integers 0-600
Max Plugin Output Size	plugin_output_max_size_kb	The maximum size, in KB, of plugin output that Tenable Nessus includes in the exported scan results with the .nessus format. If the output exceeds the maximum size, Tenable Nessus truncates the output in the report.	1000	Integers. If set to 0, there is no limit.
Maximum Ports in Scan Reports	report.max_ports	The maximum number of allowable ports. If there are more ports in the scan results than this value, Tenable Nessus discards the port scan results. This limit helps guard against fake targets that may have thousands of reported ports, but can also result in the deletion of valid results from the scan results database, so you may want to increase the default if this is a problem.	1024	Integers
Maximum Size for E-mailed Reports	attached_report_maximum_size	Specifies the maximum size, in MB, of any report attachment. If the report exceeds the maximum size, then it is not attached to the email. Tenable Nessus does not support report attachments larger than 50 MB.	25	Integers 0-50
Nessus Rules File Location	rules	Location of the Tenable Nessus rules file (nessusd.rules). The following are the defaults for each operating system: Linux: /opt/nessus/etc/nessus/nessusd.rules macOS: /Library/Nessus/run/var/nessus/conf/nessusd.rules Windows: C:\ProgramData\Tenable\Nessus\nessus\conf\nessusd.rules	Nessus config directory for your operating system	String
Non-Simultaneous Ports	non_simult_ports	Specifies ports against which two plugins you cannot run simultaneously.	139, 445, 3389	String
Paused Scan Timeout	paused_scan_timeout	The duration, in minutes, that a scan can remain in the paused state before Tenable Nessus terminates it.	0	Integers 0-10080
PCAP Snapshot Length	pcap.snaplen	The snapshot size used for packet capture; the maximum size of a captured network packet. Typically, Tenable Nessus sets this value automatically based on the scanner's NIC. However, depending on your network configuration, Tenable Nessus may truncate the packages, resulting in the following message in your scan report: "The current snapshot length of ### for interface X is too small." You can increase the length to avoid packet truncation.	0	Integers 0-262144
Port Range	port_range	The default range of ports that the scanner plugins probe.	default	default, all, a range of ports, a comma-separated list of ports and/or port ranges. Specify UDP and TCP ports by prefixing each range by T: or U:.
Reverse DNS Lookups	reverse_lookup	When enabled, Tenable Nessus identifies targets by their fully qualified domain name (FQDN) in the scan report. When disabled, the report identifies the target by hostname or IP address.	no	yes or no
Safe Checks	safe_checks	When enabled, Tenable Nessus uses safe checks, which use banner grabbing rather than active testing for a vulnerability.	yes	yes or no
Silent Plugin Dependencies	silent_dependencies	When enabled, Tenable Nessus does not include the list of plugin dependencies and their output in the report. You can select a plugin as part of a policy that depends on other plugins to run. By default, Tenable Nessus runs those plugin dependencies, but does not include their output in the report. When disabled, Tenable Nessus includes both the selected plugin and any plugin dependencies in the report.	yes	yes or no
Slice Network Addresses	slice_network_addresses	If you set this option, Tenable Nessus does not scan a network incrementally (10.0.0.1, then 10.0.0.2, then 10.0.0.3, and so on) but attempts to slice the workload throughout the whole network (for example, it scans 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128, and so on).	no	yes or no
System Default Severity Basis	severity_basis	In Tenable Nessus scanners and Tenable Nessus Professional, you can choose whether Tenable Nessus calculates the severity of vulnerabilities using CVSSv2 or CVSSv3 scores (when available) by configuring your default severity base setting. In Tenable Nessus scanners and Tenable Nessus Professional, you can choose whether Tenable Nessus calculates the severity of vulnerabilities using CVSSv2, CVSSv3, or CVSSv4 scores (when available) by configuring your default severity base setting. When you change the default severity base, the change applies to all existing scans that are configured with the default severity base. Future scans also use the default severity base. For more information about CVSS scores and severity ranges, see CVSS Scores vs. VPR. Note: This setting is not available for Tenable Nessus Manager.	On a new installation of Tenable Nessus: cvss_v3 On preexisting upgraded instance: cvss_v2	cvss_v2 or cvss_v3

Logging

Setting	Identifier	Description	Default	Valid Values
Log Additional Scan Details	log_details	When enabled, scan logs include the username, scan name, and current plugin name in addition to the base information. You may not see these additional details unless you also enable log_whole_attack.	no	yes or no
Log Verbose Scan Details	log_whole_attack	Logs verbose details of the scan. Helpful for debugging issues with the scan, but this may be disk intensive. To add more details, enable log_details.	no	yes or no
Nessus Dump File Location	dumpfile	Location of nessusd.dump, a log file for debugging output if generated. The following are the defaults for each operating system: Linux: /opt/nessus/var/nessus/logs/nessusd.dump macOS: /Library/Nessus/run/var/nessus/logs/nessusd.dump Windows: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.dump	Nessus log directory for your operating system	String
Nessus Dump File Log Level	nasl_log_type	The type of NASL engine output in nessusd.dump.	normal	normal, none, trace, or full.
Nessus Dump File Max Files	dumpfile_max_files	The maximum number of the nessusd.dump files kept on disk. If the number exceeds the specified value, Tenable Nessus deletes the oldest dump file.	100	Integers 1-1000
Nessus Dump File Max Size	dumpfile_max_size	The maximum size of the nessusd.dump files in MB. If file size exceeds the maximum size, Tenable Nessus creates a new dump file.	512	Integers 1-2048
Nessus Log Level	backend_log_level	The logging level of the backend.log log file, as indicated by a set of log tags that determine what information to include in the log. If you manually edited log.json to set a custom set of log tags for backend.log, this setting overwrites that content. For more information, see Manage Logs.	normal	normal — sets log tags to log, info, warn, error, trace debug — sets log tags to log, info, warn, error, trace, debug verbose — sets log tags tolog, info, warn, error, trace, debug, verbose
Nessus Scanner Log Location	logfile	Location where Tenable Nessus stores its scanner log file. The following are the defaults for each operating system: Linux: /opt/nessus/var/nessus/logs/nessusd.messages macOS: /Library/Nessus/run/var/nessus/logs/nessusd.messages Windows: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.messages	Nessus log directory for your operating system	String
Log File Rotation	logfile_rot	Determines whether Tenable Nessus rotates messages log files based on maximum rotation size or rotation time.	size	size — Tenable Nessus rotates log files based on size, as specified in logfile_max_size. time — Tenable Nessus rotates log files based on time, as specified in logfile_rotation_time.
Scanner Metric Logging	scanner.metrics	Enables scanner performance metrics data gathering.	0	0 (off), 0x3f (full data except plugin metrics), 0x7f (full data including plugin metrics) Note: Including plugin metrics greatly increases the size of the log file. Tenable Nessus does not automatically clean up log files.
Use Milliseconds in Logs	logfile_msec	When enabled, nessusd.messages and nessusd.dump log timestamps are in milliseconds. When disabled, log timestamps are in seconds.	no	yes or no

Performance

Setting	Identifier	Description	Default	Valid Values
Database Synchronous Setting	db_synchronous_setting	Control how database updates are synchronized to disk. NORMAL is faster, with some risk of data loss during unexpected system shutdowns (for example, during a power outage or crash). FULL is safer, with some performance cost.	NORMAL	NORMAL or FULL
Engine Logging	global.log.engine_details	When enabled, logs additional information about which scan engine you assigned each target to during scanning.	no	yes or no
Engine Thread Pool Size	thread_pool_size	The size of the pool of threads available for use by the scan engine. You can defer asynchronous tasks to these threads, and this value controls the maximum number of threads.	200	Integers 0-500
Global Max Hosts Concurrently Scanned	global.max_hosts	Maximum number of hosts that Tenable Nessus can scan simultaneously across all scans.	Varies depending on hardware	Integers
Global Max Port Scanners	global.max_portscanners	Maximum number of port scanners.	100	Integers 0-1024
Global Max TCP Sessions	global.max_simult_tcp_sessions	Maximum number of simultaneous TCP sessions across all scans.	50 for desktop operating systems (for example, Windows 10). 50000 for other operating systems (for example, Windows Server 2016).	Integers
Max Concurrent Checks Per Host	max_checks	Maximum number of simultaneous plugins that can run concurrently on each host.	5	Integers
Max Concurrent Hosts Per Scan	max_hosts	Maximum number of hosts checked at one time during a scan.	Varies, up to 100.	Integers. If set to 0, defaults to 100.
Max Concurrent Scans	global.max_scans	Maximum number of simultaneous scans that the scanner can run.	0	Integers 0-1000 If set to 0, there is no limit.
Max Engine Checks	engine.max_checks	Maximum number of simultaneous plugins that can run concurrently on a single scan engine.	64	Integers
Max Engine Threads	engine.max	Maximum number of scan engines that run in parallel. Each scan engine scans multiple targets concurrently from one or more scans (see engine.max_hosts).	8 times the number of CPU cores on the machine	Integers
Max Hosts Per Engine Thread	engine.max_hosts	Maximum number of targets that run concurrently on a single scan engine.	16	Integers
Max HTTP Connections	max_http_connections	The number of simultaneous connection attempts before the web server responds with HTTP code 503 (Service Unavailable, Too Many Connections).	600	Integers
Max HTTP Connections Hard	max_http_connections_hard	The number of simultaneous connection attempts before the web server does not allow further connections.	3000	Integers
Max TCP Sessions Per Host	host.max_simult_tcp_sessions	Maximum number of simultaneous TCP sessions for a single host. This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if you set this option to 15, the SYN scanner sends 150 packets per second at most.	0	Integers. If set to 0, there is no limit.
Max TCP Sessions Per Scan	max_simult_tcp_sessions	Maximum number of simultaneous TCP sessions for the entire scan, regardless of the number of hosts the scanner is scanning.	0	Integers 0-2000. If set to 0, there is no limit.
Minimum Engine Threads	engine.min	The number of scan engines that start initially as Tenable Nessus scans the targets. After the engine reaches engine.optimal_hosts number of targets, Tenable Nessus adds more scan engines up to engine.max.	2 times the number of CPU cores on the machine	Integers
Optional Hosts Per Engine Thread	engine.optimal_hosts	The minimum number of targets that are running on each scan engine before Tenable Nessus adds more engines (up to engine.max).	2	Integers
Optimize Tests	optimize_test	Optimizes the test procedure. If you disable this setting, scans may take longer and typically generate more false positives.	yes	yes or no
Plugin Check Optimization Level	optimization_level	Determines the type of check that Tenable Nessus performs before a plugin runs. If you set this setting to open_ports, then Tenable Nessus checks that required ports are open; if they are not, the plugin does not run. If you set this setting to required_keys, then Tenable Nessus performs the open port check, and also checks that required keys (KB entries) exist, ignoring the excluded key check.	None	open_ports or required_keys
Plugin Timeout	plugins_timeout	Maximum lifetime of a plugin’s activity in seconds.	320	Integers 0-1000
QDB Memory Usage	qdb_mem_usage	Directs Tenable Nessus to use more or less memory when idle. If Tenable Nessus is running on a dedicated server, setting this to high uses more memory to increase performance. If Tenable Nessus is running on a shared machine, setting this to low uses considerably less memory, but has a moderate performance impact.	low	low or high
Reduce TCP Sessions on Network Congestion	reduce_connections_on_congestion	Reduces the number of TCP sessions in parallel when the network appears to be congested.	no	yes or no
Remediations Limit	remediations_limit	Limits the number of remediations that Tenable Nessus generates and shows in a scan result.	500	Integers > 0
Scan Check Read Timeout	checks_read_timeout	Read timeout for the sockets of the tests.	5	Integers 0-1000
Stop Scan on Host Disconnect	stop_scan_on_disconnect	When enabled, Tenable Nessus stops scanning a host that disconnects during the scan.	no	yes or no
XML Enable Plugin Attributes	xml_enable_plugin_attributes	When enabled, Tenable Nessus includes plugin attributes in exported scans to Tenable Security Center.	no	yes or no
Webserver Thread Pool Size	www_thread_pool_size	The thread pool size for the webserver/backend.	100	Integers 0-500

Security

Setting	Identifier	Description	Default	Valid Values
Always Validate SSL Server Certificates	strict_certificate_validation	Always validate SSL server certificates, even during initial remote link (requires manager to use a trusted root CA).	no	yes or no
Cipher Files on Disk	cipher_files_on_disk	Encipher files that Tenable Nessus writes.	yes	yes or no
Force Public Key Authentication	force_pubkey_auth	Force logins for Tenable Nessus to use public key authentication.	no	yes or no
Max Concurrent Sessions Per User	max_sessions_per_user	Maximum concurrent sessions per user	0	Integers 0-2000. If set to 0, there is no limit.
SSL Cipher List	ssl_cipher_list	Cipher list to use for Tenable Nessus backend connections. You can use a preconfigured list of cipher strings, or enter a custom cipher list or cipher strings. Note: This setting only sets ciphers for TLS 1.2.	compatible	legacy - A list of ciphers that can integrate with older and insecure browsers and APIs. compatible - A list of secure ciphers that is compatible with all browsers, including Internet Explorer 11. May not include all the latest ciphers. modern - A list of the latest and most secure ciphers. May not be compatible with older browsers, such as Internet Explorer 11. custom - A custom OpenSSL cipher list. For more information on valid cipher list formats, see the OpenSSL documentation. niap - A list of ciphers that conforms to NIAP standards. ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSL Mode	ssl_mode	Minimum supported version of TLS.	tls_1_2	compat - TLS v1.0+ ssl_3_0 - SSL v3+ tls_1_1 - TLS v1.1+ tls_1_2 - TLS v1.2+ niap - TLS v1.2

Agents & Scanners

Note: The following settings are only available in Tenable Nessus Manager.

Name	Setting	Description	Default	Valid Values
Agent Auto Delete	agent_auto_delete	Controls whether agents are automatically deleted after they have been inactive for the duration of time set for agent_auto_delete_threshold.	no	yes or no
Agent Auto Delete Threshold	agent_auto_delete_threshold	The number of days after which inactive agents are automatically deleted if agent_auto_delete is set to yes.	60	Integers 1-365
Agent Auto Unlink	agent_auto_unlink	Controls whether agents are automatically unlinked after they have been inactive for the duration of time set for agent_auto_unlink_threshold.	no	yes or no
Agent Auto Unlink Threshold	agent_auto_unlink_threshold	The number of days after which inactive agents are automatically unlinked if agent_auto_unlink is set to yes. Note: This value must be less than the agent_auto_delete_threshold.	30	Integers 30-90
Agents Progress	agents_progress_viewable	When a scan gathers information from agents, Tenable Nessus Manager does not show detailed agents information if the number of agents exceeds this setting. Instead, a message indicates that results are being gathered and will be viewable when the scan is complete.	100	Integers. If set to 0, this defaults to 100.
Automatically Download Agent Updates	agent_updates_from_feed	When enabled, new Tenable Nessus Agent software updates are automatically downloaded.	yes	yes or no
Concurrent Agent Software Updates	cloud.manage.download_max	The maximum concurrent agent update downloads.	10	Integers
Include Audit Trail Data	agent_merge_audit_trail	Controls whether or not agent scan result audit trail data is included in the main agent database. Excluding audit trail data can significantly improve agent result processing performance. If this setting is set to false, the Audit Trail Verbosity setting in an individual scan or policy defaults to No audit trail.	false	true or false
Include KB Data	agent_merge_kb	Includes the agent scan result KB data in the main agent database. Excluding KB data can significantly improve agent result processing performance. If this setting is set to false, the Include the KB setting in an individual scan or policy defaults to Exclude KB.	false	true or false
Result Processing Journal Mode	agent_merge_journal_mode	Sets the journaling mode to use when processing agent results. Depending on the environment, this can somewhat improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation.	DELETE	MEMORY TRUNCATE DELETE
Result Processing Sync Mode	agent_merge_synchronous_setting	Sets the filesystem sync mode to use when processing agent results. Turning this off will significantly improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation.	FULL	OFF NORMAL FULL
Track Unique Agents	track_unique_agents	When enabled, Tenable Nessus Manager checks if MAC addresses of agents trying to link match MAC addresses of currently linked agents with the same hostname, platform, and distro. Tenable Nessus Manager deletes duplicates that it finds.	no	yes or no

Cluster

Note: The following settings are only available in Tenable Nessus Manager with clustering enabled.

Setting	Identifier	Description	Default	Valid Values
Agent Blacklist Duration Days	agent_blacklist_duration_days	The number of days that an agent remains blocked from relinking to a cluster node. For example, Tenable Nessus blocks an agent if it tries to link with a UUID that matches an existing agent in a cluster. Note: Tenable Nessus blocks an agent after Tenable Nessus deletes or removes the agent due to inactivity. However, Tenable Nessus places the agent back in good standing if an administrator manually unlinks and relinks the agent.	7	Integers > 0
Agent Clustering Scan Cutoff	agent_cluster_scan_cutoff	Tenable Nessus aborts scans after running this many seconds without a child node update.	3600	Integers > 299
Agent Node Global Maximum Default	agent_node_global_max_default	The global default maximum number of agents allowed per cluster node. If you set an individual maximum for a child node, that setting overrides this setting.	10000	Integers 0-20000

Setting

Identifier

Description

Default

Valid Values

Agent Blacklist Duration Days

agent_blacklist_duration_days

The number of days that an agent remains blocked from relinking to a cluster node.

For example, Tenable Nessus blocks an agent if it tries to link with a UUID that matches an existing agent in a cluster.

Note: Tenable Nessus blocks an agent after Tenable Nessus deletes or removes the agent due to inactivity. However, Tenable Nessus places the agent back in good standing if an administrator manually unlinks and relinks the agent.

Integers > 0

Agent Clustering Scan Cutoff

agent_cluster_scan_cutoff

Tenable Nessus aborts scans after running this many seconds without a child node update.

3600

Integers > 299

Agent Node Global Maximum Default

agent_node_global_max_default

The global default maximum number of agents allowed per cluster node.

If you set an individual maximum for a child node, that setting overrides this setting.

10000

Integers 0-20000

Miscellaneous

Setting	Identifier	Description	Default	Valid Values
Automatic Update Delay	auto_update_delay	Number of hours that Tenable Nessus waits between automatic updates.	24	Integers > 0
Automatic Updates	auto_update	Automatically updates plugins. If you enable this setting and register Tenable Nessus, Tenable Nessus automatically gets the newest plugins from Tenable when they are available. If your scanner is on an isolated network that is not able to reach the internet, disable this setting. Note: This setting does not work for Tenable Nessus scanners that you connected to Tenable Vulnerability Management. Scanners linked to Tenable Vulnerability Management automatically receive updates from cloud.tenable.com. For more information, see the knowledge base article.	yes	yes or no
Automatically Update Nessus	auto_update_ui	Automatically download and apply Tenable Nessus updates. Note: This setting does not work for Tenable Nessus scanners that you connected to Tenable Vulnerability Management. Scanners linked to Tenable Vulnerability Management automatically receive updates from cloud.tenable.com. For more information, see the knowledge base article.	yes	yes or no
Child Node Port	child_node_listen_port	Allows Tenable Nessus child nodes to communicate to the parent node on a different port.	none	Any valid port value
Initial Sleep Time	ms_agent_sleep	(Tenable Nessus Manager only) Sleep time between managed scanner and agent requests. You can override this setting in Tenable Nessus Manager or Tenable Vulnerability Management.	30	Integers 5-3300
Java Heap Size	java_heap_size	Determines Java heap size (the system memory used to store objects instantiated by applications running on the Java virtual machine) Tenable Nessus uses when exporting PDF reports.	auto	auto or Integers > 0
Max HTTP Client Requests	max_http_client_requests	Determines the maximum number of concurrent outbound HTTP connections on managed scanners and agents.	4	Integers > 0
Nessus Debug Port	dbg_port	The port on which nessusd listens for ndbg client connections. If left empty, Tenable Nessus does not establish a debug port.	None	String in one of the following formats: port or localhost:port or ip:port
Nessus Preferences Database	config_file	Location of the configuration file that contains the engine preference settings. The following are the defaults for each operating system: Linux: /opt/nessus/etc/nessus/nessusd.db macOS: /Library/Nessus/run/etc/nessus/conf/nessusd.db Windows: C:\ProgramData\Tenable\Nessus\conf\nessusd.db	Tenable Nessus database directory for your operating system	String
Non-User Scan Result Cleanup Threshold	report_cleanup_threshold_days	The age threshold (in days) for removing old system-user scan reports.	30	Integers > 0
Old User Files Cleanup	old_user_files_cleanup_hours	The number of hours after which Tenable Nessus removes old user files from the file system. If set to 0, Tenable Nessus does not perform a cleanup.	0	Integers > 0
Orphaned Scan History Cleanup	orphaned_scan_cleanup_days	The number of days after which Tenable Nessus removes orphaned Tenable Security Center scans. For example, an orphaned scan could be a scan executed via Tenable Security Center that was not properly removed. If set to 0, Tenable Nessus does not perform a cleanup. Note: This setting only applies to network scans launched from Tenable Security Center. It does not apply to agent or web application scans.	30	Integers > 0
Packet Capture Archive Cleanup	packet_capture_archive_cleanup_days	The number of days after which Tenable Nessus removes packet capture archives from the filesystem. If set to 0, Tenable Nessus does not perform a cleanup.	30	Integers > 0
Plugin Integrity Check Frequency (Minutes)	plugin_healthcheck_frequency	Determines the frequency, in minutes, at which Tenable Nessus runs a full plugin integrity check.	10080	Integers 1440-10080
Remote Scanner Port	remote_listen_port	This setting allows Tenable Nessus to operate on different ports: one dedicated to communicating with remote agents and scanners (comms port) and the other for user logins (management port). By adding this setting, you can link your managed scanners and agents a different port (for example, 9000) instead of the port defined in xmlrpc_listen_port (default 8834).	None	Integer
Report Crashes to Tenable	report_crashes	When enabled, Tenable Nessus sends crash information to Tenable, Inc. automatically to identify problems. Tenable Nessus does not send personal or system-identifying information to Tenable, Inc..	yes	yes or no
Scan Source IP(s)	source_ip	Source IPs to use when running on a multi-homed host. If you provide multiple IPs, Tenable Nessus cycles through them whenever it performs a new connection.	None	IP address or comma-separated list of IP addresses.
Send Telemetry	send_telemetry	When enabled, Tenable Nessus periodically and securely sends non-confidential product usage data to Tenable. Usage statistics include, but are not limited to, data about your visited pages within the Tenable Nessus interface, your used reports and dashboards, your Tenable Nessus license, and your configured features. Tenable uses the data to improve your user experience in future Tenable Nessus releases. You can disable this option at any time to stop sharing usage statistics with Tenable.	yes	yes or no
User Scan Result Deletion Threshold	scan_history_expiration_days	The number of days after which Tenable Nessus deletes the scan history and data for completed scans permanently. Note: This setting affects any scanner, agent, and web application scans launched from Tenable Security Center.	0	0 or integers larger than or equal to 3. If set to 0, Tenable Nessus retains the history.
Windows Minidump	windows_minidump	Determines whether Tenable Nessus generates a Windows minidump file in the log folder if Tenable Nessus for Windows crashes.	no	yes or no

Custom

Not all advanced settings are populated in the Tenable Nessus user interface, but you can set some settings in the command-line interface. If you create a custom setting, it appears in the Custom tab.

The following table lists the advanced settings that you can configure, even though Tenable Nessus does not list them by default.

Identifier	Description	Default	Valid Values
acas_classification	Adds a classification banner to the top and bottom of the Tenable Nessus user interface, and turns on last successful and failed login notification.	None	UNCLASSIFIED (green banner), CONFIDENTIAL (blue banner), SECRET (red banner), or a custom value (orange banner).
multi_scan_same_host	When disabled, to avoid overwhelming a host, Tenable Vulnerability Management prevents a single scanner from simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable Vulnerability Management scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete. When enabled, a Tenable Vulnerability Management scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but scan targets could potentially become overwhelmed, causing timeouts and incomplete results.	no	yes or no
merge_plugin_results	Supports merging plugin results for plugins that generate multiple findings with the same host, port, and protocol. Tenable recommends enabling this option for scanners linked to Tenable Security Center.	no	yes or no
nessus_syn_scanner.global_throughput.max	Sets the max number of SYN packets that Tenable Nessus sends per second during its port scan (no matter how many hosts Tenable Nessus scans in parallel). Adjust this setting based on the sensitivity of the remote device to large numbers of SYN packets.	65536	Integers
login_banner	A text banner shows that appears after you attempt to log in to Tenable Nessus. The banner only appears the first time you log in on a new browser or computer.	None	String
timeout.<plugin ID>	Enter the plugin ID in place of <plugin ID>. The maximum time, in seconds, that Tenable Nessus permits the <pluginID> to run before Tenable Nessus stops it. If you set this option for a plugin, this value supersedes plugins_timeout.	None	Integers 0-86400