Assessment Scan Settings
Note: If a scan is based on a policy, you cannot configure Assessment settings in the scan. You can only modify these settings in the related policy.
You can use Assessment settings to configure how a scan identifies vulnerabilities, as well as which vulnerabilities it identifies. This includes identifying malware, assessing how vulnerable a system is to brute-force attacks, and assessing the susceptibility of web applications.
Certain Tenable-provided scanner templates include
If you select the Custom preconfigured setting option, or if you are using a scanner template that does not include preconfigured assessment settings, you can manually configure Assessment settings in the following categories:
Note: The following tables include settings for the Advanced Scan template. Depending on the template you select, certain settings may not be available, and default values may vary.
The General section includes the following groups of settings:
The Brute Force section includes the following groups of settings:
| Setting | Default | Description |
|---|---|---|
| **Modbus/TCP Coil Access** | | Modbus uses a function code of 1 to read coils in a Modbus server. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message. |
| Start at Register | | The register at which to start scanning. |
| End at Register | 16 | The register at which to stop scanning. |
| **ICCP/COTP TSAP Addressing Weakness** | | The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Point (TSAP) value on an ICCP server by trying possible values. |
| Start COTP TSAP | 8 | Specifies the starting TSAP value to try. |
| Stop COTP TSAP | 8 | Specifies the ending TSAP value to try. Nessus tries all values between the Start and Stop. |
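The Modbus coil-access probe described in the table is easiest to understand on the wire. The decoder below is an added example and is not Nessus or Tenable code: it parses the 7-byte MBAP header and the Read Coils (function code 1) PDU of captured Modbus/TCP frames, so a defender watching port 502 can log which unit and which register range a request touched, which coils the server reported on, and any exception the server returned. The frame layout follows the public Modbus Application Protocol specification; the function names and the three sample frames are constructed for this example.

```python
"""Decode Modbus/TCP Read Coils (function code 1) frames for logging.

Added example, not Tenable or Nessus code. Frame layout follows the public
Modbus Application Protocol specification; function names and the sample
frames are constructed for this example.
"""
import struct

READ_COILS = 0x01
EXCEPTION_FLAG = 0x80
MAX_COILS_PER_REQUEST = 2000  # upper bound set by the Modbus specification
EXCEPTION_NAMES = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
                   3: "ILLEGAL DATA VALUE", 4: "SERVER DEVICE FAILURE"}


def decode_adu(frame: bytes, direction: str) -> dict:
    """Decode one Modbus/TCP ADU (7-byte MBAP header followed by the PDU).

    direction is "request" (client -> server, i.e. towards TCP port 502) or
    "response"; it is needed because a Read Coils request PDU and a response
    PDU carrying three data bytes are both five bytes long.
    """
    if direction not in ("request", "response"):
        raise ValueError("direction must be 'request' or 'response'")
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    out = {"transaction": tid, "unit": unit, "function": fc & 0x7F}
    if fc & EXCEPTION_FLAG:
        if len(pdu) != 2:
            raise ValueError("malformed exception response")
        out.update(kind="exception", exception_code=pdu[1],
                   exception=EXCEPTION_NAMES.get(pdu[1], "UNKNOWN"))
    elif fc != READ_COILS:
        out["kind"] = "other"
    elif direction == "request":
        if len(pdu) != 5:
            raise ValueError("Read Coils request PDU must be 5 bytes")
        start, qty = struct.unpack(">HH", pdu[1:5])
        out.update(kind="request", start=start, quantity=qty,
                   end=start + qty - 1,
                   in_spec=1 <= qty <= MAX_COILS_PER_REQUEST)
    else:
        count = pdu[1] if len(pdu) > 1 else -1
        if len(pdu) != 2 + count:
            raise ValueError("Read Coils response byte count does not match PDU")
        # Coil status is packed LSB-first: bit 0 of the first data byte is
        # the first requested coil.
        coils_on = [i * 8 + bit for i, b in enumerate(pdu[2:])
                    for bit in range(8) if b >> bit & 1]
        out.update(kind="response", byte_count=count, coils_on=coils_on)
    return out


def describe(frame: bytes, direction: str) -> str:
    """One log line per frame, suitable for a passive Modbus monitor."""
    d = decode_adu(frame, direction)
    if d["kind"] == "request":
        return (f"tid={d['transaction']} unit={d['unit']} READ_COILS "
                f"registers {d['start']}-{d['end']} (qty {d['quantity']})")
    if d["kind"] == "response":
        return (f"tid={d['transaction']} unit={d['unit']} READ_COILS "
                f"{d['byte_count']} byte(s), coils on: {d['coils_on']}")
    if d["kind"] == "exception":
        return (f"tid={d['transaction']} unit={d['unit']} fc={d['function']} "
                f"EXCEPTION {d['exception_code']} {d['exception']}")
    return f"tid={d['transaction']} unit={d['unit']} fc={d['function']}"


# Constructed sample frames: a Read Coils request for registers 0-15, the
# server's reply, and an exception reply to a second request.
SAMPLE_REQUEST = b"\x00\x01\x00\x00\x00\x06\x01\x01\x00\x00\x00\x10"
SAMPLE_RESPONSE = b"\x00\x01\x00\x00\x00\x05\x01\x01\x02\xcd\x01"
SAMPLE_EXCEPTION = b"\x00\x02\x00\x00\x00\x03\x01\x81\x02"

if __name__ == "__main__":
    for frame, direction in ((SAMPLE_REQUEST, "request"),
                             (SAMPLE_RESPONSE, "response"),
                             (SAMPLE_EXCEPTION, "response")):
        print(describe(frame, direction))
```

The direction argument is the design point worth noting: Modbus PDUs carry no request/response flag, so a monitor must take the direction from the TCP flow (which side owns port 502) rather than guess it from the PDU length.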
By default, Nessus does not scan web applications. When you first access the Web Application section, the Scan Web Applications setting appears and is Off. To modify the Web Application settings listed in the following table, click the Off button. The rest of the settings appear.
The Web Applications section includes the following groups of settings:
The Windows section contains the following groups of settings:
| Setting | Default | Description |
|---|---|---|
| Request information about the SMB Domain | Disabled | If enabled, the sensor queries domain users instead of local users. Enabling this setting allows plugins 10892 and 10398 to run and plugins 72684 and 10907 to query domain users. |
| **User Enumeration Methods** | | You can enable as many of the user enumeration methods as appropriate for user discovery. |
| SAM Registry | Enabled | Nessus enumerates users via the Security Account Manager (SAM) registry. |
| ADSI Query | Enabled | Nessus enumerates users via Active Directory Service Interfaces (ADSI). To use ADSI, you must configure credentials under Credentials > Miscellaneous > ADSI. |
| WMI Query | Enabled | Nessus enumerates users via Windows Management Instrumentation (WMI). |
| RID Brute Forcing | Disabled | Nessus enumerates users via relative identifier (RID) brute forcing. Enabling this setting enables the Enumerate Domain Users and Enumerate Local User settings. |
| **Enumerate Domain Users** | | |
| Start UID | 1000 | The beginning of the range of IDs in which Nessus attempts to enumerate domain users. |
| End UID | 1200 | The end of the range of IDs in which Nessus attempts to enumerate domain users. |
| **Enumerate Local User** | | |
| Start UID | 1000 | The beginning of the range of IDs in which Nessus attempts to enumerate local users. |
| End UID | 1200 | The end of the range of IDs in which Nessus attempts to enumerate local users. |
The Malware section contains the following groups of settings:
| Setting | Default | Description |
|---|---|---|
| Disable DNS resolution | Disabled | Checking this option prevents Nessus from using the cloud to compare scan findings against known malware. |
| **Hash and Allowlist Files** | | |
| Custom Netstat IP Threat List | None | A text file that contains a list of known bad IP addresses that you want to detect. Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (for example, #) in addition to comma-delimited comments. Note: Tenable does not detect private IP ranges in the text file. |
| Provide your own list of known bad MD5 hashes | None | You can upload any additional bad MD5 hashes via a text file that contains one MD5 hash per line. Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If Nessus finds any matches while scanning a target, the description appears in the scan results. You can use standard hash-delimited comments (for example, #) in addition to the comma-separated comments. |
| Provide your own list of known good MD5 hashes | None | You can upload any additional good MD5 hashes via a text file that contains one MD5 hash per line. Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If Nessus finds any matches while scanning a target and a description was provided for the hash, the description appears in the scan results. You can use standard hash-delimited comments (for example, #) in addition to the comma-separated comments. |
| Hosts file allowlist | None | Nessus checks system hosts files for signs of a compromise (for example, Plugin ID 23910, Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames that Nessus ignores during the scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file. |
| | | A .yar file containing the YARA rules to apply in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io. |
| **File System Scanning** | | |
| Scan file system | Off | Enabling this option allows you to scan system directories and files on host computers. Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation. |
| Scan %Systemroot% | Off | Enables file system scanning to scan %Systemroot%. |
| Scan %ProgramFiles% | Off | Enables file system scanning to scan %ProgramFiles%. |
| Scan %ProgramFiles(x86)% | Off | Enables file system scanning to scan %ProgramFiles(x86)%. |
| Scan %ProgramData% | Off | Enables file system scanning to scan %ProgramData%. |
| Scan User Profiles | Off | Enables file system scanning to scan user profiles. |
| Scan $PATH | Off | Enables file system scanning to scan $PATH locations. |
| Scan /home | Off | Enables file system scanning to scan /home. |
| Scan $PATH | Off | Enables file system scanning to scan $PATH locations. |
| Scan /Users | Off | Enables file system scanning to scan /Users. |
| Scan /Applications | Off | Enables file system scanning to scan /Applications. |
| Scan /Library | Off | Enables file system scanning to scan /Library. |
| Custom Filescan Directories | None | A custom file that lists the directories to be scanned by malware file scanning. In the file, list each directory on a new line. Nessus does not accept root directories (such as C:\ or /) or variables (such as %Systemroot%). |
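Three of the uploads in this table are plain-text files with format rules that are easy to get slightly wrong, and a malformed or private-range line silently weakens the malware checks rather than failing loudly. The pre-upload checker below is an added example and is not Tenable code: it applies the rules the table states for the Custom Netstat IP Threat List (an IPv4 address at the start of each line, an optional comma-separated description, `#` comments), for the known-bad and known-good MD5 lists (one 32-hex-digit hash per line, same comment rules) and for the Custom Filescan Directories file (one directory per line, no root directories or variables), and it warns on private addresses, which the note says are not detected. The function names and the sample files are constructed for this example, and its reading of "private" as RFC 1918 plus loopback and link-local is an assumption.

```python
"""Pre-upload checks for Nessus malware-scan list files.

Added example, not Tenable code. Applies the format rules stated in the
Assessment > Malware settings table to three file types; function names and
the sample file contents are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
ENV_VAR_RE = re.compile(r"%[^%]+%|\$\w+")        # %Systemroot%, $HOME, ...
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")     # C: or C:\
# Assumption: "private" means RFC 1918 plus loopback and link-local.
PRIVATE_RANGES = [ipaddress.IPv4Network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Report:
    entries: list = field(default_factory=list)   # accepted (value, description)
    errors: list = field(default_factory=list)    # (line_no, message): fix before upload
    warnings: list = field(default_factory=list)  # (line_no, message): accepted but ineffective


def _split_line(raw: str):
    """Drop a '#' comment, then split 'value,description'. None for blank lines."""
    text = raw.split("#", 1)[0].strip()
    if not text:
        return None
    value, _, desc = text.partition(",")
    return value.strip(), desc.strip()


def check_ip_threat_list(content: str) -> Report:
    """Custom Netstat IP Threat List: each line starts with an IPv4 address."""
    rep = Report()
    for no, raw in enumerate(content.splitlines(), 1):
        parsed = _split_line(raw)
        if parsed is None:
            continue
        value, desc = parsed
        try:
            addr = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            rep.errors.append((no, f"not an IPv4 address: {value!r}"))
            continue
        if any(addr in net for net in PRIVATE_RANGES):
            rep.warnings.append((no, f"{addr} is in a private range; Nessus does not detect it"))
        rep.entries.append((str(addr), desc))
    return rep


def check_md5_list(content: str) -> Report:
    """Known-bad or known-good MD5 list: one 32-hex-digit hash per line."""
    rep = Report()
    for no, raw in enumerate(content.splitlines(), 1):
        parsed = _split_line(raw)
        if parsed is None:
            continue
        value, desc = parsed
        if not MD5_RE.match(value):
            rep.errors.append((no, f"not a 32-hex-digit MD5: {value!r}"))
            continue
        rep.entries.append((value.lower(), desc))
    return rep


def check_filescan_dirs(content: str) -> Report:
    """Custom Filescan Directories: one directory per line, no roots or variables."""
    rep = Report()
    for no, raw in enumerate(content.splitlines(), 1):
        path = raw.strip()
        if not path:
            continue
        if path == "/" or DRIVE_ROOT_RE.match(path):
            rep.errors.append((no, f"root directory not accepted: {path!r}"))
        elif ENV_VAR_RE.search(path):
            rep.errors.append((no, f"variables not accepted: {path!r}"))
        else:
            rep.entries.append((path, ""))
    return rep


# Constructed sample files (documentation-range addresses, a well-known hash, made-up paths).
SAMPLE_IP_LIST = """# constructed threat list
198.51.100.7, sample C2 address
203.0.113.9   # trailing comment
10.0.0.5, internal host - not detected by Nessus
300.1.1.1, bad octet
"""
SAMPLE_MD5_LIST = """d41d8cd98f00b204e9800998ecf8427e, MD5 of the empty file
ABCDEF0123456789ABCDEF0123456789
not-a-hash
"""
SAMPLE_DIRS = """C:\\Users\\Public\\Downloads
/opt/app/bin
C:\\
%Systemroot%\\Temp
/
/home/$USER/tmp
"""

if __name__ == "__main__":
    for name, rep in (("ip list", check_ip_threat_list(SAMPLE_IP_LIST)),
                      ("md5 list", check_md5_list(SAMPLE_MD5_LIST)),
                      ("dirs", check_filescan_dirs(SAMPLE_DIRS))):
        print(f"{name}: {len(rep.entries)} ok, {len(rep.errors)} errors, {len(rep.warnings)} warnings")
        for no, msg in rep.errors + rep.warnings:
            print(f"  line {no}: {msg}")
```

Run it against the real files before uploading them; errors point at lines the scanner will not use as intended, and warnings point at entries that are syntactically fine but, per the note above, will not produce findings.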

| Setting | Default | Description |
|---|---|---|
| Use detected SIDs | Disabled | When enabled, if at least one host credential and one Oracle database credential are configured, the scanner authenticates to scan targets using the host credentials, and then attempts to detect Oracle System IDs (SIDs) locally. The scanner then attempts to authenticate using the specified Oracle database credentials and the detected SIDs. If the scanner cannot authenticate to scan targets using host credentials or does not detect any SIDs locally, the scanner authenticates to the Oracle database using the manually specified SIDs in the Oracle database credentials. |