Advanced Settings

The Advanced Settings page allows you to configure Tenable Nessus manually. You can configure advanced settings from the Tenable Nessus user interface or from the command-line interface. Tenable Nessus validates your input values to ensure that only valid configurations are used.

Note: You need the System Administrator role to configure Tenable Nessus settings. For more information, see Users.

Tenable Nessus groups the advanced settings into the following categories:

Details

  • Advanced settings apply globally across your Tenable Nessus instance.

  • To configure advanced settings, you must use a Tenable Nessus administrator user account.
  • Tenable Nessus does not automatically update all advanced settings.
  • Changes may take several minutes to take effect.
  • Tenable Nessus indicates the settings that require restarting for the change to apply with the icon.
  • Custom policy settings supersede the global advanced settings.

User Interface

Setting | Description | Default | Valid Values | Restart Required?

Allow Post-Scan Editing (allow_post_scan_editing)

Allows a user to make edits to scan results after the scan is complete.

yes yes or no no
Disable API (disable_api) Disables the API, including inbound HTTP connections. Users cannot access Tenable Nessus via the user interface or the API.

no

yes or no

yes
Disable Frontend (disable_frontend) Disables the Tenable Nessus user interface. Users can still use the API.

no

yes or no

yes
Login Banner (login_banner)

A text banner that appears after you attempt to log in to Tenable Nessus.

Note: The banner only appears the first time you log in on a new browser or computer.

None String no

Maximum Concurrent Web Users (global.max_web_users)

Maximum web users who can connect simultaneously.

1024

Integers.

If set to 0, there is no limit.

no
Nessus Web Server IP (listen_address)

IPv4 address to listen for incoming connections. If set to 127.0.0.1, this restricts access to local connections only.

0.0.0.0 String in the format of an IP address yes
Nessus Web Server Port (xmlrpc_listen_port) The port that the Tenable Nessus web server listens on. 8834 Integers yes
UI Theme (ui_theme)

When enabled, changes user interface color theme to dark mode.

Note: The UI Theme setting may not function properly if you have SELinux enabled.

Track Os Setting Light, Dark, or Track Os Setting no
Use Mixed Vulnerability Groups (scan_vulnerability_groups_mixed) When enabled, Tenable Nessus shows the severity level as Mixed for vulnerability groups, unless all the vulnerabilities in a group have the same severity. When disabled, Tenable Nessus shows the highest severity indicator of a vulnerability in a group. yes Yes or No no
Use Vulnerability Groups (scan_vulnerability_groups) When enabled, Tenable Nessus groups vulnerabilities in scan results by common attributes, giving you a shorter list of results. yes yes or no no

Scanning

Setting | Description | Default | Valid Values | Restart Required?
Audit Trail Verbosity (audit_trail) Controls verbosity of the plugin audit trail. Full audit trails include the reason why Tenable Nessus did not include certain plugins in the scan. full full, partial, none no
Auto Enable Plugin Dependencies (auto_enable_dependencies)

Automatically activates the plugins that are depended on by other plugins. The setting does not enable plugins that are depended on by scan template settings.

If disabled, not all plugins may run despite being selected in a scan policy.

yes yes or no no
CGI Paths for Web Scans (cgi_path)

A colon-delimited list of CGI paths to use for web server scans.

/cgi-bin:/scripts

String no
Engine Thread Idle Time (engine.idle_wait) Number of seconds a scan engine remains idle before shutting itself down. 60 Integers 0-600 no
Max Plugin Output Size (plugin_output_max_size_kb)

The maximum size, in KB, of plugin output that Tenable Nessus includes in the exported scan results with the .nessus format. If the output exceeds the maximum size, Tenable Nessus truncates the output in the report.

1000

Integers.

If set to 0, there is no limit.

no
Maximum Ports in Scan Reports (report.max_ports) The maximum number of allowable ports. If there are more ports in the scan results than this value, Tenable Nessus discards the port scan results. This limit helps guard against fake targets that may have thousands of reported ports, but can also result in the deletion of valid results from the scan results database, so you may want to increase the default if this is a problem. 1024 Integers no
Maximum Ports Reported by Portscanner Plugins (portscanner.max_ports) The maximum number of ports that the Tenable Nessus port-scanning plugins can mark as open. This includes the port scanners proper and any plugin that calls NASL function scanner_add_port(). 1024 Integers 0-65535 no
Maximum Size for E-mailed Reports (attached_report_maximum_size) Specifies the maximum size, in MB, of any report attachment. If the report exceeds the maximum size, then it is not attached to the email. Tenable Nessus does not support report attachments larger than 50 MB. 25 Integers 0-50 no
Nessus Rules File Location (rules)

Location of the Tenable Nessus rules file (nessusd.rules).

The following are the defaults for each operating system:

Linux:

/opt/nessus/etc/nessus/nessusd.rules

macOS:

/Library/Nessus/run/var/nessus/conf/nessusd.rules

Windows:

C:\ProgramData\Tenable\Nessus\nessus\conf\nessusd.rules

Nessus config directory for your operating system String no
Non-Simultaneous Ports (non_simult_ports) Specifies ports against which two plugins cannot run simultaneously. 139, 445, 3389 String no
Paused Scan Timeout (paused_scan_timeout) The duration, in minutes, that a scan can remain in the paused state before Tenable Nessus terminates it. 0 Integers 0-10080 no
PCAP Snapshot Length (pcap.snaplen) The snapshot size used for packet capture; the maximum size of a captured network packet. Typically, Tenable Nessus sets this value automatically based on the scanner's NIC. However, depending on your network configuration, Tenable Nessus may truncate the packets, resulting in the following message in your scan report: "The current snapshot length of ### for interface X is too small." You can increase the length to avoid packet truncation. 0 Integers 0-262144 no
Port Range (port_range) The default range of ports that the scanner plugins probe. default

default, all, a range of ports, a comma-separated list of ports and/or port ranges.

Specify UDP and TCP ports by prefixing each range by T: or U:.

no
Reverse DNS Lookups (reverse_lookup) When enabled, Tenable Nessus identifies targets by their fully qualified domain name (FQDN) in the scan report. When disabled, the report identifies the target by hostname or IP address. no yes or no no
Safe Checks (safe_checks)

When enabled, Tenable Nessus uses safe checks, which use banner grabbing rather than active testing for a vulnerability.

yes yes or no no
Silent Plugin Dependencies (silent_dependencies) When enabled, Tenable Nessus does not include the list of plugin dependencies and their output in the report. You can select a plugin as part of a policy that depends on other plugins to run. By default, Tenable Nessus runs those plugin dependencies, but does not include their output in the report. When disabled, Tenable Nessus includes both the selected plugin and any plugin dependencies in the report. yes yes or no no
Slice Network Addresses (slice_network_addresses) If you set this option, Tenable Nessus does not scan a network incrementally (10.0.0.1, then 10.0.0.2, then 10.0.0.3, and so on) but attempts to slice the workload throughout the whole network (for example, it scans 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128, and so on). no yes or no no
System Default Severity Basis (severity_basis)

In Tenable Nessus scanners and Tenable Nessus Professional, you can choose whether Tenable Nessus calculates the severity of vulnerabilities using CVSSv2 or CVSSv3 scores (when available) by configuring your default severity base setting. In Tenable Nessus scanners and Tenable Nessus Professional, you can choose whether Tenable Nessus calculates the severity of vulnerabilities using CVSSv2, CVSSv3, or CVSSv4 scores (when available) by configuring your default severity base setting.

When you change the default severity base, the change applies to all existing scans that are configured with the default severity base. Future scans also use the default severity base.

For more information about CVSS scores and severity ranges, see CVSS Scores vs. VPR.

Note: This setting is not available for Tenable Nessus Manager.
On a new installation of Tenable Nessus: cvss_v3

On preexisting upgraded instance: cvss_v2

cvss_v2 or cvss_v3 no

Logging

Setting | Description | Default | Valid Values | Restart Required?
Log Additional Scan Details (log_details) When enabled, scan logs include the username, scan name, and current plugin name in addition to the base information. You may not see these additional details unless you also enable log_whole_attack. no yes or no no
Log Verbose Scan Details (log_whole_attack) Logs verbose details of the scan. Helpful for debugging issues with the scan, but this may be disk intensive. To add more details, enable log_details. no yes or no no
Nessus Dump File Location (dumpfile)

Location of nessusd.dump, a log file for debugging output if generated.

The following are the defaults for each operating system:

Linux:

/opt/nessus/var/nessus/logs/nessusd.dump

macOS:

/Library/Nessus/run/var/nessus/logs/nessusd.dump

Windows:

C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.dump

Nessus log directory for your operating system

String yes
Nessus Dump File Log Level (nasl_log_type)

The type of NASL engine output in nessusd.dump.

normal normal, none, trace, or full. yes
Nessus Dump File Max Files (dumpfile_max_files) The maximum number of the nessusd.dump files kept on disk. If the number exceeds the specified value, Tenable Nessus deletes the oldest dump file. 100 Integers 1-1000 yes
Nessus Dump File Max Size (dumpfile_max_size) The maximum size of the nessusd.dump files in MB. If file size exceeds the maximum size, Tenable Nessus creates a new dump file. 512 Integers 1-2048 yes
Nessus Dump File Rotation Time (dumpfile_rotation_time) Determines how often Tenable Nessus dump files are rotated in days. 1 Integers 1-365 yes
Nessus Dump File Rotation (dumpfile_rot)

Determines whether Tenable Nessus rotates dump files based on maximum rotation size or rotation time.

size

  • size - Tenable Nessus rotates dump files based on size, as specified in dumpfile_max_size.
  • time - Tenable Nessus rotates dump files based on time, as specified in dumpfile_rotation_time.

yes
Nessus Log Level (backend_log_level)

The logging level of the backend.log log file, as indicated by a set of log tags that determine what information to include in the log.

If you manually edited log.json to set a custom set of log tags for backend.log, this setting overwrites that content.

For more information, see Manage Logs.

normal
  • normal — sets log tags to log, info, warn, error, trace
  • debug — sets log tags to log, info, warn, error, trace, debug
  • verbose — sets log tags to log, info, warn, error, trace, debug, verbose
yes
Nessus Scanner Log Location (logfile)

Location where Tenable Nessus stores its scanner log file.

The following are the defaults for each operating system:

Linux:

/opt/nessus/var/nessus/logs/nessusd.messages

macOS:

/Library/Nessus/run/var/nessus/logs/nessusd.messages

Windows:

C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.messages

Nessus log directory for your operating system String yes
Log File Maximum Files (logfile_max_files) Determines the maximum number of nessusd.messages files that Tenable Nessus keeps on the disk. If the number of nessusd.messages log files exceeds the specified value, Tenable Nessus deletes the oldest log files.

Tenable Nessus — 100

Tenable Nessus Agent — 2

Integers 1-1000

yes
Log File Maximum Size (logfile_max_size) Determines the maximum size of the nessusd.messages file in MB. If the file size exceeds the maximum size, Tenable Nessus creates a new messages log file.

Tenable Nessus — 512

Tenable Nessus Agent — 10

Integers 1-2048

yes
Log File Rotation Time (logfile_rotation_time) Determines how often Tenable Nessus messages log files are rotated in days. 1 Integers 1-365 yes
Log File Rotation (logfile_rot)

Determines whether Tenable Nessus rotates messages log files based on maximum rotation size or rotation time.

size

  • size - Tenable Nessus rotates log files based on size, as specified in logfile_max_size.
  • time - Tenable Nessus rotates log files based on time, as specified in logfile_rotation_time.

yes
Scanner Metric Logging (scanner.metrics) Enables scanner performance metrics data gathering. 0

0 (off), 0x3f (full data except plugin metrics), 0x7f (full data including plugin metrics)

Note: Including plugin metrics greatly increases the size of the log file. Tenable Nessus does not automatically clean up log files.

no
Use Milliseconds in Logs (logfile_msec) When enabled, nessusd.messages and nessusd.dump log timestamps are in milliseconds. When disabled, log timestamps are in seconds. no yes or no yes

Performance

Setting | Description | Default | Valid Values | Restart Required?
Database Synchronous Setting (db_synchronous_setting)

Control how database updates are synchronized to disk.

NORMAL is faster, with some risk of data loss during unexpected system shutdowns (for example, during a power outage or crash).

FULL is safer, with some performance cost.

NORMAL NORMAL or FULL yes
Engine Logging (global.log.engine_details) When enabled, logs additional information about which scan engine you assigned each target to during scanning. no yes or no no
Global Max Hosts Concurrently Scanned (global.max_hosts)

Maximum number of hosts that Tenable Nessus can scan simultaneously across all scans.

Varies depending on hardware

Integers no
Global Max Port Scanners (global.max_portscanners) Maximum number of port scanners. 100 Integers 0-1024 no
Global Max TCP Sessions (global.max_simult_tcp_sessions) Maximum number of simultaneous TCP sessions across all scans.

50 for desktop operating systems (for example, Windows 10).

50000 for other operating systems (for example, Windows Server 2016).

Integers

no
Max Concurrent Checks Per Host (max_checks)

Maximum number of simultaneous plugins that can run concurrently on each host.

5

Integers

no
Max Concurrent Hosts Per Scan (max_hosts) Maximum number of hosts checked at one time during a scan. Varies, up to 100.

Integers.

If set to 0, defaults to 100.

no
Max Concurrent Scans (global.max_scans) Maximum number of simultaneous scans that the scanner can run. 0

Integers 0-1000

If set to 0, there is no limit.

no
Max Engine Checks (engine.max_checks)

Maximum number of simultaneous plugins that can run concurrently on a single scan engine.

64 Integers no
Max Engine Threads (engine.max) Maximum number of scan engines that run in parallel. Each scan engine scans multiple targets concurrently from one or more scans (see engine.max_hosts). 8 times the number of CPU cores on the machine Integers no
Max Hosts Per Engine Thread (engine.max_hosts) Maximum number of targets that run concurrently on a single scan engine. 16 Integers no
Max HTTP Connections (max_http_connections) The number of simultaneous connection attempts before the web server responds with HTTP code 503 (Service Unavailable, Too Many Connections). 600 Integers yes
Max HTTP Connections Hard (max_http_connections_hard)

The number of simultaneous connection attempts before the web server does not allow further connections.

3000 Integers yes
Max TCP Sessions Per Host (host.max_simult_tcp_sessions)

Maximum number of simultaneous TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if you set this option to 15, the SYN scanner sends 150 packets per second at most.

0

Integers.

If set to 0, there is no limit.

no
Max TCP Sessions Per Scan (max_simult_tcp_sessions) Maximum number of simultaneous TCP sessions for the entire scan, regardless of the number of hosts the scanner is scanning. 0

Integers 0-2000.

If set to 0, there is no limit.

no
Engine Thread Pool Minimum Size (thread_pool.min) The minimum size of the pool of threads available for use by the scan engine. You can defer asynchronous tasks to these threads, and this value controls the maximum number of threads. 2 Integers 0-100 no
Engine Thread Pool Maximum Size (thread_pool.max) The maximum size of the pool of threads available for use by the scan engine. You can defer asynchronous tasks to these threads, and this value controls the maximum number of threads. 200 Integers 0-500 no
Minimum Engine Threads (engine.min) The number of scan engines that start initially as Tenable Nessus scans the targets. After the engine reaches engine.optimal_hosts number of targets, Tenable Nessus adds more scan engines up to engine.max. 2 times the number of CPU cores on the machine Integers no
Optimal Hosts Per Engine Thread (engine.optimal_hosts) The minimum number of targets that are running on each scan engine before Tenable Nessus adds more engines (up to engine.max). 2 Integers no
Optimize Tests (optimize_test) Optimizes the test procedure. If you disable this setting, scans may take longer and typically generate more false positives. yes yes or no no
Plugin Check Optimization Level (optimization_level)

Determines the type of check that Tenable Nessus performs before a plugin runs.

If you set this setting to open_ports, then Tenable Nessus checks that required ports are open; if they are not, the plugin does not run.

If you set this setting to required_keys, then Tenable Nessus performs the open port check, and also checks that required keys (KB entries) exist, ignoring the excluded key check.

None open_ports or required_keys no
Plugin Timeout (plugins_timeout) Maximum lifetime of a plugin’s activity in seconds. 320 Integers 0-1000 no
QDB Memory Usage (qdb_mem_usage) Directs Tenable Nessus to use more or less memory when idle. If Tenable Nessus is running on a dedicated server, setting this to high uses more memory to increase performance. If Tenable Nessus is running on a shared machine, setting this to low uses considerably less memory, but has a moderate performance impact. low low or high no
Reduce TCP Sessions on Network Congestion (reduce_connections_on_congestion) Reduces the number of TCP sessions in parallel when the network appears to be congested. no yes or no no
Remediations Limit (remediations_limit)

Limits the number of remediations that Tenable Nessus generates and shows in a scan result.

500 Integers > 0 no
Scan Check Read Timeout (checks_read_timeout)

Read timeout for the sockets of the tests.

5 Integers 0-1000 no
Stop Scan on Host Disconnect (stop_scan_on_disconnect) When enabled, Tenable Nessus stops scanning a host that disconnects during the scan. no yes or no no
XML Enable Plugin Attributes (xml_enable_plugin_attributes) When enabled, Tenable Nessus includes plugin attributes in exported scans to Tenable Security Center. no yes or no no
Webserver Thread Pool Minimum Size (www.thread_pool.min) The minimum thread pool size for the webserver/backend. 2 Integers 0-100 no
Webserver Thread Pool Maximum Size (www.thread_pool.max) The maximum thread pool size for the webserver/backend. 200 Integers 0-500 no

Security

Setting | Description | Default | Valid Values | Restart Required?
Always Validate SSL Server Certificates (strict_certificate_validation)

Always validate SSL server certificates, even during initial remote link (requires manager to use a trusted root CA).

no yes or no no
Cipher Files on Disk (cipher_files_on_disk) Encipher files that Tenable Nessus writes. yes yes or no yes
Force Public Key Authentication (force_pubkey_auth) Force logins for Tenable Nessus to use public key authentication. no yes or no yes
Max Concurrent Sessions Per User (max_sessions_per_user) Maximum concurrent sessions per user. 0

Integers 0-2000.

If set to 0, there is no limit.

no
SSL Cipher List (ssl_cipher_list)

Cipher list to use for Tenable Nessus backend connections. You can use a preconfigured list of cipher strings, or enter a custom cipher list or cipher strings.

Note: This setting only sets ciphers for TLS 1.2.

compatible

  • legacy - A list of ciphers that can integrate with older and insecure browsers and APIs.
  • compatible - A list of secure ciphers that is compatible with all browsers, including Internet Explorer 11. May not include all the latest ciphers.

  • modern - A list of the latest and most secure ciphers. May not be compatible with older browsers, such as Internet Explorer 11.

  • custom - A custom OpenSSL cipher list. For more information on valid cipher list formats, see the OpenSSL documentation.
  • niap - A list of ciphers that conforms to NIAP standards.

    ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384

yes
SSL Mode (ssl_mode)

Minimum supported version of TLS.

tls_1_2
  • compat - TLS v1.0+
  • ssl_3_0 - SSL v3+
  • tls_1_1 - TLS v1.1+
  • tls_1_2 - TLS v1.2+
  • niap - TLS v1.2
yes
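
As an added example (not Tenable code), the following Python checks a set of name/value pairs against the valid values and restart flags documented in the Security table above, plus listen_address from the User Interface table. The input dictionary, the function names, and the choice of which valid values count as "weak" are assumptions of this example, not Tenable guidance.

```python
import ipaddress

# Facts copied from the tables on this page: name -> (default, restart required?)
DOCUMENTED = {
    "listen_address": ("0.0.0.0", True),
    "strict_certificate_validation": ("no", False),
    "cipher_files_on_disk": ("yes", True),
    "force_pubkey_auth": ("no", True),
    "max_sessions_per_user": ("0", False),
    "ssl_cipher_list": ("compatible", True),
    "ssl_mode": ("tls_1_2", True),
}
YES_NO = ("strict_certificate_validation", "cipher_files_on_disk", "force_pubkey_auth")
SSL_MODES = {"compat", "ssl_3_0", "tls_1_1", "tls_1_2", "niap"}
# Modes whose documented minimum is below TLS 1.2 (this example's baseline).
WEAK_SSL_MODES = {"compat": "TLS v1.0+", "ssl_3_0": "SSL v3+", "tls_1_1": "TLS v1.1+"}


def effective(settings):
    """Overlay the supplied values on the documented defaults."""
    merged = {name: default for name, (default, _) in DOCUMENTED.items()}
    merged.update({k: str(v).strip() for k, v in settings.items() if k in DOCUMENTED})
    return merged


def audit(settings):
    """Return sorted (setting, level, message); level is 'invalid' or 'weak'."""
    cfg = effective(settings)
    findings = []

    for name in YES_NO:
        if cfg[name] not in ("yes", "no"):
            findings.append((name, "invalid", f"expected yes or no, got {cfg[name]!r}"))
    if cfg["strict_certificate_validation"] == "no":
        findings.append(("strict_certificate_validation", "weak",
                         "SSL server certificates are not always validated"))
    if cfg["cipher_files_on_disk"] == "no":
        findings.append(("cipher_files_on_disk", "weak",
                         "files written by Nessus are not enciphered"))

    mode = cfg["ssl_mode"]
    if mode not in SSL_MODES:
        findings.append(("ssl_mode", "invalid", f"unknown mode {mode!r}"))
    elif mode in WEAK_SSL_MODES:
        findings.append(("ssl_mode", "weak", f"minimum version is {WEAK_SSL_MODES[mode]}"))

    if not cfg["ssl_cipher_list"]:
        findings.append(("ssl_cipher_list", "invalid", "empty cipher list"))
    elif cfg["ssl_cipher_list"] == "legacy":
        findings.append(("ssl_cipher_list", "weak",
                         "preset targets older and insecure browsers and APIs"))

    try:
        sessions = int(cfg["max_sessions_per_user"])
    except ValueError:
        sessions = None
    if sessions is None or not 0 <= sessions <= 2000:
        findings.append(("max_sessions_per_user", "invalid", "expected integer 0-2000"))
    elif sessions == 0:
        findings.append(("max_sessions_per_user", "weak", "0 means no session limit"))

    try:
        addr = ipaddress.IPv4Address(cfg["listen_address"])
    except ValueError:
        findings.append(("listen_address", "invalid", "not an IPv4 address"))
    else:
        if addr.is_unspecified:
            findings.append(("listen_address", "weak",
                             "0.0.0.0 accepts connections on every interface"))
    return sorted(findings)


def restart_needed(changed):
    """Names in `changed` that the tables mark as requiring a restart."""
    return sorted(n for n in changed if DOCUMENTED.get(n, (None, False))[1])


# Constructed sample input, not taken from a real scanner.
SAMPLE = {
    "listen_address": "10.0.0.5",
    "ssl_mode": "tls_1_1",
    "ssl_cipher_list": "legacy",
    "strict_certificate_validation": "yes",
    "max_sessions_per_user": "5000",
}

if __name__ == "__main__":
    for name, level, message in audit(SAMPLE):
        print(f"{level:8} {name}: {message}")
    print("restart required for:", restart_needed(SAMPLE))
```

Settings missing from the input are evaluated at their documented defaults, so an empty input reports how a default installation compares with this example's baseline.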

Agents & Scanners

Note: The following settings are only available in Tenable Nessus Manager.

Name | Setting | Description | Default | Valid Values | Restart Required?
Agent Auto Delete agent_auto_delete Controls whether agents are automatically deleted after they have been inactive for the duration of time set for agent_auto_delete_threshold. no yes or no no
Agent Auto Delete Threshold agent_auto_delete_threshold The number of days after which inactive agents are automatically deleted if agent_auto_delete is set to yes. 60 Integers 1-365 no
Agent Auto Unlink agent_auto_unlink

Controls whether agents are automatically unlinked after they have been inactive for the duration of time set for agent_auto_unlink_threshold.

no yes or no no
Agent Auto Unlink Threshold agent_auto_unlink_threshold

The number of days after which inactive agents are automatically unlinked if agent_auto_unlink is set to yes.

Note: This value must be less than the agent_auto_delete_threshold.

30 Integers 30-90 no
Agents Progress agents_progress_viewable When a scan gathers information from agents, Tenable Nessus Manager does not show detailed agents information if the number of agents exceeds this setting. Instead, a message indicates that results are being gathered and will be viewable when the scan is complete. 100

Integers.

If set to 0, this defaults to 100.

no
Automatically Download Agent Updates agent_updates_from_feed

When enabled, new Tenable Nessus Agent software updates are automatically downloaded.

yes yes or no yes
Concurrent Agent Software Updates cloud.manage.download_max The maximum concurrent agent update downloads. 10 Integers no
Include Audit Trail Data agent_merge_audit_trail

Controls whether or not agent scan result audit trail data is included in the main agent database. Excluding audit trail data can significantly improve agent result processing performance.

If this setting is set to false, the Audit Trail Verbosity setting in an individual scan or policy defaults to No audit trail.

false true or false no
Include KB Data agent_merge_kb

Includes the agent scan result KB data in the main agent database. Excluding KB data can significantly improve agent result processing performance.

If this setting is set to false, the Include the KB setting in an individual scan or policy defaults to Exclude KB.

false true or false no
Result Processing Journal Mode agent_merge_journal_mode

Sets the journaling mode to use when processing agent results. Depending on the environment, this can somewhat improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation.

DELETE MEMORY, TRUNCATE, or DELETE no
Result Processing Sync Mode agent_merge_synchronous_setting

Sets the filesystem sync mode to use when processing agent results. Turning this off will significantly improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation.

FULL OFF, NORMAL, or FULL no
Track Unique Agents track_unique_agents When enabled, Tenable Nessus Manager checks if MAC addresses of agents trying to link match MAC addresses of currently linked agents with the same hostname, platform, and distro. Tenable Nessus Manager deletes duplicates that it finds. no yes or no no

Cluster

Note: The following settings are only available in Tenable Nessus Manager with clustering enabled.

Setting | Description | Default | Valid Values
Agent Blacklist Duration Days (agent_blacklist_duration_days)

The number of days that an agent remains blocked from relinking to a cluster node.

For example, Tenable Nessus blocks an agent if it tries to link with a UUID that matches an existing agent in a cluster.

Note: Tenable Nessus blocks an agent after Tenable Nessus deletes or removes the agent due to inactivity. However, Tenable Nessus places the agent back in good standing if an administrator manually unlinks and relinks the agent.

7

Integers > 0

Agent Clustering Scan Cutoff (agent_cluster_scan_cutoff) Tenable Nessus aborts scans after running this many seconds without a child node update. 3600 Integers > 299
Agent Node Global Maximum Default (agent_node_global_max_default)

The global default maximum number of agents allowed per cluster node.

If you set an individual maximum for a child node, that setting overrides this setting.

10000 Integers 0-20000

Miscellaneous

Setting | Description | Default | Valid Values | Restart Required?
Allow Special Characters in User Names (allow_special_chars_in_username) Determines whether Tenable Nessus usernames can include parentheses: ( and ). true true or false no
Automatic Update Delay (auto_update_delay) Number of hours that Tenable Nessus waits between automatic updates. 24

Integers > 0

no
Automatic Updates (auto_update)

Automatically updates plugins. If you enable this setting and register Tenable Nessus, Tenable Nessus automatically gets the newest plugins from Tenable when they are available. If your scanner is on an isolated network that is not able to reach the internet, disable this setting.

Note: This setting does not work for Tenable Nessus scanners that you connected to Tenable Vulnerability Management. Scanners linked to Tenable Vulnerability Management automatically receive updates from cloud.tenable.com. For more information, see the knowledge base article.

yes yes or no yes
Automatically Update Nessus (auto_update_ui)

Automatically download and apply Tenable Nessus updates.

Note: This setting does not work for Tenable Nessus scanners that you connected to Tenable Vulnerability Management. Scanners linked to Tenable Vulnerability Management automatically receive updates from cloud.tenable.com. For more information, see the knowledge base article.

yes yes or no no
Child Node Port (child_node_listen_port) Allows Tenable Nessus child nodes to communicate to the parent node on a different port. none Any valid port value yes
Initial Sleep Time (ms_agent_sleep) (Tenable Nessus Manager only) Sleep time between managed scanner and agent requests. You can override this setting in Tenable Nessus Manager or Tenable Vulnerability Management. 30 Integers 5-3300 no
Java Heap Size (java_heap_size)

Determines the Java heap size (the system memory used to store objects instantiated by applications running on the Java virtual machine) that Tenable Nessus uses when exporting PDF reports.

auto auto or Integers > 0 yes
Max HTTP Client Requests (max_http_client_requests) Determines the maximum number of concurrent outbound HTTP connections on managed scanners and agents. 4 Integers > 0 yes
Nessus Debug Port (dbg_port) The port on which nessusd listens for ndbg client connections. If left empty, Tenable Nessus does not establish a debug port. None String in one of the following formats: port or localhost:port or ip:port no
Nessus Preferences Database (config_file)

Location of the configuration file that contains the engine preference settings.

The following are the defaults for each operating system:

Linux:

/opt/nessus/etc/nessus/nessusd.db

macOS:

/Library/Nessus/run/etc/nessus/conf/nessusd.db

Windows:

C:\ProgramData\Tenable\Nessus\conf\nessusd.db

Tenable Nessus database directory for your operating system String yes
Non-User Scan Result Cleanup Threshold (report_cleanup_threshold_days) The age threshold (in days) for removing old system-user scan reports. 30 Integers > 0 no
Old User Files Cleanup (old_user_files_cleanup_hours) The number of hours after which Tenable Nessus removes old user files from the file system. If set to 0, Tenable Nessus does not perform a cleanup. 0 Integers > 0 no
Orphaned Scan History Cleanup (orphaned_scan_cleanup_days)

The number of days after which Tenable Nessus removes orphaned Tenable Security Center scans. For example, an orphaned scan could be a scan executed via Tenable Security Center that was not properly removed.

If set to 0, Tenable Nessus does not perform a cleanup.

Note: This setting only applies to network scans launched from Tenable Security Center. It does not apply to agent or web application scans.

30 Integers > 0 no
Packet Capture Archive Cleanup (packet_capture_archive_cleanup_days) The number of days after which Tenable Nessus removes packet capture archives from the filesystem. If set to 0, Tenable Nessus does not perform a cleanup. 30 Integers > 0 no
Plugin Integrity Check Frequency (Minutes) (plugin_healthcheck_frequency) Determines the frequency, in minutes, at which Tenable Nessus runs a full plugin integrity check. 10080 Integers 1440-10080 yes
Remote Scanner Port (remote_listen_port) This setting allows Tenable Nessus to operate on different ports: one dedicated to communicating with remote agents and scanners (comms port) and the other for user logins (management port). By adding this setting, you can link your managed scanners and agents to a different port (for example, 9000) instead of the port defined in xmlrpc_listen_port (default 8834). None Integer yes
Report Crashes to Tenable (report_crashes) When enabled, Tenable Nessus sends crash information to Tenable, Inc. automatically to identify problems. Tenable Nessus does not send personal or system-identifying information to Tenable, Inc. yes yes or no no
Scan Source IP(s) (source_ip) Source IPs to use when running on a multi-homed host. If you provide multiple IPs, Tenable Nessus cycles through them whenever it performs a new connection. None IP address or comma-separated list of IP addresses. yes
Send Telemetry (send_telemetry)

When enabled, Tenable Nessus periodically and securely sends non-confidential product usage data to Tenable.

Usage statistics include, but are not limited to, data about your visited pages within the Tenable Nessus interface, your used reports and dashboards, your Tenable Nessus license, and your configured features. Tenable uses the data to improve your user experience in future Tenable Nessus releases. You can disable this option at any time to stop sharing usage statistics with Tenable.

yes yes or no yes
User Scan Result Deletion Threshold (scan_history_expiration_days)

The number of days after which Tenable Nessus deletes the scan history and data for completed scans permanently.

Note: This setting affects any scanner, agent, and web application scans launched from Tenable Security Center.

0

0 or integers larger than or equal to 3.

If set to 0, Tenable Nessus retains the history.

no
Windows Minidump (windows_minidump) Determines whether Tenable Nessus generates a Windows minidump file in the log folder if Tenable Nessus for Windows crashes. no yes or no no

Custom

Not all advanced settings are populated in the Tenable Nessus user interface, but you can set some settings in the command-line interface. If you create a custom setting, it appears in the Custom tab.

The following table lists the advanced settings that you can configure, even though Tenable Nessus does not list them by default.

Identifier | Description | Default | Valid Values
acas_classification

Adds a classification banner to the top and bottom of the Tenable Nessus user interface, and turns on last successful and failed login notification.

None UNCLASSIFIED (green banner), CONFIDENTIAL (blue banner), SECRET (red banner), or a custom value (orange banner).
multi_scan_same_host

When disabled, to avoid overwhelming a host, Tenable Vulnerability Management prevents a single scanner from simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable Vulnerability Management scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.

When enabled, a Tenable Vulnerability Management scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but scan targets could potentially become overwhelmed, causing timeouts and incomplete results.

no yes or no
merge_plugin_results

Supports merging plugin results for plugins that generate multiple findings with the same host, port, and protocol. Tenable recommends enabling this option for scanners linked to Tenable Security Center.

no yes or no
nessus_syn_scanner.global_throughput.max Sets the max number of SYN packets that Tenable Nessus sends per second during its port scan (no matter how many hosts Tenable Nessus scans in parallel). Adjust this setting based on the sensitivity of the remote device to large numbers of SYN packets. 65536 Integers
login_banner

A text banner that appears after you attempt to log in to Tenable Nessus. The banner only appears the first time you log in on a new browser or computer.

None String

timeout.<plugin ID>

Enter the plugin ID in place of <plugin ID>. The maximum time, in seconds, that Tenable Nessus permits plugin <plugin ID> to run before Tenable Nessus stops it. If you set this option for a plugin, this value supersedes plugins_timeout. None Integers 0-86400