Advanced Scan Settings
Note: If a scan is based on a policy, you cannot configure Advanced settings in the scan. You can only modify these settings in the related policy.
The Advanced settings provide increased control over scan efficiency and the operations of a scan, as well as the ability to enable plugin debugging.
Certain Tenable-provided scanner templates include
If you select the Custom preconfigured setting option, or if you are using a Nessus Scanner template that does not include preconfigured advanced settings, you can manually configure Advanced settings in the following categories:
- General Settings
- Performance
- Unix Find Command Exclusions
- Agent Performance (Agent scans only)
- Windows File Search Options
- Debug Settings
- Stagger Scan Start
- Compliance Output Options
- Vulnerability Options
Note: The following tables include settings for the Advanced Scan template. Depending on the template you select, certain settings may not be available, and default values may vary.
Setting | Default Value | Description |
---|---|---|
General Settings | ||
Enable Safe Checks | Enabled |
When enabled, disables all plugins that may have an adverse effect on the remote host. |
Stop scanning hosts that become unresponsive during the scan | Disabled |
When enabled, Tenable Nessus stops scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (for example, an IDS) has started to block traffic to a server. Normally, continuing scans on these machines sends unnecessary traffic across the network and delay the scan. |
Scan IP addresses in a random order | Disabled |
By default, Tenable Nessus scans a list of IP addresses in sequential order. When this option is enabled, Tenable Nessus scans the list of hosts in a random order within an IP address range. This approach is typically useful in helping to distribute the network traffic during large scans. |
Automatically accept detected SSH disclaimer prompts | Disabled |
When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan. The scan initially sends a bad ssh request to the target in order to retrieve the supported authorization methods. This allows you to determine how to connect to the target, which is helpful when you configure a custom ssh banner and then try to determine how to connect to the host. When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output. |
Scan targets with multiple domain names in parallel | Disabled |
When disabled, to avoid overwhelming a host, When enabled, a Tenable Nessus scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results. |
Trusted CAs | none |
Determines the certificate authorities (CAs) that Tenable Nessus allows for the scan. In the Trusted CAs box, enter the text of your CA or CAs. Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----END CERTIFICATE-----. Tip: You can save more than one certificate in a single text file, including the beginning and ending text for each one. You can also determine trusted CAs at the scanner level. For more information, see Trust a Custom CA. |
Performance | ||
Slow down the scan when network congestion is detected |
Disabled |
When enabled, Tenable detects when it is sending too many packets and the network pipe is approaching capacity. If network congestion is detected, throttles the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Tenable automatically attempts to use the available space within the network pipe again. |
5 |
Specifies the time that Tenable waits for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may want to set this to a higher number of seconds. |
|
Max simultaneous checks per host |
5 |
Specifies the maximum number of checks a Tenable scanner will perform against a single host at one time. |
Max simultaneous hosts per scan |
30, or the Tenable Nessus scanner advanced setting max_hosts value, whichever is smaller. |
Specifies the maximum number of hosts that a scanner scans at the same time. If you set Max simultaneous hosts per scan to more than scanner’s max_hosts setting, Nessus caps Max simultaneous hosts per scan at the max_hosts value. For example, if you set the Max simultaneous hosts per scan to 150 and scanner's max_hosts is set to 100, with more than 100 targets, Nessus scans 100 hosts simultaneously. |
Max number of concurrent TCP sessions per host |
none |
Specifies the maximum number of established TCP sessions for a single host. |
Max number of concurrent TCP sessions per scan |
none |
Specifies the maximum number of established TCP sessions the entire scan, regardless of the number of hosts being scanned.
Note: The MAX NUMBER OF CONCURRENT TCP SESSIONS PER SCAN setting is not enforceable in a Discovery scan. The global.max_simult_tcp_sessions Nessus Engine setting (that you set on each scanner) is an absolute cap that applies across all running scans on a scanner. (For example, if you have four scanners and do not want them to generate more than 10000 simultaneous TCP sessions in total at any point in time, you can set that global setting to 2500 for each individual scanner.) |
Unix Find Command Options | ||
Command Timeout |
240 |
The maximum number of seconds the find command is allowed to run on Unix systems. Not all Find commands use this timeout. Note: For all Find command executions in the plugin to complete, and to prevent the plugin from timing out, its plugin timeout should be adjusted with timeout_<plugin ID> in the scanner's Advanced Settings, |
Exclude Filepath | none |
A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page. |
Exclude Filesystem | none |
A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page. |
Include Filepath | none |
A plain text file containing a list of filepaths to include from all plugins that search using the find command on Unix systems. In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page. Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible. Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system. |
Agent Performance Options | ||
Use Tenable supplied binaries for 'find' and 'unzip' | Disabled |
When enabled, instead of running native operating system commands of find and unzip, plugins use binaries included within the plugin feed for agent-based scanning. This allows CPU consumption to be controlled for the Tenable Nessus Agent find command. Another benefit to enabling this setting is that if find or unzip are not found natively on the operating system, using the commands from the feed allows full plugin execution with these commands to continue. This setting works in tandem with the Scan Performance setting, which you can set locally on the agent. If you enable this setting and have adjusted the Scan Performance to a setting other than the default (High), the resulting scan findings may be different than previous scans with the same configuration. This is because the scan may experience timeouts in finding files due to the lower CPU resources. Note: Due to the need for thorough and complete results, audits do not leverage the find or unzip binaries from the Tenable feed.
Note: With this setting enabled, CPU usage may spike up or close to 100% when the plugin requests a batch of results to process. The CPU then drops down to a lower level until the next batch is requested for processing. |
Windows File Search Options | ||
Windows Exclude Filepath | none |
A plain text file containing a list of filepaths to exclude from all plugins that search using Tenable's unmanaged software directory scans. In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can include absolute or relative directory names, examples such as E:\, E:\Testdir\, and \Testdir\. Tip: The default exclusion paths include \Windows\WinSxS\ and \Windows\servicing\ if you do not configure this setting. If you configure this setting, Tenable recommends adding those two paths to the file; those directories are very slow and do not contain unmanaged software. |
Windows Include Filepath | none |
A plain text file containing a list of filepaths to include from all plugins that search using Tenable's unmanaged software directory scans. In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can only include absolute directory names, examples such as E:\, E:\Testdir\, and C:\. Note: The Windows Include Filepath overrides the default included directory (for example, the drive on Windows). Therefore, if you want to include the default directory in addition to other directories, you must list the default directory in an additional filepath line.Caution: Avoid having the same filepaths in the Windows Include Filepath and Windows Exclude Filepath settings. This conflict results in the filepath being excluded from the search. |
Debug Settings | ||
Log scan details | Disabled | Logs the start and finish time for each plugin used during a scan to nessusd.messages. |
Enable plugin debugging |
Disabled |
Attaches available debug logs from plugins to the vulnerability output of this scan. |
Audit Trail Verbosity | |
Controls verbosity of the plugin audit trail. All audit trail data includes the reason why plugins were not included in the scan.
|
Include the KB | Default |
Controls whether to include the scan KB, which includes more debugging data, in the scan results. For Tenable Nessus scans, Default includes the KB. For agent scans, Default uses the global setting Include KB Data (agent_merge_kb) set in Advanced Settings. |
Enumerate launched plugins | Disabled |
Shows a list of plugins that Tenable Nessus launched during the scan. You can view the list in scan results under plugin 112154. Note: The setting does not function correctly if you disable plugin 112154. |
Stagger scan start | ||
Maximum delay (minutes) | 0 |
(Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU. If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes. |
Compliance Output Settings | ||
Maximum Compliance Output Length in KB | 128,000 KB |
Controls the maximum output length for each individual compliance check value that the target returns. If a compliance check value that is greater than this setting's value, Tenable Nessus truncates the result. Note: If you notice that your compliance scan processing is slow, Tenable recommends reducing this setting to increase the processing speed.
|
Maximum Compliance Check Timeout in Seconds | 300 seconds |
Controls the maximum timeout duration for compliance checks. This setting is used by checks with long run times, especially checks that run commands on remove targets for Windows and Unix audits. This timeout setting overrides all other timeout settings when it is available. |
Vulnerability Options | ||
Scan for unpatched vulnerabilities (no patches or mitigations available) | Disabled |
Determines whether the scan searches for unpatched vulnerabilities. This includes CVEs marked as Will Not Fix by the related vendor. Enabling this setting may increase your overall findings count; each platform and package combination results in an individual plugin. If additional CVEs are found to affect a platform and package combination, the CVEs are added to the existing plugin.
Note: If you configure a scan to produce findings for unpatched vulnerabilities and then the setting is unchecked, Tenable Nessus remediates unpatched findings in the next scan. Additionally, if multiple scans target the same device and one has enabled findings for unpatched vulnerabilities and another does not, the findings results may vary per scan. |