Advanced Scan Settings

Note: If a scan is based on a policy, you cannot configure Advanced settings in the scan. You can only modify these settings in the related policy.

The Advanced settings provide increased control over scan efficiency and the operations of a scan, as well as the ability to enable plugin debugging.

Certain Tenable-provided scanner templates include preconfigured advanced settings.

If you select the Custom preconfigured setting option, or if you are using a scanner template that does not include preconfigured advanced settings, you can manually configure Advanced settings in the following categories:

Note: The following tables include settings for the Advanced Scan template. Depending on the template you select, certain settings may not be available, and default values may vary.

Setting Default Value Description
General Settings
Enable Safe Checks Enabled

When enabled, disables all plugins that may have an adverse effect on the remote host.

Stop scanning hosts that become unresponsive during the scan Disabled

When enabled, Nessus stops scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (for example, an IDS) has started to block traffic to a server. Normally, continuing scans on these machines sends unnecessary traffic across the network and delays the scan.

Scan IP addresses in a random order Disabled

By default, Nessus scans a list of IP addresses in sequential order. When this option is enabled, Nessus scans the list of hosts in a random order within an IP address range. This approach is typically useful in helping to distribute the network traffic during large scans.

Automatically accept detected SSH disclaimer prompts Disabled

When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan.

When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output.

Scan targets with multiple domain names in parallel Disabled

When disabled, to avoid overwhelming a host, Nessus does not simultaneously scan multiple targets that resolve to a single IP address. Instead, Nessus scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.

When enabled, a Nessus scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results.


Slow down the scan when network congestion is detected


When enabled, Nessus detects when it is sending too many packets and the network pipe is approaching capacity. If network congestion is detected, Nessus throttles the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Nessus automatically attempts to use the available space within the network pipe again.

Network timeout (in seconds)


Specifies the time that Nessus waits for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may want to set this to a higher number of seconds.

Max simultaneous checks per host


Specifies the maximum number of checks a Nessus scanner will perform against a single host at one time.

Max simultaneous hosts per scan

30, or the Nessus scanner advanced setting max_hosts, whichever is smaller.

Specifies the maximum number of hosts that a Nessus scanner will scan at the same time.

Max number of concurrent TCP sessions per host


Specifies the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most.

Max number of concurrent TCP sessions per scan


Specifies the maximum number of established TCP sessions for the entire scan, regardless of the number of hosts being scanned.

Debug Settings
Log scan details Disabled

Logs the start and finish time for each plugin used during a scan to nessusd.messages.

Enable plugin debugging


Attaches available debug logs from plugins to the vulnerability output of this scan.
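
Example (added here, not Tenable code): a pre-scan check that finds entries in a target list that resolve to the same IP address, which are the targets affected by the "Scan targets with multiple domain names in parallel" setting described above. The function names, the sample hostnames, and the constructed DNS table are assumptions made for illustration.

```python
import socket
from collections import defaultdict


def resolve_ipv4(name):
    """Resolve a hostname or IP literal to its IPv4 addresses using live DNS."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def shared_ip_groups(targets, resolver=resolve_ipv4):
    """Return ({ip: [targets]}, [unresolved]) for IPs reached by 2+ targets."""
    by_ip = defaultdict(list)
    unresolved = []
    for target in targets:
        try:
            addresses = resolver(target)
        except OSError:  # socket.gaierror is a subclass of OSError
            addresses = []
        if not addresses:
            unresolved.append(target)
        for ip in addresses:
            if target not in by_ip[ip]:  # ignore duplicate list entries
                by_ip[ip].append(target)
    shared = {ip: names for ip, names in by_ip.items() if len(names) > 1}
    return shared, unresolved


# Constructed sample data (documentation address range, made-up names).
SAMPLE_DNS = {
    "www.example.test": ["192.0.2.10"],
    "shop.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.25"],
    "192.0.2.10": ["192.0.2.10"],
}


def sample_resolver(name):
    """Offline stand-in for DNS so the example runs without a network."""
    if name not in SAMPLE_DNS:
        raise OSError("no such host (constructed)")
    return SAMPLE_DNS[name]


if __name__ == "__main__":
    targets = ["www.example.test", "shop.example.test", "mail.example.test",
               "192.0.2.10", "gone.example.test"]
    shared, unresolved = shared_ip_groups(targets, sample_resolver)
    for ip, names in shared.items():
        print(f"{ip}: {len(names)} targets share this address: {', '.join(names)}")
    print("unresolved:", unresolved)
```

Each IP address in the result is one that the scanner serializes when the setting is disabled and may scan in parallel when it is enabled.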