Assessment Scan Settings
The Assessment scan settings are used for configuring how a scan identifies vulnerabilities, as well as what vulnerabilities are identified. This includes identifying malware, assessing the vulnerability of a system to brute force attacks, and the susceptibility of web applications.
The Assessment settings include the following sections:
The Nessus interface provides descriptions of each option. The Custom option displays different Assessment settings depending on the selected template.
- Basic Network Scan
- Basic Web App Scan
- Internal PCI Network Scan
Four options are available:
| Setting | Default | Description |
|---|---|---|
| Modbus/TCP Coil Access | | Modbus uses a function code of 1 to read coils in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message. |
| Start at Register | | The register at which to start scanning. |
| End at Register | 16 | The register at which to stop scanning. |
| ICCP/COTP TSAP Addressing Weakness | | The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Point (TSAP) value on an ICCP server by trying possible values. |
| Start COTP TSAP | 8 | Specifies the starting TSAP value to try. |
| Stop COTP TSAP | 8 | Specifies the ending TSAP value to try. All values between the Start and Stop values are tried. |
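The coil-access description above is easier to reason about with the protocol in front of you. The following is an added example (not Nessus code and not part of the original page) that decodes Modbus/TCP frames using the public MBAP framing and flags, from a monitoring point of view, any write-coil request and any read-coil request overlapping a watched register range, mirroring the Start at Register / End at Register pair. The frame bytes are constructed for the example; the function names and the alert format are this example's own.

```python
import struct

# Modbus function codes for coil access (public Modbus specification values).
READ_COILS = 0x01
WRITE_SINGLE_COIL = 0x05
WRITE_MULTIPLE_COILS = 0x0F
COIL_FUNCTIONS = {READ_COILS, WRITE_SINGLE_COIL, WRITE_MULTIPLE_COILS}


def build_frame(transaction_id, unit_id, pdu):
    """Wrap a PDU in an MBAP header; used here only to construct sample traffic."""
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def decode_modbus_tcp(frame):
    """Decode the MBAP header and, for coil functions, the request fields.

    Raises ValueError for anything that does not parse as Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame length")
    fc = frame[7]
    body = frame[8:]
    info = {"transaction_id": tid, "unit_id": unit, "function_code": fc, "write": False}
    if fc in COIL_FUNCTIONS:
        if len(body) < 4:
            raise ValueError("truncated coil request")
        first, second = struct.unpack(">HH", body[:4])
        if fc == READ_COILS:
            # first = starting coil, second = number of coils requested
            info.update(start=first, end=first + second - 1)
        elif fc == WRITE_SINGLE_COIL:
            # first = coil address, second = 0xFF00 (on) or 0x0000 (off)
            info.update(start=first, end=first, value=(second == 0xFF00), write=True)
        else:
            # write multiple coils: first = starting coil, second = coil count
            info.update(start=first, end=first + second - 1, write=True)
    return info


def flag_coil_access(frames, watch_start, watch_end):
    """Return (index, kind, detail) tuples worth reviewing: every coil write,
    plus any coil read that overlaps the watched register range."""
    alerts = []
    for i, frame in enumerate(frames):
        try:
            info = decode_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append((i, "malformed", str(exc)))
            continue
        if info["function_code"] not in COIL_FUNCTIONS:
            continue
        span = f"coils {info['start']}-{info['end']} on unit {info['unit_id']}"
        if info["write"]:
            alerts.append((i, "write", span))
        elif info["start"] <= watch_end and info["end"] >= watch_start:
            alerts.append((i, "read", span))
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE_FRAMES = [
    build_frame(1, 1, bytes([READ_COILS]) + struct.pack(">HH", 0, 16)),            # read coils 0-15
    build_frame(2, 1, bytes([WRITE_SINGLE_COIL]) + struct.pack(">HH", 3, 0xFF00)),  # set coil 3 on
    build_frame(3, 1, bytes([READ_COILS]) + struct.pack(">HH", 100, 8)),           # read coils 100-107
    build_frame(4, 1, bytes([0x03]) + struct.pack(">HH", 0, 10)),                  # read holding registers
]

if __name__ == "__main__":
    for alert in flag_coil_access(SAMPLE_FRAMES, 0, 16):
        print(alert)
```

Run stand-alone it reports the read of coils 0-15 (inside the watched range 0-16) and the write to coil 3; the read at 100-107 and the holding-register request are left alone. Feeding it frames from a packet capture instead of the constructed list is the only change needed to use it for review.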
By default, web applications are not scanned. When you first access the Web Application section, the Scan Web Applications setting appears and is set to Off. To modify the Web Application settings listed in the following table, click the Off button. The rest of the settings appear.
The Web Applications section includes the following groups of settings:
| Setting | Default | Description |
|---|---|---|
| Disable DNS resolution | Disabled | Checking this option prevents Nessus from using the cloud to compare scan findings against known malware. |
| Hash and Whitelist Files | | |
| Custom Netstat IP Threat List | None | A text file that contains a list of known bad IP addresses that you want to detect. Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments. |
| Provide your own list of known bad MD5 hashes | None | Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, the description appears in the scan results. Hash-delimited comments (e.g., #) can also be used in addition to the comma-delimited ones. |
| Provide your own list of known good MD5 hashes | None | Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description appears in the scan results. Standard hash-delimited comments (e.g., #) can optionally be used in addition to the comma-delimited ones. |
| Hosts file whitelist | None | Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910 titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames to be ignored by Nessus during a scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file. |
| | | A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io. |
| Setting | Default | Description |
|---|---|---|
| File System Scanning | | |
| Scan file system | Off | Enabling this option allows you to scan system directories and files on host computers. Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation. |
| Scan %Systemroot% | Off | Enables file system scanning to scan %Systemroot%. |
| Scan %ProgramFiles% | Off | Enables file system scanning to scan %ProgramFiles%. |
| Scan %ProgramFiles(x86)% | Off | Enables file system scanning to scan %ProgramFiles(x86)%. |
| Scan %ProgramData% | Off | Enables file system scanning to scan %ProgramData%. |
| Scan User Profiles | Off | Enables file system scanning to scan user profiles. |
| Scan $PATH | Off | Enables file system scanning to scan $PATH locations. |
| Scan /home | Off | Enables file system scanning to scan /home. |
| Scan $PATH | Off | Enables file system scanning to scan $PATH locations. |
| Scan /Users | Off | Enables file system scanning to scan /Users. |
| Scan /Applications | Off | Enables file system scanning to scan /Applications. |
| Scan /Library | Off | Enables file system scanning to scan /Library. |
| Custom Filescan Directories | None | A custom file that lists directories to be scanned by malware file scanning. In the file, list each directory on a new line. Root directories such as 'C:\' or '/' are not accepted, nor are variables such as %Systemroot%. |
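Three of the upload files described on this page have a line format the scanner expects: the Custom Netstat IP Threat List (one IPv4 address per line, optional comma-separated description, # comments), the known-bad and known-good MD5 lists (one hash per line, same comment rules), and the Custom Filescan Directories file (one directory per line, no root directories, no variables). The following is an added example, not Nessus code and not from the original page, that checks a file against those rules before it is uploaded so that a malformed line is caught locally rather than silently ignored or rejected by the scan. Two points go beyond the page and are assumptions: a '#' is treated as starting a comment anywhere on a line, and '$VAR'-style variables are rejected in the directory list alongside the '%Systemroot%' form the page names. All sample inputs are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class ListReport:
    entries: list = field(default_factory=list)  # (value, description) pairs that passed
    errors: list = field(default_factory=list)   # (line_number, message) pairs


def _split_entry(raw):
    """Strip a '#' comment, then split value and optional description at the first comma.
    Assumption: '#' starts a comment anywhere on the line, not only at column 0."""
    text = raw.split("#", 1)[0].strip()
    if not text:
        return None, ""
    value, _, description = text.partition(",")
    return value.strip(), description.strip()


def parse_ip_threat_list(text):
    """Custom Netstat IP Threat List: one IPv4 address per line, optional ', description'."""
    report = ListReport()
    for number, raw in enumerate(text.splitlines(), start=1):
        value, description = _split_entry(raw)
        if value is None:
            continue
        try:
            address = ipaddress.IPv4Address(value)  # rejects IPv6 and non-addresses
        except ValueError:
            report.errors.append((number, f"not an IPv4 address: {value!r}"))
            continue
        report.entries.append((str(address), description))
    return report


MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_md5_list(text):
    """Known-bad or known-good MD5 list: one 32-hex-digit hash per line, optional ', description'."""
    report = ListReport()
    for number, raw in enumerate(text.splitlines(), start=1):
        value, description = _split_entry(raw)
        if value is None:
            continue
        if not MD5_RE.match(value):
            report.errors.append((number, f"not a 32-hex-digit MD5: {value!r}"))
            continue
        report.entries.append((value.lower(), description))
    return report


ROOT_RE = re.compile(r"^(?:[A-Za-z]:\\?|/)$")  # 'C:\' or '/' style roots, rejected per the page
VAR_RE = re.compile(r"%[^%]+%|\$[A-Za-z_]")     # %Systemroot% per the page; $VAR is an assumption


def parse_filescan_dirs(text):
    """Custom Filescan Directories: one directory per line, no roots, no variables.
    The page documents no comment syntax for this file, so none is applied."""
    report = ListReport()
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if ROOT_RE.match(line):
            report.errors.append((number, f"root directory not accepted: {line!r}"))
        elif VAR_RE.search(line):
            report.errors.append((number, f"variables are not accepted: {line!r}"))
        else:
            report.entries.append((line, ""))
    return report


# Constructed sample files (documentation-range addresses, not real indicators).
SAMPLE_IP_LIST = """\
# constructed sample, not a real threat feed
203.0.113.5, suspected C2 (constructed)
198.51.100.7
not-an-ip, bad line
2001:db8::1, IPv6 is not accepted here
"""

SAMPLE_MD5_LIST = """\
d41d8cd98f00b204e9800998ecf8427e, empty-file hash (constructed label)
0123456789ABCDEF0123456789ABCDEF # trailing comment
deadbeef, too short
"""

SAMPLE_DIRS = """\
C:\\Users\\Public\\Downloads
/opt/app/uploads
C:\\
/
%Systemroot%\\Temp
$HOME/bin
"""

if __name__ == "__main__":
    for name, report in [("ip", parse_ip_threat_list(SAMPLE_IP_LIST)),
                         ("md5", parse_md5_list(SAMPLE_MD5_LIST)),
                         ("dirs", parse_filescan_dirs(SAMPLE_DIRS))]:
        print(name, len(report.entries), "accepted;", report.errors)
```

Each parser returns both the accepted entries and the offending line numbers, so a pre-upload check can print exactly which lines to fix; hashes are normalised to lowercase so the same file can be diffed against other tooling's output.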