Discovery Scan Settings

The Discovery scan settings relate to discovery and port scanning, including port ranges and methods.

Note: Configuration items that are required by a particular scan or policy are indicated in the Nessus interface.

The Discovery settings include the following sections:

The following tables list by section all available settings. When you select any template other than Advanced Network Scan, the Scan Type setting also appears.

Scan Type

The Scan Type setting appears for all templates that have Discovery settings, except Advanced Network Scan. The options that are available for the Scan Type setting vary from template to template. The following table describes the options that are available per template. If a template is not listed in the table, no Discovery settings are available for that template.

The Nessus user interface provides descriptions of each option.

Note: When Custom is selected, the following sections appear: Host Discovery, Port Scanning, and Service Discovery.

Template Available Options

Badlock Detection

Bash Shellshock Detection

DROWN Detection

Four options are available:

  • Quick
  • Normal (default)
  • Thorough
  • Custom

Basic Network Scan

Basic Web App Scan

Credentialed Patch Audit

Internal PCI Network Scan

Web Application Tests

Three options are available:

  • Port scan (common ports) (default)
  • Port scan (all ports)
  • Custom
Host Discovery

Five options are available:

  • Host enumeration (default)
  • OS Identification
  • Port scan (common ports)
  • Port scan (all ports)
  • Custom
Malware Scan

Three options are available:

  • Host enumeration (default)
  • Host enumeration (include fragile hosts)
  • Custom
Policy Compliance Auditing

Two options are available:

  • Default (default)
  • Custom
SCAP and OVAL Auditing

Two options are available:

  • Host enumeration (default)
  • Custom

Host Discovery

By default, some settings in the Host Discovery section are enabled. When you first access the Host Discovery section, the Ping the remote host item appears and is set to On.

The Host Discovery section includes the following groups of settings:

Setting Default Value Description
Ping the remote host On

This option enables Nessus to ping remote hosts on multiple ports to determine if they are alive. When set to On, General Settings and Ping Methods appear.

Note: To scan VMware guest systems, Ping the remote host must be set to Off.

General Settings

Use Fast Network Discovery


If a host responds to ping, Nessus attempts to avoid false positives, performing additional tests to verify the response did not come from a proxy or load balancer. Fast network discovery bypasses those additional tests.

Ping Methods



Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.



Ping a host using TCP.

Destination ports (TCP)


Destination ports can be configured to use specific ports for TCP ping. This specifies the list of ports that are checked via TCP ping.

Type one of the following: built-in, a single port, or a comma-separated list of ports.

For more information about which ports built-in specifies, see the knowledge base article.



Ping a host using the Internet Control Message Protocol (ICMP).

Assume ICMP unreachable from the gateway means the host is down Disabled

Assume ICMP unreachable from the gateway means the host is down When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When this option is enabled, when Nessus receives an ICMP Unreachable message, it considers the targeted host dead. This is to help speed up discovery on some networks.

Note: Some firewalls and packet filters use this same behavior for hosts that are up, but connected to a port or protocol that is filtered. With this option enabled, this leads to the scan considering the host is down when it is indeed up.

Maximum number of retries 2

Specifies the number of attempts to retry pinging the remote host.


Disabled Ping a host using the User Datagram Protocol (UDP).
UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.
Fragile Devices

Scan Network Printers


When enabled, Nessus scans network printers.

Scan Novell Netware hosts


When enabled, Nessus scans Novell NetWare hosts.

Scan Operational Technology devices Disabled When enabled, Nessus performs a full scan of Operational Technology (OT) devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor environmental factors and the activity and state of machinery. When disabled, Nessus uses ICS/SCADA Smart Scanning to cautiously identify OT devices and stops scanning them once they are discovered.

List of MAC Addresses


The Wake-on-LAN (WOL) menu controls which hosts to send WOL magic packets to before performing a scan.

Hosts that you want to start prior to scanning are provided by uploading a text file that lists one MAC address per line.

For example:



Boot time wait (in minutes)


The amount of time to wait for hosts to start before performing the scan.

Network Type

Network Type

Mixed (use RFC 1918)

Specifies if you are using publicly routable IPs, private non-internet routable IPs, or a mix of these.

This setting has three options:

  • Mixed (use RFC 1918)
  • Private LAN
  • Public WAN (internet)

The default value, Mixed, should be selected if you are using RFC 1918 addresses and have multiple routers within your network.

Port Scanning

The Port Scanning section includes settings that define how the port scanner behaves and which ports to scan.

The Port Scanning section includes the following groups of settings:

Setting Default Value Description
Consider Unscanned Ports as Closed Disabled

If a port is not scanned with a selected port scanner (for example, the port falls outside of the specified range), Nessus considers it closed.

Port Scan Range Default

Two keywords can be typed into the Port scan range box.

  • default instructs Nessus to scan approximately 4,790 commonly used ports. The list of ports can be found in the nessus-services file.
  • all instructs Nessus to scan all 65,536 ports, including port 0.

Additionally, you can type a custom range of ports by using a comma-delimited list of ports or port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200. If you wanted to scan all ports excluding port 0, you would type 1-65535.

The custom range specified for a port scan is applied to the protocols you have selected in the Network Port Scanners group of settings.

If scanning both TCP and UDP, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would type T:1-1024,U:300-500.

You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example, 1-1024,T:1024-65535,U:1025.

Local Port Enumerators
SSH (netstat) Enabled

This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Linux-based systems and requires authentication credentials.

WMI (netstat) Enabled

A WMI-based scan uses netstat to determine open ports.

Note: If enabled, any custom range typed in the Port Scan Range box is ignored.

If any port enumerator (netstat or SNMP) is successful, the port range becomes all. Nessus still treats unscanned ports as closed if the Consider unscanned ports as closed check box is selected.

SNMP Enabled

When enabled, if the appropriate credentials are provided by the user, Nessus can better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Only run network port scanners if local port enumeration failed Enabled

Rely on local port enumeration first before relying on network port scans.

Verify open TCP ports found by local port enumerators Disabled

If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus also verifies that it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).

Network Port Scanners
TCP Disabled

On some platforms (e.g., Windows and Mac OS X), enabling this scanner causes Nessus to use the SYN scanner to avoid serious performance issues native to those operating systems.

Override automatic firewall detection Disabled

When enabled, this setting overrides automatic firewall detection.

This setting has three options:

  • Use aggressive detection attempts to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network.
  • Use soft detection disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device.

  • Disable detection disables the Firewall detection feature.

This description also applies to the Override automatic firewall detection setting that is available following SYN.

SYN Enabled

Use the Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans are generally considered to be less intrusive than TCP scans depending on the security monitoring device, such as a firewall or Intrusion Detection System (IDS). The scanner sends a SYN packet to the port, waits for SYN-ACK reply, and determines the port state based on a reply or lack of reply.

UDP Disabled

This option engages Nessus built-in UDP scanner to identify open UDP ports on the targets.

Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the netstat or SNMP port enumeration options instead if possible.

Service Discovery

The Service Discovery section includes settings that attempt to map each open port with the service that is running on that port.

The Service Discovery section includes the following groups of settings:


Default Value

General Settings
Probe all ports to find services Enabled

Attempts to map each open port with the service that is running on that port.

Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects.

Search for SSL based services On

Controls how Nessus will test SSL-based services.

Caution: Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL/TLS Services (enabled)
Search for SSL/TLS on Known SSL/TLS ports

This setting has two options:

  • Known SSL/TLS ports
  • All ports
Identify certificates expiring within x days 60

Identifies SSL and TLS certificates that are within the specified number of days of expiring.

Enumerate all SSL ciphers True

When enabled, Nessus ignores the list of ciphers advertised by SSL/TLS services and enumerates them by attempting to establish connections using all possible ciphers.

Enable CRL checking (connects to internet) False When enabled, Nessus checks that none of the identified certificates have been revoked.