Advanced Scan Settings

The Advanced scan settings provide increased control over scan efficiency and the operations of a scan, as well as the ability to enable plugin debugging.

The Advanced settings include the following sections:

Scan Type

The Scan Type setting appears for the following templates:

  • Basic Network Scan
  • Basic Web App Scan
  • Credentialed Patch Audit
  • Internal PCI Network Scan
  • Malware Scan
  • PCI Quarterly External Scan
  • Policy Compliance Auditing
  • SCAP and OVAL Auditing

All templates that include the Scan Type setting have the same options:

  • Default
  • Scan low bandwidth links
  • Custom

The Nessus interface provides descriptions of each option.

Note: When Custom is selected, the General section appears. The General section includes the settings that appear in the following table.

The following table includes the default values for the Advanced Network Scan template. Depending on the template you select, certain default values may vary.

| Setting | Default Value | Description |
|---|---|---|
| General Settings | | |
| Enable Safe Checks | Enabled | When enabled, disables all plugins that may have an adverse effect on the remote host. |
| Stop scanning hosts that become unresponsive during the scan | Disabled | When enabled, Nessus stops scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (for example, an IDS) has started to block traffic to a server. Normally, continuing scans on these machines sends unnecessary traffic across the network and delays the scan. |
| Scan IP addresses in a random order | Disabled | By default, Nessus scans a list of IP addresses in sequential order. When enabled, Nessus scans the list of hosts in a random order within an IP address range. This is typically useful in helping to distribute the network traffic during large scans. |
| Slow down the scan when network congestion is detected | | This enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity. If detected, Nessus throttles the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Nessus automatically attempts to use the available space within the network pipe again. |
| Network timeout (in seconds) | 5 | Specifies the time that Nessus waits for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may want to set this to a higher number of seconds. |
| Max simultaneous checks per host | 5 | Specifies the maximum number of checks a Nessus scanner will perform against a single host at one time. |
| Max simultaneous hosts per scan | 30, or the Nessus scanner advanced setting max_hosts, whichever is smaller. | Specifies the maximum number of hosts that a Nessus scanner will scan at the same time. |
| Max number of concurrent TCP sessions per host | none | Specifies the maximum number of established TCP sessions for a single host. This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most. |
| Max number of concurrent TCP sessions per scan | | This setting limits the maximum number of established TCP sessions for the entire scan, regardless of the number of hosts being scanned. |
| Unix find command exclusions | | |
| Custom filepath exclusions for Unix find command | none | A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page. |
| Custom filesystem exclusions for Unix find command | none | A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page. |
| Debug Settings | | |
| Log scan details | Disabled | Logs the start and finish time for each plugin used during a scan to nessusd.messages. |
| Enable plugin debugging | | Attaches available debug logs from plugins to the vulnerability output of this scan. |
| Audit Trail Verbosity | Default | Controls verbosity of the plugin audit trail. All audit trail data includes the reason why plugins were not included in the scan. Default uses the audit trail verbosity global setting set in Advanced Settings. For Nessus scans, the scan uses the advanced setting Audit Trail Verbosity (audit_trail). For agent scans, the scan uses the advanced setting Include Audit Trail Data (agent_merge_audit_trail). |
| Include the KB | Default | Controls whether to include the scan KB, which includes additional debugging data, in the scan results. For Nessus scans, Default includes the KB. For agent scans, Default uses the global setting Include KB Data (agent_merge_kb) set in Advanced Settings. |
| Enumerate launched plugins | Disabled | Displays a list of plugins that were launched during the scan. You can view the list in scan results under plugin 112154. |
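For the Custom filepath exclusions setting above, the following added example (not Tenable code) previews on a local Unix system which files remain visible to a find-based search once an exclusion file is applied. It assumes each line is used as a `find -path PATTERN -prune` term; how Nessus plugins assemble their own find commands is not described on this page, and the function names, sample tree and patterns are constructed for illustration.

```shell
#!/bin/sh
# preview_exclusions ROOT EXCLUSION_FILE
# Prints the regular files under ROOT that are still reachable when every
# line of EXCLUSION_FILE (one find -path pattern per line) is pruned.
# Assumption: exclusions behave like "-path PATTERN -prune".
preview_exclusions() {
    root=$1
    file=$2
    set --                                  # collect find's expression in "$@"
    while IFS= read -r pat || [ -n "$pat" ]; do
        if [ -z "$pat" ]; then continue; fi # ignore blank lines
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -path "$pat"
    done < "$file"
    if [ $# -gt 0 ]; then
        # -path matches the whole path as find emits it, so a pattern must
        # cover the leading directories (absolute path or a leading "*").
        find "$root" \( "$@" \) -prune -o -type f -print
    else
        find "$root" -type f -print
    fi
}

# Constructed sample tree and exclusion file, for demonstration only.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/app/bin" "$d/root/app/cache" \
             "$d/root/backup" "$d/root/data/cache"
    touch "$d/root/app/bin/tool" "$d/root/app/cache/blob" \
          "$d/root/backup/old.tar" "$d/root/data/cache/x"
    # Line 1: one exact directory. Line 2: any directory named "cache".
    printf '%s\n' "$d/root/backup" '*/cache' > "$d/exclude.txt"
    preview_exclusions "$d/root" "$d/exclude.txt" | sed "s|^$d/root||"
    rm -rf "$d"
}

demo
```

A pattern that omits the leading directories (for example `cache` instead of `*/cache`) matches nothing under `-path`, so previewing the list this way shows whether each line excludes what was intended.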

Copyright © 2020 Tenable, Inc. All rights reserved. Tenable, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.