Advanced Scan Settings

Note: If a scan is based on a policy, you cannot configure Advanced settings in the scan. You can only modify these settings in the related policy.

The Advanced settings provide increased control over scan efficiency and the operations of a scan, as well as the ability to enable plugin debugging.

Certain Tenable-provided scanner templates include preconfigured advanced settings.

If you select the Custom preconfigured setting option, or if you are using a Nessus Scanner template that does not include preconfigured advanced settings, you can manually configure Advanced settings in the following categories:

Note: The following tables include settings for the Advanced Scan template. Depending on the template you select, certain settings may not be available, and default values may vary.

Setting Default Value Description
General Settings
Enable Safe Checks Enabled

When enabled, Tenable Nessus disables all plugins that may have an adverse effect on the remote host. Disabling safe checks allows plugins to run intrusive tests that can crash or degrade services, so only do so when the owners of the targets have agreed to it.

Stop scanning hosts that become unresponsive during the scan Disabled

When enabled, Tenable Nessus stops scanning a host if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (for example, an IDS) has started to block traffic to a server. Normally, continuing to scan these machines sends unnecessary traffic across the network and delays the scan.

Scan IP addresses in a random order Disabled

By default, Tenable Nessus scans a list of IP addresses in sequential order. When this option is enabled, Tenable Nessus scans the list of hosts in a random order within an IP address range. This approach is typically useful in helping to distribute the network traffic during large scans.

Automatically accept detected SSH disclaimer prompts Disabled

When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the text input needed to accept the disclaimer and continues the scan.

The scan initially sends a deliberately invalid SSH request to the target to retrieve the authentication methods it supports. This tells the scanner how to connect to the target, which is helpful when you configure a custom SSH banner and then need to determine how to connect to the host.

When disabled, credentialed scans of hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output.

Scan targets with multiple domain names in parallel Disabled

When disabled, to avoid overwhelming a host, Tenable Nessus does not scan multiple targets that resolve to a single IP address at the same time. Instead, Tenable Nessus scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.

When enabled, a Tenable Nessus scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results.

Trusted CAs none

Determines the certificate authorities (CAs) that Tenable Nessus allows for the scan. In the Trusted CAs box, enter the text of your CA or CAs.

Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----END CERTIFICATE-----.

Tip: You can save more than one certificate in a single text file, including the beginning and ending text for each one.

You can also determine trusted CAs at the scanner level. For more information, see Trust a Custom CA.
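The Trusted CAs box expects one or more PEM blocks, each with its own BEGIN and END lines, and a bundle that was edited on Windows or pasted from a web page often arrives with CRLF line endings or a missing END marker, which Tenable Nessus rejects. The following script is an added example, not Tenable's code: it checks a bundle file for paired markers, non-empty base64 bodies and CRLF noise, and prints how many certificates it found. The two certificate bodies in the demonstration bundle are constructed placeholders, not real CA certificates.

```shell
#!/bin/sh
# Added example (not Tenable code): sanity-check a PEM bundle before pasting it
# into the Trusted CAs box. It verifies that every block has matching
# -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines and a
# non-empty base64 body, tolerates CRLF line endings, and prints the count.
# Exit status is 0 when the bundle is well-formed, 1 otherwise.

check_ca_bundle() {
  awk '
    { sub(/\r$/, "") }                      # tolerate CRLF from Windows editors
    /^-----BEGIN CERTIFICATE-----$/ {
      if (inside) { print "error: BEGIN without END before line " NR; bad = 1 }
      inside = 1; body = 0; next
    }
    /^-----END CERTIFICATE-----$/ {
      if (!inside)        { print "error: END without BEGIN at line " NR; bad = 1 }
      else if (body == 0) { print "error: empty certificate ending at line " NR; bad = 1 }
      else                { count++ }
      inside = 0; next
    }
    inside {
      if ($0 !~ /^[A-Za-z0-9+\/=]+$/) { print "error: non-base64 text at line " NR; bad = 1 }
      body++
    }
    END {
      if (inside) { print "error: final certificate has no END line"; bad = 1 }
      print "certificates: " count + 0
      exit bad + 0
    }
  ' "$1"
}

# Constructed demonstration bundle: the base64 bodies are placeholders, not
# real CA certificates, and only exercise the format checks above.
write_demo_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUPLACEHOLDERROOTCA0000000000000wCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBtDCCAVqgAwIBAgIUPLACEHOLDERISSUINGCA000000000wCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----
EOF
}

# Usage by hand: write_demo_bundle ca.pem && check_ca_bundle ca.pem
```

Run check_ca_bundle against your real bundle; a non-zero exit status means the file needs fixing before you paste it. The check is purely structural, so a block that passes may still be an expired or wrong CA; use openssl x509 -noout -subject -dates on each block if you need to confirm which authorities you are trusting.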

Performance

Slow down the scan when network congestion is detected

Disabled

When enabled, Tenable Nessus detects when it is sending too many packets and the network pipe is approaching capacity. If it detects network congestion, Tenable Nessus throttles the scan to alleviate the congestion. Once the congestion has subsided, Tenable Nessus automatically attempts to use the available capacity of the network pipe again.

Network timeout (in seconds)

5

Specifies the time that Tenable Nessus waits for a response from a host unless a plugin specifies otherwise. If you are scanning over a slow connection, you may want to set this to a higher number of seconds.

Max simultaneous checks per host

5

Specifies the maximum number of checks a Tenable Nessus scanner performs against a single host at one time.

Max simultaneous hosts per scan

30, or the Tenable Nessus scanner advanced setting max_hosts value, whichever is smaller.

Specifies the maximum number of hosts that a scanner scans at the same time.

If you set Max simultaneous hosts per scan to more than the scanner's max_hosts setting, Tenable Nessus caps Max simultaneous hosts per scan at the max_hosts value. For example, if you set Max simultaneous hosts per scan to 150 and the scanner's max_hosts is set to 100, a scan with more than 100 targets scans 100 hosts simultaneously.

Max number of concurrent TCP sessions per host

none

Specifies the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most.

Max number of concurrent TCP sessions per scan

none

Specifies the maximum number of established TCP sessions for the entire scan, regardless of the number of hosts being scanned.

Unix find command exclusions
Exclude Filepath none

A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Exclude Filesystem none

A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page.

Include Filepath none

A plain text file containing a list of additional filepaths to search in all plugins that use the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible.

Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system.
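Because each Exclude Filepath line is handed to find as a -path pattern, the pattern has to match the whole path string that find prints, not just a directory name; a line such as var/cache therefore excludes nothing, while */var/cache* does. The script below is an added example, not Tenable's plugin code: it reproduces the prune behaviour an exclude list has on a find-based search over a small constructed directory tree, so that you can try your patterns before uploading the file. The tree, the file names and the exclude list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Tenable plugin code): reproduce what an Exclude Filepath
# list does to a find-based search, so you can test patterns before uploading
# the file. Each line of the exclude file is a pattern for find's -path test;
# the tree below is constructed for the demonstration.

# Build the "-path PATTERN -prune -o" chain that removes excluded subtrees.
# Blank lines and lines starting with '#' are skipped. Patterns containing a
# single quote are not supported by this simple quoting.
build_prune_args() {
  while IFS= read -r pat || [ -n "$pat" ]; do
    case "$pat" in ''|'#'*) continue ;; esac
    printf '%s' "-path '$pat' -prune -o "
  done < "$1"
}

# List regular files under $1 while honouring the exclude file $2.
search_tree() {
  eval "find \"$1\" $(build_prune_args "$2") -type f -print" | sort
}

# Constructed sample tree. Note that -path matches the whole path string, so a
# pattern must start with '*' (or the absolute root) to match a directory
# anywhere under the search root.
make_sample_tree() {
  mkdir -p "$1/opt/app/lib" "$1/var/cache/big" "$1/home/user/.cache"
  : > "$1/opt/app/lib/libfoo.so"
  : > "$1/var/cache/big/blob.bin"
  : > "$1/home/user/.cache/x.jar"
  : > "$1/home/user/app.jar"
}

# Constructed exclude list in the format the Exclude Filepath setting expects.
write_exclude_list() {
  printf '%s\n' '# package caches are slow to walk and hold no installed software' \
                '*/var/cache*' '*/.cache*' > "$1"
}

# Usage by hand:
# root=$(mktemp -d); ex=$(mktemp)
# make_sample_tree "$root"; write_exclude_list "$ex"
# search_tree "$root" "$ex"      # lists libfoo.so and app.jar only
```

Keep the exclude file outside the tree you search, otherwise find reports the list itself. Exclude Filesystem lines work the same way but go to find's -fstype test, so they take filesystem type names such as nfs or proc rather than path patterns.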

Windows file search Options
Windows Exclude Filepath none

A plain text file containing a list of filepaths to exclude from all plugins that search using Tenable's unmanaged software directory scans.

In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can include absolute or relative directory names, for example E:\, E:\Testdir\, and \Testdir\.

Tip: The default exclusion paths include \Windows\WinSxS\ and \Windows\servicing\ if you do not configure this setting. If you configure this setting, Tenable recommends adding those two paths to the file; those directories are very slow and do not contain unmanaged software.

Windows Include Filepath none

A plain text file containing a list of additional filepaths to search in all plugins that use Tenable's unmanaged software directory scans.

In the file, enter one absolute filepath per line, formatted as the literal strings you want to include. You can only include absolute directory names, for example E:\, E:\Testdir\, and C:\.

Caution: Avoid having the same filepaths in the Windows Include Filepath and Windows Exclude Filepath settings. This conflict results in the filepath being excluded from the search.

Debug Settings
Log scan details Disabled

Logs the start and finish time for each plugin used during a scan to nessusd.messages.

Enable plugin debugging

Disabled

Attaches available debug logs from plugins to the vulnerability output of this scan.

Audit Trail Verbosity Default

Controls verbosity of the plugin audit trail. All audit trail data includes the reason why plugins were not included in the scan.

Default uses the audit trail verbosity global setting set in Advanced Settings. For Tenable Nessus scans, the scan uses the advanced setting Audit Trail Verbosity (audit_trail). For agent scans, the scan uses the advanced setting Include Audit Trail Data (agent_merge_audit_trail).

Include the KB Default

Controls whether to include the scan KB, which includes more debugging data, in the scan results.

For Tenable Nessus scans, Default includes the KB. For agent scans, Default uses the global setting Include KB Data (agent_merge_kb) set in Advanced Settings.

Enumerate launched plugins Disabled

Shows a list of plugins that Tenable Nessus launched during the scan. You can view the list in scan results under plugin 112154.

Note: The setting does not function correctly if you disable plugin 112154.

Compliance Output Settings
Maximum Compliance Output Length in KB 128,000 KB

Controls the maximum output length for each individual compliance check value that the target returns. If a compliance check value is greater than this setting's value, Tenable Nessus truncates the result.

Note: If you notice that your compliance scan processing is slow, Tenable recommends reducing this setting to increase the processing speed.
Stagger scan start
Maximum delay (minutes) 0

(Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU.

If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes.

Web App Template Advanced Settings

The following sections describe the advanced settings that you can configure in Tenable Nessus Web App scan templates. For more information, see Web Application Scanning in Tenable Nessus.

The Advanced Settings options allow you to control the efficiency and performance of the scan.

General

You can configure General options in scans and user-defined scan templates based on the Web App Overview and Scan templates only.

Setting Default Description
Target Scan Max Time (HH:MM:SS) 08:00:00

Specifies the maximum duration a scan job runs before the scanner stops it, displayed in hours, minutes, and seconds.

Maximum Queue Time (HH:MM:SS) 08:00:00

Specifies the maximum duration the scan remains in the Queued state, displayed in hours, minutes, and seconds.


Enable Debug logging for this scan disabled

Specifies whether the scanner attaches available debug logs from plugins to the vulnerability output of this scan.

Debug Flags disabled

(Only visible when you enable the Enable Debug logging for this scan feature.) Allows you to specify key and value pairs, provided by Tenable Support, for debugging.

HTTP Settings

These settings specify the user-agent the scanner identifies itself with and the HTTP headers you want the scanner to include in requests to the web application.

Setting Default Description
Use a different User Agent to identify scanner disabled

Specifies whether you want the scanner to use a user-agent header other than Chrome's when sending HTTP requests.

User Agent Chrome's user-agent

Specifies the user-agent header value you want the scanner to use when sending HTTP requests.

You can configure this option only after you select the Use a different User Agent to identify scanner check box.

By default, Tenable Web App Scanning in Tenable Nessus uses the user-agent that Chrome uses for the operating system and platform that corresponds to your machine's operating system and platform. For more information about Chrome's user-agents, see the Google Chrome documentation.

Note: Not all requests from the scanner are guaranteed to carry the user-agent.
Add Scan ID HTTP Header disabled

Specifies whether the scanner adds an additional X-Tenable-Was-Scan-Id header (set with the scan ID) to all HTTP requests sent to the target, which allows you to identify scan jobs in web server logs and modify your scan configurations to secure your sites.

Custom Headers none

Specifies the custom headers you want to inject into each HTTP request, as header name and value pairs.

You can add additional custom headers by clicking the add button and typing the values for each additional header.

Note: If you enter a custom User-Agent header, that value overrides the value entered in the User Agent setting box.
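The scan ID header is the reliable way to separate scanner traffic from real users in web server logs, because the default user-agent is Chrome's and, as noted above, not every request carries the user-agent at all. The script below is an added example, not Tenable's code. It assumes a log format that appends the X-Tenable-Was-Scan-Id value in quotes after the User-Agent (in nginx that is the $http_x_tenable_was_scan_id variable in log_format) and that requests without the header log "-". The access log lines and the scan IDs scan-0001 and scan-0002 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Tenable code): pick scanner traffic out of a web server
# access log using the X-Tenable-Was-Scan-Id header. Assumes the log format
# appends that header value in quotes after the User-Agent (for nginx,
# $http_x_tenable_was_scan_id in log_format); requests without the header
# log "-". The log lines below are constructed for the demonstration.

sample_access_log() {
  cat <<'EOF'
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "scan-0001"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /users/me HTTP/1.1" 403 87 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "scan-0001"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 500 0 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "scan-0001"
198.51.100.23 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 1024 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0" "-"
203.0.113.9 - - [01/Jan/2024:10:05:00 +0000] "GET /admin HTTP/1.1" 404 120 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "scan-0002"
EOF
}

# Per scan ID: request count and number of 5xx responses, one line each,
# sorted by scan ID. Reads the log on stdin. Splitting on the double quote
# makes the scan ID the second-to-last field regardless of spaces in the UA.
scan_traffic_summary() {
  awk -F'"' '
    NF >= 7 && $(NF-1) != "-" {
      id = $(NF-1)
      split($3, s, " ")                 # " 200 512 " -> status, bytes
      req[id]++
      if (s[1] + 0 >= 500) err[id]++
    }
    END { for (id in req) print id, req[id], err[id] + 0 }
  ' | sort
}

# Share of all requests that came from scans, e.g. to judge whether scanner
# traffic is what is filling the error log or tripping rate limits.
scan_request_ratio() {
  awk -F'"' '
    NF >= 7 { total++; if ($(NF-1) != "-") scans++ }
    END { printf "%d/%d\n", scans + 0, total + 0 }
  '
}

# Usage by hand: sample_access_log | scan_traffic_summary
```

A 5xx count per scan ID is the quick way to find the scan that knocked over an endpoint, which is the case the Max Number of HTTP Requests Per Second and Max Number of Concurrent HTTP Connections limits exist for. The header is only present when Add Scan ID HTTP Header is enabled, so enable it before you rely on this in a WAF or SIEM rule.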

Limits

You can configure Limits options in scans and user-defined scan templates based on the Web App Overview and Scan templates only.

Setting Default Description
Number of URLS to Crawl and Browse 10000

Specifies the maximum number of URLs the scanner attempts to crawl.

Path Directory Depth 10

Specifies the maximum number of sub-directories the scanner crawls.

For example, if your target is www.example.com, and you want the scanner to crawl www.example.com/users/myname, type 2 in the text box.

Page DOM Element Depth 5

Specifies the maximum number of nested HTML element levels the scanner crawls.

Max Response Size 500000

Specifies the maximum size of a page, in bytes, that the scanner analyzes.

If the scanner crawls a URL and the response exceeds the limit, the scanner does not analyze the page for vulnerabilities.

Request Redirect Limit 1

Specifies the number of redirects the scanner follows before it stops trying to crawl the page.

Screen Settings

You can configure Screen Settings options in scans and user-defined scan templates based on the Web App Overview and Scan templates only.

Setting Default Description

Screen Width

1600

Specifies the screen width, in pixels, of the browser embedded in the scanner.

Screen Height

1200

Specifies the screen height, in pixels, of the browser embedded in the scanner.

Ignore Images

disabled

Specifies if the browser embedded in the scanner crawls or ignores images on your target web pages.

Selenium Settings

These settings specify how the scanner behaves when it attempts to authenticate to a web application using your recorded Selenium credentials.

Configure these options if you configured your scan to authenticate to the web application with Selenium credentials. For more information see Credentials.

You can configure Selenium Settings options in scans and user-defined scan templates based on the Web App Overview and Scan templates only.

Setting Default Description
Page Rendering Delay 30000

Specifies the time, in milliseconds, the scanner waits for the page to render.

Command Execution Delay 500

Specifies the time, in milliseconds, the scanner waits after processing a command before proceeding to the next command.

Script Completion Delay 5000

Specifies the time, in milliseconds, the scanner waits for all commands that render new content to finish processing.

Performance Settings

Setting Default Description
Max Number of Concurrent HTTP Connections 10

Specifies the maximum number of established HTTP sessions allowed for a single host.

Max Number of HTTP Requests Per Second 25

Specifies the maximum number of HTTP requests per second allowed for a single host for the duration of the scan.

Slow down the scan when network congestion is detected disabled

Specifies whether the scanner throttles the scan in the event of network congestion.

Network Timeout (In Seconds) 5

Specifies the time, in seconds, the scanner waits for a response from a host before aborting the scan, unless otherwise specified in a plugin.

If your internet connection is slow, Tenable recommends that you specify a longer wait time.

Browser Timeout (In Seconds) 30

Specifies the time, in seconds, the scanner waits for a response from a browser before aborting the scan, unless otherwise specified in a plugin.

If your internet connection is slow, Tenable recommends that you specify a longer wait time.

Timeout Threshold 100

Specifies the number of consecutive timeouts allowed before the scanner aborts the scan.