Scan Policy Settings

Ping the remote host

If set to On, the scanner pings remote hosts on multiple ports to determine if they are alive. Additional options General Settings and Ping Methods appear.

If set to Off, the scanner does not ping remote hosts on multiple ports during the scan.

Note: To scan VMware guest systems, Ping the remote host must be set to Off.

Use fast network discovery (available if Ping the remote host is enabled)

When disabled, if a host responds to ping, Tenable Security Center attempts to avoid false positives, performing additional tests to verify the response did not come from a proxy or load balancer. These checks can take some time, especially if the remote host is firewalled.

When enabled, Tenable Security Center does not perform these checks.

This setting can increase scan speed, but it may not be appropriate in all environments due to target configurations.

Ping Methods (available if Ping the remote host is enabled)

Specifies the sensor's pinging method.

In most environments, Tenable recommends using the default ping methods. Enabling UDP decreases scan speed. For more information, see the Ping Type Order/Hierarchy community article.

Fragile Devices

Determines which fragile devices the scanner or scanners detect. You can enable scanning for network printers, Novell NetWare hosts, and Operational Technology (OT) devices.

Tenable does not recommend scanning fragile devices in a production environment because it may cause an operational impact. If you have a need to assess OT devices, consider using OT Security to perform in-depth assessments.

Wake-on-LAN

The Wake-on-LAN (WOL) menu controls which hosts to send WOL magic packets to before performing a scan. You can provide a list of hosts that you want to start before scanning by uploading a text file that lists one MAC address per line.

Consider Unscanned Ports as Closed

When enabled, if a port is not scanned with a selected port scanner (for example, the port falls outside of the specified range), the scanner considers it closed.

Port Scan Range

Specifies the range of ports to be scanned.

Supported keyword values are:

• default instructs the scanner to scan approximately 4,790 commonly used ports. The list of ports can be found in the nessus-services file on the Nessus scanner.
• all instructs the scanner to scan all 65,536 ports, excluding port 0.

Additionally, you can indicate a custom list of ports by using a comma-separated list of ports or port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200.

Scanning more ports will decrease scan speed.

If you have insight into local cross-traffic in your network, you can refine this setting to only include the active listening services on your network, but this may cause the scan to miss unknown services.

For more information, see Port Scanning Options in the Tenable Security Center User Guide.

SSH (netstat)

When enabled, the scanner uses the local netstat command to determine open ports while performing an authenticated SSH-based scan.

When the SSH, WMI, or SNMP settings are enabled, the scanner:

• ignores any custom range specified in the Port Scan Range setting, and

• continues to treat unscanned ports as closed if the Consider unscanned ports as closed setting is enabled.

If any port enumerator (netstat or SNMP) is successful, the port range becomes all.

WMI (netstat)

When enabled, the scanner uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target.

SNMP

When enabled, the scanner uses SNMP details to determine open ports while performing an authenticated SNMP-based scan.

Only run network port scanners if local port enumeration failed

If a local port enumerator runs, all network port scanners will be disabled for that asset. (This is per scan target, and the effect is network port enumeration scan is disabled, not delayed.)

Enabling this setting decreases scan speed.

Verify open TCP ports found by local port enumerators

When enabled, if a local port enumerator (for example, WMI or netstat) finds a port, the scanner also verifies that the port is open remotely. This approach helps determine if some form of access control is being used (for example, TCP wrappers or a firewall).

Enabling this setting decreases scan speed.

TCP

Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the targets, using a full TCP three-way handshake. If you enable this option, you can also set the Override Automatic Firewall Detection option.

TCP scanning is less efficient than SYN scanning. In most cases, enabling the TCP scanner decreases scan speed.

SYN

Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a SYN packet to the port, waits for SYN-ACK reply, and determines the port state based on a response or lack of response.

If you enable this option, you can also set the Override Automatic Firewall Detection option.

SYN scanning is more efficient than TCP scanning in most circumstances due to less network traffic.

Override automatic firewall detection

When enabled, this setting overrides automatic firewall detection. To use this setting, you must enable the TCP or SYN option.

This setting has three options:

• Ignore closed ports (aggressive) attempts to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network.

• Do not detect RST rate (soft) disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device.

• Disabled (softer) disables the firewall detection feature.

By default, Nessus will not test ports it detects as closed. This setting allows more control over that firewall detection method. Enabling this setting decreases scan speed.

UDP

This option engages the built-in Tenable Nessus UDP scanner and attempts to identify open UDP ports on the targets.

Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports.

Enabling the UDP port scanner may dramatically decreases scan speed and produce unreliable results. Consider using the local port enumeration options instead if possible.

Probe all ports to find services

When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option.

Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects.

Search for SSL/TLS/DTLS services

Controls how the scanner tests SSL-based services.

Caution: Testing for SSL capability on all ports may be disruptive for the tested host.

Enabling CRL checking increases scan speed.

Override normal accuracy

In some cases, Tenable Security Center cannot remotely determine whether a flaw is present or not. If report paranoia is set to Show potential false alarms, a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid potential false alarms causes Tenable Security Center to not report any flaw whenever there is a hint of uncertainty about the remote host. As a middle ground between these two settings, disable this setting.

Perform thorough tests (may disrupt your network or impact scan speed)

Causes various plugins to work harder. For example, when looking through SMB file shares, a plugin analyzes 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. By being more thorough, the scan is more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Enabling this setting decreases scan speed.

Antivirus definition grace period (in days)

Configure the delay of the Antivirus software check for a set number of days (0-7). The Antivirus Software Check menu allows you to direct Tenable to allow for a specific grace time in reporting when antivirus signatures are out of date. By default, Tenable considers signatures out of date regardless of how long ago an update became available (for example, a few hours ago). You can configure this option to allow for up to 7 days before reporting them out of date.

SMTP

Allows you to enable SMTP testing on the scan configuration.

Only use credentials provided by the user

In some cases, Tenable can test for default accounts and known or default passwords. This can cause a default account or an account with a common name (for example, admin or root) to lock as a result of consecutive well-known passwords, resulting in invalid attempts that trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable from performing these tests.

Enabling this setting decreases scan speed.

Test default accounts (slow)

Test for known default accounts in Oracle software.

Enabling this setting decreases scan speed.

Modbus/TCP Coil Access

Modbus uses a function code of 1 to read coils in a Modbus child. Coils represent binary output settings and are mapped to actuators typically. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message.

ICCP/COTP TSAP Addressing Weakness

The ICCP/COTP TSAP Addressing menu determines a Connection-Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values.

Scan web applications

If enabled, Nessus enables web application-level checks.

This setting can be useful for scanning network services running web applications. To scan for more generic web application vulnerabilities like Cross Site Scripting or SQL Injection, Tenable recommends using the Tenable Web App Scanning module. For more information, see Tenable Web App Scanning Scanning Overview.

Enabling this setting decreases scan speed.

Request information about the SMB Domain

If enabled, domain users are queried instead of local users.

Enabling this setting decreases scan speed.

User Enumeration Methods

You can enable as many of the user enumeration methods as appropriate for user discovery.

Enabling this setting decreases scan speed.

Malware Scan

Configures the policy to scan for malware on the target hosts. Enable this setting to view the remaining Malware options.

Enabling this setting decreases scan speed.

Disable DNS resolution

Checking this option prevents Tenable from using the cloud to compare scan findings against known malware.

Provide your own list of known bad MD5 hashes

A text file with one MD5 hash per line that specifies more known bad MD5 hashes.

Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If the sensor finds any matches when scanning a target, the description appears in the scan results. You can also use hash-delimited comments (for example, fop) in addition to comma-separated comments.

Enabling this setting decreases scan speed.

Provide your own list of known good MD5 hashes

A text file with one MD5 hash per line that specifies more known good MD5 hashes.

Optionally, you can include a description for each hash by adding a comma after the hash, followed by the description. If the sensor finds any matches when scanning a target, and you provide a description for the hash, the description appears in the scan results. You can also use hash-delimited comments (for example, #) in addition to comma-separated comments.

Hosts file allow list

Tenable checks system hosts files for signs of a compromise (for example, Plugin ID 23910 titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames you want Tenable to ignore during a scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file.

Yara Rules

A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.

Tenable supports all the YARA 3.4 built-in keywords including those defined in the PE and ELF sub-modules, excluding hash functionality. Tenable products do not support Yara imphash checks.

Scan file system

If enabled, Tenable can scan system directories and files on host computers.

Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Enabling this setting decreases scan speed.

Directories

Enables file system scanning for certain Windows directories and user profiles.

Increasing the number of directories scanned will decrease assessment speed.

Custom Directories (available with Scan file system enabled)

A custom file that lists directories to scan with malware file scanning. List each directory on one line. You cannot list root directories (for example, C://) and you cannot use variables (for example, %Systemroot%).

Use detected SIDs

When enabled, if at least one host credential and one Oracle database credential are configured, the scanner authenticates to scan targets using the host credentials, and then attempts to detect Oracle System IDs (SIDs) locally. The scanner then attempts to authenticate using the specified Oracle database credentials and the detected SIDs.

If the scanner cannot authenticate to scan targets using host credentials or does not detect any SIDs locally, the scanner authenticates to the Oracle database using the manually specified SIDs in the Oracle database credentials.

Enable safe checks

When enabled, disables all plugins that may have an adverse effect on the remote host.

Tenable does not recommend disabling this setting in production environments; the plugins could crash services or targets. However, disabling the setting may provide more insight for systems likely to be under attack (for example, internet-facing systems).

Stop scanning hosts that become unresponsive during the scan

When enabled, Tenable stops scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (for example, an IDS) has started to block traffic to a server. Normally, continuing scans on these machines sends unnecessary traffic across the network and delay the scan.

Scan IP addresses in a random order

By default, Tenable scans a list of IP addresses in sequential order. When you enable this option, Tenable scans the list of hosts in a random order within an IP address range. This approach is typically useful in helping to distribute the network traffic during large scans.

Automatically accept detected SSH disclaimer prompts

When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan.

Scan targets with multiple domain names in parallel

When disabled, to avoid overwhelming a host, Tenable prevents a single scanner from simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.

When enabled, a Tenable scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results.

Create unique identifier on hosts scanned using credentials

When enabled, the scanner creates a unique identifier for credentialed scans.

Slow down the scan when network congestion is detected

When enabled, Tenable detects when it is sending too many packets and the network pipe is approaching capacity. If network congestion is detected, throttles the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Tenable automatically attempts to use the available space within the network pipe again.

Use Linux kernel congestion detection

When enabled, Tenable uses the Linux kernel to detect when it sends too many packets and the network pipe approaches capacity. If detected, Tenable throttles the scan to accommodate and alleviate the congestion. Once the congestion subsides, Tenable automatically attempts to use the available space within the network pipe again.

Network timeout (in seconds)

Specifies the time that Tenable waits for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may want to set this to a higher number of seconds.

Be cautious when increasing this setting as it impacts every check that relies on a timeout. It can increase scan times by an order of magnitude.

Max simultaneous checks per host

Specifies the maximum number of checks a Tenable scanner will perform against a single host at one time.

Tenable recommends that you monitor scan target performance when adjusting this setting.

Specifies the maximum number of hosts that each Nessus scanner scans per scan chunk. The number of scan chunks is determined by the available resources on each Nessus scanner.

Note: This setting does not apply to Tenable Vulnerability Management cloud scanners.

Increasing this setting's value can decrease scan times, but doing so increases the load on your Nessus scanners. After a certain point, dependent on the available resources on the Nessus scanner and the number of systems being scanned, increasing this setting can make scans slower as it tries to make the scanners do more than they are capable of.

Specifies the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most.

Specifies the maximum number of established TCP sessions the entire scan, regardless of the number of hosts being scanned.

For scanners installed on any Windows host, you must set this value to 19 or less to get accurate results.

A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page.

A plain text file containing a list of filepaths to include from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible.

Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system.

(Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU.

If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes.