Once you select the scan template to use for your scan, there are several configurations that you can use to tune the scan configuration's performance. The following topics describe each of the scan configuration sections—Settings, Credentials, Compliance, and Plugins—and how you can configure each section to maximize your scan's performance.
A scan configuration's settings greatly affect the scan's capabilities, performance, and scan time. Use the settings to configure when and how often Tenable Vulnerability Management launches the scan, discovery options, debugging capabilities, assessment methods, performance options, and other scan behavior. Tenable Vulnerability Management divides the configuration Settings into five categories: Basic, Discovery, Assessment, Report, and Advanced.
Some of the scan configuration settings are informational or do not affect scan performance (for example, Name, Description, and Notification settings). This section describes all the settings that do affect scan performance and how to tune them for better scan performance.
The following sections describe each setting category and how to tune it:
Use the Basic settings to choose which sensors perform the scan, what targets/assets the sensors scan, and the schedule on which Tenable Vulnerability Management launches the scan. All three of these aspects greatly impact the scope and performance of the scan.
| Setting | Description | Tuning Tips |
|---|---|---|
| **General (Nessus Scanner templates only)** | | |
| Scanner Type | Specifies whether a local, internal scanner or a cloud-managed scanner performs the scan, and determines whether the Scanner setting lists local or cloud-managed scanners to choose from. | Your internal Nessus scanners always have the potential to provide better performance and tuning capabilities than Tenable's cloud scanners. |
| Scanner | Specifies the scanner that performs the scan. Select a scanner based on the location of the targets you want to scan. For example: | Targeting a scanner group and using multiple scanners provides faster scans and lets scanners fail over if one scanner is unresponsive. |
| Network, Target Groups, Targets, Upload Targets, and Tags | The Network, Target Groups, Targets, Upload Targets, and Tags options are different methods you can use to specify which hosts the scan runs against. | Targeting specific assets provides faster scan results than scans that target IP ranges or CIDR notation. |
| Scan Window | Specifies the timeframe after which the scan automatically stops. Use the drop-down box to select an interval of time, or click to type a custom scan window.<br>Note: The scan window timeframe only applies to the scan job. After the scan job completes within the timeframe, or once the scan job stops because the scan window ended, Tenable Vulnerability Management may still need to index the scan job for up to 24 hours. This can cause the scan not to show as Completed after the scan window has closed. Once Tenable Vulnerability Management indexes the scan, it shows as Completed. | The Scan Window can be useful to limit scans in specialized environments or during maintenance windows. |
| Scan Type (Nessus Agent templates only) | Specifies whether the agent scans occur based on a scan window or triggers: | |
| Frequency | Specifies how often Tenable Vulnerability Management launches the scan. | Tenable recommends running full vulnerability scans against most types of assets at least twice a week. |
| Starts | Specifies the exact date and time when a scan launches. The starting date defaults to the date when you are creating the scan. The starting time is the nearest half-hour interval. For example, if you create your scan on 09/31/2018 at 9:12 AM, Tenable Vulnerability Management sets the default starting date and time to 09/31/2018 and 09:30. | |
| Time Zone | Specifies the timezone of the value set for Starts. | |
For more information, see Basic Settings in Vulnerability Management Scans.
The Discovery settings determine the scan configuration's discovery-related capabilities: host discovery, port scanning, and service discovery.
Discovery settings are limited for Nessus Agent scan templates because agents cannot perform remote checks or scan the network. You can only set the WMI and SSH settings for agent scans.
| Setting | Description | Tuning Tips |
|---|---|---|
| Ping the remote host | If set to On, the scanner pings remote hosts on multiple ports to determine if they are alive, and the additional options General Settings and Ping Methods appear.<br>If set to Off, the scanner does not ping remote hosts on multiple ports during the scan.<br>Note: To scan VMware guest systems, Ping the remote host must be set to Off. | |
| Scan Unresponsive Hosts | Specifies whether the Nessus scanner scans hosts that do not respond to any ping methods. This option is only available for scans using the PCI Quarterly External Scan template. | |
| Use fast network discovery (available if Ping the remote host is enabled) | When disabled, if a host responds to ping, Tenable Vulnerability Management performs additional tests to verify that the response did not come from a proxy or load balancer, to avoid false positives. These checks can take some time, especially if the remote host is firewalled.<br>When enabled, Tenable Vulnerability Management does not perform these checks. | This setting can increase scan speeds, but it may not be appropriate in all environments due to target configurations. |
| Ping Methods (available if Ping the remote host is enabled) | Specifies the sensor's pinging method. | In most environments, Tenable recommends using the default ping methods. Enabling UDP can greatly increase scan times. For more information, see the Ping Type Order/Hierarchy community article. |
| Fragile Devices | Determines which fragile devices the scanner or scanners detect. You can enable scanning for network printers, Novell NetWare hosts, and Operational Technology (OT) devices. | Tenable does not recommend scanning fragile devices in a production environment because it may cause an operational impact. If you need to assess OT devices, consider using Tenable OT Security to perform in-depth assessments. |
| Wake-on-LAN | The Wake-on-LAN (WOL) menu controls which hosts to send WOL magic packets to before performing a scan. You can provide a list of hosts that you want to start before scanning by uploading a text file that lists one MAC address per line. | |
| Consider Unscanned Ports as Closed | When enabled, if a port is not scanned with a selected port scanner (for example, the port falls outside of the specified range), the scanner considers it closed. | |
| Port Scan Range | Specifies the range of ports to be scanned. Supported keyword values are:<br>Additionally, you can indicate a custom list of ports by using a comma-separated list of ports or port ranges. For example,<br>The custom range specified for a port scan is applied to the protocols you have selected in the Network Port Scanners group of settings.<br>If scanning both TCP and UDP, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would type<br>You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example, | If you have insight into local cross-traffic in your network, you can refine this setting to only include the active listening services on your network, but this may cause the scan to miss unused services. |
| SSH (netstat) | When enabled, the scanner uses netstat to determine open ports while performing an authenticated SSH-based scan. In addition, the scanner:<br>If any port enumerator (netstat or SNMP) is successful, the port range becomes all. | |
| WMI (netstat) | When enabled, the scanner uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target. | |
| SNMP | When enabled, the scanner uses SNMP details to determine open ports while performing an SNMP-based scan. | |
| Only run network port scanners if local port enumeration failed | If a local port enumerator runs, all network port scanners are disabled for that asset. | |
| Verify open TCP ports found by local port enumerators | When enabled, if a local port enumerator (for example, WMI or netstat) finds a port, the scanner also verifies that the port is open remotely. This helps determine whether some form of access control is in use (for example, TCP wrappers or a firewall). | If enabled, this setting increases scan duration. |
| TCP | Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the targets, using a full TCP three-way handshake. If you enable this option, you can also set the Override Automatic Firewall Detection option. | |
| SYN | Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a SYN packet to the port, waits for a SYN-ACK reply, and determines the port state based on a response or lack of response. If you enable this option, you can also set the Override Automatic Firewall Detection option. | SYN scanning is more efficient than TCP scanning in most circumstances because it generates less network traffic. |
| Override automatic firewall detection | This setting can be enabled if you enable either the TCP or SYN option. When enabled, this setting overrides automatic firewall detection. This setting has three options: | |
| UDP | This option engages the built-in Tenable Nessus UDP scanner to identify open UDP ports on the targets. Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. | Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the local port enumeration options instead if possible. |
| Probe all ports to find services | When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option.<br>Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects. | |
| Search for SSL/TLS/DTLS services | Controls how the scanner tests SSL-based services.<br>Caution: Testing for SSL capability on all ports may be disruptive for the tested host. | Enabling CRL checking increases scan times. |
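As an added example (not code from Tenable or from this page), the following Python script expands a custom Port Scan Range value written in the comma-separated form described above (single ports and low-high ranges), rejects malformed items, reports how many ports the range leaves unscanned (the ports that Consider Unscanned Ports as Closed would report as closed without probing), and lists which ports from an inventory of known listening services the range would miss. The keyword values the setting also accepts are not handled; the specification and the listening-port inventory are constructed sample values.

```python
"""Expand and sanity-check a custom Port Scan Range value.

Added example, not Tenable code. Handles the comma-separated form the page
describes (single ports and low-high ranges, for example "22,80,443,8000-8100").
The keyword values the setting also accepts are not handled here.
"""
from typing import Set, Tuple

MAX_PORT = 65535


def _to_port(text: str) -> int:
    """Parse one port number, rejecting anything outside 1-65535."""
    text = text.strip()
    if not text.isdecimal():
        raise ValueError(f"{text!r} is not a port number")
    port = int(text)
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"port {port} is outside 1-{MAX_PORT}")
    return port


def parse_port_range(spec: str) -> Set[int]:
    """Expand "22,80,8000-8100" into the set of port numbers it covers.

    Raises ValueError on malformed items so a bad range is caught before the
    scan configuration is saved, rather than silently scanning the wrong ports.
    """
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port range specification")
        if "-" in item:
            low_s, high_s = item.split("-", 1)
            low, high = _to_port(low_s), _to_port(high_s)
            if low > high:
                raise ValueError(f"range {item!r} is reversed")
            ports.update(range(low, high + 1))
        else:
            ports.add(_to_port(item))
    return ports


def coverage(spec: str) -> Tuple[int, int]:
    """Return (scanned, unscanned) port counts for a specification.

    With Consider Unscanned Ports as Closed enabled, the second number is how
    many ports the scanner reports as closed without ever probing them.
    """
    scanned = len(parse_port_range(spec))
    return scanned, MAX_PORT - scanned


def unscanned_listeners(spec: str, listening: Set[int]) -> Set[int]:
    """Ports known to be listening (for example from a netstat export) that the range misses.

    This is the blind spot the tuning tip warns about when narrowing the range
    to known services: a listener outside the range is never assessed.
    """
    return listening - parse_port_range(spec)


if __name__ == "__main__":
    spec = "22,80,443,8000-8100"
    # Constructed inventory of listening ports on a target; not real scan data.
    listening = {22, 80, 443, 3306, 8080, 9200}
    print("scanned/unscanned:", coverage(spec))
    print("listeners missed:", sorted(unscanned_listeners(spec, listening)))
```

Running `unscanned_listeners` against an export of a host's actual listeners before saving a narrowed range is a cheap way to confirm the range does not drop a service you still need assessed.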
For more information, see Discovery Settings in Vulnerability Management Scans. To learn more about the preconfigured Discovery scan template settings, see Preconfigured Discovery Settings.
The Assessment section allows you to configure how the scan identifies vulnerabilities and which vulnerabilities the sensors identify. This includes identifying malware, assessing the vulnerability of a system to brute force attacks, and the susceptibility of web applications.
| Setting or Settings Group | Description | Tuning Tips |
|---|---|---|
| Override normal accuracy | In some cases, Tenable Vulnerability Management cannot remotely determine whether a flaw is present or not. If report paranoia is set to Show potential false alarms, a flaw is reported every time, even when there is doubt about whether the remote host is affected. Conversely, a paranoia setting of Avoid potential false alarms causes Tenable Vulnerability Management not to report any flaw whenever there is a hint of uncertainty about the remote host. As a middle ground between these two settings, disable this setting. | |
| Perform thorough tests (may disrupt your network or impact scan speed) | Causes various plugins to work harder. For example, when looking through SMB file shares, a plugin analyzes 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. By being more thorough, the scan is more intrusive and is more likely to disrupt the network, while potentially providing better audit results. | Enabling this setting increases scan times. |
| Antivirus definition grace period (in days) | Configures a delay, in days (0-7), for the antivirus software check. The Antivirus Software Check menu allows you to direct Tenable to allow a specific grace period before reporting antivirus signatures as out of date. By default, Tenable considers signatures out of date regardless of how long ago an update became available (for example, a few hours ago). You can configure this option to allow for up to 7 days before reporting them out of date. | |
| SMTP | (Nessus Scanner templates only) Allows you to enable SMTP testing on the scan configuration. | |
| **Brute Force (Nessus Scanner templates only)** | | |
| Only use credentials provided by the user | In some cases, Tenable can test for default accounts and known default passwords. This can cause the account to lock if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable from performing these tests. | |
| Test default accounts (slow) | Test for known default accounts in Oracle software. | |
| **SCADA (Nessus Scanner templates only)** | This is a legacy configuration and should not be altered in most environments. You can use Tenable OT Security to assess SCADA systems. | |
| Modbus/TCP Coil Access | Modbus uses a function code of 1 to read coils in a Modbus child. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message. | |
| ICCP/COTP TSAP Addressing Weakness | The ICCP/COTP TSAP Addressing menu determines a Connection-Oriented Transport Protocol (COTP) Transport Service Access Point (TSAP) value on an ICCP server by trying possible values. | |
| **Web Applications (Nessus Scanner templates only)** | | |
| Scan web applications | If enabled, Nessus enables web application-level checks. | This setting can be useful for scanning network services running web applications. To scan for more generic web application vulnerabilities like Cross Site Scripting or SQL Injection, Tenable recommends using the Tenable Web App Scanning module. For more information, see Tenable Web App Scanning Scanning Overview. |
| **Windows** | | |
| Request information about the SMB Domain | If enabled, domain users are queried instead of local users. | |
| User Enumeration Methods | You can enable as many of the user enumeration methods as appropriate for user discovery. | |
| **Malware** | | |
| Scan for malware | Configures the policy to scan for malware on the target hosts. Enable this setting to view the remaining Malware options. | |
| Disable DNS resolution | Checking this option prevents Tenable from using the cloud to compare scan findings against known malware. | |
| Custom Netstat IP Threat List | A text file that contains a list of known bad IP addresses that you want to detect. Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (#) in addition to comma-delimited descriptions.<br>Note: Tenable does not detect private IP ranges in the text file. | |
| Provide your own list of known bad MD5 hashes | A text file with one MD5 hash per line that specifies additional known bad MD5 hashes. Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If the sensor finds any matches when scanning a target, the description appears in the scan results. You can also use hash-delimited comments (#) in addition to comma-separated descriptions. | |
| Provide your own list of known good MD5 hashes | A text file with one MD5 hash per line that specifies additional known good MD5 hashes. Optionally, you can include a description for each hash by adding a comma after the hash, followed by the description. If the sensor finds any matches when scanning a target, and you provided a description for the hash, the description appears in the scan results. You can also use hash-delimited comments (#) in addition to comma-separated descriptions. | |
| Hosts file allow list | Tenable checks system hosts files for signs of a compromise (for example, Plugin ID 23910, Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames you want Tenable to ignore during a scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file. | |
| YARA Rules | A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io. | Tenable supports all the YARA 3.4 built-in keywords, including those defined in the PE and ELF sub-modules, excluding hash functionality. Tenable products do not support YARA imphash checks. |
| Scan file system | If enabled, Tenable can scan system directories and files on host computers.<br>Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation. | Enabling this setting increases scan times. |
| Windows Directories (available with Scan file system enabled) | Enables file system scanning for certain Windows directories and user profiles. | |
| Linux Directories (available with Scan file system enabled) | Enables file system scanning for certain Linux directories. | |
| MacOS Directories (available with Scan file system enabled) | Enables file system scanning for certain macOS directories. | |
| Custom Directories (available with Scan file system enabled) | A custom file that lists directories to scan with malware file scanning. List each directory on one line. You cannot list root directories (for example, C://) and you cannot use variables (for example, %Systemroot%). | |
| **Databases (Nessus Scanner templates only)** | | |
| Use detected SIDs | When enabled, if at least one host credential and one Oracle database credential are configured, the scanner authenticates to scan targets using the host credentials, and then attempts to detect Oracle System IDs (SIDs) locally. The scanner then attempts to authenticate using the specified Oracle database credentials and the detected SIDs.<br>If the scanner cannot authenticate to scan targets using host credentials or does not detect any SIDs locally, the scanner authenticates to the Oracle database using the manually specified SIDs in the Oracle database credentials. | |
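As an added example, not Tenable's code, here is a Python pre-check for the Custom Netstat IP Threat List and the known bad / known good MD5 hash list files described in the Malware settings above. It applies the format rules the page states (one entry per line, an optional description after a comma, `#` comments), rejects lines that could never match, and warns about private addresses, which the page says Tenable does not detect, so that they are not uploaded in the belief that they add coverage. Treating "private IP ranges" as the RFC 1918 blocks is an assumption made here, and the file contents are constructed samples.

```python
"""Pre-check custom malware-scan list files before upload.

Added example, not Tenable code. Applies the format rules the page states for
the Custom Netstat IP Threat List and the known bad / known good MD5 hash
lists: one entry per line, an optional description after a comma, and '#'
comments. Private IPv4 addresses are flagged because the page says Tenable
does not detect them; treating "private" as the RFC 1918 blocks is an
assumption made here.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class ListReport:
    entries: List[str] = field(default_factory=list)   # values that will be loaded
    warnings: List[str] = field(default_factory=list)  # loaded, but unlikely to ever match
    errors: List[str] = field(default_factory=list)    # malformed, will never match


def _split_line(raw: str) -> Tuple[Optional[str], str]:
    """Drop a '#' comment, then separate the entry from its optional description."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None, ""
    value, _, description = line.partition(",")
    return value.strip(), description.strip()


def check_ip_threat_list(text: str) -> ListReport:
    """Validate a Custom Netstat IP Threat List: each line must start with an IPv4 address."""
    report = ListReport()
    for lineno, raw in enumerate(text.splitlines(), 1):
        value, _ = _split_line(raw)
        if value is None:
            continue
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            report.errors.append(f"line {lineno}: {value!r} is not an IPv4 address")
            continue
        if any(ip in net for net in RFC1918):
            report.warnings.append(f"line {lineno}: {ip} is a private address and will not be detected")
        report.entries.append(str(ip))
    return report


def check_md5_list(text: str) -> ListReport:
    """Validate a known bad/good MD5 list: one 32-hex-digit hash per line."""
    report = ListReport()
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        value, _ = _split_line(raw)
        if value is None:
            continue
        if not MD5_RE.match(value):
            report.errors.append(f"line {lineno}: {value!r} is not a 32-hex-digit MD5 hash")
            continue
        digest = value.lower()
        if digest in seen:
            report.warnings.append(f"line {lineno}: duplicate hash {digest}")
        seen.add(digest)
        report.entries.append(digest)
    return report


def summarize(name: str, report: ListReport) -> str:
    """One-line summary suitable for a pre-upload check in a CI job."""
    return f"{name}: {len(report.entries)} entries, {len(report.warnings)} warnings, {len(report.errors)} errors"


# Constructed sample files (documentation addresses, not real indicators).
SAMPLE_IP_LIST = """\
# constructed threat list
198.51.100.23, suspected beacon destination
203.0.113.9  # comment after the entry
10.0.0.5, internal sinkhole
256.1.1.1, invalid octet
"""

SAMPLE_MD5_LIST = """\
d41d8cd98f00b204e9800998ecf8427e, MD5 of the empty file
D41D8CD98F00B204E9800998ECF8427E  # same hash, different case
abc123, truncated hash
"""

if __name__ == "__main__":
    for name, report in (("ip-threat-list", check_ip_threat_list(SAMPLE_IP_LIST)),
                         ("md5-list", check_md5_list(SAMPLE_MD5_LIST))):
        print(summarize(name, report))
        for msg in report.warnings + report.errors:
            print("  " + msg)
```

Hashes are normalised to lower case before duplicate detection so that the same digest written in two cases is reported once rather than loaded twice; the malformed lines are reported with their line numbers so they can be fixed in the file before it is attached to the scan configuration.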
For more information, see Assessment Settings in Vulnerability Management Scans. To learn more about the preconfigured Assessment scan template settings, see Preconfigured Assessment Settings.
The Report settings affect the verbosity and formatting of scan reports you can create for the scan configuration. Report settings do not affect scan performance. However, Tenable recommends reviewing and configuring them per your organization's needs. For more information, see Report Settings in Vulnerability Management Scans.
The Advanced section allows you to configure more general settings, performance options, and debugging capabilities.
| Setting | Description | Tuning Tips |
|---|---|---|
| **General Settings (Nessus Scanner templates only)** | | |
| Enable safe checks | When enabled, disables all plugins that may have an adverse effect on the remote host. | Tenable does not recommend disabling this setting in production environments; the plugins could crash services or targets. However, disabling the setting may provide more insight for systems likely to be under attack (for example, internet-facing systems). |
| Stop scanning hosts that become unresponsive during the scan | When enabled, Tenable stops scanning a host if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (for example, an IDS) has started to block traffic to a server. Normally, continuing scans on these machines sends unnecessary traffic across the network and delays the scan. | |
| Scan IP addresses in a random order | By default, Tenable scans a list of IP addresses in sequential order. When you enable this option, Tenable scans the list of hosts in a random order within an IP address range. This approach is typically useful in helping to distribute the network traffic during large scans. | |
| Automatically accept detected SSH disclaimer prompts | When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan. | |
| Scan targets with multiple domain names in parallel | When disabled, to avoid overwhelming a host, Tenable prevents a single scanner from simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.<br>When enabled, a Tenable scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could become overwhelmed, causing timeouts and incomplete results. | |
| Create unique identifier on hosts scanned using credentials | When enabled, the scanner creates a unique identifier for credentialed scans. | |
| Trusted CAs | Specifies CA certificates that the scan considers trusted. This allows you to use self-signed certificates for SSL authentication without triggering plugin 51192 as a vulnerability in your Tenable Vulnerability Management environment. | |
| **Performance Options (Nessus Scanner templates only)** | | |
| Slow down the scan when network congestion is detected | When enabled, Tenable detects when it is sending too many packets and the network pipe is approaching capacity. If it detects network congestion, Tenable throttles the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Tenable automatically attempts to use the available space within the network pipe again. | |
| Use Linux kernel congestion detection | When enabled, Tenable uses the Linux kernel to detect when it sends too many packets and the network pipe approaches capacity. If detected, Tenable throttles the scan to accommodate and alleviate the congestion. Once the congestion subsides, Tenable automatically attempts to use the available space within the network pipe again. | |
| Network timeout (in seconds) | Specifies the time that Tenable waits for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may want to set this to a higher number of seconds. | Be cautious when increasing this setting, as it affects every check that relies on a timeout. It can increase scan times by an order of magnitude. |
| Max simultaneous checks per host | Specifies the maximum number of checks a Tenable scanner performs against a single host at one time. | Tenable recommends that you monitor scan target performance when adjusting this setting. |
| Max simultaneous hosts per scan | Increasing this setting's value can decrease scan times, but doing so increases the load on your Nessus scanners. After a certain point, dependent on the available resources on the Nessus scanner and the number of systems being scanned, increasing this setting can make scans slower, because it asks the scanners to do more than they are capable of. | |
| Max number of concurrent TCP sessions per host | Specifies the maximum number of established TCP sessions for a single host. | |
| Max number of concurrent TCP sessions per scan | Specifies the maximum number of established TCP sessions for each scan task, regardless of the number of hosts being scanned.<br>For scanners installed on any Windows host, you must set this value to 19 or less to get accurate results. | |
| **Unix find command Options** | | |
| Exclude Filepath | A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filepath per line, formatted per the patterns allowed by the Unix find command -path argument. For more information, see the find command man page. | |
| Exclude Filesystem | A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page. | |
| Include Filepath | A plain text file containing a list of filepaths to include in all plugins that search using the find command on Unix systems. In the file, enter one filepath per line, formatted per the patterns allowed by the Unix find command -path argument. For more information, see the find command man page.<br>Including filepaths increases the locations that plugins search, which extends the duration of the scan. Make your inclusions as specific as possible.<br>Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system. | |
| **Debug Settings** | Note: Tenable does not recommend enabling debug settings in production environments. Debug settings generate a substantial amount of data and can alter the overall scan time and performance. Tenable recommends the settings only for specific debugging instances, not for constant use. | |
| Always report SSH commands | When enabled, Tenable generates a report of all the commands run over SSH on the host in a machine-readable format. You can view the reported commands under plugin 168017.<br>Note: The setting does not function correctly if you disable plugin 168017. | |
| Enable plugin debugging | Attaches available debug logs from plugins to the vulnerability output of this scan. | |
| Debug Log Level | Controls the verbosity and content of debug log statements. | Unless Tenable Support instructs your organization otherwise, set Debug Log Level to Level 3. |
| Enumerate launched plugins | Shows a list of plugins that Tenable launched during the scan. You can view the list in scan results under plugin 112154.<br>Note: The setting does not function correctly if you disable plugin 112154. | |
| Audit Trail Verbosity | Controls the verbosity of the plugin audit trail. | |
| **Stagger scan start (Nessus Agent templates only)** | | |
| Maximum delay (minutes) | (Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU.<br>If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes. | This setting is useful for preventing resource overuse in shared infrastructure (for example, virtual hosts). |
| **Compliance Output Settings** | | |
| Maximum compliance output length in KB | Controls the maximum output length for each individual compliance check value that the target returns. If a compliance check value is greater than this setting's value, Tenable Vulnerability Management truncates the result.<br>Note: If you notice that your compliance scan processing is slow, Tenable recommends reducing this setting to increase the processing speed. | |
For more information, see Advanced Settings in Vulnerability Management Scans. To learn more about the preconfigured Advanced scan template settings, see Preconfigured Advanced Settings.
For more information about Vulnerability Management scan settings, see Scan Settings.