Settings Configuration

Specifies the scanner that performs the scan.

Specifies the timeframe after which the scan automatically stops. Use the drop-down box to select an interval of time, or click to type a custom scan window.

Note: The scan window timeframe only applies to the scan job. After the scan job completes within the timeframe, or once the scan job stops due to the scan window ending, Tenable Vulnerability Management may still need to index the scan job for up to 24 hours. This can cause the scan not to show as Completed after the scan window is complete. Once Tenable Vulnerability Management indexes the scan, it shows as Completed.

Specifies whether the agent scans occur based on a scan window or triggers:

• Scan Window — Specifies the timeframe during which agents must report to be used in vulnerability reports. Use the drop-down box to select an interval of time, or click to type a custom scan window.

  You have to launch Window scans explicitly or schedule them to launch at a particular time.

• Triggered Scan — Specifies the triggers that cause agents to report in. Use the drop-down boxes to select from the following trigger types:

  • Interval — The time interval (hours) between each scan (for example, every 12 hours).

  • File Name — The file name that triggers the agent scan. The scan triggers when Tenable Vulnerability Management detects the file name in the trigger directory.

  Tip: You can set multiple triggers for a single scan, and the scan searches for the triggers in their listed order (in other words, if the scan is not triggered by the first trigger, it searches for the second trigger).

  Note: Agents perform triggered scans automatically, and do not require an admin to launch or schedule them to launch at a particular time. Triggered scans also do not generate a scan DB or UUID.

Specifies how often Tenable Vulnerability Management launches the scan.

• Once — Schedule the scan at a specific time.
• Daily —Schedule the scan to occur every 1-20 days, at a specific time.
• Weekly — Schedule the scan to occur every 1-20 weeks, by time and day or days of the week.
• Monthly — Schedule the scan to occur every 1-20 months, by:
  • Day of Month — The scan repeats monthly on a specific day of the month at the selected time. For example, if you select a start date of October 3, the scan repeats on the 3rd of each subsequent month at the selected time.
  • Week of Month — The scan repeats monthly on a specific day of the week. For example, if you select a start date of the first Monday of the month, the scan runs on the first Monday of each subsequent month at the selected time.

  Note: If you schedule your scan to recur monthly and by time and day of the month, Tenable recommends setting a start date no later than the 28th day. If you select a start date that does not exist in some months (for example, the 29th), Tenable Vulnerability Management cannot run the scan on those days.

• Yearly — Schedule the scan to occur every 1-20 years, by time and date.

Specifies the exact date and time when a scan launches.

The starting date defaults to the date when you are creating the scan. The starting time is the nearest half-hour interval. For example, if you create your scan on 09/31/2018 at 9:12 AM, Tenable Vulnerability Management sets the default starting date and time to 09/31/2018 and 09:30.

If set to On, the scanner pings remote hosts on multiple ports to determine if they are alive. Additional options General Settings and Ping Methods appear.

If set to Off, the scanner does not ping remote hosts on multiple ports during the scan.

Note: To scan VMware guest systems, Ping the remote host must be set to Off.

Specifies whether the Nessus scanner scans hosts that do not respond to any ping methods. This option is only available for scans using the PCI Quarterly External Scan template.

When disabled, if a host responds to ping, Tenable Vulnerability Management attempts to avoid false positives, performing additional tests to verify the response did not come from a proxy or load balancer. These checks can take some time, especially if the remote host is firewalled.

When enabled, Tenable Vulnerability Management does not perform these checks.

Tenable does not recommend scanning fragile devices in a production environment because it may cause an operational impact. If you have a need to assess OT devices, consider using OT Security to perform in-depth assessments.

When enabled, if a port is not scanned with a selected port scanner (for example, the port falls outside of the specified range), the scanner considers it closed.

Specifies the range of ports to be scanned.

Supported keyword values are:

• default instructs the scanner to scan approximately 4,790 commonly used ports.
• all instructs the scanner to scan all 65,536 ports, including port 0.

Additionally, you can indicate a custom list of ports by using a comma-separated list of ports or port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200. If you wanted to scan all ports excluding port 0, you would type 1-65535.

The custom range specified for a port scan is applied to the protocols you have selected in the Network Port Scanners group of settings.

If scanning both TCP and UDP, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would type T:1-1024,U:300-500.

You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example, 1-1024,T:1024-65535,U:1025.

When enabled, the scanner uses netstat to determine open ports while performing an authenticated SSH-based scan.

In addition, the scanner:

• Ignores any custom range specified in the Port Scan Range setting.
• Continues to treat unscanned ports as closed if the Consider unscanned ports as closed setting is enabled.

If any port enumerator (netstat or SNMP) is successful, the port range becomes all.

When enabled, the scanner uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target.

When enabled, the scanner uses SNMP details to determine open ports while performing a SNMP-based scan.

If a local port enumerator runs, all network port scanners will be disabled for that asset.

When enabled, if a local port enumerator (for example, WMI or netstat) finds a port, the scanner also verifies that the port is open remotely. This approach helps determine if some form of access control is being used (for example, TCP wrappers or a firewall).

If enabled, this setting will increase scan duration.

Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the targets, using a full TCP three-way handshake. If you enable this option, you can also set the Override Automatic Firewall Detection option.

Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a SYN packet to the port, waits for SYN-ACK reply, and determines the port state based on a response or lack of response.

If you enable this option, you can also set the Override Automatic Firewall Detection option.

This setting can be enabled if you enable either the TCP or SYN option.

When enabled, this setting overrides automatic firewall detection.

This setting has three options:

• Use aggressive detection attempts to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network.

• Use soft detection disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device.

• Disable detection disables the firewall detection feature.

This option engages the built-in Tenable Nessus UDP scanner to identify open UDP ports on the targets.

Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports.

When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option.

Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects.

Specifies which ports on target hosts the scanner searches for SSL/TLS services.

This setting has two options:

• Known SSL/TLS ports
• All TCP ports

In some cases, Tenable Vulnerability Management cannot remotely determine whether a flaw is present or not. If report paranoia is set to Show potential false alarms, a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid potential false alarms causes Tenable Vulnerability Management to not report any flaw whenever there is a hint of uncertainty about the remote host. As a middle ground between these two settings, disable this setting.

A text file that contains a list of known bad IP addresses that you want to detect.

Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments.

Note: Tenable does not detect private IP ranges in the text file.

A text file with one MD5 hash per line that specifies more known bad MD5 hashes.

Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If the sensor finds any matches when scanning a target, the description appears in the scan results. You can also use hash-delimited comments (for example, fop) in addition to comma-separated comments.

A text file with one MD5 hash per line that specifies more known good MD5 hashes.

Optionally, you can include a description for each hash by adding a comma after the hash, followed by the description. If the sensor finds any matches when scanning a target, and you provide a description for the hash, the description appears in the scan results. You can also use hash-delimited comments (for example, #) in addition to comma-separated comments.

Tenable checks system hosts files for signs of a compromise (for example, Plugin ID 23910 titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames you want Tenable to ignore during a scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file.

A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.

If enabled, Tenable can scan system directories and files on host computers.

Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

When enabled, if at least one host credential and one Oracle database credential are configured, the scanner authenticates to scan targets using the host credentials, and then attempts to detect Oracle System IDs (SIDs) locally. The scanner then attempts to authenticate using the specified Oracle database credentials and the detected SIDs.

If the scanner cannot authenticate to scan targets using host credentials or does not detect any SIDs locally, the scanner authenticates to the Oracle database using the manually specified SIDs in the Oracle database credentials.

When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan.

When disabled, to avoid overwhelming a host, Tenable prevents a single scanner from simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.

When enabled, a Tenable scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results.

When enabled, Tenable detects when it is sending too many packets and the network pipe is approaching capacity. If network congestion is detected, throttles the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Tenable automatically attempts to use the available space within the network pipe again.

Specifies the time that Tenable waits for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may want to set this to a higher number of seconds.

Specifies the maximum number of checks a Tenable scanner will perform against a single host at one time.

Specifies the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most.

Specifies the maximum number of established TCP sessions for each scan task, regardless of the number of hosts being scanned.

For scanners installed on any Windows host, you must set this value to 19 or less to get accurate results.

A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page.

A plain text file containing a list of filepaths to include from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible.

Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system.

When enabled, Tenable generates a report of all the commands run over SSH on the host in a machine-readable format. You can view the reported commands under plugin 168017.

Note: The setting does not function correctly if you disable plugin 168017.

Shows a list of plugins that Tenable launched during the scan. You can view the list in scan results under plugin 112154.

Note: The setting does not function correctly if you disable plugin 112154.

(Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU.

If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes.

Controls the maximum output length for each individual compliance check value that the target returns. If a compliance check value that is greater than this setting's value, Tenable Vulnerability Management truncates the result.

Note: If you notice that your compliance scan processing is slow, Tenable recommends reducing this setting to increase the processing speed.