Tenable Nessus Agent 2025 Release Notes

The following are security updates included in Tenable Nessus Agent 10.7.4:

• Addressed an issue where Tenable Nessus Agent fails to properly set ACLs of installation directory tree.

• Addressed an issue where Tenable Nessus Agent was permitted to install in a directory with improperly-set ACLs.

  For more information, see the Tenable Product Security Advisory.

• If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.

• New Tenable Vulnerability Management Domain - As a part of continuous security and scalability improvements to Tenable infrastructure, we have added a new sensor.cloud.tenable.com domain that Tenable Vulnerability Management-linked Tenable Nessus Agents communicate with.

  • Tenable Vulnerability Management-linked Tenable Nessus Agents communicate with Tenable Vulnerability Management using sensor.cloud.tenable.com. If agents versions 8.1.0 through 10.3.1 are not able to connect to the new domain, they fall back to using cloud.tenable.com. Tenable Nessus Agent 10.3.2 and later do not fall back using the cloud.tenable.com domain.

  • Recommended Action: If you use domain allow lists for firewalls, Tenable recommends adding *.cloud.tenable.com (with the wildcard character) to the allow list. This ensures communication with sensor.cloud.tenable.com and all future subdomains, reducing operational overhead. Contact your network administrator for assistance with making necessary changes to your allow list.
• You can upgrade to the latest version of Tenable Nessus Agent from any previously supported version.
• If your upgrade path skips versions of the Tenable Nessus Agent, Tenable recommends reviewing the release notes for all skipped versions to learn about new features and bug fixes.

The following enhancements are included in Tenable Nessus Agent 10.8.3:

• Updated agents to perform a full plugin compilation after every plugin update.

• Changed the default Plugin Compilation Performance (plugin_load_performance_mode) value from high to medium. This increases full plugin set load times but reduces the maximum percentage of CPU utilization to ~50% on multi-core systems.

  • If your organization has explicitly set Plugin Compilation Performance to high, medium, or low, this upgrade does not overwrite your configuration.

  • If your organization uses the default value, upgrading to 10.8.3 changes the setting from high to medium.

  For more information about the setting, see Agent CPU Resource Control. For more technical information about this setting update, see the related knowledge base article.

The following are security updates included in Tenable Nessus Agent 10.8.3:

• Addressed an issue where Tenable Nessus Agent fails to properly set ACLs of installation directory tree.

• Addressed an issue where Tenable Nessus Agent was permitted to install in a directory with improperly-set ACLs.

  For more information, see the Tenable Product Security Advisory.

• If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.

• New Tenable Vulnerability Management Domain - As a part of continuous security and scalability improvements to Tenable infrastructure, we have added a new sensor.cloud.tenable.com domain that Tenable Vulnerability Management-linked Tenable Nessus Agents communicate with.

  • Tenable Vulnerability Management-linked Tenable Nessus Agents communicate with Tenable Vulnerability Management using sensor.cloud.tenable.com. If agents versions 8.1.0 through 10.3.1 are not able to connect to the new domain, they fall back to using cloud.tenable.com. Tenable Nessus Agent 10.3.2 and later do not fall back using the cloud.tenable.com domain.

  • Recommended Action: If you use domain allow lists for firewalls, Tenable recommends adding *.cloud.tenable.com (with the wildcard character) to the allow list. This ensures communication with sensor.cloud.tenable.com and all future subdomains, reducing operational overhead. Contact your network administrator for assistance with making necessary changes to your allow list.
• You can upgrade to the latest version of Tenable Nessus Agent from any previously supported version.
• If your upgrade path skips versions of the Tenable Nessus Agent, Tenable recommends reviewing the release notes for all skipped versions to learn about new features and bug fixes.

• There is a known issue which can cause Tenable Nessus Agent 10.8.0 and 10.8.1 to go offline when a plugin update triggers simultaneous compilation of mutually dependent libraries. To prevent further impact, Tenable has disabled the Tenable Vulnerability Management plugin updates for these two agent versions. Additionally, Tenable has disabled the 10.8.0 and 10.8.1 versions.

  This issue was caused initially by plugin compiler performance improvements released in 10.8.0 which introduced a race condition that can surface when mutually dependent libraries are compiled simultaneously. This issue was triggered by a plugin update released on December 31, 2024, that contained this unusually rare set of conditions.

  To fix the above issue, Tenable Nessus Agent version 10.8.0 or 10.8.1 must either be upgraded to agent version 10.8.2 or downgraded to 10.7.3.

  There are two methods you can use to recover the offline agents. Choose the method that follows your organization's agent management standards:

  • Upgrade to 10.8.2 or downgrade to 10.7.3

    If your organization uses internal automation or manually updates using install packages, use the following steps to bring agents back online:

    1. Download the Tenable Nessus Agent 10.8.2 or 10.7.3 install package.

    2. Upgrade agents with the 10.8.2 package or downgrade agents with the 10.7.3 package.

       No further action is required once you upgrade or downgrade using this method.

  • Perform a plugin reset

    If your organization uses automated channels or agent profiles to upgrade agents, use the following steps to bring agents back online. Once you complete the steps, the agents resume running and download the necessary updates once they are back online.

    Note: Triggering a plugin reset on a large number of agents will result in a large spike in network traffic.

    Additionally, after performing a plugin reset, agents will download a full plugin set as soon as the agents launch a scan or are assigned a triggered scan. When a large number of agents perform this full plugin set download simultaneously, it results in a large spike in network traffic.

    If your organization has a large agent deployment and wants to avoid potential network spikes, Tenable recommends staggering the plugin resets to spread out the plugin downloads. There are multiple ways to do this, depending on your organization's scanning setup, including the following:

    • If you have agents that are assigned triggered agent scans, stagger the plugin reset:

      • If you run the Nessus 10.8.0 / 10.8.1 Agent Reset scan to perform the plugin reset (step 2 in the following process), configure the Stagger Scan Start scan setting before running the scan.

      • If you manually run the provided script or scripts to perform the plugin reset (step 2 in the following process), stagger the commands according to your organization's infrastructure management.

    • Reset subsets of agents and launch an immediate scan on those agents afterward.

    • Reset all agents but stagger subsequent scan launches.

    1. If your organization uses agent profiles in Tenable Vulnerability Management or Tenable Nessus Manager and the agent profiles are set to version 10.8.0 or 10.8.1, update your agent profiles to 10.8.2 or 10.7.3. If your organization does not use agent profiles, skip this step.

    2. Do one of the following:

       • Create and run a scan with the Nessus 10.8.0 / 10.8.1 Agent Reset credentialed scan template in Tenable Vulnerability Management, Tenable Security Center, or Tenable Nessus Manager. Target any of your agents that need to be reset.

         

         For more information on this scan template, see the related Tenable Research Release Highlight.

       • Alternatively, if you do not run the Nessus 10.8.0 / 10.8.1 Agent Reset scan, run one of the following scripts manually to reset the agent plugins, depending on your operating system:

         • Windows (PowerShell)

           Copy

           $ServiceName="Tenable Nessus Agent";if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {Write-Host "This Script Must Be Ran as Administrator."} else {try {Write-Host "Stopping Nessus Agent"; Stop-Service $ServiceName; $service=(Get-Service -Name $ServiceName -ErrorAction Stop); timeout /T 5; if ($service.Status -eq "Stopped"){cd "C:\Program Files\Tenable\Nessus Agent"; .\Nessuscli.exe plugins --reset; .\Nessuscli.exe plugins --info; Start-Service $ServiceName; Get-Service -Name $ServiceName; Write-Host "Plugin Reset and Agent Started"} else {Write-Host "Nessus Agent Not Stopped"}} catch {Write-Host "Plugin Refresh Unsuccessful"}}

         • Windows (32-bit)

           Copy

           $ServiceName="Tenable Nessus Agent";if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {Write-Host "This Script Must Be Ran as Administrator."} else {try {Write-Host "Stopping Nessus Agent"; Stop-Service $ServiceName; $service=(Get-Service -Name $ServiceName -ErrorAction Stop); timeout /T 5; if ($service.Status -eq "Stopped"){cd "C:\Program Files (x86)\Tenable\Nessus Agent"; .\Nessuscli.exe plugins --reset; .\Nessuscli.exe plugins --info; Start-Service $ServiceName; Get-Service -Name $ServiceName; Write-Host "Plugin Reset and Agent Started"} else {Write-Host "Nessus Agent Not Stopped"}} catch {Write-Host "Plugin Refresh Unsuccessful"}}

         • Unix (run as root)

           Copy

           systemctl stop nessusagent && /opt/nessus_agent/sbin/nessuscli plugins --reset && systemctl start nessusagent

         • Unix (for systems that require sudo)

           Copy

           sudo systemctl stop nessusagent && sudo /opt/nessus_agent/sbin/nessuscli plugins --reset && sudo systemctl start nessusagent

         • macOS (run as root)

           Copy

           launchctl stop com.tenablesecurity.nessusagent && /Library/NessusAgent/run/sbin/nessuscli plugins --reset && launchctl start com.tenablesecurity.nessusagent

         • macOS (for systems that require sudo)

           Copy

           sudo launchctl stop com.tenablesecurity.nessusagent && sudo /Library/NessusAgent/run/sbin/nessuscli plugins --reset && sudo launchctl start com.tenablesecurity.nessusagent

    You can also reset and upgrade the agent plugins manually via nessuscli:

    1. If your organization uses agent profiles in Tenable Vulnerability Management or Tenable Nessus Manager and the agent profiles are set to version 10.8.0 or 10.8.1, update your agent profiles to 10.8.2 or 10.7.3. If your organization does not use agent profiles, skip this step.

    2. Stop the agent service.

    3. Run the following plugin reset command in nessuscli:

       Copy

       # nessuscli plugins --reset

       Note: This reset command should have the full path to nessuscli based on the operating system that the agent is installed on. See Tenable Nessus Agent CLI Commands to view the full nessuscli path per operating system.

    4. Start the agent service.

• If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.

• New Tenable Vulnerability Management Domain - As a part of continuous security and scalability improvements to Tenable infrastructure, we have added a new sensor.cloud.tenable.com domain that Tenable Vulnerability Management-linked Tenable Nessus Agents communicate with.

  • Tenable Vulnerability Management-linked Tenable Nessus Agents communicate with Tenable Vulnerability Management using sensor.cloud.tenable.com. If agents versions 8.1.0 through 10.3.1 are not able to connect to the new domain, they fall back to using cloud.tenable.com. Tenable Nessus Agent 10.3.2 and later do not fall back using the cloud.tenable.com domain.

  • Recommended Action: If you use domain allow lists for firewalls, Tenable recommends adding *.cloud.tenable.com (with the wildcard character) to the allow list. This ensures communication with sensor.cloud.tenable.com and all future subdomains, reducing operational overhead. Contact your network administrator for assistance with making necessary changes to your allow list.
• You can upgrade to the latest version of Tenable Nessus Agent from any previously supported version.
• If your upgrade path skips versions of the Tenable Nessus Agent, Tenable recommends reviewing the release notes for all skipped versions to learn about new features and bug fixes.