Custom Scan Policy Options

Path: Scans > Policies

Setup Options

Option Description

Name

A unique name for the policy.

Description

(Optional) A description for the policy.

Tag

A logical grouping for policy objects. Tags can be reused as desired, and previously created tags will display in the tag field when subsequent assets are added.

Advanced Options

Option Description

General Settings

Enable Safe Checks

Nessus attempts to identify remote vulnerabilities by interpreting banner information and attempting to exercise a vulnerability. When Enable Safe Checks is enabled, the second step is skipped. This is not as reliable as a full probe, but is less likely to negatively impact a targeted system.

Stop scanning hosts that become unresponsive during the scan

During a scan hosts may become unresponsive after a period of time. Enabling this setting stops scan attempts against hosts that stop sending results.

Performance Options

Slow down the scan when network congestion is detected

When Nessus detects congestion during a scan, it will slow the speed of the scan in an attempt to ease the burden on the affected segment(s).

Use Linux kernel congestion detection

Use Linux kernel congestion detection during the scan to help alleviate system lockups on the Nessus scanner server.

Network Timeout (in seconds)

The number of seconds Nessus waits before concluding that there is a problem communicating over the network.

Max Simultaneous Checks Per Host

This setting limits the maximum number of checks a Nessus scanner will perform against a single host at one time.

Max Simultaneous Hosts Per Scan

This setting limits the maximum number of hosts that a single Nessus scanner will scan at the same time. If the scan is using a zone with multiple scanners, each scanner will accept up to the amount specified in the Max Simultaneous Hosts Per Scan option. For example, if the Max Simultaneous Hosts Per Scan is set to 5 and there are five scanners per zone, each scanner will accept five hosts to scan, allowing a total of 25 hosts to be scanned between the five scanners.

Max number of concurrent TCP sessions per host

This setting limits the maximum number of TCP sessions established by any of the active scanners while scanning a single host.

Max number of concurrent TCP sessions per scan

This setting limits the maximum number of TCP sessions established by any of the active scanners during a scan.

Host Discovery Options

Option Description

Ping the remote host

When enabled, Nessus attempts to ping the hosts in the scan to determine if the host is alive or not.

General Settings (available when Ping the remote host is enabled)

Test the local Nessus host

This option allows you to include or exclude the local Nessus host from the scan. This is used when the Nessus host falls within the target network range for the scan.

Use Fast Network Discovery

When Nessus “pings” a remote IP and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer to every port 1 - 65535 even when there is no service behind the device). Such checks can take some time, especially if the remote host is firewalled. If the “Use Fast Network Discovery” option is enabled, Nessus will not perform these checks.

Ping Methods (available when Ping the remote host is enabled)

ARP

Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.

TCP

Ping a host using TCP.

Destination ports

Destination ports can be configured to use specific ports for TCP ping. This specifies the list of ports that will be checked via TCP ping. If you are not sure of the ports, leave this setting on built-in.

ICMP

Ping a host using the Internet Control Message Protocol (ICMP).

Assume ICMP unreachable means the host is down

When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When enabled, this option treats such a message as meaning the host is down. This helps speed up discovery on some networks.

Note that some firewalls and packet filters use this same behavior for hosts that are up but are being contacted on a port or protocol that is filtered. With this option enabled, the scan will treat such a host as down when it is in fact up.

Maximum Number of Retries (available when ICMP is enabled)

Allows you to specify the number of attempts to try to ping the remote host. The default is two attempts.

UDP

Ping a host using the User Datagram Protocol (UDP).

Tip: UDP is a “stateless” protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

Fragile Devices

Scan Network Printers

Instructs the Nessus scanner not to scan network printers if unselected. Since many printers are prone to denial of service conditions, Nessus can skip scanning them once identified. This is particularly recommended if scanning is performed on production networks.

Scan Novell Netware Hosts

Instructs the Nessus scanner not to scan Novell Netware hosts if unselected. Since many Novell Netware hosts are prone to denial of service conditions, Nessus can skip scanning them once identified. This is particularly recommended if scanning is performed on production networks.

Wake-on-LAN

List of MAC addresses

Wake-on-LAN (WOL) packets will be sent to the hosts listed, one on each line, in an attempt to wake the specified host(s) during a scan.

Boot time wait (in minutes)

The number of minutes Nessus waits before attempting to scan hosts that were sent a WOL packet.

Network Type

Network Type

Allows you to specify if you are using publicly routable IPs, private non-Internet routable IPs or a mix of these. Click Mixed if you are using RFC 1918 addresses and have multiple routers within your network.

Port Scanning Options

Option Description

Ports

Consider Unscanned Ports as Closed

If a port is not scanned with a selected port scanner (e.g., it is out of the range specified), the scanner will consider it closed.

Port scan range

Directs the scanner to target a specific range of ports. Accepts “default” (a list of approximately 4,790 common ports found in the Nessus-services file) or a custom list of ports specified by the user. The custom list may contain individual ports and ranges; for example, “21,23,25,80,110” and “1-1024,8080,9000-9200” are valid values. Specifying “1-65535” will scan all ports.
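The port-specification syntax above is easy to get wrong when a policy is typed by hand, so here is an added example (not Nessus code and not part of the original page) that parses and validates a port range string exactly as the description defines it: the keyword “default” or a comma-separated list of single ports and low-high ranges, each bounded to 1-65535. The DEFAULT_PORTS tuple is a constructed stand-in for the Nessus-services list, not the real list of roughly 4,790 ports.

```python
import re

# Constructed stand-in for the scanner's "default" keyword: a handful of common
# ports, NOT the ~4,790-entry Nessus-services list.
DEFAULT_PORTS = (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389)

# A token is either "N" or "LOW-HIGH", with 1-5 digits on each side.
_TOKEN = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_range(spec):
    """Expand a port-range string into a sorted, de-duplicated tuple of ports.

    Accepts the keyword "default" or a comma-separated list of single ports
    and low-high ranges, e.g. "21,23,25,80,110" or "1-1024,8080,9000-9200".
    Raises ValueError on malformed tokens, out-of-bounds ports, inverted
    ranges, or an empty specification.
    """
    spec = spec.strip()
    if spec.lower() == "default":
        return DEFAULT_PORTS
    ports = set()
    for token in spec.split(","):
        token = token.strip()
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"malformed port token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            raise ValueError(f"port out of range 1-65535: {token!r}")
        if hi < lo:
            raise ValueError(f"inverted range: {token!r}")
        ports.update(range(lo, hi + 1))
    if not ports:
        raise ValueError("empty port specification")
    return tuple(sorted(ports))


def is_full_sweep(spec):
    """True when the specification covers every port from 1 to 65535."""
    return len(parse_port_range(spec)) == 65535


if __name__ == "__main__":
    print(len(parse_port_range("1-1024,8080,9000-9200")), "ports")
    print("full sweep:", is_full_sweep("1-65535"))
```

Rejecting inverted ranges and out-of-bounds values at policy-creation time is cheaper than discovering, after a multi-hour scan, that the range silently covered nothing.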

Local Port Enumerators

SSH (netstat)

This option uses netstat to check for open ports on the target host. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Unix-based systems and requires authentication credentials.

WMI (netstat)

This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target. This scan is intended for Windows-based systems and requires authentication credentials.

SNMP

Direct Nessus to scan targets for an SNMP service. Nessus will guess relevant SNMP settings during a scan. If the settings are provided by the user under “Preferences”, this will allow Nessus to better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Override automatic firewall detection

Rely on local port enumeration first before relying on network port scans.

Verify open TCP ports found by local port enumerators

If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).

Network Port Scanners

TCP

Use Nessus’ built-in TCP scanner to identify open TCP ports on the targets. This scanner is optimized and has some self-tuning features.

Note: On some platforms (e.g., Windows and Mac OS X), if the operating system is causing serious performance issues using the TCP scanner, Nessus will launch the SYN scanner instead.

SYN

Use Nessus’ built-in SYN scanner to identify open TCP ports on the targets. SYN scans are a popular method for conducting port scans and are generally considered a bit less intrusive than TCP scans. The scanner sends a SYN packet to the port, waits for a SYN-ACK reply, and then determines the port state based on the reply, or the lack of one.

Only run network port scanners if local port enumeration failed

Rely on local port enumeration first before relying on network port scans.

UDP

This option engages Nessus’ built-in UDP scanner to identify open UDP ports on the targets.

Tip: UDP is a “stateless” protocol, meaning that communication is not done with handshake dialogues. UDP-based communication is not reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable. Utilizing the UDP scanner will noticeably increase scanning time.

Service Discovery Options

The Service Discovery tab specifies how the scanner looks for services running on the target’s ports.

Option Description

Probe all ports to find services

Attempts to map each open port with the service that is running on that port. Note that in some rare cases, this might disrupt some services and cause unforeseen side effects.

Search for SSL based services

Controls how Nessus will test SSL based services: known SSL ports (e.g., 443), all ports, or none. Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL on

If selected, choose between Known SSL ports (e.g., 443) and All ports. Testing for SSL capability on all ports may be disruptive for the tested host.

Identify certificates expiring within x days

Identifies SSL certificates that will expire within the specified timeframe. Type a value to set a timeframe (in days).

Enumerate all SSL ciphers

When SecurityCenter performs an SSL scan, it tries to determine the SSL ciphers used by the remote server by attempting to establish a connection with each different documented SSL cipher, regardless of what the server says is available.

Enable CRL checking (connects to the Internet)

Direct Nessus to check SSL certificates against known Certificate Revocation Lists (CRL). Enabling this option will make a connection and query one or more servers on the internet.

Assessment Options

The Assessment tab specifies how the scanner tests for information during the scan.

Value Description

Accuracy

Override normal accuracy

In some cases, Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to “Paranoid”, then a flaw will be reported every time, even when there is doubt about whether the remote host is affected. Conversely, a paranoia setting of “Avoid false alarms” will cause Nessus not to report any flaw whenever there is a hint of uncertainty about the remote host. Leaving the setting at “Normal” is a middle ground between these two.

Perform thorough tests (may disrupt your network or impact scan speed)

Causes various plugins to use more aggressive settings. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of its default of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Antivirus

Antivirus definition grace period (in days)

The number of days by which Nessus delays reporting antivirus software as outdated. Valid values are 0 (no delay, the default) through 7.

SMTP

Third Party Domain

Nessus will attempt to send spam through each SMTP device to the address listed in this option. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

From address

The test messages sent to the SMTP server(s) will appear as if they originated from the address specified in this option.

To Address

Nessus will attempt to send messages addressed to the mail recipient listed in this option. The postmaster address is the default value since it is a valid address on most mail servers.

Brute Force Options

The Brute Force tab specifies how the scanner tests for information against SCADA systems.

Additionally, if Hydra is installed on the same host as a Nessus server linked to SecurityCenter, the Hydra section will be enabled. Hydra extends brute force logon testing for the following services: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Option Description

General Settings

Only use credentials provided by the user

In some cases, Nessus can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Nessus from performing these tests.

Oracle Database

Test default Oracle accounts (slow)

Test for known default accounts in Oracle software.

Hydra

Always enable Hydra (slow)

Enables Hydra whenever the scan is performed.

Logins file

A file that contains user names that Hydra will use during the scan.

Passwords file

A file that contains passwords for user accounts that Hydra will use during the scan.

Number of parallel tasks

The number of simultaneous Hydra tests that you want to execute. By default, this value is 16.

Timeout (in seconds)

The number of seconds per logon attempt.

Try empty passwords

If enabled, Hydra will additionally try user names without using a password.

Try login as password

If enabled, Hydra will additionally try a user name as the corresponding password.

Stop brute forcing after the first success

If enabled, Hydra will stop brute forcing user accounts after the first time an account is successfully accessed.

Add accounts found by other plugins to the login file

If disabled, only the user names specified in the logins file will be used for the scan. Otherwise, additional user names discovered by other plugins will be added to the logins file and used for the scan.

PostgreSQL database name

The database that you want Hydra to test.

SAP R3 Client ID (0 - 99)

The ID of the SAP R3 client that you want Hydra to test.

Windows accounts to test

Can be set to Local accounts, Domain Accounts, or Either.

Interpret passwords as NTLM hashes

If enabled, Hydra will interpret passwords as NTLM hashes.

Cisco login password

This password is used to log in to a Cisco system before brute forcing enable passwords. If no password is provided here, Hydra will attempt to log in using credentials that were successfully brute forced earlier in the scan.

Web page to brute force

Type a web page that is protected by HTTP basic or digest authentication. If a web page is not provided here, Hydra will attempt to brute force a page discovered by the Nessus web crawler that requires HTTP authentication.

HTTP proxy test website

If Hydra successfully brute forces an HTTP proxy, it will attempt to access the website provided here via the brute forced proxy.

LDAP DN

The LDAP Distinguished Name scope that Hydra will authenticate against.

Malware Options

The Malware tab specifies options for DNS Resolution, hash, and whitelist files and file system scanning.

Option Description

Malware Scan Settings

Malware scan

When enabled, displays the General Settings, Hash and Whitelist Files, File System Scanning, and Directories options.

General Settings

Disable DNS Resolution

Checking this option will prevent Nessus from using the cloud to compare scan findings against known malware.

Hash and Whitelist Files

Provide your own list of known bad MD5 hashes

Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.

It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash the description will show up in the scan results.

Provide your own list of known good MD5 hashes

Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.

It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description will show up in the scan results.
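Both upload formats above (known bad and known good) are the same one-hash-per-line text with an optional comma-separated description, so one added example covers both. This is illustrative code written for this page, not Nessus code: it parses such a file, rejects lines that are not a 32-hex-digit MD5 so a typo does not silently drop an indicator, and classifies a file hash against the two lists. The sample hashes are computed from constructed byte strings and represent no real file; blank-line handling and the bad-before-good precedence are this example's choices, not documented scanner behaviour.

```python
import hashlib
import re
from typing import NamedTuple

# One MD5 is 32 hex digits; a line is "<md5>" or "<md5>,<description>".
_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


class HashList(NamedTuple):
    entries: dict   # lowercase md5 -> description ("" when none was given)
    errors: list    # (line number, reason) for lines that were rejected


def parse_hash_list(text):
    """Parse an uploaded hash file into a HashList.

    Blank lines are skipped (an assumption of this example; the page does not
    say how the scanner treats them). Everything after the first comma on a
    line is the optional description.
    """
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        digest, _, description = line.partition(",")
        digest = digest.strip()
        if not _MD5_RE.match(digest):
            errors.append((lineno, f"not a 32-hex-digit MD5: {digest!r}"))
            continue
        entries[digest.lower()] = description.strip()
    return HashList(entries, errors)


def classify(md5, bad, good):
    """Look a file's MD5 up in both lists.

    Returns ("bad", desc), ("good", desc) or ("unknown", ""). A hash present
    in both lists is reported as bad here; that precedence is this example's
    choice, not documented scanner behaviour.
    """
    key = md5.lower()
    if key in bad.entries:
        return ("bad", bad.entries[key])
    if key in good.entries:
        return ("good", good.entries[key])
    return ("unknown", "")


# Constructed sample data: the hashes are derived from made-up byte strings.
SAMPLE_BAD_MD5 = hashlib.md5(b"constructed sample: bad file").hexdigest()
SAMPLE_GOOD_MD5 = hashlib.md5(b"constructed sample: good file").hexdigest()
BAD_LIST_TEXT = f"{SAMPLE_BAD_MD5},Sample dropper (constructed)\n"
GOOD_LIST_TEXT = f"{SAMPLE_GOOD_MD5}\n\nnot-a-hash,typo on this line\n"


def demo():
    """Parse both constructed lists and classify the constructed bad hash."""
    bad = parse_hash_list(BAD_LIST_TEXT)
    good = parse_hash_list(GOOD_LIST_TEXT)
    return classify(SAMPLE_BAD_MD5.upper(), bad, good), good.errors


if __name__ == "__main__":
    print(demo())
```

Running the parser over a list before uploading it surfaces malformed lines with their line numbers, which is the check most worth doing: a hash that does not parse is an indicator the scan will never match.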

Hosts file whitelist

Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910, titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames that will be ignored by Nessus during a scan. Include one IP and hostname (formatted identically to your hosts file on the target) per line in a regular text file.

File System Scanning

Scan File System

Turning on this option allows you to scan system directories and files on host computers.

Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Directories

Scan %Systemroot%

Enable file system scanning to scan %Systemroot%.

Scan %ProgramFiles%

Enable file system scanning to scan %ProgramFiles%.

Scan %ProgramFiles(x86)%

Enable file system scanning to scan %ProgramFiles(x86)%.

Scan %ProgramData%

Enable file system scanning to scan %ProgramData%.

Scan User Profiles

Enable file system scanning to scan user profiles.

Custom Filescan Directories

Add File

Add a custom file that lists directories for malware file scanning. List each directory on one line.

Caution: Root directories such as 'C:\' or 'D:\' are not accepted.

SCADA Options

The SCADA tab specifies how the scanner tests for information against SCADA systems.

Option Description

Modbus/TCP Coil Access

Start at register

End at register

These options are available for commercial users. This drop-down box item is dynamically generated by the SCADA plugins available with the commercial version of Nessus. Modbus uses a function code of 1 to read “coils” in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a “write coil” message. The defaults for this are “0” for the “Start reg” and “16” for the “End reg”.

ICCP/COTP TSAP Addressing Weakness

Start COTP TSAP

Stop COTP TSAP

The “ICCP/COTP TSAP Addressing” menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values. The start and stop values are set to “8” by default.

Web Applications Options

The Web Applications tab specifies how the scanner tests for information against web server applications.

Value Description

Web Application Settings

Scan web applications

Enables the General Settings, Web Crawler, and Application Test Settings sections.

General Settings

Use a custom User-Agent

Specifies which type of web browser Nessus will impersonate while scanning.

Web Crawler

Start crawling from

The URL of the first page that will be tested. If multiple pages are required, use a colon delimiter to separate them (e.g., “/:/php4:/base”).

Excluded pages (regex)

Enable exclusion of portions of the web site from being crawled. For example, to exclude the “/manual” directory and all Perl CGI, set this option to: (^/manual)|(\.pl(\?.*)?$). Nessus supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).
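To see what the exclusion expression above actually removes from a crawl, here is an added example (illustrative code for this page, not Nessus code) that applies the page's regex, (^/manual)|(\.pl(\?.*)?$), to a constructed list of discovered paths and also applies the Maximum pages to crawl cap. Python's re module stands in for the scanner's POSIX/PCRE engine; the paths are made up and the crawl_queue function is hypothetical.

```python
import re

# The exclusion expression from the page: the /manual directory and any Perl
# CGI, with or without a query string.
EXCLUDE_PATTERN = r"(^/manual)|(\.pl(\?.*)?$)"


def make_exclusion_filter(pattern):
    """Compile an 'Excluded pages (regex)' value into a predicate over URL paths.

    The pattern is searched, not anchored, which is why the page's expression
    carries its own ^ and $ anchors.
    """
    rx = re.compile(pattern)
    return lambda path: rx.search(path) is not None


def crawl_queue(discovered, pattern=EXCLUDE_PATTERN, max_pages=None):
    """Return the discovered paths that survive the exclusion regex and, if
    given, the 'Maximum pages to crawl' cap (hypothetical helper)."""
    is_excluded = make_exclusion_filter(pattern)
    kept = [p for p in discovered if not is_excluded(p)]
    return kept if max_pages is None else kept[:max_pages]


# Constructed sample of discovered paths (not from any real site).
DISCOVERED = [
    "/index.html",
    "/manual/intro.html",          # under /manual: excluded
    "/manuals-archive/",           # also starts with /manual: excluded
    "/docs/manual.html",           # 'manual' not at the start: kept
    "/cgi-bin/form.pl",            # Perl CGI: excluded
    "/cgi-bin/form.pl?id=3&x=1",   # Perl CGI with query string: excluded
    "/backup/form.pl.bak",         # '.pl' not at the end: kept
    "/search?q=manual",            # neither alternative matches: kept
]


if __name__ == "__main__":
    for path in crawl_queue(DISCOVERED):
        print("crawl:", path)
```

Two traps are visible in the sample: “^/manual” also excludes “/manuals-archive/” because the anchor only fixes the start, and “/backup/form.pl.bak” is still crawled because “$” requires “.pl” (plus an optional query string) to end the path.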

Maximum pages to crawl

The maximum number of pages to crawl.

Maximum depth to crawl

Limit the number of links Nessus will follow for each start page.

Follow dynamically generated pages

If selected, Nessus will follow dynamic links and may exceed the parameters set above.

Application Test Settings

Enable generic web application tests

Enables the options listed below.

Abort web application tests if HTTP login fails

If Nessus cannot login to the target via HTTP, then do not run any web application tests.

Try all HTTP Methods

This option instructs Nessus to also use POST requests for enhanced web form testing. By default, the web application tests use only GET requests unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. When selected, Nessus will test each script/variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Attempt HTTP Parameter Pollution

When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like “/target.cgi?a='&b=2”. With HTTP Parameter Pollution (HPP) enabled, the request may look like “/target.cgi?a='&a=1&b=2”.

Test embedded web servers

Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.

Test more than one parameter at a time per form

This option manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying “non-attack” variations for additional parameters. For example, Nessus would attempt “/test.php?arg1=XSS&b=1&c=1” where “b” and “c” allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.

This drop-down box has five selections:

  • One value - This tests one parameter at a time with an attack string, without trying “non-attack” variations for additional parameters. For example, Nessus would attempt “/test.php?arg1=XSS&b=1&c=1” where “b” and “c” allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.
  • Some pairs – This form of testing will randomly check a combination of random pairs of parameters. This is the fastest way to test multiple parameters.
  • All pairs (slower but efficient) – This form of testing is slightly slower but more efficient than the “one value” test. While testing multiple parameters, it will test an attack string, variations for a single variable and then use the first value for all other variables. For example, Nessus would attempt “/test.php?a=XSS&b=1&c=1&d=1” and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Nessus would never test for “/test.php?a=XSS&b=3&c=3&d=3” when the first value of each variable is “1”.
  • Some combinations – This form of testing will randomly check a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Note that increasing the amount of combinations by three or more increases the web application test time.
  • All combinations (extremely slow) – This method of testing will do a fully exhaustive test of all possible combinations of attack strings with valid input to variables. Where “All-pairs” testing seeks to create a smaller data set as a tradeoff for speed, “all combinations” makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.

Do not stop after the first flaw is found per web page

This option determines when a new flaw is targeted. This applies at the script level; finding an XSS flaw will not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port, unless “thorough tests” is set. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may be reported sometimes, if they were caught by the same attack. The drop-down has four options:

Per CGI – As soon as a flaw is found on a CGI by a script, Nessus switches to the next known CGI on the same server, or if there is no other CGI, to the next port/server. This is the default option.

Per port (quicker) – As soon as a flaw is found on a web server by a script, Nessus stops and switches to another web server on a different port.

Per parameter (slow) – As soon as one type of flaw is found in a parameter of a CGI (e.g., XSS), Nessus switches to the next parameter of the same CGI, or the next known CGI, or to the next port/server.

Look for all flaws (slower) – Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.

URL for Remote File Inclusion

During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Nessus will use a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.

Maximum run time (minutes)

This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications will typically complete in under an hour, however web sites with large applications may require a higher value.

Windows Options

The Windows tab specifies basic Windows SMB domain options.

Option Description

General Settings

Request information about the SMB Domain

If the option Request information about the domain is set, then domain users will be queried instead of local users.

Enumerate Domain User

Start UID

1000

End UID

1200

Enumerate Local User

Start UID

1000

End UID

1200

Report Options

The Report tab specifies information to include in the scan’s report.

Option Description

Processing

Override normal verbosity

Determines the verbosity of the detail in the output of the scan results: Normal, Quiet, or Verbose.

Show missing patches that have been superseded

If enabled, show patches in the report that have not been applied but have been superseded by a newer patch.

Hide results from plugins initiated as a dependency

If enabled, hide the results of a plugin that was run only because it is a dependency of a selected plugin.

Output

Designate hosts by their DNS name

When possible, designate hosts by their DNS name rather than IP address in the reports.

Display hosts that respond to ping

When enabled, show a list of hosts that respond to pings sent as part of the scan.

Display unreachable hosts

If enabled, display a list of hosts within the scan range that could not be reached during the scan.

Generate SCAP XML Results

Generate a SCAP XML results file as part of the report output for the scan.

Authentication Options

The Authentication tab specifies authentication options during a scan.

Option Description

Add Authentication Settings

When added, authentication methods may be used to log in to the scan target machines to gather more complete results of the host’s status. The authentication types include host, database, miscellaneous, plaintext authentication, and patch management. For each type, various relevant options are presented, such as SNMPv3, MongoDB, VMware APIs, and similar.

SNMP

UDP Port

Additional UDP port #1

Additional UDP port #2

Additional UDP port #3

This is the UDP port that will be used when performing certain SNMP scans. Up to four different ports may be configured, with the default port being 161.

SSH

known_hosts file

If an SSH known_hosts file is provided for the scan policy in the “known_hosts file” option, Nessus will only attempt to log in to hosts defined in this file. This helps to ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a login to a system that may not be under your control.
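The known_hosts restriction described above is a credential-scoping control: the SSH password or key is only ever offered to hosts in the file. Here is an added example (written for this page, not Nessus code) that parses a known_hosts file and reports which hosts on a target list would receive credentials, taking the policy's Preferred port into account. The file content is constructed and the key material is a placeholder, not a real key; hashed entries (|1|...) cannot be enumerated and are only counted, and wildcard patterns are not expanded in this example.

```python
import re

# Constructed sample known_hosts file. Key material is a placeholder, not a real key.
KNOWN_HOSTS_TEXT = """\
# constructed sample, not a real known_hosts file
web01.example.internal,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY
[bastion.example.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERKEY
|1|SALTPLACEHOLDER=|HASHPLACEHOLDER= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY
@revoked old-jump.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERKEY
"""

# "[host]:port" is how OpenSSH records a host on a non-default port.
_BRACKETED = re.compile(r"^\[(.+)\]:(\d+)$")


def parse_known_hosts(text):
    """Return (hosts, hashed): hosts is a set of (name, port) pairs from plain
    entries; hashed counts |1|salt|hash entries, which cannot be enumerated.

    Comment lines and marker lines (@cert-authority, @revoked) are skipped.
    Wildcard patterns are not expanded (a simplification of this example).
    """
    hosts, hashed = set(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        hostfield = line.split()[0]
        if hostfield.startswith("|1|"):
            hashed += 1
            continue
        for name in hostfield.split(","):
            m = _BRACKETED.match(name)
            if m:
                hosts.add((m.group(1).lower(), int(m.group(2))))
            else:
                hosts.add((name.lower(), 22))   # no port given: default SSH port
    return hosts, hashed


def targets_receiving_credentials(targets, known_hosts_text, preferred_port=22):
    """Filter a scan's target list down to the hosts the SSH credentials would
    be offered to under the known_hosts restriction (hypothetical helper);
    preferred_port mirrors the policy's 'Preferred port' setting."""
    hosts, _ = parse_known_hosts(known_hosts_text)
    return [t for t in targets if (t.lower(), preferred_port) in hosts]


if __name__ == "__main__":
    sample_targets = ["web01.example.internal", "10.0.0.9", "bastion.example.internal"]
    print(targets_receiving_credentials(sample_targets, KNOWN_HOSTS_TEXT))
    print(targets_receiving_credentials(sample_targets, KNOWN_HOSTS_TEXT, preferred_port=2222))
```

Note the interaction with Preferred port: a host recorded as “[bastion.example.internal]:2222” only lines up with the policy when the policy's port is also 2222, so a mismatch silently excludes the host rather than sending credentials to it.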

Preferred port

This option is set to direct the scan to connect to a specific port if SSH is known to be listening on a port other than the default of 22.

Client Version

Specifies which type of SSH client to impersonate while performing scans.

Attempt least privilege (experimental)

Enables or disables dynamic privilege escalation. When enabled, if the scan target credentials include privilege escalation, Nessus first attempts to run commands without privilege escalation. If running commands without privilege escalation fails, Nessus retries the commands with privilege escalation.

You must be running Nessus 6.11 or later to perform dynamic privilege escalation. Plugins 102095 and 102094 report whether plugins ran with or without privilege escalation.

Note: Enabling this option may increase the time required to perform scans by up to 30%.

Windows

Never send credentials in the clear

By default, Windows credentials are not sent to the target host in the clear.

Do not use NTLMv1 authentication

If the “Do not use NTLMv1 authentication” option is disabled, then it is theoretically possible to trick Nessus into attempting to log in to a Windows server with domain credentials via the NTLM version 1 protocol. This provides a remote attacker with the ability to use a “hash” obtained from Nessus. This “hash” can potentially be cracked to reveal a username or password, and it may also be used to directly log in to other servers.

Because NTLMv1 is an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan

This option tells Nessus to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Nessus to execute some Windows local check plugins.

Enable administrative shares during the scan

This option will allow Nessus to access certain registry entries that can be read with administrator privileges.

Plaintext Authentication

Perform patch audits over telnet

When enabled, patch audits will be permitted over a telnet connection. However, this protocol is cleartext: usernames and passwords are unencrypted and can be intercepted. This option is therefore disabled by default.

Perform patch audits over rsh

When enabled, patch audits will be permitted over an rsh connection. However, this protocol is cleartext: usernames and passwords are unencrypted and can be intercepted. This option is therefore disabled by default.

Perform patch audits over rexec

When enabled, patch audits will be permitted over a rexec connection. However, this protocol is cleartext: usernames and passwords are unencrypted and can be intercepted. This option is therefore disabled by default.

HTTP

Login method

Specify if the login action is performed via a GET or POST request.

Re-authenticate delay (seconds)

The time delay between authentication attempts. This is useful to avoid triggering brute force lockout mechanisms.

Follow 30x redirections (# of levels)

If a 30x redirect code is received from a web server, this setting directs Nessus whether to follow the link provided, and to how many levels of redirection.

Invert authenticated regex

A regex pattern to look for on the login page that, if found, tells Nessus that authentication was not successful (e.g., “Authentication failed!”).

Use authenticated regex on HTTP headers

Rather than search the body of a response, Nessus can search the HTTP response headers for a given regex pattern to better determine authentication state.

Case insensitive authenticated regex

The regex searches are case sensitive by default. This instructs Nessus to ignore case.
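A simplified model of how the HTTP login options above combine (redirect levels, authenticated regex, invert, header search, case sensitivity), written as an added example; it is not Nessus code, and the response chain and paths are constructed for illustration.

```python
import re

# Constructed sample responses keyed by request path: (status, headers, body).
# Not captured from a real server; the chain /login -> /home -> /dashboard
# stands in for a login that redirects twice before showing the landing page.
RESPONSES = {
    "/login": (302, {"Location": "/home", "Set-Cookie": "session=abc123; HttpOnly"}, ""),
    "/home": (302, {"Location": "/dashboard"}, ""),
    "/dashboard": (200, {"Content-Type": "text/html"}, "<h1>Welcome back, alice</h1>"),
    "/login-fail": (200, {"Content-Type": "text/html"}, "<p>Authentication failed!</p>"),
}


def follow_redirects(path, max_levels):
    """Return (final response, levels followed).

    Follows 30x Location headers up to max_levels, mirroring the
    "Follow 30x redirections (# of levels)" option. With max_levels=0 the
    first response is evaluated as-is (assumed behaviour, not Nessus's).
    """
    status, headers, body = RESPONSES[path]
    levels = 0
    while 300 <= status < 400 and levels < max_levels and "Location" in headers:
        status, headers, body = RESPONSES[headers["Location"]]
        levels += 1
    return (status, headers, body), levels


def is_authenticated(response, pattern, invert=False, on_headers=False,
                     case_insensitive=False):
    """Decide authentication state from a response using the regex options.

    - on_headers: search the flattened response headers instead of the body
    - case_insensitive: ignore case when matching
    - invert: a match means authentication FAILED (e.g. "Authentication failed!")
    """
    status, headers, body = response
    if on_headers:
        haystack = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    else:
        haystack = body
    flags = re.IGNORECASE if case_insensitive else 0
    found = re.search(pattern, haystack, flags) is not None
    return (not found) if invert else found
```

Note that a header-based check (for example, a session cookie) only sees the headers of the response actually evaluated, so the redirect level chosen changes which response the regex is applied to.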

Compliance Options

The Compliance section allows for adding compliance audit files to the scan. Once the type of Unix or Windows File Content is selected from the drop-down box, a list of available audit files of that type will be available in the second drop-down box. The list of audit files may be searched by entering text into the option or by scrolling the list of available names. Hovering over a name displays an information icon; hovering over the icon displays the name, description, and type of the audit file. Selecting the check mark to the right will add the chosen audit file to the policy. Clicking the X will remove it.

When an audit file exists in a policy, it may be edited to select a new compliance file, or deleted, by selecting the appropriate icon that appears when hovering over it.

Plugins Options

The Plugins tab specifies which plugins are used during the policy’s Nessus scan. You can enable or disable plugins in the plugin family view or in the plugin view for more granular control.

The plugin family view:

The plugin family view allows you to enable or disable all plugins in a family.

The plugin view (accessed by clicking on the Plugin Family name):

Caution: The Denial of Service plugin family contains plugins that could cause outages on network hosts if the Safe Checks option is not enabled, but it also contains useful checks that will not cause any harm. The Denial of Service plugin family can be used in conjunction with Safe Checks to ensure that any potentially dangerous plugins are not run. However, Tenable™ does not recommend enabling the Denial of Service plugin family in production environments.

To configure plugin options in the plugin family view:

  1. Begin configuring a scan policy as described in Add a Scan Policy.
  2. Click Plugins in the left navigation bar.

    The Plugins page appears with the plugin family view displayed.

  3. In the Status column, view the plugin family status and the number of enabled plugins within the plugin family:

    • Enabled — All plugins in the family are enabled. The scan will target the parameters in the plugins.
    • Disabled — All plugins in the family are disabled. The scan will not target the parameters in the plugins.

      Note: Disabling a plugin family reduces the time and resources required to run the scan.

    • Mixed — The plugin family contains a combination of Enabled and Disabled plugins.

  4. In the Total column, view the number of plugins in the family.
  5. To enable or disable all plugins in the family, click the Status box.
  6. To filter the plugin families listed on the page, use the Select a Filter drop-down box to build and apply a filter.

    The Total column becomes the Matched column and indicates the number of plugins in the family that match the current filter.

  7. To hide all disabled plugin families, click Hide Disabled.

  8. If you hid all disabled plugin families and you want to show them again, click Show All.
  9. To sort the plugin families listed on the page, click the Status, Plugin Family, or Total column title.
  10. To perform a bulk action on all of the plugin families displayed on the page, click Enable Shown or Disable Shown.

    SecurityCenter enables or disables all plugins within the plugin families shown on the page, not just the number of plugins in the Total or Matched column. For more granular control, set plugin statuses in the plugin view.

  11. To enable or disable individual plugins within a family, click the Plugin Family name to access the plugin view.

    The plugin view appears.

To configure plugin options in the plugin view:

  1. Begin configuring a scan policy as described in Add a Scan Policy.
  2. Click Plugins in the left navigation bar.

    The Plugins page appears.

  3. Click the Plugin Family name.

    The plugin view appears.

  4. In the Status column, view the plugin status:

    • Enabled — The plugin is enabled. The scan will target the parameters in the plugins.
    • Disabled — The plugin is disabled. The scan will not target the parameters in the plugins.

      Disabling a plugin family reduces the time and resources required to run the scan.

  5. In the Plugin ID column, click the information icon to display the plugin details.

  6. To enable or disable a plugin, click the Status box.
  7. To filter the plugins listed on the page, use the Select a Filter drop-down box to build and apply a filter.

  8. To hide all disabled plugins, click Hide Disabled.

  9. If you hid all disabled plugins and you want to show them again, click Show All.
  10. To sort the plugins listed on the page, click the Status, Plugin Name, or Plugin ID column title.
  11. To perform a bulk action on all of the plugins displayed on the page, click Enable Shown or Disable Shown.

    SecurityCenter enables or disables all plugins shown on the page.

  12. To return to the plugin family view, click the Back option.

  13. To view the plugins in a different family, click the drop-down box and select a different plugin family.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.