Scan Policy Options
Scan policy options specify granular configurations for your active scans.
When you create a custom scan policy, you can configure any scan policy option. When you configure a template-based scan policy, you can configure the options included for the template type. For more information about Tenable-provided scan policy templates, see Scan Policy Templates.
Option | Description |
---|---|
General | |
Name |
A unique name for the policy. |
Description |
(Optional) A description for the policy. |
Tag | A tag for the policy. For more information, see Tags. |
Option | Description |
---|---|
General Settings |
|
Enable safe checks |
Tenable Nessus attempts to identify remote vulnerabilities by interpreting banner information and attempting to exercise a vulnerability. When Enable safe checks is enabled, Tenable Nessus does not attempt to exercise any vulnerabilities. This is not as reliable as a full probe, but is less likely to negatively impact a targeted system. |
Scan for unpatched vulnerabilities (no patches or mitigations available) |
Determines whether the scan searches for unpatched vulnerabilities. This includes CVEs marked as "Will Not Fix" by the related vendor. Enabling this setting may increase your overall findings count; each platform and package combination results in an individual plugin. If additional CVEs are found to affect a platform and package combination, the CVEs are added to the existing plugin. This setting is disabled by default.
Note: If you configure a scan to produce findings for unpatched vulnerabilities and then the setting is unchecked, Tenable Security Center remediates unpatched findings in the next scan. Additionally, if multiple scans target the same device and one has enabled findings for unpatched vulnerabilities and another does not, the findings results may vary per scan. |
Stop scanning hosts that become unresponsive during the scan |
During a scan, hosts may become unresponsive after a period of time. Enabling this setting stops scan attempts against hosts that stop sending results. |
Automatically accept detected SSH disclaimer prompts |
When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan. The scan initially sends a bad ssh request to the target in order to retrieve the supported authorization methods. This allows you to determine how to connect to the target, which is helpful when you configure a custom ssh banner and then try to determine how to connect to the host. When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output. |
Scan targets with multiple domain names in parallel |
When disabled, to avoid overwhelming a host, Tenable Nessus prevents against simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable Nessus scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete. When enabled, a Tenable Nessus scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results. |
Create unique identifier on hosts scanned using credentials |
When enabled, the scanner creates a unique identifier (Tenable UUID) . Tenable Vulnerability Management and Tenable Security Center use the Tenable UUID to merge incoming scan data with historical results for the asset and ensure that license counts are accurately reflected. For more information, see Why Tenable Tags and Agent IDs are created during authenticated scans. |
Performance Options |
|
Slow down the scan when network congestion is detected |
When Tenable Nessus detects congestion during a scan, it will slow the speed of the scan in an attempt to ease the burden on the affected segment(s). |
Network timeout (in seconds) |
Determines the amount of time, in seconds, to determine if there is an issue communicating over the network. |
Max simultaneous checks per host |
This setting limits the maximum number of checks a Tenable Nessus scanner performs against a single host at one time. The default value of this option is 5 simultaneous checks per host. Type an integer greater than 0. If you enter 0, enter a negative integer, or delete the value in the field, Tenable Security Center does not perform any checks and scans will not complete. |
This setting limits the maximum number of hosts that a single Tenable Nessus scanner scans at the same time. The default value of this option is 30 hosts per scan. If the scan is using a zone with multiple scanners, each scanner will accept up to the amount specified in the Max simultaneous hosts per scan option. For example, if the Max simultaneous hosts per scan is set to 5 and there are 5 scanners per zone, each scanner will accept 5 hosts to scan, allowing a total of 25 hosts to be scanned between the 5 scanners. If you set Max Simultaneous hosts per scan to more than the Nessus scanner’s max_hosts value, the following message appears in the scanner's nessusd.messages: Tried to raise the maximum hosts number - 150. Using 100. Change 'max_hosts' in the server configuration if you believe this is incorrect. You can ignore this message; Tenable Security Center send scans to the scanner into scan chunks of up to eight IPs and will not reach the scanner's max_hosts, which must be nine or greater. |
|
Max number of concurrent TCP sessions per host |
Specifies the maximum number of established TCP sessions for a single host. This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most. Type an integer between 1-2000. If you leave the box empty or enter 0, Tenable Security Center does not enforce a limit. |
Max number of concurrent TCP sessions per scan |
This setting limits the maximum number of TCP sessions established by any of the active scanners during a scan. Type an integer between 1-2000. If you leave the box empty or enter 0, Tenable Security Center does not enforce a limit. |
Unix find command Options |
|
Command Timeout |
The maximum number of seconds the find command is allowed to run on Unix systems. Not all Find commands use this timeout. Default value is 240. Note: For all Find command executions in the plugin to complete, and to prevent the plugin from timing out, its plugin timeout should be adjusted with timeout_<plugin ID> in the scanner's Advanced Settings, |
Exclude Filepath |
A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page. |
Exclude Filesystem |
A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page. |
Include Filepath |
A plain text file containing a list of filepaths to include from all plugins that search using the find command on Unix systems. In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page. Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible. Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system. |
Agent Performance Options | |
Use Tenable supplied binaries for 'find' and 'unzip' |
When enabled, instead of running native operating system commands of find and unzip, plugins use binaries included within the plugin feed for agent-based scanning. This allows CPU consumption to be controlled for the Tenable Nessus Agentfind command. Another benefit to enabling this setting is that if find or unzip are not found natively on the operating system, using the commands from the feed allows full plugin execution with these commands to continue. This setting works in tandem with the Scan Performance setting, which you can set locally on the agent. If you enable this setting and have adjusted the Scan Performance to a setting other than the default (High), the resulting scan findings may be different than previous scans with the same configuration. This is because the scan may experience timeouts in finding files due to the lower CPU resources. Note: Due to the need for thorough and complete results, audits do not leverage the find or unzip binaries from the Tenable feed.
Note: With this setting enabled, CPU usage may spike up or close to 100% when the plugin requests a batch of results to process. The CPU then drops down to a lower level until the next batch is requested for processing. |
Windows file search Options | |
Windows Exclude Filepath |
A plain text file containing a list of filepaths to exclude from all plugins that search using Tenable's unmanaged software directory scans. In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can include absolute or relative directory names, examples such as E:\, E:\Testdir\, and \Testdir\. Tip: The default exclusion paths include \Windows\WinSxS\ and \Windows\servicing\ if you do not configure this setting. If you configure this setting, Tenable recommends adding those two paths to the file; those directories are very slow and do not contain unmanaged software. |
Windows Include Filepath |
A plain text file containing a list of filepaths to include in all plugins that search using Tenable's unmanaged software directory scans. In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can only include absolute directory names, examples such as E:\, E:\Testdir\, and C:\. Caution: Avoid having the same filepaths in the Windows Include Filepath and Windows Exclude Filepath settings. This conflict results in the filepath being excluded from the search. |
Compliance Output Settings |
|
Maximum Compliance Output Length in KB | Controls the maximum output length in kilobytes for each individual compliance check value that the target returns. If a compliance check value that is greater than this setting's value, Tenable Security Center truncates the result. The default value is 128000. |
Maximum Compliance Check Timeout in Seconds |
Controls the maximum timeout duration for compliance checks. This setting is used by checks with long run times, especially checks that run commands on remote targets for Windows and Unix audits. This timeout setting overrides all other timeout settings when it is available. The default value is 300 seconds. |
Generate Gold Image Audit |
Attaches a compliance gold image .audit established by generated compliance scan results. For more information, see Compliance Export Gold Image. |
Generate XCCDF Result File |
Attaches XCCDF result files generated from compliance .audit scans. For more information, see Compliance Export XCCDF Results. |
Generate JSON Result File |
Attaches .audit JSON result files. For more information, see Compliance Export JSON Results. Note: You cannot download the JSON file directly from Tenable Security Center. |
Debug Settings Note:Tenable does not recommend enabling debug settings in production environments. Debug settings generate a substantial amount of data, and can alter the overall scan time and performance. Tenable only recommends the settings for specific debugging instances, and not for constant use. |
|
Always Report SSH Commands |
When enabled, Tenable Security Center generates a report of all the commands run over SSH on the host in a machine-readable format. You can view the reported commands under plugin 168017. Note: The setting does not function correctly if you disable plugin 168017. |
Enumerate Launched Plugins | Shows a list of plugins that were launched during the scan. You can view the list in scan results under plugin 112154. |
Stagger scan start | |
Maximum delay (minutes) |
(Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU. If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes. |
Option | Description |
---|---|
Ping the remote host |
When enabled, Tenable Nessus attempts to ping the hosts in the scan to determine if the host is alive or not. |
General Settings (available when Ping the remote host is enabled) |
|
Test the local Tenable Nessus host |
This option allows you to include or exclude the local Tenable Nessus host from the scan. This is used when the Tenable Nessus host falls within the target network range for the scan. |
Use fast network discovery |
When Tenable Nessus pings a remote IP address and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer to every port 1 - 65535 even when there is no service behind the device). Such checks can take some time, especially if the remote host is firewalled. If Use fast network discovery is enabled, Tenable Nessus does not perform these checks. |
Ping Methods (available when Ping the remote host is enabled) |
|
ARP |
Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network. |
TCP |
Ping a host using TCP. |
Destination ports |
Destination ports can be configured to use specific ports for TCP ping. This option specifies the list of ports that are checked via TCP ping. Type one of the following:
|
ICMP |
Ping a host using the Internet Control Message Protocol (ICMP). |
Assume ICMP unreachable means the host is down |
When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When enabled, this option considers this to mean the host is dead. This is to help speed up discovery on some networks. Some firewalls and packet filters use this same behavior for hosts that are up but are connecting to a port or protocol that is filtered. With this option enabled, this leads to the scan considering the host is down when it is indeed up. |
Maximum number of retries |
(If you enabled ICMP) Allows you to specify the number of attempts to try to ping the remote host. The default is two attempts. |
UDP |
Ping a host using the User Datagram Protocol (UDP). Tip: UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable. |
Fragile Devices |
|
Scan Network Printers |
Instructs the Tenable Nessus scanner not to scan network printers if unselected. Since many printers are prone to denial of service conditions, Tenable Nessus can skip scanning them once identified. This is recommended if scanning is performed on production networks. |
Scan Novell Netware hosts |
Instructs the Tenable Nessus scanner not to scan Novel Netware hosts if unselected. Since many Novell Netware hosts are prone to denial of service conditions, Tenable Nessus can skip scanning them once identified. This is recommended if scanning is performed on production networks. |
Scan Operational Technology devices |
When enabled, Tenable Security Center performs a full scan of Operational Technology (OT) devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor environmental factors and the activity and state of machinery. When disabled, Tenable Security Center uses ICS/SCADA Smart Scanning to identify OT devices cautiously and stops scanning them once they are discovered. |
Wake-on-LAN |
|
List of MAC addresses |
Wake on Lan (WOL) packets will be sent to the hosts listed, one on each line, in an attempt to wake the specified host(s) during a scan. |
Boot time wait (in minutes) |
The number of minutes Tenable Nessus will wait to attempt a scan of hosts sent a WOL packet. |
The Service Discovery tab specifies how the scanner looks for services running on the target’s ports.
Option | Description |
---|---|
Probe all ports to find services |
When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option. Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects. |
Search for SSL/TLS services |
Controls how the scanner tests SSL-based services. Caution: Testing for SSL capability on all ports may be disruptive for the tested host. |
Search for SSL/TLS on |
Specifies which ports on target hosts the scanner searches for SSL/TLS services. This setting has two options:
|
Search for DTLS on |
Specifies which ports on target hosts the scanner searches for DTLS services. This setting has the following options:
|
Identify certificates expiring within x days |
Identifies SSL certificates that age out within the specified timeframe. Type a value to set a timeframe (in days). |
Enumerate all SSL/TLS ciphers |
When Tenable Security Center performs an SSL scan, it tries to determine the SSL ciphers used by the remote server by attempting to establish a connection with each different documented SSL cipher, regardless of what the server says is available. |
Enable CRL checking (connects to the Internet) |
Direct Tenable Nessus to check SSL certificates against known Certificate Revocation Lists (CRL). Enabling this option makes a connection and query one or more servers on the internet. |
The Assessment tab specifies how the scanner tests for information during the scan.
Value | Description |
---|---|
Accuracy |
|
Override normal accuracy |
In some cases, Tenable Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to Paranoid then a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid false alarms will cause Tenable Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. Normal is a middle ground between these two settings. |
Perform thorough tests (may disrupt your network or impact scan speed) |
Causes various plugins to use more aggressive settings. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of its default of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially providing better audit results. |
Antivirus |
|
Antivirus definition grace period (in days) |
This option determines the delay in the number of days of reporting the software as being outdated. The valid values are between 0 (no delay, default) and 7. |
SMTP |
|
Third party domain |
Tenable Nessus attempts to send spam through each SMTP device to the address listed in this option. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server. |
From address |
The test messages sent to the SMTP server(s) will appear as if they originated from the address specified in this option. |
To Address |
Tenable Nessus attempts to send messages addressed to the mail recipient listed in this option. The postmaster address is the default value since it is a valid address on most mail servers. |
The Brute Force tab specifies options for brute force login testing.
Additionally, if Hydra is installed on the same host as a Tenable Nessus server linked to Tenable Security Center, the Hydra section is enabled. Hydra extends brute force login testing for the following services: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Option | Description |
---|---|
General Settings |
|
Only use credentials provided by the user |
In some cases, Tenable Nessus can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable Nessus from performing these tests. |
Oracle Database |
|
Test default Oracle accounts (slow) |
Test for known default accounts in Oracle software. |
Hydra | |
Always enable Hydra (slow) | Enables Hydra whenever the scan is performed. |
Logins file | A file that contains user names that Hydra will use during the scan. |
Passwords file | A file that contains passwords for user accounts that Hydra will use during the scan. |
Number of parallel tasks |
The number of simultaneous Hydra tests that you want to execute. By default, this value is 16. |
Timeout (in seconds) | The number of seconds per login attempt. |
Try empty passwords | If enabled, Hydra will additionally try user names without using a password. |
Try login as password | If enabled, Hydra will additionally try a user name as the corresponding password. |
Stop brute forcing after the first success | If enabled, Hydra will stop brute forcing user accounts after the first time an account is successfully accessed. |
Add accounts found by other plugins to the login file | If disabled, only the user names specified in the logins file will be used for the scan. Otherwise, additional user names discovered by other plugins will be added to the logins file and used for the scan. |
PostgreSQL database name | The database that you want Hydra to test. |
SAP R3 Client ID (0 - 99) | The ID of the SAP R3 client that you want Hydra to test. |
Windows accounts to test | Can be set to Local accounts, Domain Accounts, or Either. |
Interpret passwords as NTLM hashes | If enabled, Hydra will interpret passwords as NTLM hashes. |
Cisco login password | This password is used to login to a Cisco system before brute forcing enable passwords. If no password is provided here, Hydra will attempt to login using credentials that were successfully brute forced earlier in the scan. |
Web page to brute force | Type a web page that is protected by HTTP basic or digest authentication. If a web page is not provided here, Hydra will attempt to brute force a page discovered by the Tenable Nessus web crawler that requires HTTP authentication. |
HTTP proxy test website | If Hydra successfully brute forces an HTTP proxy, it will attempt to access the website provided here via the brute forced proxy. |
LDAP DN | The LDAP Distinguish Name scope that Hydra will authenticate against. |
The Malware tab specifies options for DNS Resolution, hash, and allowlist files and file system scanning.
Option | Description |
---|---|
Malware Scan Settings | |
Malware scan | When enabled, displays the General Settings, Hash and Allowlist Files, and File System Scanning sections. |
Hash and Allowlist Files (available when Malware scan is enabled) |
|
Provide your own list of known bad MD5/SHA1/SHA256 hashes |
Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. If you want to add a description for each hash, type a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description will show up in the scan results. |
Provide your own list of known good MD5/SHA1/SHA256 hashes |
Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. If you want to add a description for each hash, type a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description will show up in the scan results. |
Hosts file allowlist |
Tenable Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910). This option allows you to upload a file containing a list of IPs and hostnames that will be ignored by Tenable Nessus during a scan. Include one IP address and hostname (formatted identically to your hosts file on the target) per line in a regular text file. |
File System Scanning (available when Malware scan is enabled) | |
Scan file system |
Turning on this option allows you to scan system directories and files on host computers.
Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.
|
Directories (available when File System Scanning is enabled) | |
Scan %Systemroot% | Enable file system scanning to scan %Systemroot%. |
Scan %ProgramFiles% | Enable file system scanning to scan %ProgramFiles%. |
Scan %ProgramFiles(x86)% | Enable file system scanning to scan %ProgramFiles(x86)%. |
Scan %ProgramData% | Enable file system scanning to scan %ProgramData%. |
Scan User Profiles | Enable file system scanning to scan user profiles. |
Custom Filescan Directories |
A custom file that lists directories for malware file scanning. List each directory on one line.
Caution: Root directories such as C:\ or D:\ are not accepted.
|
Yara Rules Files |
A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io. |
The SCADA tab specifies how the scanner tests for information against SCADA systems.
Option | Description |
---|---|
Modbus/TCP Coil Access |
|
Start at register End at register |
These options are available for commercial users. This drop-down box item is dynamically generated by the SCADA plugins available with the commercial version of Tenable Nessus. Modbus uses a function code of 1 to read coils in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message. The defaults for this are 0 for the Start at register value and 16 for the End at register value. |
ICCP/COTP TSAP Addressing Weakness |
|
Start COTP TSAP Stop COTP TSAP |
The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values. The start and stop values are set to 8 by default. |
The Web Applications tab specifies how the scanner tests for information against web server applications.
Value | Description |
---|---|
Web Application Settings | |
Scan web applications | When enabled, displays the General Settings, Web Crawler, and Application Test Settings sections. |
Use a custom User-Agent |
Specifies which type of web browser Tenable Nessus will impersonate while scanning. |
Web Crawler (available when Scan web applications is enabled) |
|
Start crawling from |
The URL of the first page that will be tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base). |
Excluded pages (regex) |
Enable exclusion of portions of the web site from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this option to: (^/manual)|(\.pl(\?.*)?$). Tenable Nessus supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE). |
Maximum pages to crawl |
The maximum number of pages to crawl. |
Maximum depth to crawl |
Limit the number of links Tenable Nessus will follow for each start page. |
Follow dynamically generated pages |
When enabled, Tenable Nessus will follow dynamic links and may exceed the parameters set above. |
Application Test Settings (available when Scan web applications is enabled) |
|
Enable generic web application tests |
Enables the Application Test Settings options. |
Abort web application tests if HTTP login fails |
If Tenable Nessus cannot login to the target via HTTP, then do not run any web application tests. |
Try all HTTP Methods |
This option will instruct Tenable Nessus to also use POST requests for enhanced web form testing. By default, the web application tests will only use GET requests, unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. This setting provides more thorough testing, but may considerably increase the time required. When selected, Tenable Nessus will test each script/variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required. |
Attempt HTTP Parameter Pollution |
When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2. |
Test embedded web servers |
Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option. |
Test more than one parameter at a time per form |
This option manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 where b and c allows other values, without testing each combination. This is the quickest method of testing with the smallest result set generated. This drop-down box has five selections:
|
Do not stop after the first flaw is found per web page |
This option determines when a new flaw is targeted. This applies at the script level; finding an XSS flaw will not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port, unless thorough tests is set. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may be reported sometimes, if they were caught by the same attack. The drop-down has four options:
|
URL for Remote File Inclusion |
During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Tenable Nessus will use a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing. |
Maximum run time (minutes) |
This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications will typically complete in under an hour, however web sites with large applications may require a higher value. |
The Windows tab specifies basic Windows SMB domain options.
Option | Description |
---|---|
General Settings | |
Request information about the SMB Domain |
When enabled, Tenable Nessus queries domain users instead of local users. |
User Enumeration Methods | |
SAM Registry | When enabled, Tenable Nessus enumerates users via the Security Account Manager (SAM) registry. |
ADSI Query | When enabled, Tenable Nessus enumerates users via Active Directory Service Interfaces (ADSI). To use ADSI, you must also configure ADSI authentication options. |
WMI Query | When enabled, Tenable Nessus enumerates users via Windows Management Interface (WMI). |
RID Brute Forcing | When enabled, Tenable Nessus enumerates users via relative identifier (RID) brute forcing. Enabling this setting enables the Enumerate Domain User and Enumerate Local User options. |
Enumerate Domain Users (available when RID Brute Forcing is enabled) | |
Start UID |
1000 |
End UID | 1200 |
Enumerate Local Users (available when RID Brute Forcing is enabled) | |
Start UID | 1000 |
End UID |
1200 |
The Report tab specifies information to include in the scan’s report.
Option | Description |
---|---|
Processing |
|
Override normal verbosity |
Determines the verbosity of the detail in the output of the scan results:
|
Show missing patches that have been superseded | Show patches in the report that have not been applied but have been superseded by a newer patch if enabled. |
Hide results from plugins initiated as a dependency | If a plugin is only run due to it being a dependency of a selected plugin, hide the results if enabled. |
Output |
|
Designate hosts by their DNS name | When possible, designate hosts by their DNS name rather than IP address in the reports. |
Display hosts that respond to ping | When enabled, show a list of hosts that respond to pings sent as part of the scan. |
Display unreachable hosts | Display a list of hosts within the scan range that were not able to be reached during the scan, if enabled. |
Display Unicode characters |
When enabled, Unicode characters appear in plugin output such as usernames, installed application names, and SSL certificate information. Note: Plugin output may sometimes incorrectly parse or truncate strings with Unicode characters. If this issue causes problems with regular expressions in plugins or custom audits, disable this setting and scan again. |
Generate SCAP XML Results | Generate a SCAP XML results file as a part of the report output for the scan. |
The Authentication tab specifies authentication options during a scan.
Option | Description |
---|---|
Authentication |
|
Type |
Specifies the type of authentication you want scanners to use for credentialed access to scan targets. Credentialed access gathers more complete data about a target. |
SNMP |
|
UDP Port Additional UDP port #1 Additional UDP port #2 Additional UDP port #3 |
This is the UDP port that will be used when performing certain SNMP scans. Up to four different ports may be configured, with the default port being 161. |
SSH |
|
known_hosts file |
If an SSH known_hosts file is provided for the scan policy, Tenable Nessus will only attempt to log in to hosts defined in this file. This helps to ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a login to a system that may not be under your control. |
Preferred port |
This option is set to direct the scan to connect to a specific port if SSH is known to be listening on a port other than the default of 22. |
Client version |
Specifies which type of SSH client to impersonate while performing scans. |
Attempt least privilege (experimental) |
Enables or disables dynamic privilege escalation. When enabled, if the scan target credentials include privilege escalation, Tenable Nessus first attempts to run commands without privilege escalation. If running commands without privilege escalation fails, Tenable Nessus retries the commands with privilege escalation. Plugins 102095 and 102094 report whether plugins ran with or without privilege escalation. Note: Enabling this option may increase the time required to perform scans by up to 30%. |
Windows |
|
Never send credentials in the clear |
By default, Windows credentials are not sent to the target host in the clear. |
Do not use NTLMv1 authentication |
When disabled, it is theoretically possible to trick Tenable Nessus into attempting to log in to a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Tenable Nessus. This hash can be potentially cracked to reveal a username or password. It may also be used to directly log in to other servers. Because NTLMv1 is an insecure protocol, this option is enabled by default. |
Start the Remote Registry service during the scan |
This option tells Tenable Nessus to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Tenable Nessus to execute some Windows local check plugins. |
Enable administrative shares during the scan |
This option will allow Tenable Nessus to access certain registry entries that can be read with administrator privileges. |
Start the Server service during the scan |
When enabled, the scanner temporarily enables the Windows Server service, which allows the computer to share files and other devices on a network. The service is disabled after the scan completes. By default, Windows systems have the Windows Server service enabled, which means you do not need to enable this setting. However, if you disable the Windows Server service in your environment, and want to scan using SMB credentials, you must enable this setting so that the scanner can access files remotely. |
Plaintext Authentication |
|
Perform patch audits over telnet |
When enabled, Tenable Security Center uses telnet to connect to the host device for patch audits. Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords. |
Perform patch audits over rsh |
When enabled, Tenable Security Center permits patch audits over a rsh connection. Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords. |
Perform patch audits over rexec |
When enabled, Tenable Security Center permits patch audits over a rexec connection. Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords. |
HTTP |
|
Login method |
Specify whether the login action is performed via a GET or POST request. |
Re-authenticate delay (seconds) |
The delay between authentication attempts, in seconds. Tip: A time delay can help prevent triggering brute force lockout mechanisms. |
Follow 30x redirections (# of levels) |
If a 30x redirect code is received from a web server, this directs Tenable Nessus to follow the link provided or not. |
Invert authenticated regex |
The regex pattern you want Tenable Security Center to look for on the login page that, if found, denies authentication. Tip: Tenable Security Center can attempt to match a given string, such as Authentication failed. |
Use authenticated regex on HTTP headers |
When enabled, Tenable Security Center searches the HTTP response headers for a given regex pattern instead of searching the body of a response to better determine authentication state. |
Case insensitive authenticated regex |
When enabled, Tenable Security Center ignores case in regex. |
The Compliance tab specifies compliance the audit files to reference in a scan policy. The options available depend on the type of audit file selected.
For more information, see Audit Files and Configure Compliance Options.
Option | Description |
---|---|
Generic SSH Escalation command |
(Generic SSH audits only) The command to use for accomplishing the privilege escalation. This is similar to the enable command for Cisco devices. |
Generic SSH Escalation success check |
(Generic SSH audits only) A regular expression that must match after the escalation has succeeded. This can be the prompt or any other message notifying the success of privilege escalation. |
The Plugins tab specifies which plugins are used during the policy’s Tenable Nessus scan. You can enable or disable plugins in the plugin family view or in the plugin view for more granular control.
For more information, see Configure Plugin Options.
Caution: The Denial of Service plugin family contains plugins that could cause outages on network hosts if the Safe Checks option is not enabled, but it also contains useful checks that do not cause any harm. The Denial of Service plugin family can be used in conjunction with Safe Checks to ensure that any potentially dangerous plugins are not run. However, Tenable does not recommend enabling the Denial of Service plugin family in production environments.