Scan Policy Options

Scan policy options specify granular configurations for your active scans.

When you create a custom scan policy, you can configure any scan policy option. When you configure a template-based scan policy, you can configure the options included for the template type.

For more information about Tenable-provided scan policy templates, see Scan Policy Templates.

Setup Options

Option Description

Name

A unique name for the policy.

Description

(Optional) A description for the policy.

Tag

A tag for the policy. For more information, see Tags.

Advanced Options

Option Description

General Settings

Enable safe checks

Tenable Nessus attempts to identify remote vulnerabilities by interpreting banner information and attempting to exercise a vulnerability. When Enable safe checks is enabled, the second step is skipped. This is not as reliable as a full probe, but is less likely to negatively impact a targeted system.

Stop scanning hosts that become unresponsive during the scan

During a scan, hosts may become unresponsive after a period of time. Enabling this setting stops scan attempts against hosts that stop sending results.

Automatically accept detected SSH disclaimer prompts

When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan.

The scan initially sends a bad SSH request to the target in order to retrieve the supported authorization methods. This allows the scanner to determine how to connect to the target, which is helpful when you configure a custom SSH banner and then need to determine how to connect to the host.

When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output.

Performance Options

Slow down the scan when network congestion is detected

When Tenable Nessus detects congestion during a scan, it will slow the speed of the scan in an attempt to ease the burden on the affected segment(s).

Use Linux kernel congestion detection

Use Linux kernel congestion detection during the scan to help alleviate system lockups on the Tenable Nessus scanner server.

Network timeout (in seconds)

The number of seconds the scanner waits before deciding that there is a problem communicating over the network.

Max simultaneous checks per host

This setting limits the maximum number of checks a Tenable Nessus scanner will perform against a single host at one time. The default value of this option is 5 simultaneous checks per host.

Type an integer greater than 0. If you enter 0, enter a negative integer, or delete the value in the field, Tenable.sc does not perform any checks and scans will not complete.

Max simultaneous hosts per scan

This setting limits the maximum number of hosts that a single Tenable Nessus scanner will scan at the same time. The default value of this option is 30 hosts per scan.

If the scan is using a zone with multiple scanners, each scanner will accept up to the amount specified in the Max simultaneous hosts per scan option. For example, if the Max simultaneous hosts per scan is set to 5 and there are 5 scanners per zone, each scanner will accept 5 hosts to scan, allowing a total of 25 hosts to be scanned between the 5 scanners.

If you set Max simultaneous hosts per scan to more than the Nessus scanner's max_hosts value, the following message appears in the scanner's nessusd.messages: Tried to raise the maximum hosts number - 150. Using 100. Change 'max_hosts' in the server configuration if you believe this is incorrect. You can ignore this message; Tenable Security Center sends scans to the scanner in chunks of up to eight IPs and will not reach the scanner's max_hosts, which must be nine or greater.

Max number of concurrent TCP sessions per host

Specifies the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most.

Type an integer between 1 and 2000. If you leave the box empty or enter 0, Tenable.sc does not enforce a limit.

Max number of concurrent TCP sessions per scan

This setting limits the maximum number of TCP sessions established by any of the active scanners during a scan.

Type an integer between 1 and 2000. If you leave the box empty or enter 0, Tenable.sc does not enforce a limit.

Unix find command Options

Exclude Filepath

A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Exclude Filesystem

A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page.

Include Filepath

A plain text file containing a list of filepaths to include from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible.

Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system.

Debug Settings

Always Report SSH Commands

When enabled, Tenable.sc generates a report of all the commands run over SSH on the host in a machine-readable format. You can view the reported commands under plugin 168017.

Note: The setting does not function correctly if you disable plugin 168017.

Enumerate Launched Plugins

Shows a list of plugins that were launched during the scan. You can view the list in scan results under plugin 112154.

Stagger scan start

Maximum delay (minutes)

(Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU.

If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes.

Host Discovery Options

Option Description

Ping the remote host

When enabled, Tenable Nessus attempts to ping the hosts in the scan to determine if the host is alive or not.

General Settings (available when Ping the remote host is enabled)

Test the local Tenable Nessus host

This option allows you to include or exclude the local Tenable Nessus host from the scan. This is used when the Tenable Nessus host falls within the target network range for the scan.

Use fast network discovery

When Tenable Nessus pings a remote IP address and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer to every port 1 - 65535 even when there is no service behind the device). Such checks can take some time, especially if the remote host is firewalled. If Use fast network discovery is enabled, Tenable Nessus does not perform these checks.

Ping Methods (available when Ping the remote host is enabled)

ARP

Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.

TCP

Ping a host using TCP.

Destination ports

Destination ports can be configured to use specific ports for TCP ping. This option specifies the list of ports that are checked via TCP ping. Type one of the following:

  • a single port
  • a comma-separated list of ports
  • built-in

    For more information about which ports built-in specifies, see the knowledge base article.

ICMP

Ping a host using the Internet Control Message Protocol (ICMP).

Assume ICMP unreachable means the host is down

When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When enabled, this option considers this to mean the host is dead. This is to help speed up discovery on some networks.

Some firewalls and packet filters exhibit this same behavior for hosts that are up but are being contacted on a port or protocol that is filtered. With this option enabled, the scan then considers such a host down when it is in fact up.

Maximum number of retries

(If you enabled ICMP) Allows you to specify the number of attempts to try to ping the remote host. The default is two attempts.

UDP

Ping a host using the User Datagram Protocol (UDP).

Tip: UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

Fragile Devices

Scan Network Printers

Instructs the Tenable Nessus scanner not to scan network printers if unselected. Since many printers are prone to denial of service conditions, Tenable Nessus can skip scanning them once identified. This is recommended if scanning is performed on production networks.

Scan Novell Netware hosts

Instructs the Tenable Nessus scanner not to scan Novell Netware hosts if unselected. Since many Novell Netware hosts are prone to denial of service conditions, Tenable Nessus can skip scanning them once identified. This is recommended if scanning is performed on production networks.

Scan Operational Technology devices

When enabled, Tenable.sc performs a full scan of Operational Technology (OT) devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor environmental factors and the activity and state of machinery.

When disabled, Tenable.sc uses ICS/SCADA Smart Scanning to identify OT devices cautiously and stops scanning them once they are discovered.

Wake-on-LAN

List of MAC addresses

Wake-on-LAN (WOL) packets will be sent to the hosts listed, one on each line, in an attempt to wake the specified host(s) during a scan.

Boot time wait (in minutes)

The number of minutes Tenable Nessus will wait to attempt a scan of hosts sent a WOL packet.
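The two options above rely on the standard WOL magic packet. As an added example (not Tenable's code), this builds the packet for every entry of a "List of MAC addresses" file; the sample list is constructed, and the accepted MAC spellings (colon- or hyphen-separated) and the UDP broadcast port are assumptions of the example.

```python
import re
import socket

# Constructed sample for the 'List of MAC addresses' option: one MAC per line.
SAMPLE_MAC_LIST = """\
00:11:22:33:44:55
AA-BB-CC-DD-EE-FF
not a mac
"""

def parse_mac(text):
    """Return the six raw bytes of a MAC written as xx:xx:xx:xx:xx:xx or
    xx-xx-xx-xx-xx-xx (case-insensitive), or None if the line is malformed."""
    digits = re.sub(r"[:\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return bytes.fromhex(digits)

def magic_packet(mac):
    """Build the WOL magic packet: 6 bytes of 0xFF followed by the MAC repeated
    16 times (102 bytes). The NIC matches on this payload wherever it is carried."""
    if len(mac) != 6:
        raise ValueError("MAC must be exactly 6 bytes")
    return b"\xff" * 6 + mac * 16

def build_magic_packets(text):
    """Turn the list file into (mac_text, packet) pairs plus a list of
    (line number, text) entries that could not be parsed."""
    packets, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        mac = parse_mac(line)
        if mac is None:
            bad.append((lineno, line))
        else:
            packets.append((line, magic_packet(mac)))
    return packets, bad

def send_magic_packet(packet, broadcast="255.255.255.255", port=9):
    """Broadcast one magic packet over UDP (port 9 is conventional; assumption).
    The 'Boot time wait' option is the pause allowed after this before probing."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))

if __name__ == "__main__":
    packets, bad = build_magic_packets(SAMPLE_MAC_LIST)
    for mac_text, pkt in packets:
        print(f"{mac_text}: {len(pkt)}-byte magic packet, header {pkt[:6].hex()}")
    for lineno, text in bad:
        print(f"line {lineno} skipped: {text!r}")
```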

Port Scanning Options

Option Description

Ports

Consider unscanned ports as closed

If a port is not scanned with a selected port scanner (for example, out of the range specified), the scanner will consider it closed.

Port scan range

Specifies a keyword (default) or a custom port range that you want the scanner to target.

  • Type default to instruct the scanners to scan approximately 4,790 commonly used ports. The list of ports can be found in the nessus-services file.
  • Type all to instruct the scanner to scan all 65,536 ports, including port 0.
  • Type a custom port range to instruct the scanners to scan the custom range of ports. Type a custom port range as a comma-separated list of ports or port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200.

    Tenable.sc applies the custom range to the protocols you specify in the Local Port Enumerators section. If you want to scan both TCP and UDP, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, type T:1-1024,U:300-500. You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example, 1-1024,T:1024-65535,U:1025.
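The range syntax above is easy to get subtly wrong (a T: element silently does nothing for UDP, and "all" includes port 0). As an added example, not Tenable's code, this parser expands a Port scan range value into per-protocol port sets so a policy can be sanity-checked before it runs. The set of enabled scanners and the port list behind "default" are inputs the caller supplies; the real default list lives in the scanner's nessus-services file, which the example does not ship.

```python
import re

# Network port scanners this example assumes are enabled in the policy.
PROTOCOLS = ("tcp", "udp")

def _expand_token(token):
    """Expand '80' or '1-1024' into the inclusive set of port numbers it names."""
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", token)
    if not m:
        raise ValueError(f"bad port or range: {token!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if lo > hi or hi > 65535:
        raise ValueError(f"range out of order or above 65535: {token!r}")
    return set(range(lo, hi + 1))

def parse_port_scan_range(spec, protocols=PROTOCOLS, default_ports=None):
    """Return {protocol: set_of_ports} for a Port scan range value.

    spec          -- the option text: 'default', 'all', or a comma-separated
                     list of ports and ranges, each optionally prefixed 'T:' or 'U:'.
    protocols     -- the network port scanners enabled in the policy; an
                     unprefixed element applies to all of them, a prefixed one
                     only to its own protocol (dropped if that scanner is off).
    default_ports -- the list behind the 'default' keyword (nessus-services);
                     the caller must supply it, this example has no copy.
    """
    protocols = tuple(p.lower() for p in protocols)
    result = {p: set() for p in protocols}
    spec = spec.strip().lower()
    if spec == "all":
        for p in protocols:
            result[p] = set(range(0, 65536))  # 'all' includes port 0
        return result
    if spec == "default":
        if default_ports is None:
            raise ValueError("'default' needs the port list from nessus-services")
        for p in protocols:
            result[p] = set(default_ports)
        return result
    prefix_to_proto = {"t": "tcp", "u": "udp"}
    for element in spec.split(","):
        element = element.strip()
        if not element:
            raise ValueError("empty element in port list")
        if ":" in element:
            prefix, _, ports = element.partition(":")
            proto = prefix_to_proto.get(prefix)
            if proto is None:
                raise ValueError(f"unknown protocol prefix: {prefix!r}")
            targets = (proto,) if proto in protocols else ()
        else:
            ports, targets = element, protocols
        expanded = _expand_token(ports)
        for p in targets:
            result[p] |= expanded
    return result

def summarize(spec, **kwargs):
    """Port count per protocol: a quick check of what a policy will actually probe."""
    return {p: len(ports) for p, ports in parse_port_scan_range(spec, **kwargs).items()}

if __name__ == "__main__":
    for spec in ("default", "all", "21,23,25,80,110",
                 "T:1-1024,U:300-500", "1-1024,T:1024-65535,U:1025"):
        try:
            # range(1, 4791) is a placeholder standing in for nessus-services
            print(spec, "->", summarize(spec, default_ports=range(1, 4791)))
        except ValueError as exc:
            print(spec, "->", exc)
```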

Local Port Enumerators

SSH (netstat)

When enabled, the scanner uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Linux-based systems and requires authentication credentials.

WMI (netstat)

When enabled, the scanner uses netstat to determine open ports while performing a WMI-based scan.

In addition, the scanner:

  • Ignores any custom range specified in the Port Scan Range setting.
  • Continues to treat unscanned ports as closed if the Consider unscanned ports as closed setting is enabled.

If any port enumerator (netstat or SNMP) is successful, the port range becomes all.

SNMP

When enabled, if the appropriate credentials are provided by the user, the scanner can better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Only run network port scanners if local port enumeration failed

If a local port enumerator runs, all network port scanners will be disabled for that asset.

Verify open TCP ports found by local port enumerators

When enabled, if a local port enumerator (for example, WMI or netstat) finds a port, the scanner also verifies that the port is open remotely. This approach helps determine if some form of access control is being used (for example, TCP wrappers or a firewall).

Network Port Scanners

TCP

Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the targets, using a full TCP three-way handshake. TCP scans are only possible if you are using Linux or FreeBSD. On Windows or macOS, the scanner does not do a TCP scan and instead uses the SYN scanner to avoid performance issues native to those operating systems. If you enable this option, you can also set the Override Automatic Firewall Detection option.

Note: On some platforms (for example, Windows and Mac OS X), if the operating system is causing serious performance issues using the TCP scanner, Tenable Nessus launches the SYN scanner instead.

SYN

Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a SYN packet to the port, waits for SYN-ACK reply, and determines the port state based on a response or lack of response.

If you enable this option, you can also set the Override Automatic Firewall Detection option.

Override automatic firewall detection

Rely on local port enumeration first before relying on network port scans.

UDP

This option engages the built-in Tenable Nessus UDP scanner to identify open UDP ports on the targets.

Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the netstat or SNMP port enumeration options instead if possible.

Service Discovery Options

The Service Discovery tab specifies how the scanner looks for services running on the target’s ports.

Option Description

Probe all ports to find services

When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option.

Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects.

Search for SSL/TLS services

Controls how the scanner tests SSL-based services.

Caution: Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL/TLS on

Specifies which ports on target hosts the scanner searches for SSL/TLS services.

This setting has two options:

  • Known SSL/TLS ports
  • All ports

Search for DTLS on

Specifies which ports on target hosts the scanner searches for DTLS services.

This setting has the following options:

  • None

  • Known SSL/TLS ports

  • All TCP ports

Identify certificates expiring within x days

Identifies SSL certificates that age out within the specified timeframe. Type a value to set a timeframe (in days).

Enumerate all SSL/TLS ciphers

When Tenable.sc performs an SSL scan, it tries to determine the SSL ciphers used by the remote server by attempting to establish a connection with each different documented SSL cipher, regardless of what the server says is available.

Enable CRL checking (connects to the Internet)

Directs Tenable Nessus to check SSL certificates against known Certificate Revocation Lists (CRL). Enabling this option causes the scanner to connect to and query one or more servers on the internet.

Assessment Options

The Assessment tab specifies how the scanner tests for information during the scan.

Value Description

Accuracy

Override normal accuracy

In some cases, Tenable Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to Paranoid then a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid false alarms will cause Tenable Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. Normal is a middle ground between these two settings.

Perform thorough tests (may disrupt your network or impact scan speed)

Causes various plugins to use more aggressive settings. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of its default of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Antivirus

Antivirus definition grace period (in days)

The number of days, after antivirus definitions fall out of date, before the scanner reports the software as outdated. The valid values are between 0 (no delay, default) and 7.

SMTP

Third party domain

Tenable Nessus attempts to send spam through each SMTP device to the address listed in this option. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

From address

The test messages sent to the SMTP server(s) will appear as if they originated from the address specified in this option.

To Address

Tenable Nessus attempts to send messages addressed to the mail recipient listed in this option. The postmaster address is the default value since it is a valid address on most mail servers.

Brute Force Options

The Brute Force tab specifies how the scanner tests for information against SCADA systems.

Additionally, if Hydra is installed on the same host as a Tenable Nessus server linked to Tenable.sc, the Hydra section is enabled. Hydra extends brute force login testing for the following services: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Option Description

General Settings

Only use credentials provided by the user

In some cases, Tenable Nessus can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable Nessus from performing these tests.

Oracle Database

Test default Oracle accounts (slow)

Test for known default accounts in Oracle software.

Hydra

Always enable Hydra (slow)

Enables Hydra whenever the scan is performed.

Logins file

A file that contains user names that Hydra will use during the scan.

Passwords file

A file that contains passwords for user accounts that Hydra will use during the scan.

Number of parallel tasks

The number of simultaneous Hydra tests that you want to execute. By default, this value is 16.

Timeout (in seconds)

The number of seconds per login attempt.

Try empty passwords

If enabled, Hydra will additionally try user names without using a password.

Try login as password

If enabled, Hydra will additionally try a user name as the corresponding password.

Stop brute forcing after the first success

If enabled, Hydra will stop brute forcing user accounts after the first time an account is successfully accessed.

Add accounts found by other plugins to the login file

If disabled, only the user names specified in the logins file will be used for the scan. Otherwise, additional user names discovered by other plugins will be added to the logins file and used for the scan.

PostgreSQL database name

The database that you want Hydra to test.

SAP R3 Client ID (0 - 99)

The ID of the SAP R3 client that you want Hydra to test.

Windows accounts to test

Can be set to Local accounts, Domain Accounts, or Either.

Interpret passwords as NTLM hashes

If enabled, Hydra will interpret passwords as NTLM hashes.

Cisco login password

This password is used to log in to a Cisco system before brute forcing enable passwords. If no password is provided here, Hydra will attempt to log in using credentials that were successfully brute forced earlier in the scan.

Web page to brute force

Type a web page that is protected by HTTP basic or digest authentication. If a web page is not provided here, Hydra will attempt to brute force a page discovered by the Tenable Nessus web crawler that requires HTTP authentication.

HTTP proxy test website

If Hydra successfully brute forces an HTTP proxy, it will attempt to access the website provided here via the brute forced proxy.

LDAP DN

The LDAP Distinguished Name scope that Hydra will authenticate against.

Malware Options

The Malware tab specifies options for DNS resolution, hash and allowlist files, and file system scanning.

Option Description

Malware Scan Settings

Malware scan

When enabled, displays the General Settings, Hash and Allowlist Files, and File System Scanning sections.

General Settings (available when Malware scan is enabled)

Disable DNS Resolution

Checking this option will prevent Tenable Nessus from using the cloud to compare scan findings against known malware.

Hash and Allowlist Files (available when Malware scan is enabled)

Custom Netstat IP Threat List

A text file that contains a list of known bad IP addresses that you want to detect.

Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments.

Note: Tenable does not detect private IP ranges in the text file.
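The format rules above (IPv4 first, optional comma description, hash comments, private ranges ignored) are easy to check before uploading. As an added example rather than Tenable's code, this parser reports which lines of a Custom Netstat IP Threat List will actually be used and matches them against constructed netstat peers; the sample list is constructed from documentation address ranges, and the set of networks treated as "private" is an assumption of the example.

```python
import ipaddress

# Constructed sample list; the addresses are documentation ranges, not real indicators.
SAMPLE_THREAT_LIST = """\
# Custom Netstat IP Threat List, constructed for this example
203.0.113.10, suspected C2 (documentation range)
198.51.100.7
192.168.1.20, internal jump host  # private range: the scanner will not match it
10.0.0.5
not-an-ip, malformed line
"""

# The page says private ranges are not detected but does not list them, so
# RFC 1918 plus loopback and link-local is an assumption of this example.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)

def parse_threat_list(text):
    """Parse the list into what the scanner will actually use.

    Returns a dict:
      entries -- [(IPv4Address, description)] lines that can produce findings
      private -- [(line number, IPv4Address)] lines in a private range (ignored)
      invalid -- [(line number, raw line)] lines not starting with an IPv4 address
    """
    entries, private, invalid = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # hash-delimited comments
        if not line:
            continue
        addr_text, _, desc = line.partition(",")  # comma-delimited description
        try:
            addr = ipaddress.IPv4Address(addr_text.strip())
        except ValueError:
            invalid.append((lineno, raw))
            continue
        if is_private(addr):
            private.append((lineno, addr))
            continue
        entries.append((addr, desc.strip()))
    return {"entries": entries, "private": private, "invalid": invalid}

def match_remote_peers(peers, parsed):
    """Given remote endpoints as netstat prints them ('ip:port'), return
    [(ip, description)] for those on the list. A simplified stand-in for the
    scanner's comparison: only non-private entries can ever match."""
    lookup = {str(a): d for a, d in parsed["entries"]}
    hits = []
    for peer in peers:
        ip = peer.rsplit(":", 1)[0]
        if ip in lookup:
            hits.append((ip, lookup[ip]))
    return hits

if __name__ == "__main__":
    parsed = parse_threat_list(SAMPLE_THREAT_LIST)
    for lineno, addr in parsed["private"]:
        print(f"line {lineno}: {addr} is private and will never match")
    for lineno, raw in parsed["invalid"]:
        print(f"line {lineno}: rejected {raw!r}")
    # Constructed netstat peers, as the foreign-address column would show them.
    print(match_remote_peers(["203.0.113.10:443", "192.0.2.9:80", "10.0.0.5:22"], parsed))
```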

Provide your own list of known bad MD5/SHA1/SHA256 hashes

Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.

If you want to add a description for each hash, type a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description will show up in the scan results.

Provide your own list of known good MD5/SHA1/SHA256 hashes

Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.

If you want to add a description for each hash, type a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description will show up in the scan results.

Hosts file allowlist

Tenable Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910). This option allows you to upload a file containing a list of IPs and hostnames that will be ignored by Tenable Nessus during a scan. Include one IP address and hostname (formatted identically to your hosts file on the target) per line in a regular text file.

File System Scanning (available when Malware scan is enabled)

Scan file system

Turning on this option allows you to scan system directories and files on host computers.

Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Directories (available when File System Scanning is enabled)

Scan %Systemroot%

Enable file system scanning to scan %Systemroot%.

Scan %ProgramFiles%

Enable file system scanning to scan %ProgramFiles%.

Scan %ProgramFiles(x86)%

Enable file system scanning to scan %ProgramFiles(x86)%.

Scan %ProgramData%

Enable file system scanning to scan %ProgramData%.

Scan User Profiles

Enable file system scanning to scan user profiles.

Custom Filescan Directories

A custom file that lists directories for malware file scanning. List each directory on one line.

Caution: Root directories such as C:\ or D:\ are not accepted.

Yara Rules Files

A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.

SCADA Options

The SCADA tab specifies how the scanner tests for information against SCADA systems.

Option Description

Modbus/TCP Coil Access

Start at register

End at register

These options are available for commercial users. This drop-down box item is dynamically generated by the SCADA plugins available with the commercial version of Tenable Nessus. Modbus uses a function code of 1 to read coils in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message. The defaults for this are 0 for the Start at register value and 16 for the End at register value.

ICCP/COTP TSAP Addressing Weakness

Start COTP TSAP

Stop COTP TSAP

The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values. The start and stop values are set to 8 by default.

Web Applications Options

The Web Applications tab specifies how the scanner tests for information against web server applications.

Value Description

Web Application Settings

Scan web applications

When enabled, displays the General Settings, Web Crawler, and Application Test Settings sections.

General Settings (available when Scan web applications is enabled)

Use a custom User-Agent

Specifies which type of web browser Tenable Nessus will impersonate while scanning.

Web Crawler (available when Scan web applications is enabled)

Start crawling from

The URL of the first page that will be tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).

Excluded pages (regex)

Enable exclusion of portions of the web site from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this option to: (^/manual)|(\.pl(\?.*)?$). Tenable Nessus supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).

Maximum pages to crawl

The maximum number of pages to crawl.

Maximum depth to crawl

Limit the number of links Tenable Nessus will follow for each start page.

Follow dynamically generated pages

When enabled, Tenable Nessus will follow dynamic links and may exceed the parameters set above.

Application Test Settings (available when Scan web applications is enabled)

Enable generic web application tests

Enables the Application Test Settings options.

Abort web application tests if HTTP login fails

If Tenable Nessus cannot log in to the target via HTTP, then do not run any web application tests.

Try all HTTP Methods

This option will instruct Tenable Nessus to also use POST requests for enhanced web form testing. By default, the web application tests only use GET requests unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. When selected, Tenable Nessus will test each script/variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Attempt HTTP Parameter Pollution

When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.
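The bypass described above works because a filter and the application behind it may resolve the repeated parameter differently. As an added example (not Tenable's code), this shows the detection side: it parses the two request shapes from the text, reports repeated parameter names, and resolves them the three ways common stacks do, which is the check a WAF rule or log review can apply. The URLs are the ones quoted above; the resolution strategies named are assumptions about typical server behaviour.

```python
from urllib.parse import urlsplit, parse_qsl

def query_pairs(url):
    """All (name, value) pairs in wire order, keeping empty values (a=&a=1)."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def duplicated_params(url):
    """Return {name: [values in order]} for every parameter sent more than
    once, the tell-tale shape of an HPP request."""
    seen = {}
    for name, value in query_pairs(url):
        seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}

def resolve_views(url):
    """Resolve repeated names the three ways common stacks do: first occurrence
    wins, last occurrence wins, or values are joined with a comma. A filter and
    the application behind it disagreeing on this is what HPP exploits."""
    first, last, joined = {}, {}, {}
    for name, value in query_pairs(url):
        first.setdefault(name, value)
        last[name] = value
        joined[name] = value if name not in joined else joined[name] + "," + value
    return {"first": first, "last": last, "joined": joined}

def hpp_report(url):
    """Verdict a WAF rule or log review can act on: flag any request whose
    query repeats a parameter name, and show what each resolution would see."""
    dups = duplicated_params(url)
    if not dups:
        return "ok: no repeated parameters"
    views = resolve_views(url)
    parts = [
        f"{n}: first={views['first'][n]!r} last={views['last'][n]!r} "
        f"joined={views['joined'][n]!r}"
        for n in dups
    ]
    return "repeated parameters -> " + "; ".join(parts)

if __name__ == "__main__":
    # The two request shapes quoted in the option description.
    for url in ("/target.cgi?a='&b=2", "/target.cgi?a='&a=1&b=2"):
        print(url, "->", hpp_report(url))
```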

Test embedded web servers

Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.

Test more than one parameter at a time per form

This option manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.

This drop-down box has five selections:

  • One value — This tests one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.
  • Some pairs — This form of testing will randomly check a combination of random pairs of parameters. This is the fastest way to test multiple parameters.
  • All pairs (slower but efficient) — This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it will test an attack string, variations for a single variable and then use the first value for all other variables. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 and then cycles through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Tenable Nessus will never test for /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.
  • Some combinations — This form of testing will randomly check a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Note that increasing the amount of combinations by three or more increases the web application test time.
  • All combinations (extremely slow) — This method of testing will do a fully exhaustive test of all possible combinations of attack strings with valid input to variables. Where All-pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.

Do not stop after the first flaw is found per web page

This option determines when a new flaw is targeted. This applies at the script level; finding an XSS flaw will not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port, unless thorough tests is set. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may be reported sometimes, if they were caught by the same attack. The drop-down has four options:

  • Per CGI — As soon as a flaw is found on a CGI by a script, Tenable Nessus switches to the next known CGI on the same server, or if there is no other CGI, to the next port/server. This is the default option.
  • Per port (faster) — As soon as a flaw is found on a web server by a script, Tenable Nessus stops and switches to another web server on a different port.
  • Per parameter (slow) — As soon as one type of flaw is found in a parameter of a CGI (e.g., XSS), Tenable Nessus switches to the next parameter of the same CGI, or the next known CGI, or to the next port/server.
  • Look for all flaws (slower) — Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.
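The four drop-down values differ only in the scope at which a found flaw of one type halts further tests of that type. The simulation below is an added example, not Tenable's code and not a model of Nessus internals: it runs a constructed inventory of (port, CGI, parameter) tests against a constructed oracle of "vulnerable" combinations and counts how many tests execute and how many findings are reported under each mode. The mode names, flaw types, numbered variants (standing in for individual attack strings) and the oracle are all assumptions.

```python
# Constructed inventory of web tests: each tuple is (port, CGI path, parameter).
INVENTORY = [
    (80, "/login.php", "user"),
    (80, "/login.php", "pass"),
    (80, "/search.php", "q"),
    (8080, "/admin.php", "id"),
]
# Flaw types stand in for scripts; variants stand in for the attack strings a
# script would try. No real payloads are involved.
FLAW_TYPES = ("xss", "sqli")
VARIANTS = (0, 1)

# Constructed oracle: which (port, cgi, param, flaw type) combinations are
# "vulnerable" in this toy target, and which variants would reveal them.
VULNERABLE = {
    (80, "/login.php", "user", "sqli"): {0, 1},
    (80, "/login.php", "pass", "sqli"): {1},
    (80, "/search.php", "q", "xss"): {0},
    (8080, "/admin.php", "id", "xss"): {0, 1},
}


def stop_scope(mode, port, cgi, param):
    """Granularity at which a found flaw (of one type) halts further tests.
    Mode names map to the drop-down: per_port, per_cgi, per_parameter, all."""
    if mode == "per_port":
        return (port,)
    if mode == "per_cgi":
        return (port, cgi)
    if mode == "per_parameter":
        return (port, cgi, param)
    if mode == "all":
        return None          # look for all flaws: never stop early
    raise ValueError(mode)


def run_scan(mode, inventory=INVENTORY, oracle=VULNERABLE):
    """Return (tests executed, findings) under the given stop mode."""
    halted = set()           # (scope, flaw_type) pairs that no longer need testing
    executed = 0
    findings = []
    for port, cgi, param in inventory:
        for flaw in FLAW_TYPES:          # stopping applies per flaw type (script)
            scope = stop_scope(mode, port, cgi, param)
            if scope is not None and (scope, flaw) in halted:
                continue
            for variant in VARIANTS:
                executed += 1
                if variant in oracle.get((port, cgi, param, flaw), set()):
                    findings.append((port, cgi, param, flaw, variant))
                    if scope is not None:
                        halted.add((scope, flaw))
                        break            # first hit of this type in scope: move on
    return executed, findings


if __name__ == "__main__":
    for mode in ("per_port", "per_cgi", "per_parameter", "all"):
        executed, findings = run_scan(mode)
        print(f"{mode:14s} tests={executed:3d} findings={len(findings)}")
```

On this toy target the per-port mode executes the fewest tests (9) and per-CGI the default middle ground (11), both reporting three findings; per-parameter reports the second vulnerable login parameter as well (13 tests, four findings), and looking for all flaws runs every variant (16 tests) and reports every hit (six), which is the verbosity the page warns about.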

URL for Remote File Inclusion

During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Tenable Nessus will use a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.

Maximum run time (minutes)

This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications typically completes in under an hour; however, web sites with large applications may require a higher value.

Windows Options

The Windows tab specifies basic Windows SMB domain options.

Option Description

General Settings

Request information about the SMB Domain

When enabled, Tenable Nessus queries domain users instead of local users.

User Enumeration Methods

SAM Registry

When enabled, Tenable Nessus enumerates users via the Security Account Manager (SAM) registry.

ADSI Query

When enabled, Tenable Nessus enumerates users via Active Directory Service Interfaces (ADSI). To use ADSI, you must also configure ADSI authentication options.

WMI Query

When enabled, Tenable Nessus enumerates users via Windows Management Interface (WMI).

RID Brute Forcing

When enabled, Tenable Nessus enumerates users via relative identifier (RID) brute forcing. Enabling this setting enables the Enumerate Domain Users and Enumerate Local Users options.

Enumerate Domain Users (available when RID Brute Forcing is enabled)

Start UID

1000

End UID

1200

Enumerate Local Users (available when RID Brute Forcing is enabled)

Start UID

1000

End UID

1200

Report Options

The Report tab specifies information to include in the scan’s report.

Option Description

Processing

Override normal verbosity

Determines the verbosity of the detail in the output of the scan results:

  • Normal — Provides the standard level of plugin activity in the report.
  • Quiet — Provides less information about plugin activity in the report to minimize impact on disk space.
  • Verbose — Provides more information about plugin activity in the report. When this option is selected, the output includes the informational plugins 56310, 64582, and 58651.
Show missing patches that have been superseded

When enabled, shows patches in the report that have not been applied but have been superseded by a newer patch.

Hide results from plugins initiated as a dependency

When enabled, hides the results of plugins that ran only because they are a dependency of a selected plugin.

Output

Designate hosts by their DNS name

When possible, designates hosts by their DNS name rather than IP address in the reports.

Display hosts that respond to ping

When enabled, shows a list of hosts that responded to pings sent as part of the scan.

Display unreachable hosts

When enabled, displays a list of hosts within the scan range that could not be reached during the scan.
Display Unicode characters

When enabled, Unicode characters appear in plugin output such as usernames, installed application names, and SSL certificate information.

Note: Plugin output may sometimes incorrectly parse or truncate strings with Unicode characters. If this issue causes problems with regular expressions in plugins or custom audits, disable this setting and scan again.

Generate SCAP XML Results Generate a SCAP XML results file as a part of the report output for the scan.

Authentication Options

The Authentication tab specifies authentication options during a scan.

Option Description

Authentication

Type

Specifies the type of authentication you want scanners to use for credentialed access to scan targets. Credentialed access gathers more complete data about a target.

SNMP

UDP Port

Additional UDP port #1

Additional UDP port #2

Additional UDP port #3

Each of these options specifies a UDP port to use when performing certain SNMP scans. Up to four different ports may be configured; the default port is 161.

SSH

known_hosts file

If an SSH known_hosts file is provided for the scan policy, Tenable Nessus will only attempt to log in to hosts defined in this file. This helps to ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a login to a system that may not be under your control.
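The scope-limiting effect of a known_hosts file depends on the file's host field, which can be a comma-separated list of plain names with `*` and `?` wildcards and `!` negations, a `[host]:port` form for non-default ports, or an OpenSSH hashed entry (`|1|salt|hmac`). The following is an added example, not Tenable's code, that parses a constructed known_hosts file and filters a target list down to the hosts it covers, including hashed entries and the port interplay with the Preferred port option. The file content, host names and placeholder key blobs are all constructed.

```python
import base64
import hashlib
import hmac
import re


def hash_hostname(host, salt):
    """Build an OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


def _glob_match(pattern, name):
    """OpenSSH-style host pattern: only '*' and '?' are wildcards (no [] classes,
    so '[host]:port' brackets are literal)."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, name) is not None


def host_field_matches(field, host, port=22):
    """Does one known_hosts host field cover host:port?"""
    names = (host, "[{}]:{}".format(host, port))  # non-default ports are written [host]:port
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        for name in names:
            actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(actual, expected):
                return True
        return False
    matched = False
    for pattern in field.split(","):
        negated = pattern.startswith("!")
        pattern = pattern[1:] if negated else pattern
        if any(_glob_match(pattern, n) for n in names):
            if negated:
                return False          # a negated match excludes the host from this line
            matched = True
    return matched


def parse_known_hosts(text):
    """Yield (marker, host_field) per usable line; skips comments and blank lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):      # @cert-authority or @revoked marker
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:                # expect host field, key type, key blob
            continue
        yield marker, fields[0]


def in_scope_targets(known_hosts_text, targets, port=22):
    """Return the targets that have a non-revoked known_hosts entry; a policy with
    a known_hosts file only attempts SSH logins against these."""
    entries = [e for e in parse_known_hosts(known_hosts_text) if e[0] != "@revoked"]
    return [t for t in targets
            if any(host_field_matches(field, t, port) for _, field in entries)]


# Constructed sample known_hosts content; key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed example",
    "bastion.example.internal,10.0.0.5 ssh-ed25519 AAAAC3PLACEHOLDER",
    "[git.example.internal]:2222 ssh-rsa AAAAB3PLACEHOLDER",
    "*.lab.example.internal,!decoy.lab.example.internal ssh-ed25519 AAAAC3PLACEHOLDER",
    "@revoked old.example.internal ssh-rsa AAAAB3PLACEHOLDER",
    hash_hostname("10.0.0.9", b"constructed-salt-20b") + " ssh-ed25519 AAAAC3PLACEHOLDER",
])

if __name__ == "__main__":
    targets = ["bastion.example.internal", "10.0.0.9", "10.0.0.77", "git.example.internal"]
    print("port 22:  ", in_scope_targets(SAMPLE_KNOWN_HOSTS, targets))
    print("port 2222:", in_scope_targets(SAMPLE_KNOWN_HOSTS, targets, port=2222))
```

Note that git.example.internal is only in scope when the scan connects on port 2222, because its entry is port-qualified; a policy whose Preferred port does not match the known_hosts entry will skip that host rather than log in to it.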

Preferred port

This option is set to direct the scan to connect to a specific port if SSH is known to be listening on a port other than the default of 22.

Client version

Specifies which type of SSH client to impersonate while performing scans.

Attempt least privilege (experimental)

Enables or disables dynamic privilege escalation. When enabled, if the scan target credentials include privilege escalation, Tenable Nessus first attempts to run commands without privilege escalation. If running commands without privilege escalation fails, Tenable Nessus retries the commands with privilege escalation.

Plugins 102095 and 102094 report whether plugins ran with or without privilege escalation.

Note: Enabling this option may increase the time required to perform scans by up to 30%.

Windows

Never send credentials in the clear

By default, Windows credentials are not sent to the target host in the clear.

Do not use NTLMv1 authentication

When disabled, it is theoretically possible to trick Tenable Nessus into attempting to log in to a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Tenable Nessus. This hash can be potentially cracked to reveal a username or password. It may also be used to directly log in to other servers.

Because NTLMv1 is an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan

This option tells Tenable Nessus to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Tenable Nessus to execute some Windows local check plugins.

Enable administrative shares during the scan

This option will allow Tenable Nessus to access certain registry entries that can be read with administrator privileges.

Start the Server service during the scan

When enabled, the scanner temporarily enables the Windows Server service, which allows the computer to share files and other devices on a network. The service is disabled after the scan completes.

By default, Windows systems have the Windows Server service enabled, which means you do not need to enable this setting. However, if you disable the Windows Server service in your environment, and want to scan using SMB credentials, you must enable this setting so that the scanner can access files remotely.

Plaintext Authentication

Perform patch audits over telnet

When enabled, Tenable.sc uses telnet to connect to the host device for patch audits.

Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords.

Perform patch audits over rsh

When enabled, Tenable.sc permits patch audits over an rsh connection.

Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords.

Perform patch audits over rexec

When enabled, Tenable.sc permits patch audits over an rexec connection.

Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords.

HTTP

Login method

Specify whether the login action is performed via a GET or POST request.

Re-authenticate delay (seconds)

The delay between authentication attempts, in seconds.

Tip: A time delay can help prevent triggering brute force lockout mechanisms.

Follow 30x redirections (# of levels)

If a 30x redirect code is received from a web server, this option specifies whether Tenable Nessus follows the redirect and how many levels of redirection it follows.

Invert authenticated regex

The regex pattern you want Tenable.sc to look for on the login page that, if found, denies authentication.

Tip: Tenable.sc can attempt to match a given string, such as Authentication failed.

Use authenticated regex on HTTP headers

When enabled, Tenable.sc searches the HTTP response headers for a given regex pattern instead of searching the body of a response to better determine authentication state.

Case insensitive authenticated regex

When enabled, Tenable.sc ignores case in regex.
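The HTTP options above combine into a single decision: follow the login response through at most the configured number of 30x redirects, then apply the authenticated regex (optionally inverted, optionally against the headers, optionally case-insensitively) to decide whether the session is authenticated. The following is an added example, not Tenable's code, that models that decision over a constructed table of responses; the paths, headers, bodies and the option names used as keyword arguments are assumptions.

```python
import re

# Constructed responses keyed by path: (status, headers, body). They stand in for
# what a web application would return during the policy's login sequence.
RESPONSES = {
    "/login": (302, {"Location": "/home"}, ""),
    "/home": (200, {"Content-Type": "text/html",
                    "Set-Cookie": "session=abc123; Path=/; HttpOnly"},
              "<h1>Welcome back, alice</h1>"),
    "/login-fail": (200, {"Content-Type": "text/html"},
                    "<p>Authentication failed</p>"),
    "/loop-a": (302, {"Location": "/loop-b"}, ""),
    "/loop-b": (302, {"Location": "/loop-a"}, ""),
}


def follow_redirects(path, responses, max_levels):
    """Follow 30x Location headers for up to max_levels hops. Returns
    (final path, response), or None when the chain exceeds the configured levels
    (which also bounds redirect loops)."""
    hops = 0
    while True:
        status, headers, body = responses[path]
        if 300 <= status < 400 and "Location" in headers:
            if hops >= max_levels:
                return None
            path, hops = headers["Location"], hops + 1
            continue
        return path, (status, headers, body)


def is_authenticated(response, pattern, invert=False, on_headers=False, ignore_case=False):
    """Apply the authenticated-regex options to one response.
    invert      -> a match means NOT authenticated (e.g. 'Authentication failed')
    on_headers  -> search the response headers instead of the body
    ignore_case -> case-insensitive matching"""
    status, headers, body = response
    flags = re.IGNORECASE if ignore_case else 0
    if on_headers:
        haystack = "\r\n".join("{}: {}".format(k, v) for k, v in headers.items())
        flags |= re.MULTILINE          # let ^ anchor at the start of each header line
    else:
        haystack = body
    found = re.search(pattern, haystack, flags) is not None
    return (not found) if invert else found


def login_check(start_path, pattern, max_levels=2, **regex_opts):
    """Login response -> redirects -> regex decision, as one policy evaluation."""
    final = follow_redirects(start_path, RESPONSES, max_levels)
    if final is None:
        return False   # an unterminated redirect chain is treated as not authenticated
    return is_authenticated(final[1], pattern, **regex_opts)


if __name__ == "__main__":
    print("body regex:      ", login_check("/login", r"Welcome back"))
    print("inverted regex:  ", login_check("/login-fail", r"Authentication failed", invert=True))
    print("header regex:    ", login_check("/login", r"^Set-Cookie: session=", on_headers=True))
    print("redirect limit 0:", login_check("/login", r"Welcome back", max_levels=0))
```

The header form is often the more robust choice when the post-login page varies, since a session cookie or a Location header is stable across content changes; the inverted form is the one to use when the only reliable signal is the failure message.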

Compliance Options

The Compliance tab specifies the compliance audit files to reference in a scan policy. The available options depend on the type of audit file selected.

For more information, see Audit Files and Configure Compliance Options.

Option Description

Generic SSH Escalation command

(Generic SSH audits only) The command to use for accomplishing the privilege escalation. This is similar to the enable command for Cisco devices.

Generic SSH Escalation success check

(Generic SSH audits only) A regular expression that must match after the escalation has succeeded. This can be the prompt or any other message notifying the success of privilege escalation.

Plugins Options

The Plugins tab specifies which plugins are used during the policy’s Tenable Nessus scan. You can enable or disable plugins in the plugin family view or in the plugin view for more granular control.

For more information, see Configure Plugin Options.

Caution: The Denial of Service plugin family contains plugins that could cause outages on network hosts if the Safe Checks option is not enabled, but it also contains useful checks that do not cause any harm. The Denial of Service plugin family can be used in conjunction with Safe Checks to ensure that any potentially dangerous plugins are not run. However, Tenable does not recommend enabling the Denial of Service plugin family in production environments.