Scan Policy Options

Name

A unique name for the policy.

Description

(Optional) A description for the policy.

Enable safe checks

Tenable Nessus attempts to identify remote vulnerabilities by interpreting banner information and attempting to exercise a vulnerability. When Enable safe checks is enabled, Tenable Nessus does not attempt to exercise any vulnerabilities. This is not as reliable as a full probe, but is less likely to negatively impact a targeted system.

Determines whether the scan searches for unpatched vulnerabilities. This includes CVEs marked as "Will Not Fix" by the related vendor.

Enabling this setting may increase your overall findings count; each platform and package combination results in an individual plugin. If additional CVEs are found to affect a platform and package combination, the CVEs are added to the existing plugin.

This setting is disabled by default.

Note: If you configure a scan to produce findings for unpatched vulnerabilities and then the setting is unchecked, Tenable Security Center remediates unpatched findings in the next scan. Additionally, if multiple scans target the same device and one has enabled findings for unpatched vulnerabilities and another does not, the findings results may vary per scan.

Stop scanning hosts that become unresponsive during the scan

During a scan, hosts may become unresponsive after a period of time. Enabling this setting stops scan attempts against hosts that stop sending results.

Automatically accept detected SSH disclaimer prompts

When enabled, if a credentialed scan tries to connect via SSH to a host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan.

When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output.

When disabled, to avoid overwhelming a host, Tenable Nessus prevents against simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable Nessus scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.

When enabled, a Tenable Nessus scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results.

When enabled, the scanner creates a unique identifier (Tenable UUID) . Tenable Vulnerability Management and Tenable Security Center use the Tenable UUID to merge incoming scan data with historical results for the asset and ensure that license counts are accurately reflected.

For more information, see Why Tenable Tags and Agent IDs are created during authenticated scans.

Slow down the scan when network congestion is detected

When Tenable Nessus detects congestion during a scan, it will slow the speed of the scan in an attempt to ease the burden on the affected segment(s).

Network timeout (in seconds)

Determines the amount of time, in seconds, to determine if there is an issue communicating over the network.

Max simultaneous checks per host

This setting limits the maximum number of checks a Tenable Nessus scanner performs against a single host at one time. The default value of this option is 5 simultaneous checks per host.

Type an integer greater than 0. If you enter 0, enter a negative integer, or delete the value in the field, Tenable Security Center does not perform any checks and scans will not complete.

Max simultaneous hosts per scan

This setting limits the maximum number of hosts that a single Tenable Nessus scanner scans at the same time. The default value of this option is 30 hosts per scan.

If the scan is using a zone with multiple scanners, each scanner will accept up to the amount specified in the Max simultaneous hosts per scan option. For example, if the Max simultaneous hosts per scan is set to 5 and there are 5 scanners per zone, each scanner will accept 5 hosts to scan, allowing a total of 25 hosts to be scanned between the 5 scanners.

If you set Max Simultaneous hosts per scan to more than the Nessus scanner’s max_hosts value, the following message appears in the scanner's nessusd.messages: Tried to raise the maximum hosts number - 150. Using 100. Change 'max_hosts' in the server configuration if you believe this is incorrect. You can ignore this message; Tenable Security Center send scans to the scanner into scan chunks of up to eight IPs and will not reach the scanner's max_hosts, which must be nine or greater.

Max number of concurrent TCP sessions per host

Specifies the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most.

Type an integer between 1-2000. If you leave the box empty or enter 0, Tenable Security Center does not enforce a limit.

Max number of concurrent TCP sessions per scan

This setting limits the maximum number of TCP sessions established by any of the active scanners during a scan.

Type an integer between 1-2000. If you leave the box empty or enter 0, Tenable Security Center does not enforce a limit.

Command Timeout

The maximum number of seconds the find command is allowed to run on Unix systems. Not all Find commands use this timeout. Default value is 240.

Note: For all Find command executions in the plugin to complete, and to prevent the plugin from timing out, its plugin timeout should be adjusted with timeout_<plugin ID> in the scanner's Advanced Settings,

A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page.

A plain text file containing a list of filepaths to include from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible.

Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system.

When enabled, instead of running native operating system commands of find and unzip, plugins use binaries included within the plugin feed for agent-based scanning. This allows CPU consumption to be controlled for the Tenable Nessus Agentfind command. Another benefit to enabling this setting is that if find or unzip are not found natively on the operating system, using the commands from the feed allows full plugin execution with these commands to continue.

This setting works in tandem with the Scan Performance setting, which you can set locally on the agent. If you enable this setting and have adjusted the Scan Performance to a setting other than the default (High), the resulting scan findings may be different than previous scans with the same configuration. This is because the scan may experience timeouts in finding files due to the lower CPU resources.

Note: Due to the need for thorough and complete results, audits do not leverage the find or unzip binaries from the Tenable feed.

Note: With this setting enabled, CPU usage may spike up or close to 100% when the plugin requests a batch of results to process. The CPU then drops down to a lower level until the next batch is requested for processing.

A plain text file containing a list of filepaths to exclude from all plugins that search using Tenable's unmanaged software directory scans.

In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can include absolute or relative directory names, examples such as E:\, E:\Testdir\, and \Testdir\.

Tip: The default exclusion paths include \Windows\WinSxS\ and \Windows\servicing\ if you do not configure this setting. If you configure this setting, Tenable recommends adding those two paths to the file; those directories are very slow and do not contain unmanaged software.

A plain text file containing a list of filepaths to include in all plugins that search using Tenable's unmanaged software directory scans.

In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can only include absolute directory names, examples such as E:\, E:\Testdir\, and C:\.

Caution: Avoid having the same filepaths in the Windows Include Filepath and Windows Exclude Filepath settings. This conflict results in the filepath being excluded from the search.

Controls the maximum timeout duration for compliance checks.

This setting is used by checks with long run times, especially checks that run commands on remote targets for Windows and Unix audits. This timeout setting overrides all other timeout settings when it is available.

Generate Gold Image Audit

Attaches a compliance gold image .audit established by generated compliance scan results. For more information, see Compliance Export Gold Image.

Attaches XCCDF result files generated from compliance .audit scans. For more information, see Compliance Export XCCDF Results.

Attaches .audit JSON result files. For more information, see Compliance Export JSON Results.

When enabled, Tenable Security Center generates a report of all the commands run over SSH on the host in a machine-readable format. You can view the reported commands under plugin 168017.

Note: The setting does not function correctly if you disable plugin 168017.

(Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU.

If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes.

Use Tenable supplied binaries for 'find' and 'unzip'

Ping the remote host

When enabled, Tenable Nessus attempts to ping the hosts in the scan to determine if the host is alive or not.

Test the local Tenable Nessus host

This option allows you to include or exclude the local Tenable Nessus host from the scan. This is used when the Tenable Nessus host falls within the target network range for the scan.

Use fast network discovery

When Tenable Nessus pings a remote IP address and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer to every port 1 - 65535 even when there is no service behind the device). Such checks can take some time, especially if the remote host is firewalled. If Use fast network discovery is enabled, Tenable Nessus does not perform these checks.

ARP

Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.

TCP

Ping a host using TCP.

Destination ports

Destination ports can be configured to use specific ports for TCP ping. This option specifies the list of ports that are checked via TCP ping. Type one of the following:

• a single port
• a comma-separated list of ports

• built-in

  For more information about which ports built-in specifies, see the knowledge base article.

ICMP

Ping a host using the Internet Control Message Protocol (ICMP).

Assume ICMP unreachable means the host is down

When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When enabled, this option considers this to mean the host is dead. This is to help speed up discovery on some networks.

Some firewalls and packet filters use this same behavior for hosts that are up but are connecting to a port or protocol that is filtered. With this option enabled, this leads to the scan considering the host is down when it is indeed up.

Maximum number of retries

(If you enabled ICMP) Allows you to specify the number of attempts to try to ping the remote host. The default is two attempts.

UDP

Ping a host using the User Datagram Protocol (UDP).

Tip: UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

Scan Network Printers

Instructs the Tenable Nessus scanner not to scan network printers if unselected. Since many printers are prone to denial of service conditions, Tenable Nessus can skip scanning them once identified. This is recommended if scanning is performed on production networks.

Scan Novell Netware hosts

Instructs the Tenable Nessus scanner not to scan Novel Netware hosts if unselected. Since many Novell Netware hosts are prone to denial of service conditions, Tenable Nessus can skip scanning them once identified. This is recommended if scanning is performed on production networks.

When enabled, Tenable Security Center performs a full scan of Operational Technology (OT) devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor environmental factors and the activity and state of machinery.

When disabled, Tenable Security Center uses ICS/SCADA Smart Scanning to identify OT devices cautiously and stops scanning them once they are discovered.

List of MAC addresses

Wake on Lan (WOL) packets will be sent to the hosts listed, one on each line, in an attempt to wake the specified host(s) during a scan.

Boot time wait (in minutes)

The number of minutes Tenable Nessus will wait to attempt a scan of hosts sent a WOL packet.

Consider unscanned ports as closed

If a port is not scanned with a selected port scanner (for example, out of the range specified), the scanner will consider it closed.

Port scan range

Specifies the range of ports to be scanned.

The supported ranges are:

• default — Instructs the scanner to scan approximately 4,790 commonly used ports specified in the nessus-services file. You can also combine the default keyword with other ports and port ranges.

  Note: You can convert the nessus-services file to a custom list of ports by performing four consecutive regular expression (regex) replace-all operations in a text editor that supports such operations:

  • .*\s+(\d+)\/(tcp|udp)(\r\n|\r|\n) to $1\/$2,

  • (\d+)\/(tcp|udp) to $2:$1

  • tcp to T

  • udp to U

  You can find the nessus-services file in the following directories, depending on your operating system:

  • Linux — /opt/nessus/var/nessus/nessus-services

  • Windows — C:\ProgramData\Tenable\Nessus\nessus\nessus-services

  • macOS — /Library/Nessus/run/var/nessus/nessus-services

• all — Instructs the scanner to scan all 65,536 ports, excluding port 0. You cannot combine the all keyword with other ranges.

• A comma-separated list of ports (for example, 21,23,25,80,110), port ranges (for example, 1-1024,9000-9200 or 1-65535 to scan all ports but 0 and T:1-1024,U:300-500 or 1-1024,T:1024-65535,U:1025 to scan separate or overlapping TCP and UDP port ranges), or combinations thereof.

If you disable the UDP, SYN, or TCP port scanner settings in the scan policy Discovery settings, those ports are not scanned despite what range of ports you specify. The UDP and TCP port scanner settings are disabled by default; the SYN port scanner setting is enabled by default.

SSH (netstat)

When enabled, the scanner uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Linux-based systems and requires authentication credentials. To use this setting, you must first configure SSH Credentials.

WMI (netstat)

When enabled, the scanner uses netstat to determine open ports while performing a WMI-based scan.

In addition, the scanner:

• Ignores any custom range specified in the Port Scan Range setting.
• Continues to treat unscanned ports as closed if the Consider unscanned ports as closed setting is enabled.

If any port enumerator (netstat or SNMP) is successful, the port range becomes all. To use this setting, you must first configure Windows Credentials.

SNMP

When enabled, if the appropriate credentials are provided by the user, the scanner can better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Only run network port scanners if local port enumeration failed

If a local port enumerator runs, all network port scanners will be disabled for that asset.

Verify open TCP ports found by local port enumerators

When enabled, if a local port enumerator (for example, WMI or netstat) finds a port, the scanner also verifies that the port is open remotely. This approach helps determine if some form of access control is being used (for example, TCP wrappers or a firewall).

TCP

Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the targets, using a full TCP three-way handshake. If you enable this option, you can also set the Override Automatic Firewall Detection option.

Note: On some platforms (for example, Windows and macOS), if the operating system is causing serious performance issues using the TCP scanner, Tenable Nessus launches the SYN scanner instead.

SYN

Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a SYN packet to the port, waits for SYN-ACK reply, and determines the port state based on a response or lack of response.

If you enable this option, you can also set the Override Automatic Firewall Detection option.

Override automatic firewall detection

Rely on local port enumeration first before relying on network port scans.

UDP

This option engages the built-in Tenable Nessus UDP scanner to identify open UDP ports on the targets.

Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the netstat or SNMP port enumeration options instead if possible.

Probe all ports to find services

When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option.

Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects.

Search for SSL/TLS services

Controls how the scanner tests SSL-based services.

Caution: Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL/TLS on

Specifies which ports on target hosts the scanner searches for SSL/TLS services.

This setting has two options:

• Known SSL/TLS ports
• All ports

Search for DTLS on

Specifies which ports on target hosts the scanner searches for DTLS services.

This setting has the following options:

• None

• Known DTLS ports

• All ports

Identify certificates expiring within x days

Identifies SSL certificates that age out within the specified timeframe. Type a value to set a timeframe (in days).

Enumerate all SSL/TLS ciphers

When Tenable Security Center performs an SSL scan, it tries to determine the SSL ciphers used by the remote server by attempting to establish a connection with each different documented SSL cipher, regardless of what the server says is available.

Enable CRL checking (connects to the Internet)

Direct Tenable Nessus to check SSL certificates against known Certificate Revocation Lists (CRL). Enabling this option makes a connection and query one or more servers on the internet.

Override normal accuracy

In some cases, Tenable Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to Paranoid then a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid false alarms will cause Tenable Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. Normal is a middle ground between these two settings.

Perform thorough tests (may disrupt your network or impact scan speed)

Causes various plugins to use more aggressive settings. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of its default of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Antivirus definition grace period (in days)

This option determines the delay in the number of days of reporting the software as being outdated. The valid values are between 0 (no delay, default) and 7.

Third party domain

Tenable Nessus attempts to send spam through each SMTP device to the address listed in this option. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

From address

The test messages sent to the SMTP server(s) will appear as if they originated from the address specified in this option.

To Address

Tenable Nessus attempts to send messages addressed to the mail recipient listed in this option. The postmaster address is the default value since it is a valid address on most mail servers.

Only use credentials provided by the user

In some cases, Tenable Nessus can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable Nessus from performing these tests.

Test default Oracle accounts (slow)

Test for known default accounts in Oracle software.

The number of simultaneous Hydra tests that you want to execute. By default, this value is 16.

Provide your own list of known bad MD5/SHA1/SHA256 hashes

Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.

If you want to add a description for each hash, type a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description will show up in the scan results.

Provide your own list of known good MD5/SHA1/SHA256 hashes

Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.

If you want to add a description for each hash, type a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description will show up in the scan results.

Hosts file allowlist

Tenable Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910). This option allows you to upload a file containing a list of IPs and hostnames that will be ignored by Tenable Nessus during a scan. Include one IP address and hostname (formatted identically to your hosts file on the target) per line in a regular text file.

Turning on this option allows you to scan system directories and files on host computers.

A custom file that lists directories for malware file scanning. List each directory on one line.

A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.

Start at register

End at register

These options are available for commercial users. This drop-down box item is dynamically generated by the SCADA plugins available with the commercial version of Tenable Nessus. Modbus uses a function code of 1 to read coils in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message. The defaults for this are 0 for the Start at register value and 16 for the End at register value.

Start COTP TSAP

Stop COTP TSAP

The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values. The start and stop values are set to 8 by default.

Use a custom User-Agent

Specifies which type of web browser Tenable Nessus will impersonate while scanning.

Start crawling from

The URL of the first page that will be tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).

Excluded pages (regex)

Enable exclusion of portions of the web site from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this option to: (^/manual)|(\.pl(\?.*)?$). Tenable Nessus supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).

Maximum pages to crawl

The maximum number of pages to crawl.

Maximum depth to crawl

Limit the number of links Tenable Nessus will follow for each start page.

Follow dynamically generated pages

When enabled, Tenable Nessus will follow dynamic links and may exceed the parameters set above.

Enable generic web application tests

Enables the Application Test Settings options.

Abort web application tests if HTTP login fails

If Tenable Nessus cannot login to the target via HTTP, then do not run any web application tests.

Try all HTTP Methods

This option will instruct Tenable Nessus to also use POST requests for enhanced web form testing. By default, the web application tests will only use GET requests, unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. This setting provides more thorough testing, but may considerably increase the time required. When selected, Tenable Nessus will test each script/variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Attempt HTTP Parameter Pollution

When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.

Test embedded web servers

Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.

Test more than one parameter at a time per form

This option manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 where b and c allows other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.

This drop-down box has five selections:

• One value — This tests one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 where b and c allows other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.
• Some pairs — This form of testing will randomly check a combination of random pairs of parameters. This is the fastest way to test multiple parameters.
• All pairs (slower but efficient) — This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it will test an attack string, variations for a single variable and then use the first value for all other variables. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 and then cycles through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Tenable Nessus will never test for /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.
• Some combinations — This form of testing will randomly check a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Note that increasing the amount of combinations by three or more increases the web application test time.
• All combinations (extremely slow) — This method of testing will do a fully exhaustive test of all possible combinations of attack strings with valid input to variables. Where All-pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.

Do not stop after the first flaw is found per web page

This option determines when a new flaw is targeted. This applies at the script level; finding an XSS flaw will not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port, unless thorough tests is set. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may be reported sometimes, if they were caught by the same attack. The drop-down has four options:

• Per CGI — As soon as a flaw is found on a CGI by a script, Tenable Nessus switches to the next known CGI on the same server, or if there is no other CGI, to the next port/server. This is the default option.
• Per port (faster) — As soon as a flaw is found on a web server by a script, Tenable Nessus stops and switches to another web server on a different port.
• Per parameter (slow) — As soon as one type of flaw is found in a parameter of a CGI (e.g., XSS), Tenable Nessus switches to the next parameter of the same CGI, or the next known CGI, or to the next port/server.
• Look for all flaws (slower) — Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommend in most cases.

URL for Remote File Inclusion

During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Tenable Nessus will use a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.

Maximum run time (minutes)

This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications will typically complete in under an hour, however web sites with large applications may require a higher value.

Request information about the SMB Domain

When enabled, Tenable Nessus queries domain users instead of local users.

Start UID

1000

1200

Determines the verbosity of the detail in the output of the scan results:

• Normal — Provides the standard level of plugin activity in the report.
• Quiet — Provides less information about plugin activity in the report to minimize impact on disk space.
• Verbose — Provides more information about plugin activity in the report. When this option is selected, the output includes the informational plugins 56310, 64582, and 58651.

When enabled, Unicode characters appear in plugin output such as usernames, installed application names, and SSL certificate information.

Note: Plugin output may sometimes incorrectly parse or truncate strings with Unicode characters. If this issue causes problems with regular expressions in plugins or custom audits, disable this setting and scan again.

Specifies the type of authentication you want scanners to use for credentialed access to scan targets. Credentialed access gathers more complete data about a target.

• Host
• Database Credentials
• Miscellaneous
• Plaintext Authentication

• Patch Management

UDP Port

Additional UDP port #1

Additional UDP port #2

Additional UDP port #3

This is the UDP port that will be used when performing certain SNMP scans. Up to four different ports may be configured, with the default port being 161.

known_hosts file

If an SSH known_hosts file is provided for the scan policy, Tenable Nessus will only attempt to log in to hosts defined in this file. This helps to ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a login to a system that may not be under your control.

Preferred port

This option is set to direct the scan to connect to a specific port if SSH is known to be listening on a port other than the default of 22.

Client version

Specifies which type of SSH client to impersonate while performing scans.

Enables or disables dynamic privilege escalation. When enabled, if the scan target credentials include privilege escalation, Tenable Nessus first attempts to run commands without privilege escalation. If running commands without privilege escalation fails, Tenable Nessus retries the commands with privilege escalation.

Plugins 102095 and 102094 report whether plugins ran with or without privilege escalation.

Note: Enabling this option may increase the time required to perform scans by up to 30%.

Never send credentials in the clear

By default, Windows credentials are not sent to the target host in the clear.

Do not use NTLMv1 authentication

When disabled, it is theoretically possible to trick Tenable Nessus into attempting to log in to a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Tenable Nessus. This hash can be potentially cracked to reveal a username or password. It may also be used to directly log in to other servers.

Because NTLMv1 is an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan

This option tells Tenable Nessus to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Tenable Nessus to execute some Windows local check plugins.

Enable administrative shares during the scan

This option will allow Tenable Nessus to access certain registry entries that can be read with administrator privileges.

When enabled, the scanner temporarily enables the Windows Server service, which allows the computer to share files and other devices on a network. The service is disabled after the scan completes.

By default, Windows systems have the Windows Server service enabled, which means you do not need to enable this setting. However, if you disable the Windows Server service in your environment, and want to scan using SMB credentials, you must enable this setting so that the scanner can access files remotely.

Perform patch audits over telnet

When enabled, Tenable Security Center uses telnet to connect to the host device for patch audits.

Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords.

Perform patch audits over rsh

When enabled, Tenable Security Center permits patch audits over a rsh connection.

Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords.

Perform patch audits over rexec

When enabled, Tenable Security Center permits patch audits over a rexec connection.

Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords.

Login method

Specify whether the login action is performed via a GET or POST request.

Re-authenticate delay (seconds)

The delay between authentication attempts, in seconds.

Tip: A time delay can help prevent triggering brute force lockout mechanisms.

Follow 30x redirections (# of levels)

If a 30x redirect code is received from a web server, this directs Tenable Nessus to follow the link provided or not.

Invert authenticated regex

The regex pattern you want Tenable Security Center to look for on the login page that, if found, denies authentication.

Tip: Tenable Security Center can attempt to match a given string, such as Authentication failed.

Use authenticated regex on HTTP headers

When enabled, Tenable Security Center searches the HTTP response headers for a given regex pattern instead of searching the body of a response to better determine authentication state.

Case insensitive authenticated regex

When enabled, Tenable Security Center ignores case in regex.

(Generic SSH audits only) The command to use for accomplishing the privilege escalation. This is similar to the enable command for Cisco devices.

(Generic SSH audits only) A regular expression that must match after the escalation has succeeded. This can be the prompt or any other message notifying the success of privilege escalation.