Advanced Settings in Tenable Vulnerability Management Scans
Note: If a scan is based on a user-defined template, you cannot configure Advanced settings in the scan. You can only modify these settings in the related user-defined template.
The Advanced settings provide increased control over scan efficiency and the operations of a scan, as well as the ability to enable plugin debugging.
Certain Tenable-provided scanner templates include
If you select the Custom preconfigured setting option, or if you are using a Nessus Scanner template that does not include preconfigured advanced settings, you can manually configure Advanced settings in the following categories:
- General Settings
- Performance Options
- Unix Find Command Options
- Windows File Search Options
- Debug Settings
- Stagger Scan Start (Agent scans only)
Note: The following tables include settings for the Advanced
| Setting | Default Value | Description |
|---|---|---|
| General Settings | ||
| Enable Safe Checks | Enabled |
When enabled, disables all plugins that may have an adverse effect on the remote host. |
| Stop scanning hosts that become unresponsive during the scan | Disabled |
When enabled, Tenable Vulnerability Management stops scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (for example, an IDS) has started to block traffic to a server. Normally, continuing scans on these machines sends unnecessary traffic across the network and delay the scan. |
| Scan IP addresses in a random order | Disabled |
By default, Tenable Vulnerability Management scans a list of IP addresses in sequential order. When this option is enabled, Tenable Vulnerability Management scans the list of hosts in a random order within an IP address range. This approach is typically useful in helping to distribute the network traffic during large scans. |
| Automatically accept detected SSH disclaimer prompts | Disabled |
When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan. The scan initially sends a bad ssh request to the target in order to retrieve the supported authorization methods. This allows you to determine how to connect to the target, which is helpful when you configure a custom ssh banner and then try to determine how to connect to the host. When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output. |
| Scan targets with multiple domain names in parallel | Disabled |
When disabled, to avoid overwhelming a host, When enabled, a Tenable Vulnerability Management scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results. |
| Create unique identifier on hosts scanned using credentials | Enabled | When enabled, the scanner creates a unique identifier for credentialed scans. |
| Trusted CAs | None |
Specifies CA certificates that the scan considers as trusted. This allows you to use self-signed certificates for SSL authentication without triggering plugin 51192 as a vulnerability in your Tenable Vulnerability Management environment. Note: In addition to this setting, you can configure trusted CAs at the individual scanner level (for more information, see Trust a Custom CA in the Tenable Nessus User Guide). There is no precedence or hierarchy between trusted CAs configured in the Tenable Vulnerability Management scan configuration and trusted CAs configured on the Tenable Nessus scanner. Tenable Vulnerability Management uses the correct certificate needed to complete the scan and ignores irrelevant certificates, regardless of which product you configure them in. |
| Performance Options | ||
|
Slow down the scan when network congestion is detected |
Disabled |
When enabled, Tenable detects when it is sending too many packets and the network pipe is approaching capacity. If network congestion is detected, throttles the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Tenable automatically attempts to use the available space within the network pipe again. |
|
Use Linux kernel congestion detection |
Disabled |
When enabled, Tenable Vulnerability Management uses the Linux kernel to detect when it sends too many packets and the network pipe approaches capacity. If detected, Tenable Vulnerability Management throttles the scan to accommodate and alleviate the congestion. Once the congestion subsides, Tenable Vulnerability Management automatically attempts to use the available space within the network pipe again. |
|
Network timeout (in seconds) |
5 |
Specifies the time that Tenable waits for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may want to set this to a higher number of seconds. |
|
Max simultaneous checks per host |
5 |
Specifies the maximum number of checks a Tenable scanner will perform against a single host at one time. |
|
Max simultaneous hosts per scan |
Depends on the Tenable-provided template used for the scan |
Specifies the maximum number of hosts that Tenable Vulnerability Management submits for scanning at the same time in an individual scan task. To further refine scan performance using host limits, Tenable recommends adjusting Advanced settings for your individual scanners (for example, max_hosts, global.max_hosts, and global.max_scans). For more information, see Advanced Settings in the Tenable Nessus User Guide. If you set Max simultaneous hosts per scan to more than scanner’s max_hosts setting, Tenable Vulnerability Management caps Max simultaneous hosts per scan at the max_hosts value. For example, if you set the Max simultaneous hosts per scan to 150 and scanner's max_hosts is set to 100, with more than 100 targets, Tenable Vulnerability Management scans 100 hosts simultaneously. Note: You can only adjust individual scanner settings for your organization's managed scanners. You cannot modify the settings of Tenable-hosted scanners. |
|
Max number of concurrent TCP sessions per host |
None |
Specifies the maximum number of established TCP sessions for a single host. |
|
Max number of concurrent TCP sessions per scan |
None |
Specifies the maximum number of established TCP sessions for each scan task, regardless of the number of hosts being scanned. For scanners installed on any Windows host, you must set this value to 19 or less to get accurate results. |
| Unix Find Command Options | ||
|
Exclude Filepath |
None |
A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page. |
|
Exclude Filesystem |
None |
A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems. In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page. |
| Include Filepath | None |
A plain text file containing a list of filepaths to include from all plugins that search using the find command on Unix systems. In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page. Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible. Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system. |
| Windows File Search Options | ||
|
Windows Exclude Filepath |
None |
A plain text file containing a list of filepaths to exclude from any search on Windows systems. In the file, enter one filepath per line. This setting overrides and removes default exclusions. Note: Windows file exclusions do not apply to any plugins that are managed by the operating system. |
|
Windows Include Filepath |
None |
A plain text file containing a list of filepaths to include in any use of Recursive search on Windows systems. In the file, enter one filepath per line. This setting replaces any defaults entirely. |
| Debug Settings | ||
|
Enable plugin debugging |
Disabled |
Attaches available debug logs from plugins to the vulnerability output of this scan. |
| Audit Trail Verbosity | Default |
Controls verbosity of the plugin audit trail. Options include:
|
| Stagger Scan Start | ||
| Maximum delay (minutes) | 0 |
(Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU. If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes. |