Launch a Remediation Scan

Required Tenable.io Vulnerability Management User Role: Standard, Scan Manager, or Administrator

Required Access Group Permissions: Can Scan

You can create a remediation scan to run a follow-up scan against existing scan results. A remediation scan evaluates a specific plugin against a specific scan target or targets where a vulnerability was present in your earlier active scan.

Remediation scans allow you to validate whether your vulnerability remediation actions on the scan targets have been successful. If a remediation scan cannot identify a vulnerability on targets where the vulnerability was previously identified, the system changes the status of the vulnerability to Fixed.

You can perform remediation scans for scan results from certain sensors only:

Sensor Type | Supported?
Tenable.io cloud | yes
On-premises Nessus | yes
Nessus scanner for Amazon Web Services (AWS) | yes
On-premises Tenable.io Web Application Scanning | no
Nessus Network Monitor | no
Nessus Agent | no

To launch a remediation scan:

  1. Set the scope for the remediation scan:

    Remediation Scan Scope | Action

    All vulnerabilities on all affected assets | This scope is not supported.

    All vulnerabilities on an individual asset | To set this scope:

      1. View asset details.
      2. On the Asset Details page, click the Vulnerabilities tab.

        The Vulnerabilities tab appears.

      3. In the upper-right corner, click the Actions button.

        The actions menu appears.

      4. In the actions menu, click Scan Launch Remediation Scan.

    All vulnerabilities on multiple assets | This scope is not supported.

    An individual vulnerability on the top 500 affected assets | To set this scope:

      1. View vulnerability details.

      2. Click the Assets Affected tab.

        The assets table appears.

      3. In the upper-right corner, click the Actions button.

        The actions menu appears.

      4. Click Scan Launch Remediation Scan.

    An individual vulnerability on an individual asset | To set this scope:

      1. View vulnerability details.

      2. Click the Assets Affected tab.

        The assets table appears.

      3. In the assets table, select the check box for the asset you want to select.

        The action bar appears at the bottom of the page.

      4. In the action bar, click Scan Launch Remediation Scan.

    An individual vulnerability on multiple assets | To set this scope:

      1. View vulnerability details.

      2. Click the Assets Affected tab.

        The assets table appears.

      3. In the assets table, select the check box next to each asset you want to select.

        The action bar appears at the bottom of the page.

      4. In the action bar, click Scan Launch Remediation Scan.

    Multiple vulnerabilities on all affected assets | This scope is not supported.

    Multiple vulnerabilities on an individual asset | To set this scope:

      1. View asset details.
      2. On the Asset Details page, click the Vulnerabilities tab.

        The Vulnerabilities tab appears.

      3. In the vulnerabilities table, select the check box next to each vulnerability you want to select.

        The action bar appears at the bottom of the page.

      4. In the action bar, click Scan Launch Remediation Scan.

    Multiple vulnerabilities on multiple assets | This scope is not supported.

    The Create a Scan - Remediation Scan page appears.

    Tenable.io automatically creates the remediation scan from the Tenable-provided Advanced Network Scan template and populates certain settings based on the assets and vulnerabilities you selected.

  2. On the Create a Scan page:

    1. Verify the settings that Tenable.io populated based on the vulnerabilities and assets you selected.
    2. Configure additional settings for the scan.

      The number of manual changes you must make depends on the plugins involved in the remediation scan.

    The following table defines the inherited and default values for settings in the remediation scan.

    Setting Category | Setting | Remediation Scan Value

    Basic | Name | Specifies an editable scan name in the format "Remediation scan of plugin # number" where number is the number of the plugin that identified the vulnerability.

    Basic | Folder | Cannot be configured. Remediation scans appear in the Remediation Scans folder only.

    Basic | Scanner | Specifies the scanner that performs the scan.

      The scanner you select depends on the location of the targets included in the remediation scan. For example:

      • By default, this value is the cloud scanner for your geographical region (for example, US Cloud Scanner). However, a cloud scanner cannot scan non-routable IP addresses. If the scan targets include non-routable IP addresses, select a linked scanner instead.
      • Select a scanner group if you want to:

        • Improve scan speed by balancing the scan load among multiple scanners.
        • Rebuild scanners and link new scanners in the future without having to update scanner designations in scan configurations.

    Basic | Network | (Required if the scanner is set to Auto-Select) Do one of the following:

      • If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing.
      • If your scans do not involve separate environments with overlapping IP ranges, retain the Default network.

    Basic | Targets | Specifies the scan targets based on the assets you selected for the remediation scan.

    Basic | User Permissions | Specifies default settings for the Advanced Network Scan template.

      By default, only you have access to the individual scan results for the remediation scan. The Default user permissions are set to No Access. If you want to share the remediation scan with other users, configure the user permissions.

    Basic | Schedule | Cannot be configured. If you do not launch a remediation scan when you create it, you can launch the scan manually later.

    Basic | all other settings | Specifies default settings for the Advanced Network Scan template.

    Discovery | all | Specifies default settings for the Advanced Network Scan template.

      Note: The default Port Scan Range scans common ports only. If the plugins used in the remediation scan require specific ports, configure this setting for a range that includes those ports.

    Assessment | all | Specifies default settings for the Advanced Network Scan template.

    Report | all | Specifies default settings for the Advanced Network Scan template.

    Advanced | all | Specifies default settings for the Advanced Network Scan template.

    Credentials | all | By default, there are no credentials configured. If the plugins in the remediation scan require credentials, configure them in the remediation scan.

      Note: Remediation scans work best for un-credentialed network scan results. Use caution when running a remediation scan for a plugin that requires scan credentials. If you neglect to add scan credentials when required for a specific plugin, or if you type the credentials incorrectly, the system may identify the related vulnerabilities as fixed. In fact, the vulnerabilities do not appear in the scan results because the system could not complete the credentialed scan.

    Compliance | all | By default, no compliance audits are configured. If the plugins in the remediation scan require compliance audit settings, configure the appropriate settings.

    Plugins | limited | Specifies plugins limited to the following:

      • the plugins you selected for remediation scanning
      • any plugins on which the selected plugins are dependent

  3. Do one of the following:

    • If you want to save without launching the scan, click Save.

      Tenable.io saves the scan.

    • If you want to save and launch the scan immediately, click Save & Launch.

      Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.

      Tenable.io saves and launches the scan.
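
An added pre-flight check for the Scanner setting described above (example code, not part of the Tenable documentation): it sorts remediation scan targets by whether the default cloud scanner can reach them or a linked scanner is needed. The list of non-routable ranges, the function names, and the sample targets are assumptions made for this example.

```python
import ipaddress

# Assumed definition of "non-routable" for this example; the page does not
# enumerate the ranges. Adjust the list to match your environment.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 shared space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def target_networks(target):
    """Expand an IP, CIDR or first-last range into networks; None if not an IP literal."""
    target = target.strip()
    try:
        if "-" in target:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in target.split("-", 1))
            return list(ipaddress.summarize_address_range(first, last))
        return [ipaddress.ip_network(target, strict=False)]
    except (ValueError, TypeError):
        return None


def plan_scanner(targets):
    """Sort targets by whether a cloud scanner can reach them."""
    plan = {"cloud_ok": [], "needs_linked_scanner": [], "unresolved": []}
    for target in targets:
        nets = target_networks(target)
        if nets is None:
            plan["unresolved"].append(target)  # resolve hostnames before deciding
        elif any(n.version == b.version and n.overlaps(b)
                 for n in nets for b in NON_ROUTABLE):
            plan["needs_linked_scanner"].append(target)
        else:
            plan["cloud_ok"].append(target)
    return plan


# Constructed sample targets (documentation and private ranges only).
TARGETS = ["198.51.100.7", "10.20.0.0/24", "192.168.1.10-192.168.1.20",
           "9.255.255.250-10.0.0.5", "web-01.example.com", "fd12:3456::1"]

if __name__ == "__main__":
    for bucket, members in plan_scanner(TARGETS).items():
        print(f"{bucket}: {members}")
```

A range is flagged if any part of it overlaps a non-routable block, so a target that straddles public and private space is still routed to a linked scanner.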

What to do next:

  • In the Remediation Scans folder on the Scans page:
    • View the scan status to determine when the scan completes.
    • Edit the scan configuration.
    • Change the read status of the scan results.
    • Launch the scan.
  • Once the scan completes:
    1. On the Vulnerabilities page, search on the plugin.
    2. Verify that the status for the selected vulnerabilities is now Fixed on the assets that the remediation scan targeted.