Assessment Settings

You can use Assessment settings to configure how a scan identifies vulnerabilities, as well as what vulnerabilities are identified. This includes identifying malware, assessing the vulnerability of a system to brute force attacks, and the susceptibility of web applications.

Tip: When you configure a Tenable-provided scan template, you can modify only the settings included for the template type. When you create a user-defined template, you can modify a custom set of settings for your scan.

The Assessment settings include the following sections:

Mode

For certain templates, you can select a Mode that sets preconfigured assessment settings. The following table lists the templates that have preconfigured modes:

Template Available Modes

Basic Network Scan

Internal PCI Network Scan

  • Scan for known web vulnerabilities
  • Scan for all web vulnerabilities (quick)
  • Scan for all web vulnerabilities (complex)
  • Custom

The Tenable.io interface provides descriptions of each mode. To manually configure assessment settings, select Custom.

Assessment Settings

The following table includes the settings for the Advanced Network Scan template. Depending on the template you select, certain settings may not be available, and default values may vary.

General

The General section includes the following groups of settings:

Setting Default Value Description
Accuracy
Override Normal Accuracy Normal

In some cases, Tenable.io cannot remotely determine whether a flaw is present or not.

This setting has three options:

Normal: Tenable.io uses normal accuracy to report flaws. This option sets report paranoia between the other two options.

Avoid false alarms: Tenable.io does not report flaws when there is a hint of uncertainty about the remote host.

Paranoid (more false alarms): Tenable.io reports a flaw every time, even when there is doubt about the remote host being affected.

Perform thorough tests (may disrupt your network or impact scan speed) Disabled Causes various plugins to work harder. For example, when looking through SMB file shares, a plugin analyzes 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. By being more thorough, the scan is more intrusive and is more likely to disrupt the network, while potentially providing better audit results.
Antivirus
Antivirus definition grace period (in days) 0 Configure the delay of the Antivirus software check for a set number of days (0-7). The Antivirus Software Check menu allows you to direct Tenable.io to allow for a specific grace time in reporting when antivirus signatures are considered out of date. By default, Tenable.io considers signatures out of date regardless of how long ago an update became available (e.g., a few hours ago). You can configure this option to allow for up to 7 days before reporting them out of date.
SMTP
Third party domain

Tenable.io attempts to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

From address

The test messages sent to the SMTP server(s) appear as if the messages originated from the address specified in this field.

To address

Tenable.io attempts to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.

Brute Force

The Brute Force section includes the following groups of settings:

Setting Default Value Description
General Settings
Only use credentials provided by the user Enabled In some cases, Tenable.io can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable.io from performing these tests.
Oracle Database
Test default accounts (slow) Disabled Test for known default accounts in Oracle software.

SCADA

Setting Default Value Description
Modbus/TCP Coil Access

Modbus uses a function code of 1 to read coils in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message.

Start at Register

0

The register at which to start scanning.

End at Register 16 The register at which to stop scanning.
ICCP/COTP TSAP Addressing Weakness

The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values.

Start COTP TSAP 8 Specifies the starting TSAP value to try. Tenable.io tries all values between the Start and Stop values.
Stop COTP TSAP 8 Specifies the ending TSAP value to try. Tenable.io tries all values between the Start and Stop values.

Web Applications

The Web Applications section includes the following groups of settings:

Setting Default Value Description
Scan web applications Disabled By default, Tenable.io does not scan web applications. To edit the following settings, enable this setting.
General Settings
Use the cloud to take screenshots of public webservers

Disabled

This option enables Tenable.io to take screenshots to better demonstrate some findings. This includes some services (e.g., VNC, RDP) as well as configuration specific options (e.g., web server directory indexing). The feature only works for Internet-facing hosts, as the screenshots are generated on a managed server and sent to the Tenable.io scanner.

Tenable.io does not export screenshots with Tenable.io scan reports.

Use a custom User-Agent

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

Specifies which type of web browser Tenable.io impersonates while scanning.

Web Crawler
Start crawling from

/

The URL of the first page that is tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).

Excluded pages (regex) /server_privileges\.php <> log out

Specifies portions of the web site to exclude from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this field to: (^/manual) <> (\.pl(\?.*)?$).

Tenable.io supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).

Maximum pages to crawl

1000

The maximum number of pages to crawl.

Maximum depth to crawl

6

Limit the number of links Tenable.io follows for each start page.

Follow dynamically generated pages

Disabled

If selected, Tenable.io follows dynamic links and may exceed the parameters set above.

Application Test Settings
Enable generic web application tests Disabled Enables the following settings.
Abort web application tests if HTTP login fails Disabled If Tenable.io cannot log in to the target via HTTP, then do not run any web application tests.
Try all HTTP methods Disabled This option instructs Tenable.io to also use POST requests for enhanced web form testing. By default, the web application tests only use GET requests, unless you enable this option. Generally, more complex applications use the POST method when a user submits data to the application. When enabled, Tenable.io tests each script or variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.
Attempt HTTP Parameter Pollution Disabled When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while also supplying the same variable with valid content. For example, a normal SQL injecton test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.
Test embedded web servers Disabled Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.
Test more than one parameter at a time per form Disabled

This setting manages the combination of argument values used in the HTTP requests.

This setting has five options:

  • one valueTenable.io tests one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable.io would attempt
    /test.php?arg1=XSS&b=1&c=1, where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.
  • some pairs: This form of testing randomly checks a combination of random pairs of parameters. This is the fastest way to test multiple parameters.
  • all pairs (slow but efficient): This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it tests an attack string, variations for a single variable and then use the first value for all other variables. For example, Tenable.io would attempt /test.php?a=XSS&b=1&c=1&d=1 and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Tenable.io would never test for /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.
  • some combinations: This form of testing randomly checks a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Increasing the amount of combinations by three or more increases the web application test time.
  • all combinations (extremely slow): This method of testing checks all possible combinations of attack strings with valid input to variables. Where all pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.
Do not stop after first flaw is found per web page

per CGI

This setting determines when to target a new flaw. This applies at the script level. Finding an XSS flaw does not disable searching for SQL injection or header injection, but unless otherwise specified, there is at most one report for each type on a given port. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may be reported if the flaws were caught by the same attack.

This setting has four options:

  • per CGI: As soon as a flaw is found on a web page, Tenable.io switches to the next web page.
  • per port (quicker): As soon as a flaw is found on a web server by a script, Tenable.io stops and switches to another web server on a different port.
  • per parameter (slow): As soon as one type of flaw is found in a parameter of a CGI (e.g., XSS), Tenable.io switches to the next parameter of the same CGI, the next known CGI, or to the next port or server.
  • look for all flaws (slower): Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommend in most cases.
URL for Remote File Inclusion http://rfi.nessus.org/rfi.txt During Remote File Inclusion (RFI) testing, this setting specifies a file on a remote host to use for tests. By default, Tenable.io uses a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, you can use an internally hosted file for more accurate RFI testing.
Maximum run time (min) 5 This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given website. Scanning the local network for web sites with small applications typically completes in under an hour, however web sites with large applications may require a higher value.

Windows

The Windows section contains the following groups of settings:

Setting Default Value Description
General Settings
Request information about the SMB Domain Enabled

If enabled, domain users are queried instead of local users.

User Enumeration Methods

You can enable as many of the user enumeration methods as appropriate for user discovery.

SAM Registry Enabled Tenable.io enumerates users via the Security Account Manager (SAM) registry.
ADSI Query Enabled Tenable.io enumerates users via Active Directory Service Interfaces (ADSI). To use ADSI, you must configure credentials under Credentials > Miscellaneous > ADSI.
WMI Query Enabled Tenable.io enumerates users via Windows Management Interface (WMI).
RID Brute Forcing Enabled Tenable.io enumerates users via relative identifier (RID) brute forcing. Enabling this setting enables the Enumerate Domain Users and Enumerate Local User settings.
Enumerate Domain Users (available with RID Brute Forcing enabled)
Start UID 1000 The beginning of a range of IDs where Tenable.io attempts to enumerate domain users.
End UID 1200 The end of a range of IDs where Tenable.io attempts to enumerate domain users.
Enumerate Local User (available with RID Brute Forcing enabled)
Start UID 1000 The beginning of a range of IDs where Tenable.io attempts to enumerate local users.
End UID 1200 The end of a range of IDs where Tenable.io attempts to enumerate local users.

Malware

The Malware section contains the following groups of settings:

Setting Default Value Description
General Settings
Disable DNS resolution Disabled Checking this option prevents Tenable.io from using the cloud to compare scan findings against known malware.
Hash and Whitelist Files
Custom Netstat IP Threat List None

A text file that contains a list of known bad IP addresses that you want to detect.

Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments.

Provide your own list of known bad MD5 hashes None

A text file with one MD5 hash per line that specifies additional known bad MD5 hashes.

Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, the description appears in the scan results. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments.

Provide your own list of known good MD5 hashes None

A text file with one MD5 hash per line that specifies additional known good MD5 hashes.

Optionally, you can include a description for each hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description appears in the scan results. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments.

Hosts file whitelist None

Tenable.io checks system hosts files for signs of a compromise (e.g., Plugin ID 23910 titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames you want Tenable.io to ignore during a scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file.

Yara Rules
Yara Rules None

A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.

File System Scanning
Scan file system Disabled

If enabled, Tenable.io can scan system directories and files on host computers.

Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Windows Directories
Scan %Systemroot% Disabled Enables file system scanning to scan %Systemroot%.
Scan %ProgramFiles% Disabled Enables file system scanning to scan %ProgramFiles%.
Scan %ProgramFiles(x86)% Disabled Enables file system scanning to scan %ProgramFiles(x86)%.
Scan %ProgramData% Disabled Enables file system scanning to scan %ProgramData%.
Scan User Profiles Disabled Enables file system scanning to scan user profiles.
Custom Filescan Directories None A custom file that lists directories to be scanned by malware file scanning. List each directory on one line.
Linux Directories
Scan $PATH Disabled Enables file system scanning to scan $PATH.
Scan /home Disabled Enables file system scanning to scan /home.
MacOS Directories
Scan $PATH Disabled Enables file system scanning to scan $PATH.
Scan /Users Disabled Enables file system scanning to scan /Users.
Scan /Applications Disabled Enables file system scanning to scan /Applications.
Scan /Library Disabled Enables file system scanning to scan /Library.