Discovery Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Discovery settings in the scan. You can only modify these settings in the related user-defined template.

The Discovery settings relate to discovery and port scanning, including port ranges and methods.

Certain Tenable-provided scanner templates include preconfigured discovery settings.

If you select the Custom preconfigured setting option, or if you are using a scanner template that does not include preconfigured discovery settings, you can manually configure Discovery settings in the following categories:

Host Discovery
Port Scanning
Service Discovery
Identity

Host Discovery

By default, some settings in the Host Discovery section are enabled. When you first access the Host Discovery section, the Ping the remote host option appears and is set to On.

Setting	Default Value	Description
Ping the Remote Host	On	If set to On, the scanner pings remote hosts on multiple ports to determine if they are alive. Additional options General Settings and Ping Methods appear. If set to Off, the scanner does not ping remote hosts on multiple ports during the scan. Note: To scan VMware guest systems, Ping the remote host must be set to Off.
Scan Unresponsive Hosts	Disabled	Specifies whether the Nessus scanner scans hosts that do not respond to any ping methods. This option is only available for scans using the PCI Quarterly External Scan template.
General Settings
Use Fast Network Discovery	Disabled	When disabled, if a host responds to ping, Tenable Vulnerability Management attempts to avoid false positives, performing additional tests to verify the response did not come from a proxy or load balancer. These checks can take some time, especially if the remote host is firewalled. When enabled, Tenable Vulnerability Management does not perform these checks.
Ping Methods
ARP	Enabled	Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.
TCP	Enabled	Ping a host using TCP.
Destination Ports (TCP)	Built-In	Destination ports can be configured to use specific ports for TCP ping. This specifies the list of ports that are checked via TCP ping. Type one of the following: built-in, a single port, or a comma-separated list of ports. For more information about which ports built-in specifies, see the knowledge base article.
ICMP	Enabled	Ping a host using the Internet Control Message Protocol (ICMP).
Assume ICMP Unreachable From the Gateway Means the Host is Down	Disabled	Assume ICMP unreachable from the gateway means the host is down. When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When this option is enabled, when the scanner receives an ICMP Unreachable message, it considers the targeted host dead. This approach helps speed up discovery on some networks. Note: Some firewalls and packet filters use this same behavior for hosts that are up, but connected to a port or protocol that is filtered. With this option enabled, this leads to the scan considering the host is down when it is indeed up.
UDP	Disabled	Ping a host using the User Datagram Protocol (UDP). UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.
Maximum Number of Retries	2	Specifies the number of attempts to retry pinging the remote host.
Fragile Devices
Scan Network Printers	Disabled	When enabled, the scanner scans network printers.
Scan Novell Netware Hosts	Disabled	When enabled, the scanner scans Novell NetWare hosts.
Scan Operational Technology Devices	Disabled	When enabled, the scanner performs a full scan of Operational Technology (OT) devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor environmental factors and the activity and state of machinery. When disabled, the scanner uses ICS/SCADA Smart Scanning to cautiously identify OT devices and stops scanning them once they are discovered.
Wake-on-LAN
List of MAC Addresses	None	The Wake-on-LAN (WOL) menu controls which hosts to send WOL magic packets to before performing a scan. Hosts that you want to start prior to scanning are provided by uploading a text file that lists one MAC address per line. For example: 33:24:4C:03:CC:C7 FF:5C:2C:71:57:79
Boot Time Wait (In Minutes)	5 minutes	The amount of time to wait for hosts to start before performing the scan.

Port Scanning

The Port Scanning section includes settings that define how the port scanner behaves and which ports to scan.

Setting	Default Value	Description
Ports
Consider Unscanned Ports as Closed	Disabled	When enabled, if a port is not scanned with a selected port scanner (for example, the port falls outside of the specified range), the scanner considers it closed.
Port Scan Range	Default	Specifies the range of ports to be scanned. The supported ranges are: default — Instructs the scanner to scan approximately 4,790 commonly used ports specified in the nessus-services file. You can also combine the default keyword with other ports and port ranges. Note: You can convert the nessus-services file to a custom list of ports by performing four consecutive regular expression (regex) replace-all operations in a text editor that supports such operations: .\s+(\d+)\/(tcp\|udp)(\r\n\|\r\|\n) to $1\/$2, (\d+)\/(tcp\|udp) to $2:$1 tcp to T udp to U You can find the nessus-services file in the following directories, depending on your operating system: Linux — /opt/nessus/var/nessus/nessus-services Windows — C:\ProgramData\Tenable\Nessus\nessus\nessus-services macOS — /Library/Nessus/run/var/nessus/nessus-services all — Instructs the scanner to scan all 65,536 ports, including port 0. You cannot combine the all keyword with other ranges. A comma-separated list of ports (for example, 21,23,25,80,110), port ranges (for example, 1-1024,9000-9200* or 1-65535 to scan all ports but 0 and T:1-1024,U:300-500 or 1-1024,T:1024-65535,U:1025 to scan separate or overlapping TCP and UDP port ranges), or combinations thereof. If you disable the UDP, SYN, or TCP port scanner settings in the scan policy Discovery settings, those ports are not scanned despite what range of ports you specify. The UDP and TCP port scanner settings are disabled by default; the SYN port scanner setting is enabled by default.
Local Port Enumerators
SSH (netstat)	Enabled	When enabled, the scanner uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Linux-based systems and requires authentication credentials. To use this setting, you must first configure SSH Credentials.
WMI (netstat)	Enabled	When enabled, the scanner uses netstat to determine open ports while performing a WMI-based scan. In addition, the scanner: Ignores any custom range specified in the Port Scan Range setting. Continues to treat unscanned ports as closed if the Consider unscanned ports as closed setting is enabled. If any port enumerator (netstat or SNMP) is successful, the port range becomes all. To use this setting, you must first configure Windows Credentials.
SNMP	Enabled	When enabled, if the appropriate credentials are provided by the user, the scanner can better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.
Only Run Network Port Scanners if Local Port Enumeration Failed	Enabled	If a local port enumerator runs, all network port scanners will be disabled for that asset.
Verify Open TCP Ports Found By Local Port Enumerators	Disabled	When enabled, if a local port enumerator (for example, WMI or netstat) finds a port, the scanner also verifies that the port is open remotely. This approach helps determine if some form of access control is being used (for example, TCP wrappers or a firewall).
Network Port Scanners
TCP	Disabled	Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the targets, using a full TCP three-way handshake. If you enable this option, you can also set the Override Automatic Firewall Detection option.
SYN	Enabled	Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a SYN packet to the port, waits for SYN-ACK reply, and determines the port state based on a response or lack of response. If you enable this option, you can also set the Override Automatic Firewall Detection option.
Override Automatic Firewall Detection	Disabled	This setting can be enabled if you enable either the TCP or SYN option. When enabled, this setting overrides automatic firewall detection. This setting has three options: Use aggressive detection attempts to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network. Use soft detection disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device. Disable detection disables the firewall detection feature.
UDP	Disabled	This option engages the built-in Tenable Nessus UDP scanner to identify open UDP ports on the targets. Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the netstat or SNMP port enumeration options instead if possible.

Service Discovery

The Service Discovery section includes settings that attempt to map each open port with the service that is running on that port.

Setting	Default Value	Description
General Settings
Probe All Ports to Find Services	Enabled	When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option. Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects.
Search for SSL/TLS Based Services	On	Controls how the scanner tests SSL-based services. Caution: Testing for SSL capability on all ports may be disruptive for the tested host.
Search for SSL/TLS/DTLS Services (enabled)
Search for SSL/TLS On	Known SSL/TLS ports	Specifies which ports on target hosts the scanner searches for SSL/TLS services. This setting has two options: Known SSL/TLS ports All TCP ports
Search for DTLS On	None	Specifies which ports on target hosts the scanner searches for DTLS services. This setting has the following options: None Known DTLS ports All UPD ports
Identify Certificates Expiring Within x Days	60	When enabled, the scanner identifies SSL and TLS certificates that are within the specified number of days of expiring.
Enumerate All SSL/TLS Ciphers	True	When enabled, the scanner ignores the list of ciphers advertised by SSL/TLS services and enumerates them by attempting to establish connections using all possible ciphers.
Enable CRL Checking (Connects to the Internet)	False	When enabled, the scanner checks that none of the identified certificates have been revoked.

Identity

The Identity section allows you to enable or disable the collection of Active Directory data.

Note: This section is only applicable in Tenable One Enterprise environments.


General Settings
Collect Identity Data from Active Directory	Disabled	Enable this setting to allow Tenable Vulnerability Management to gather user, computer, and group objects from Active Directory. This setting requires that you specify an Active Directory user account for the scan. You also need to enable LDAPS on the Domain Controller that the scan is targeting.

General Settings

Collect Identity Data from Active Directory

Disabled

Enable this setting to allow Tenable Vulnerability Management to gather user, computer, and group objects from Active Directory.

This setting requires that you specify an Active Directory user account for the scan. You also need to enable LDAPS on the Domain Controller that the scan is targeting.