Configure Plugins in Tenable Vulnerability Management Scans
Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator
Required Scan Permissions: Can Configure
Required Template Permissions: Can Configure
Note: If a scan is based on a user-defined template, you cannot configure Plugin settings in the scan. You can only modify these settings in the related user-defined template.
Note: When Tenable adds new plugins to Tenable Vulnerability Management, the new plugins are automatically enabled if the entire plugin family they belong to is enabled in your scan policy template.
If you create a scan or user-defined template using the Tenable-provided Advanced Scan template, you can configure which security checks the scan performs by enabling or disabling plugins individually or by plugin family.
When you create and save a scan or user-defined template, it records all the plugins that are initially selected. When new plugins are received via a plugin update, the plugins are automatically enabled if the family with which the plugins are associated is enabled. If the family has been disabled or partially enabled, new plugins in that family are also automatically disabled.
Caution: The Denial of Service family contains some plugins that could cause outages on a network if the Safe Checks option is not enabled, in addition to some useful checks that do not cause any harm. The Denial of Service family can be used with Safe Checks to ensure that any potentially dangerous plugins are not run. However, Tenable recommends that you do not use Denial of Service family on a production network except during a maintenance window and when staff are ready to respond to any issues.
To configure plugins for a scan or user-defined template:
- Do one of the following:
- Create or edit a scan.
- Create or edit a user-defined template.
- In the left menu of the scan configuration page, click Plugins.
The Plugins page appears. This page contains a table of plugin families.
- Do one of the following:
- Filter the plugin families table by various attributes.
- Search the plugin families table by plugin family name. For more information on searching, see Tenable Vulnerability Management Tables.
- To enable or disable all the plugins in a plugin family, click the Status toggle in row for the plugin family.
- On — The scan includes the security checks associated with the plugin family.
- Off — The scan excludes the security checks associated with the plugin family.
- To enable or disable specific plugins for an individual plugin family:
- In the plugin families table, click the plugin family where you want to edit plugins. The plugin family plane appears.
(Optional) Click an individual plugin to review plugin details (Synopsis, Description, and Solution).
- For each plugin you want to enable or disable, select or clear the Status checkbox.
Click Save.
The Plugins page appears. In the plugin families table, Tenable Vulnerability Management updates the plugin family status as follows:
- On — If you enabled all plugins for the plugin family, the scan includes the security checks associated with the plugin family.
Off — If you disabled all plugins for the plugin family, the scan excludes the security checks associated with the plugin family.
Tip: Disabling a plugin family reduces the time and resources required to run the scan.
Mixed — If you enabled only some of the plugins for the plugin family, the scan includes only the enabled plugins. Mixed plugin families have a padlock icon that is locked or unlocked:
Locked — New plugins added to the plugin family via plugin feed updates are disabled automatically in the policy.
Unlocked — New plugins added to the plugin family via plugin feed updates are enabled automatically in the policy.
- Click Save to save your changes to the plugin family.
- Click Save to save your changes to the scan or user-defined template.