Scans
This topic provides an Overview, Requirements, Workflows, and FAQs regarding Tenable Vulnerability Management scanning.
Caution: Tenable occasionally performs maintenance on Tenable Vulnerability Management. To avoid performance issues, Tenable recommends not running or scheduling scans during maintenance windows. For current maintenance status and updates, see the Tenable Status page.
Note: For information about scanning in Tenable Web App Scanning, see the Tenable Web App Scanning Getting Started Guide.
Overview
Tenable Vulnerability Management allows you to scan your environment for vulnerabilities. Unlike Tenable Nessus and Tenable Security Center, Tenable Vulnerability Management is hosted in the cloud, and allows you to scan remotely with your Tenable Nessus scanners and Tenable Agents, or with Tenable's cloud scanners if you want to scan assets from an external network.
Tenable Vulnerability Management provides various Tenable Nessus Scanner and Tenable Agent scan templates that meet different business needs. Tenable Vulnerability Management provides four categories of scan templates: Vulnerability Scans, Configuration Scans, Tactical Scans, and Inventory Collection. You can view Tenable Vulnerability Management's complete offering of scan templates when you Create a Scan.
See the following sections to learn about the different scan template types. For information about specific scan templates, see Scan Templates.
Vulnerability Scans
Tenable recommends using vulnerability scan templates for most of your organization's standard, day-to-day scanning needs. Some of Tenable Vulnerability Management's most notable vulnerability scan templates are:
- Advanced Network/Agent Scan — The most configurable scan type that Tenable Vulnerability Management offers. You can configure this scan template to match any policy.
  Note: Advanced scan templates allow Tenable Vulnerability Management experts to scan more deeply using custom plugins, or faster or slower as required, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.
- Basic Network/Agent Scan — Use this template to scan assets with all of Tenable Vulnerability Management's current plugins enabled. This scan provides a quick and easy way to scan assets for all vulnerabilities.
- Credentialed Patch Audit (Tenable Nessus Scanner only) — Use this template with credentials that give the scanner direct access to the host; the scan authenticates to the target hosts and enumerates missing patch updates.
- Host Discovery (Tenable Nessus Scanner only) — Launch this scan to see what hosts are on your network, along with associated information such as IP address, FQDN, operating system, and open ports, if available. After you have a list of hosts, you can choose which hosts to target in a specific vulnerability scan.
  Tenable recommends that organizations that do not have a passive network monitor, such as Tenable Network Monitor, run this scan weekly to discover new assets on their network.
  Note: Assets identified by discovery scans do not count toward your license.
Configuration Scans
(Tenable Nessus Scanner only) Use configuration scans to check whether host configurations are compliant with various industry standards. Configuration scans are sometimes referred to as compliance scans. For more information about the checks that compliance scans can perform, see Compliance in Tenable Vulnerability Management Scans and SCAP Settings in Tenable Vulnerability Management Scans.
Tactical Scans
(Tenable Nessus Scanner only) Tactical scans are lightweight, timely scan templates that you can use to scan your assets for a particular vulnerability. Tenable frequently updates the Tenable Vulnerability Management Tactical Scans library with templates that detect the latest vulnerabilities of public interest.
Inventory Collection
(Tenable Agent only) Unlike standard Tenable Agent vulnerability scans, the Collect Inventory template uses Tenable's Frictionless Assessment technology to provide faster scan results and reduce the scan's system footprint. For more information, see Scan Templates.
Note: An asset that Tenable Vulnerability Management has performed inventory scanning on continues to report vulnerabilities until the asset ages out, even if the asset is offline.
Most of the Tenable Vulnerability Management scan templates are meant to create assessment scans: scans that find vulnerabilities on your assets. However, some of the scan templates, such as Host Discovery, allow you to create discovery scans: scans that find assets on your network. For more information about these scan methods, see Discovery Scans vs. Assessment Scans.
Requirements
To scan your internal assets with Tenable Vulnerability Management, you need to set up Tenable Nessus scanners and Tenable Agents. In addition to your own internal sensors, you can use Tenable's cloud scanners to scan assets outside of your network.
To view the Tenable Vulnerability Management system requirements, see System Requirements.
Workflows
Create and Launch a Scan
- Create a scan.
- Select a scan template that fits your needs:
  - Use a Tenable-provided Tenable Nessus Scanner template.
  - Use a Tenable-provided Tenable Agent template.
  - Create and use a user-defined template.
- Configure the scan: configure the scan settings available for your template. For information about scan targets, see Scan Targets.
- (Optional) To run a credentialed scan, configure credentials.
- (Optional) To run a compliance scan, select the compliance audits your scan includes.
- (Optional) If you are using an advanced scan template, select which plugins your scan includes.
- Launch the scan.
View and Manage Scans
- View your configured scans.
- View scan details and scan results for a specific scan.
- Manage scan folders.
- To analyze data across all your scan results, see Findings.
Refine Scanning Settings
- Use exclusions to restrict the scanning of specific hosts based on a selected schedule.
- Use target groups to set permissions on which hosts a user can scan.
- To understand scan distribution concepts such as scanner capacity, job queues, and how Tenable Vulnerability Management dispatches tasks, see Scan Distribution.
FAQs
What can Tenable Vulnerability Management scan?
Tenable Vulnerability Management can scan any network asset with a public-facing IP address, such as desktops, laptops, servers, storage devices, network devices, phones, tablets, virtual machines, and hypervisors.
How often should my organization scan?
Tenable recommends scanning your assets at least two times per week, or about every three days. However, other business and industry needs may require you to scan more often.
Tenable also recommends limiting the total number of scans running on your network. For example, you can reuse scheduled scans instead of creating new scans. This approach helps you avoid latency issues in the Tenable Vulnerability Management user interface.
What happens during a Tenable Vulnerability Management scan? What is the "lifecycle" of a Tenable Vulnerability Management scan?
There are four phases in the Tenable Vulnerability Management scan lifecycle. Depending on your organization, one person can perform the entire scan process, or several people can share the phases.
| Scan Phase | Description |
|---|---|
| 1. Configure the scan | Before you launch a scan, you have to create a scan configuration in Tenable Vulnerability Management. A scan's configuration determines various settings and parameters for a scan, and you can set up multiple scan configurations that meet different business needs. A scan configuration determines scan settings such as: Tenable Vulnerability Management provides various scan templates to create your scan configurations from. The scan templates vary in scope and depth; for example, the Advanced Network Scan allows you to customize all aspects of the scan, while Tenable Nessus Scanner Tactical Scans are tuned to detect specific vulnerabilities. To create a scan configuration, see Create a Scan. |
| 2. Launch the scan | Once you have created the scan configuration, you launch a scan that uses the new configuration. When you launch a scan from the user interface, Tenable Vulnerability Management breaks the scan job down into individual scan tasks. While this occurs, the scan shows as Initializing in the Tenable Vulnerability Management user interface. Next, Tenable Vulnerability Management assigns the scan tasks to the scan configuration's sensors. While this occurs, the scan shows as Pending in the Tenable Vulnerability Management user interface. To launch a scan, see Launch a Scan. |
| 3. Sensors scan your assets and Tenable Vulnerability Management processes the scan results | The sensors begin their scan task or tasks. Once the sensors complete their scan tasks, each sensor sends its scan data to Tenable Vulnerability Management, where it is processed and indexed into actionable scan results. While this occurs, the scan shows as Running in the Tenable Vulnerability Management user interface. Tip: A progress bar appears next to the status while a scan is running; it shows the percentage of completed scan tasks. |
| 4. View the results | The assigned sensors have completed the scan job, and Tenable Vulnerability Management has processed and indexed the results. Now the scan shows as Completed in the Tenable Vulnerability Management user interface, and you can select the scan from the scan table and view its results. For more information, see View Scan Details. |
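The lifecycle above is a small state machine: a scan job is split into tasks (Initializing), the tasks are handed to sensors (Pending), the sensors work and the results are indexed (Running, with a progress figure derived from completed tasks), and the scan becomes viewable (Completed). The following Python is an added example, not Tenable's code and not the product's API: it maps those status strings onto the page's phase numbers, computes the task-based progress figure, and polls a status source until the scan reaches a terminal state with a bound on the number of polls so a stuck scan cannot hang an automation job. The JSON field names (`info.status`, `tasks_total`, `tasks_done`) and the terminal states `canceled` and `aborted` are assumptions; the status source is a constructed in-memory simulation, so it runs offline.

```python
"""Scan lifecycle tracker (added example; not Tenable's code).

Maps the status strings from the lifecycle table (Initializing, Pending,
Running, Completed) onto phase numbers, derives the progress percentage
from per-task counts, and polls a status source until a terminal state.
The payload field names and extra terminal states are assumed, and the
status source below is a constructed simulation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Status string -> lifecycle phase number from the page's table.
PHASE_BY_STATUS: Dict[str, int] = {
    "initializing": 2,  # job being broken into scan tasks
    "pending": 2,       # tasks being assigned to sensors
    "running": 3,       # sensors scanning; results being indexed
    "completed": 4,     # results viewable
}
# States after which polling should stop (the non-completed ones are assumed).
TERMINAL = {"completed", "canceled", "aborted"}


@dataclass
class ScanStatus:
    status: str
    tasks_total: int = 0
    tasks_done: int = 0

    @property
    def phase(self) -> Optional[int]:
        """Lifecycle phase for this status, or None for an abnormal end state."""
        return PHASE_BY_STATUS.get(self.status)

    @property
    def progress(self) -> Optional[int]:
        """Percent of completed tasks; the page only shows this while Running."""
        if self.status != "running" or self.tasks_total <= 0:
            return None
        return 100 * self.tasks_done // self.tasks_total


def parse_status(payload: dict) -> ScanStatus:
    """Extract status and task counts from a JSON-like dict.

    Field names are hypothetical. Unknown statuses are rejected rather than
    silently treated as progress, so a renamed state surfaces as an error.
    """
    info = payload.get("info", {})
    status = str(info.get("status", "")).lower()
    if status not in PHASE_BY_STATUS and status not in TERMINAL:
        raise ValueError(f"unknown scan status: {status!r}")
    return ScanStatus(status, int(info.get("tasks_total", 0)), int(info.get("tasks_done", 0)))


def track_scan(poll: Callable[[], dict], max_polls: int = 100) -> List[ScanStatus]:
    """Poll until a terminal state and return every observed status in order.

    Stops after max_polls so a scan that never finishes cannot block the caller.
    """
    history: List[ScanStatus] = []
    for _ in range(max_polls):
        current = parse_status(poll())
        history.append(current)
        if current.status in TERMINAL:
            return history
    raise TimeoutError(f"scan still {history[-1].status!r} after {max_polls} polls")


def simulated_scan(n_tasks: int) -> Callable[[], dict]:
    """Constructed stand-in for a status endpoint.

    Walks one scan job through Initializing, Pending, Running (one task
    completing per poll) and Completed, then keeps returning the final state.
    """
    states = [{"info": {"status": "initializing"}}, {"info": {"status": "pending"}}]
    for done in range(n_tasks):
        states.append({"info": {"status": "running", "tasks_total": n_tasks, "tasks_done": done}})
    states.append({"info": {"status": "completed", "tasks_total": n_tasks, "tasks_done": n_tasks}})
    position = {"i": 0}

    def poll() -> dict:
        state = states[min(position["i"], len(states) - 1)]
        position["i"] += 1
        return state

    return poll


if __name__ == "__main__":
    for observed in track_scan(simulated_scan(4)):
        bar = "" if observed.progress is None else f" {observed.progress}%"
        print(f"phase {observed.phase}: {observed.status}{bar}")
```

In a real integration `poll` would wrap an HTTP call and sleep between calls; the tracking logic stays the same, and keeping `max_polls` finite is what turns a hung scan into an actionable error instead of a silent stall.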
How long does it take to complete a scan?
Tenable Vulnerability Management scan time can vary greatly based on the following variables:
| Variable | Impact on Scan Time | Impact Description |
|---|---|---|
| Scan configuration | High | Your scan configuration specifies the depth of your scan. In general, increasing the depth of your scan increases the total scan time. Consider the following when planning your scan depth: You can use Tenable-provided templates to perform both targeted and all-encompassing checks. You can create custom policies to customize all possible policy settings. |
| Scanner resources available | High | The number of IP addresses you can assess simultaneously via a network scan largely depends on two things: Increasing one or both of these factors is the fastest way to improve your rate of simultaneous assessment and overall scan time. However, large enterprise networks often have infrastructure or technology limitations that prohibit increasing these resources beyond a certain maximum. Your Tenable Nessus scanners should meet the hardware requirements, and exceeding the minimum requirements lets your scanners assess more targets faster. Note: You cannot modify some cloud scanner settings. |
| Type of assessment | Medium | You have various options available for assessing assets in your environment. While the correct scan configuration can vary depending on your environment, you should build the most efficient scan configuration for your organization's assets or environment. For example, use agents for remote systems that are not local to your scanners. |
| Number of live hosts | Medium | Scanning a dead host takes less time than scanning a live host. A range of IP addresses with few associated hosts takes less time to scan than a range of IP addresses with more hosts. You can choose to scan an entire range of IPs, or target specific ones, depending on the use case for that particular scan job. For more information, see General. |
| Target configurations | Medium | Scanning a locked-down system with few exposed network services takes less time than scanning a complicated target configuration. For example, a Windows server with a web server, database, and host intrusion prevention software takes more time to scan than a Windows 11 workstation. |
| Scanner proximity to targets | Medium | Tenable recommends placing your scanners close to your targets, connected with minimum latency (for more information, see the following Tenable blog article). Latency has an additive effect on every packet exchanged between a scanner and its target. The largest impacts tend to be network latency and simultaneous plugin checks. For example: |
| Time of day and week | Low | In many environments, there are periods of time where infrastructure load is higher. Scheduling assessments outside of these windows can improve scan performance. |
| Target resources | Low | The resources available to the scan target can impact scan time as well. A public-facing system (a system under load) takes longer to scan than an idle backup system. |
Real-world performance and practical impact of any particular configuration is highly dependent on your local environment. To achieve a certain scan time, Tenable recommends setting up the scan configuration, running the scan in your environment, and adjusting the configuration based on the results.
How many resources does Tenable Vulnerability Management scanning consume on the endpoint?
The amount of endpoint resources consumed depends on various factors, including:
- Scan policy configuration (thorough tests enabled, file content audits, etc.)
- Target operating system (Windows, Linux, network device, etc.)
- Target configuration (for example, minimal server installation versus average user workstation)
- Access level to target (credentialed versus non-credentialed)
- Method of assessment (Tenable Agent scanning versus network scanning with Tenable Nessus scanners)
The best way to measure this value for your environment is to configure and run a test scan with your desired scan configuration against an average system in your environment and monitor the system while the test scan runs.