Launch a Tenable Vulnerability Management Scan

In addition to configuring a scan's Schedule settings to launch the scan at scheduled times, you can launch a scan manually. You can only launch a new scan when the previous scan has the Completed, Aborted, or Canceled status (for more information, see Scan Status).

To launch a standard scan manually, see Launch a Scan. Alternatively, you can launch a rollover scan to scan the remaining targets of a previous scan that ended prematurely (for more information, see Launch a Rollover Scan). Finally, you can launch a remediation scan to run a follow-up scan against existing scan results (for more information, see Launch a Remediation Scan).

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

Launch a Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or Administrator

Required Scan Permissions: Can Control

Use the following steps to launch a scan manually. You can launch the scan using the targets as configured in the scan, or you can launch the scan with custom targets that override the configured targets.

To launch a scan:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Scans.

    The Scans page appears.

  3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

  4. In the Folders section, click a folder to load the scans you want to view.

    The scans table updates to display the scans in the folder you selected.

    For more information about scan folders, see Scan Folders.

  5. In the scans table, roll over the scan you want to launch.

    The action buttons appear in the row.

  6. Do one of the following:

    • To launch the scan using the targets as configured in the scan, click the Launch button in the row.
    • If you have previously launched the scan and want to use custom targets that override the configured targets:
      1. In the row, click the button.

        The Custom Launch Scan plane opens.

      2. In the Targets box, type a comma-separated string of targets.
      3. Click Launch.

    Tenable Vulnerability Management launches the scan.

    You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a Rollover Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or Administrator

Required Scan Permissions: Can Control

When you launch a rollover scan, the scan runs only against targets and hosts that Tenable Vulnerability Management did not scan previously. This happens when a scan ends before scanning all the assigned targets, which can occur when:

  • A user manually stops the scan

  • The scan times out due to the Scan Window setting

  • The scanner aborts scan tasks or does not initialize properly

In some cases, you may see Completed scans that you can perform rollover scans for. This indicates that even though all the assigned targets were scanned, some individual scan tasks may have failed.

Rollover scans allow you to achieve complete scan coverage for all your assets, and you can use the rollover feature to split up large, network-impacting scans. You can launch a rollover scan from the Scans page. In the scans table, Tenable Vulnerability Management marks each scan that you can launch a rollover scan for with the Rollover tag in the Name column.

To view the remaining targets that the rollover scan will run against, see Download Rollover Targets. If you want to restart the scan and rescan all the targets, see Launch a Scan.

Note: You cannot launch rollover Web Application scans.

To launch a rollover scan:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Scans.

    The Scans page appears.

  3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

  4. In the Folders section, click a folder to load the scans you want to view.

    The scans table updates to display the scans in the folder you selected.

    For more information about scan folders, see Scan Folders.

  5. In the scans table, roll over the scan you want to launch.

  6. In the row, click the More button.

    A menu appears.

  7. Click the Launch Rollover option.

    Tenable Vulnerability Management launches the rollover scan.

    You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a Remediation Scan

Required Tenable Vulnerability Management User Role: Standard, Scan Manager, or Administrator

Required Access Group Permissions: Can Scan

You can create a remediation scan to run a follow-up scan against existing scan results. A remediation scan evaluates a specific plugin against a specific scan target or targets where a vulnerability was present in your earlier active scan.

Remediation scans allow you to validate whether your vulnerability remediation actions on the scan targets have been successful. If a remediation scan cannot identify a vulnerability on targets where the vulnerability was previously identified, the system changes the status of the vulnerability to Fixed.

You can perform remediation scans for scan results from certain sensors only:

Sensor Type | Supported?
Tenable Vulnerability Management Cloud Sensor | yes
On-premises Tenable Nessus | yes
Tenable Nessus scanner for Amazon Web Services (AWS) | yes
Tenable Web App Scanning | no
Tenable Nessus Network Monitor | no
Tenable Nessus Agent | no

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

To launch a remediation scan:

  1. Set the scope for the remediation scan:

    Remediation Scan Scope: Action

    • All vulnerabilities on all affected assets: This scope is not supported.

    • All vulnerabilities on an individual asset: To set this scope:

      1. View asset details.
      2. On the Asset Details page, click the Vulnerabilities tab.

        The Vulnerabilities tab appears.

      3. In the upper-right corner, click the Actions button.

        The actions menu appears.

      4. In the actions menu, click Scan > Launch Remediation Scan.

    • All vulnerabilities on multiple assets: This scope is not supported.

    • An individual vulnerability on the top 500 affected assets: To set this scope:

      1. View vulnerability details.
      2. Click the Assets Affected tab.

        The assets table appears.

      3. In the upper-right corner, click the Actions button.

        The actions menu appears.

      4. Click Scan > Launch Remediation Scan.

    • An individual vulnerability on an individual asset: To set this scope:

      1. View vulnerability details.
      2. Click the Assets Affected tab.

        The assets table appears.

      3. In the assets table, select the checkbox for the asset you want to select.

        The action bar appears at the bottom of the page.

      4. In the action bar, click Scan > Launch Remediation Scan.

    • An individual vulnerability on multiple assets: To set this scope:

      1. View vulnerability details.
      2. Click the Assets Affected tab.

        The assets table appears.

      3. In the assets table, select the checkbox next to each asset you want to select.

        The action bar appears at the bottom of the page.

      4. In the action bar, click Scan > Launch Remediation Scan.

    • Multiple vulnerabilities on all affected assets: This scope is not supported.

    • Multiple vulnerabilities on an individual asset: To set this scope:

      1. View asset details.
      2. On the Asset Details page, click the Vulnerabilities tab.

        The Vulnerabilities tab appears.

      3. In the vulnerabilities table, select the checkbox next to each vulnerability you want to select.

        The action bar appears at the bottom of the page.

      4. In the action bar, click Scan > Launch Remediation Scan.

    • Multiple vulnerabilities on multiple assets: This scope is not supported.

    • An individual finding: To set this scope:

      1. View findings details for a host vulnerability finding or web application vulnerability finding.
      2. On the Findings Details page, in the upper-right corner, click the Actions button.

        The actions menu appears.

      3. In the actions menu, click Scan > Launch Remediation Scan.

    The Create a Scan - Remediation Scan page appears.

    Tenable Vulnerability Management automatically creates the remediation scan from the Tenable-provided Advanced Network Scan template and populates certain settings based on the assets and vulnerabilities you selected.

  2. On the Create a Scan page:

    1. Verify the settings that Tenable Vulnerability Management populated based on the vulnerabilities and assets you selected.
    2. Configure additional settings for the scan.

      The number of manual changes you must make depends on the plugins involved in the remediation scan.

    The following table defines the inherited and default values for settings in the remediation scan.

    Setting Category / Setting: Remediation Scan Value

    • Basic / Name: Specifies an editable scan name in the format "Remediation scan of plugin # number" where number is the number of the plugin that identified the vulnerability.

    • Basic / Folder: Cannot be configured. Remediation scans appear in the Remediation Scans folder only.

    • Basic / Scanner: Specifies the scanner that performs the scan.

      The scanner you select depends on the location of the targets included in the remediation scan. For example:

      • By default, this value is the cloud scanner for your geographical region (for example, US Cloud Scanner). However, a cloud scanner cannot scan non-routable IP addresses. If the scan targets include non-routable IP addresses, select a linked scanner instead.
      • Select a scanner group if you want to:
        • Improve scan speed by balancing the scan load among multiple scanners.
        • Rebuild scanners and link new scanners in the future without having to update scanner designations in scan configurations.

    • Basic / Network: (Required if the scanner is set to Auto-Select) Do one of the following:

      • If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing.
      • If your scans do not involve separate environments with overlapping IP ranges, retain the Default network.

    • Basic / Targets: Specifies the scan targets based on the assets you selected for the remediation scan.

    • Basic / User Permissions: Specifies default settings for the Advanced Network Scan template.

      By default, only you have access to the individual scan results for the remediation scan. The Default user permissions are set to No Access. If you want to share the remediation scan with other users, configure the user permissions.

    • Basic / Schedule: Cannot be configured. If you do not launch a remediation scan when you create it, you can launch the scan manually later.

    • Basic / all other settings: Specifies default settings for the Advanced Network Scan template.

    • Discovery / all: Specifies default settings for the Advanced Network Scan template.

      Note: The default Port Scan Range scans common ports only. If the plugins used in the remediation scan require specific ports, configure this setting for a range that includes those ports.

    • Assessment / all: Specifies default settings for the Advanced Network Scan template.

    • Report / all: Specifies default settings for the Advanced Network Scan template.

    • Advanced / all: Specifies default settings for the Advanced Network Scan template.

    • Credentials / all: By default, there are no credentials configured. If the plugins in the remediation scan require credentials, configure them in the remediation scan.

      Note: Remediation scans work best for un-credentialed network scan results. Use caution when running a remediation scan for a plugin that requires scan credentials. If you neglect to add scan credentials when required for a specific plugin, or if you type the credentials incorrectly, the system may identify the related vulnerabilities as fixed. In fact, the vulnerabilities do not appear in the scan results because the system could not complete the credentialed scan.

    • Compliance / all: By default, no compliance audits are configured. If the plugins in the remediation scan require compliance audit settings, configure the appropriate settings.

    • Plugins / limited: Specifies plugins limited to the following:

      • the plugins you selected for remediation scanning
      • any plugins on which the selected plugins are dependent

  3. Do one of the following:

    • If you want to save without launching the scan, click Save.

      Tenable Vulnerability Management saves the scan.

    • If you want to save and launch the scan immediately, click Save & Launch.

      Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.

      Tenable Vulnerability Management saves and launches the scan.
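
The Scanner setting above states that a cloud scanner cannot scan non-routable IP addresses and that a linked scanner is needed for such targets. The following added example (not part of the Tenable documentation or product) checks a comma-separated Targets string before launch. The function names, the sample targets, and the reading of "non-routable" as RFC 1918, loopback and link-local IPv4 space are assumptions.

```python
import ipaddress

# Assumption: "non-routable" means RFC 1918, loopback and link-local IPv4 space;
# the page does not define the term. IPv6 is out of scope here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample input (documentation addresses and a placeholder hostname).
SAMPLE = "203.0.113.10, 192.168.10.0/24, 10.0.0.5-10.0.0.9, app01.example.com"


def _to_networks(token):
    """Return the IPv4 networks a target token covers, or None if it is not IPv4."""
    try:
        if "-" in token:  # address range, e.g. 10.0.0.5-10.0.0.9
            first, last = (ipaddress.IPv4Address(p.strip()) for p in token.split("-", 1))
            return list(ipaddress.summarize_address_range(first, last))
        return [ipaddress.IPv4Network(token, strict=False)]  # single IP or CIDR
    except ValueError:
        return None  # hostname or malformed entry


def classify_targets(targets):
    """Split a comma-separated Targets string into routing buckets."""
    buckets = {"non_routable": [], "routable": [], "unresolved": []}
    for token in (t.strip() for t in targets.split(",")):
        if not token:
            continue
        nets = _to_networks(token)
        if nets is None:
            buckets["unresolved"].append(token)  # needs manual review
        elif any(n.overlaps(r) for n in nets for r in NON_ROUTABLE):
            buckets["non_routable"].append(token)
        else:
            buckets["routable"].append(token)
    return buckets


def needs_linked_scanner(targets):
    """True if any target touches non-routable space a cloud scanner cannot scan."""
    return bool(classify_targets(targets)["non_routable"])


if __name__ == "__main__":
    for bucket, items in classify_targets(SAMPLE).items():
        print(f"{bucket}: {items}")
    print("linked scanner required:", needs_linked_scanner(SAMPLE))
```

Entries in the unresolved bucket are hostnames or malformed tokens; resolve and review them separately, because their addresses are not known to this offline check.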

What to do next:

  • In the Remediation Scans folder on the Scans page:
    • View the scan status to determine when the scan completes.
    • Edit the scan configuration.
    • Change the read status of the scan results.
    • Launch the scan.
  • Once the scan completes:
    1. On the Vulnerabilities page, search on the plugin.
    2. Verify that the status for the selected vulnerabilities is now Fixed on the assets that the remediation scan targeted.