Launch a Scan

Required Scan Permissions: Can Control

In addition to configuring Schedule settings for a scan, you can manually run a scan.

You can launch the scan using the targets as configured in the scan. For Tenable Vulnerability Management scans, you can launch the scan with custom targets that override the configured targets.

The workflow for launching a remediation scan differs from the workflow described in this procedure. For more information, see the Launch a remediation scan steps at the end of this topic.

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

To launch a scan:

In the upper-left corner, click the button.

The left navigation plane appears.
In the left navigation plane, click Scans.

The Scans page appears.
Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.
In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.
In the scans table, roll over the scan you want to launch.
In the row, click the button.

A menu appears.
Do one of the following:
- To launch the scan using the targets as configured in the scan, click the Launch button.
- (Tenable Vulnerability Management scans only) If you have previously launched the scan and want to use custom targets that override the configured targets:
  1. Click the Custom Start button.
    The Custom Launch Scan plane opens.
  2. In the Targets box, type a comma-separated string of targets.
  3. Click Launch.
Tenable Vulnerability Management launches the scan.

You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a remediation scan

Required Access Group Permissions: Can Scan

Note: This feature is only available for Tenable Vulnerability Management scans.

You can create a remediation scan to run a follow-up scan against existing scan results. A remediation scan evaluates a specific plugin against a specific scan target or targets where a vulnerability was present in your earlier active scan.

Remediation scans allow you to validate whether your vulnerability remediation actions on the scan targets have been successful. If a remediation scan cannot identify a vulnerability on targets where Tenable Vulnerability Management previously identified the vulnerability, the system changes the status of the vulnerability to Fixed.

You can perform remediation scans for scan results from certain sensors only:

Sensor Type	Supported?
Tenable Vulnerability Management cloud	yes
On-premises Tenable Nessus	yes
Tenable Nessus scanner for Amazon Web Services (AWS)	yes
On-premises Tenable Web App Scanning	no
Tenable Nessus Network Monitor	no
Tenable Nessus Agent	no

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

To launch a remediation scan:

Set the scope for the remediation scan:

Remediation Scan Scope	Action
All vulnerabilities on all affected assets	Tenable Vulnerability Management does not support this scope.
All vulnerabilities on an individual asset	To set this scope: View asset details. On the Asset Details page, click the Vulnerabilities tab. The Vulnerabilities tab appears. In the upper-right corner, click the Actions button. The actions menu appears. In the actions menu, click Launch Remediation Scan.
All vulnerabilities on multiple assets	Tenable Vulnerability Management does not support this scope.
An individual vulnerability on the top 500 affected assets	To set this scope: View vulnerability details. Click the Assets Affected tab. The assets table appears. In the upper-right corner, click the Actions button. The actions menu appears. Click Launch Remediation Scan.
An individual vulnerability on an individual asset	To set this scope: View vulnerability details. Click the Assets Affected tab. The assets table appears. In the assets table, select the check box for the asset you want to select. The action bar appears at the bottom of the page. In the action bar, click Launch Remediation Scan.
An individual vulnerability on multiple assets	To set this scope: View vulnerability details. Click the Assets Affected tab. The assets table appears. In the assets table, select the check box next to each asset you want to select. The action bar appears at the bottom of the page. In the action bar, click Launch Remediation Scan.
Multiple vulnerabilities on all affected assets	Tenable Vulnerability Management does not support this scope.
Multiple vulnerabilities on an individual asset	To set this scope: View asset details. On the Asset Details page, click the Vulnerabilities tab. The Vulnerabilities tab appears. In the vulnerabilities table, select the check box next to each vulnerability you want to select. The action bar appears at the bottom of the page. In the action bar, click Launch Remediation Scan.
Multiple vulnerabilities on multiple assets	Tenable Vulnerability Management does not support this scope.

The Create a Scan - Remediation Scan appears.

Tenable Vulnerability Management automatically creates the remediation scan from the Tenable-provided Advanced Network Scan template and populates certain settings based on the assets and vulnerabilities you selected.

On the Create a Scan page:

Verify the settings that Tenable Vulnerability Management populated based on the vulnerabilities and assets you selected.
Configure more settings for the scan.
The number of manual changes you must make depends on the plugins involved in the remediation scan.

The following table defines the inherited and default values for settings in the remediation scan.

Setting Category	Setting	Remediation Scan Value
Basic	Name	Specifies an editable scan name in the format "Remediation scan of plugin # number" where number is the number of the plugin that identified the vulnerability.
	Folder	Cannot be configured. Remediation scans appear in the Remediation Scans folder only.
	Scanner	Specifies the scanner that performs the scan. The scanner you select depends on the location of the targets included in the remediation scan. For example: By default, this value is the cloud scanner for your geographical region (for example, US Cloud Scanner). However, a cloud scanner cannot scan non-routable IP addresses. If the scan targets include non-routable IP addresses, select a linked scanner instead. Select a scanner group if you want to: Improve scan speed by balancing the scan load among multiple scanners. Rebuild scanners and link new scanners in the future without having to update scanner designations in scan configurations.
	Network	(Required if you set the scanner to Auto-Select) Do one of the following: If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing. If your scans do not involve separate environments with overlapping IP ranges, retain the Default network.
	Targets	Specifies the scan targets based on the assets you selected for the remediation scan.
	User Permissions	Specifies default settings for the Advanced Network Scan template. By default, only you have access to the individual scan results for the remediation scan. Tenable Vulnerability Management sets the Default user permissions to No Access. If you want to share the remediation scan with other users, configure the user permissions.
	Schedule	Cannot be configured. If you do not launch a remediation scan when you create it, you can launch the scan manually later.
	all other settings	Specifies default settings for the Advanced Network Scan template.
Discovery	all	Specifies default settings for the Advanced Network Scan template. Note: The default Port Scan Range scans common ports only. If the plugins used in the remediation scan require specific ports, configure this setting for a range that includes those ports.
Assessment	all	Specifies default settings for the Advanced Network Scan template.
Report	all	Specifies default settings for the Advanced Network Scan template.
Advanced	all	Specifies default settings for the Advanced Network Scan template.
Credentials	all	By default, there are no credentials configured. If the plugins in the remediation scan require credentials, configure them in the remediation scan. Note: Remediation scans work best for un-credentialed network scan results. Use caution when running a remediation scan for a plugin that requires scan credentials. If you neglect to add scan credentials when required for a specific plugin, or if you type the credentials incorrectly, the system may identify the related vulnerabilities as fixed. In fact, the vulnerabilities do not appear in the scan results because the system could not complete the credentialed scan.
Compliance	all	By default, Tenable Vulnerability Management does not configure compliance audits. If the plugins in the remediation scan require compliance audit settings, configure the appropriate settings.
Plugins	limited	Specifies plugins limited to the following: the plugins you selected for remediation scanning any plugins on which the selected plugins are dependent

Do one of the following:
- If you want to save without launching the scan, click Save.
  
  Tenable Vulnerability Management saves the scan.
- If you want to save and launch the scan immediately, click Save & Launch.
  
  Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.
  
  Tenable Vulnerability Management saves and launches the scan.

What to do next:

In the Remediation Scans folder on the Scans page:
- View the scan status to determine when the scan completes.
- Edit the scan configuration.
- Change the read status of the scan results.
- Launch the scan.
Once the scan completes:
1. On the Vulnerabilities page, search on the plugin.
2. Verify that the status for the selected vulnerabilities is now Fixed on the assets that the remediation scan targeted.