Non-reliable Nessus scan results
Do you perform massive unauthenticated vulnerability scans with Nessus? It might be a bad idea. It seems that Nessus is not reliable enough to assess hundreds and thousands of hosts in one scan and can lose some valuable information.
The thing is that sometimes Nessus does not detect open ports and services correctly. And without successful service detection it will not launch other vulnerability detection plugins (see Nessus Scan stages in my post about Tenable University). Scan results for the host will be empty, while in reality it may have some critical vulnerabilities that you simply will not see!
Upd. When you use Nessus only inside your corporate network, this might not be an issue for you. But if you deploy Nessus on some remote hosting to perform regular perimeter scans, emulating an attacker's actions, it's quite possible that you will face this kind of error, especially if Nessus and the scan targets are in different geographical locations and it takes many hops for Nessus to reach each target. If you use load balancers in your organisation to increase capacity and reliability of applications, this can also lead to errors.
Anyway, it’s good to know when Nessus was not able to detect services on some hosts, so that you do not rely on these scan results. Let’s see how we can figure this out.
So, I have one vulnerability scan task for 130 hosts. The scanning lasts 6-7 hours. I see a regular problem: Nessus does not make all the checks for some hosts.
For example, during the mass scan Nessus successfully detects open ports (“Nessus SYN scanner”, 11219), but does not detect the services (“Service Detection”, 22964).
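One way to find such hosts after a scan, as an added example that is not code from the original post: it reads a `.nessus` (NessusClientData_v2 XML) export and lists hosts that have "Nessus SYN scanner" (11219) results but no "Service Detection" (22964) results at all. The sample report, host addresses and the function name `hosts_without_service_detection` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SYN_SCANNER = "11219"        # "Nessus SYN scanner" (plugin ID from the post)
SERVICE_DETECTION = "22964"  # "Service Detection" (plugin ID from the post)

# Constructed sample in .nessus v2 layout; hosts and ports are made up.
SAMPLE = """<NessusClientData_v2><Report name="perimeter">
<ReportHost name="192.0.2.10">
  <ReportItem port="443" protocol="tcp" pluginID="11219" pluginName="Nessus SYN scanner"/>
  <ReportItem port="443" protocol="tcp" pluginID="22964" pluginName="Service Detection"/>
</ReportHost>
<ReportHost name="192.0.2.20">
  <ReportItem port="8080" protocol="tcp" pluginID="11219" pluginName="Nessus SYN scanner"/>
  <ReportItem port="22" protocol="tcp" pluginID="11219" pluginName="Nessus SYN scanner"/>
</ReportHost>
<ReportHost name="192.0.2.30"/>
</Report></NessusClientData_v2>"""


def hosts_without_service_detection(nessus_xml):
    """Return {host: sorted open ports} for hosts where ports were found
    open but Service Detection produced no output, so later plugins
    most likely never ran and the empty result cannot be trusted."""
    suspects = {}
    root = ET.fromstring(nessus_xml)  # parse only exports from your own scanner
    for host in root.iter("ReportHost"):
        open_ports = set()
        service_detected = False
        for item in host.iter("ReportItem"):
            plugin_id = item.get("pluginID")
            if plugin_id == SYN_SCANNER:
                open_ports.add(int(item.get("port", "0")))
            elif plugin_id == SERVICE_DETECTION:
                service_detected = True
        # Hosts with no open ports at all are not flagged: nothing to detect.
        if open_ports and not service_detected:
            suspects[host.get("name")] = sorted(open_ports)
    return suspects


if __name__ == "__main__":
    for name, ports in hosts_without_service_detection(SAMPLE).items():
        print(f"{name}: open ports {ports}, no Service Detection output; rescan")
```

Hosts flagged this way are candidates for a separate rescan before their results are treated as clean.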
Senior SecOps Engineer | Cloud Security | DevSecOps | VM
7y Arvin H.
Engineering Manager @ Workiva
7y Sasha, congratulations, your post set off a local firestorm over here
Director, Security Engineering at Tenable
7y Something is definitely not configured correctly. If you would like another pair of eyes on this, I'd be happy to help. I've only seen a scan for 130 hosts take that long when there is a problem.
This is suspect. If it’s taking 6-7 hours to run a Nessus scan on 130 hosts, something was misconfigured. (And that’s nowhere near “massive”.)