Troubleshooting long scan times in Tenable Security Center

I can never find this when I need it, so I am going to write up how I troubleshoot long scan times in Tenable Security Center. And if it helps you too, so be it. Usually when a Security Center scan takes forever, it’s because one or two hosts is responding much more slowly than the rest, holding up the entire scan. The scan won’t complete until every system finishes. Finding the slow hosts so you can troubleshoot them, or at least move them to their own scan, can help you keep the scan from dragging on forever.

Find slow scanning hosts with a Security Center asset list

To find slow scanning hosts, create a Security Center asset list that looks at the plugin output of Nessus plugin 19506 using POSIX regex. It’s hard to escape regular expressions when you work in security operations.

[Screenshot: slow scans in Tenable Security Center. Use a POSIX regex looking at the output of 19506 to find hosts that are taking a long time to scan.]

To create an asset list, log in to Tenable Security Center. Click Assets, then click the +Add button. From the Custom section, click Dynamic. Enter an appropriate name in the field labeled Name. I typically name it something like Slow Scan Hosts. Hover over the area titled Any of the following are true: and click Asset Definition > +Add Rule.

In the first drop-down box, select Plugin Text. Then, in the second drop-down box, select POSIX regex.

In the last field, titled where plugin ID is, type "19506", without the quotes.

Now let’s talk about what to enter in the field highlighted in blue in the screenshot above, because the full text doesn’t fit in the screenshot.

POSIX regex for plugin 19506 to find slow scanning hosts in Tenable Security Center

The magic happens in the POSIX regex that looks at the plugin output. I have it look for scan times of 3000 seconds or more, which works out to 50 minutes. In my experience, a healthy host generally takes less than 30 minutes to scan. Some people draw the line at 30 minutes for excessive scan times and others draw it at 60 minutes. But 50 minutes is convenient to write regex for, and it’s within that range, so I go with that. Here’s the regex code to type into the blue box from the screenshot above:

Scan duration : (([3-9][0-9]{3})|([1-9][0-9]{4,})) sec

If you’re good at regex, you can modify it to look for other durations if you wish.
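As an added example (not from the original post), here is a small Python script that checks the post's regex against constructed plugin 19506 output and generalizes it: the hypothetical helper duration_regex builds the same style of POSIX ERE for any threshold, so you can generate the 30-minute or 60-minute variant instead of hand-editing the character classes. The host names and plugin output below are constructed sample data.

```python
import re

# The post's POSIX regex for plugin 19506: scans of 3000 sec (50 min) or more.
SLOW_SCAN_REGEX = r"Scan duration : (([3-9][0-9]{3})|([1-9][0-9]{4,})) sec"


def duration_regex(min_seconds: int) -> str:
    """Build a POSIX ERE matching 'Scan duration : N sec' for any N >= min_seconds.

    Hypothetical helper, not part of the post. One alternative per digit position
    of the threshold, plus a catch-all for numbers with more digits; for 3000 it
    reproduces the post's expression exactly.
    """
    if min_seconds < 1:
        raise ValueError("threshold must be a positive number of seconds")
    digits = str(min_seconds)
    n = len(digits)
    last_nonzero = max(i for i, d in enumerate(digits) if d != "0")
    alternatives = []
    for i in range(last_nonzero + 1):
        d = int(digits[i])
        # Before the last non-zero digit we need a strictly larger digit; at that
        # digit an equal one suffices, since the trailing zeros are covered by [0-9].
        low = d if i == last_nonzero else d + 1
        if low > 9:
            continue
        digit_class = "9" if low == 9 else f"[{low}-9]"
        rest = n - i - 1
        tail = "" if rest == 0 else ("[0-9]" if rest == 1 else f"[0-9]{{{rest}}}")
        alternatives.append(f"({digits[:i]}{digit_class}{tail})")
    # Any number with more digits than the threshold is always larger.
    alternatives.append(f"([1-9][0-9]{{{n},}})")
    return f"Scan duration : ({'|'.join(alternatives)}) sec"


def slow_hosts(plugin_outputs: dict, pattern: str = SLOW_SCAN_REGEX) -> list:
    """Return the hosts whose 19506 output matches the pattern, sorted by name."""
    rx = re.compile(pattern)
    return sorted(h for h, text in plugin_outputs.items() if rx.search(text))


# Constructed sample 19506 output per host, trimmed to the duration line.
SAMPLE_19506 = {
    "web01": "Scan duration : 842 sec\n",
    "db02": "Scan duration : 3001 sec\n",
    "file03": "Scan duration : 12456 sec\n",
    "app04": "Scan duration : 2999 sec\n",
}

if __name__ == "__main__":
    print("slow (>=3000 sec):", slow_hosts(SAMPLE_19506))
    print("slow (>=1800 sec):", slow_hosts(SAMPLE_19506, duration_regex(1800)))
    print(duration_regex(1800))
```

The generated expressions use only bracket ranges, groups, alternation and bounds, the same ERE constructs the post's regex already relies on, so they can be pasted into the asset list rule unchanged.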

Troubleshooting hosts with long scan times

Now, when you pull up the asset list called Slow Scan Hosts, you’ll find systems that took longer than 50 minutes in their last scan. The immortal Packetchaos has some good suggestions at the end of his blog post For the Love of 19506 for plugins that can give insights into why hosts are slow. He starts with looking at plugins 12264, 10287, 45433, 56299, and 45432 on the slow scanning host.

Excessive numbers of hops in the plugin output of 12264 and 10287 suggest a scanner placement issue. See the next section for advice on that. If those are OK, use plugins 45433, 56299, and 45432 to look at the hosts themselves.

I’ll add one more thing. Sometimes a reboot is all it takes to speed those systems back up. The presence of plugin 35453 or 163103 in the system’s scan results is a telltale sign it needs a reboot anyway, but I’d request a reboot on that system during the next maintenance window either way.

If it’s not as simple as a reboot, export the informational plugins from that system, making sure to include the plugin output, then work with your system administrators to figure out why those systems are under such heavy load. If those systems bog down during Tenable scans, they are probably bogging down at other times as well.

What to do if all your hosts have long scan times

If all your hosts have long scan times, or an excessively large number of them do, then you may not have enough Nessus scanners or your Nessus scanners themselves may not have enough resources. That can get into a long rabbit hole, but here are some general rules to live by.

  • Make sure your Nessus scanners have 4 CPU cores, 8 GB RAM, and 50 GB of disk space
  • If using virtual infrastructure, make sure all your Nessus scanners have a dedicated network card
  • At the risk of sounding like a networking snob, Intel network cards give the best performance, followed by Broadcom, with Realtek a distant third
  • Have one Nessus scanner per 5,000 live hosts as a general rule
  • Avoid scanning between sites if possible. Instead, put Nessus scanners on site at each of your physical locations

While this borders on shadow IT, sometimes budgets require us to get… creative. A Dell Optiplex 3000-series desktop that’s obsolete because it can’t run Windows 11 still makes a good Nessus scanner running Tenable Core. The 3000-series models have nice Intel network cards in them, and as long as they have an i5 or i7 CPU, they have plenty of CPU cores. Nothing against HP or Lenovo, I just happen to be familiar with Optiplexes.

Better yet, work with the rest of your IT organization to repurpose some obsolete assets. An obsolete Dell Precision or HP Z workstation makes an excellent Nessus scanner, as these systems have server-grade components in them. Actual server hardware that’s outlived its usefulness for its original purpose will still make an excellent Nessus scanner as long as it meets the CPU requirements.

That said, if you only have a few slow scanning hosts, throwing more Nessus scanners at them won’t solve your problem.

Disclaimer

This blog post was not solicited by, approved by, or endorsed by Tenable, Inc.
