How does it work?
Our internal scanning is 'agent-based' – meaning you have to download software onto each machine that you wish to check for vulnerabilities. Once a scan has completed, the agent will send the results back to Intruder, and should we detect any weaknesses, you'll see them appear on your issues page.
What internal targets do you support?
We only support machines running Windows, Linux, or macOS.
How do I install the agent?
Using the in-app wizard, select whether you'd like to deploy a single agent or make use of mass deployment:
For single targets, you'll see this wizard:
If you choose mass deployment, you'll instead find the values you'll need to add to your script:
We also have some support articles and videos, should you need them:
Best practice recommendations
Timing
We recommend scanning desktop or laptop targets during working hours (preferably at the very start of the day), as the scan can take several hours to complete, depending on the target's file sizes, complexity, etc., and you don't want the machine going offline when the team clocks off.
For server-type targets that have high uptime, we're more concerned with system resourcing and so we'd recommend scheduling outside of working hours (when the demand will be lower).
Organising a large number of targets
Where you have a large number of targets, we'd recommend leveraging our tagging functionality. It can be especially helpful if you have teams in different time zones, as you can schedule scans to run during the appropriate local working hours.
Where can I find a list of all the internal checks?
You can find them on our checks page. Simply head to Dashboard > Checks > filter by Internal checks, and you'll see them all listed below.
How do I know when it was last scanned?
You can find this information in two places:
The Licenses page:
The target's detail page:
Last scan refers to the last time the target was successfully scanned (i.e. the target was responsive, and we were able to scan it for vulnerabilities).
License tells you what type of license it's consuming and when the license is due for release, which will be 30 days after you last kicked off a scan, regardless of whether the target was responsive or not.
What do the statuses mean?
You may have noticed an amber status under the Latest Activity column, like this:
These statuses give an insight into the current status of the installation or linking process.
Status Message | Meaning |
Ready | The agent is successfully installed and linked, and the target is ready to scan. |
Agent! | The target has been added to Intruder, but the agent needs to be installed and/or linked. |
Agent! | There is an issue with the agent. Confirm the agent is properly installed and linked. |
Having trouble with the installation?
If you're having issues with the installation, we recommend having a read of the troubleshooting article first and then contacting the team, who will be more than happy to help.
FAQs
Do you scan internal networks?
We don't scan internal networks in the traditional sense (via an appliance), but you can install an agent on any device that supports Windows, Linux, or macOS. (And if you're interested, we wrote a blog on why we think agents are superior to appliances when it comes to scanning internal devices.)
How many resources will the agent use?
Our scanners are designed to have minimal impact on your systems, but the local agent will consume some resources. If the target is resource-limited, it can have a minor impact on the target's performance.
The minimum requirements for the agent are a dual-core CPU with a speed >= 1GHz and 1GB or more of RAM. Provided these resource requirements are met, the scanner will not experience any issues (such as running out of memory or CPU capacity). That said, the agent will scan slightly slower if the target is at the lower end of the requirements, to try and avoid overwhelming your target.
Can you run the internal agent alongside Device Management tools?
Yes! Running the agent alongside an MDM or device management solution should be no problem at all. It could be worthwhile confirming that the device management platform will not interfere with the Nessus Agent service or prevent it from running at startup.
Does the agent have any display to the end user (e.g., in the tray)?
No, there's no tray icon or any visible UI. The agent runs silently as a background service.
Is the agent working in real time or on a set schedule?
The agent is a background service that periodically checks in with Tenable's server. When a scan is queued (either scheduled or triggered manually), the agent picks it up during one of these check-ins and runs it. Between scans, it's dormant. Scans can be scheduled daily (Enterprise/Vanguard), weekly, monthly, quarterly, or triggered on-demand at any time.
How long does a scheduled scan normally take?
For a single online device, expect around an hour under normal conditions. If a target is offline when a scan runs, the scanner will wait up to 12 hours for that agent to check in before giving up — at which point the scan ends with no findings published and the target is marked as unresponsive in the portal.
If an internal target is offline, will a scan run and report findings when the target reconnects?
No, if the machine doesn't come back online within the 12-hour window, the scan won't resume or report findings when it eventually reconnects. The scan would need to be re-run. The portal will show the target's status as either "active" or "unresponsive" based on the last completed scan, so you always have visibility on which endpoints were successfully scanned.
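A planning sketch added here (not Intruder's code) that combines the timing advice with the 12-hour wait and 30-day license rules described above, to predict which tag groups a single scan start time would actually reach. The tag names, fixed UTC offsets and Mon-Fri 09:00-17:00 online hours are constructed assumptions, and it models only whether the agent checks in within the window, not whether the scan finishes.

```python
from datetime import datetime, timedelta, timezone

WAIT_WINDOW = timedelta(hours=12)  # page: scanner waits up to 12 hours for a check-in
LICENSE_HOLD = timedelta(days=30)  # page: license released 30 days after scan kickoff

# Constructed fleet: tag -> fixed UTC offset in hours (assumption, ignores DST).
FLEET = {"emea-desktops": 0, "apac-desktops": 9, "amer-desktops": -8}


def next_online(kickoff, offset_h, start_h=9, end_h=17):
    """First instant at or after kickoff when a desktop is assumed online
    (Mon-Fri, start_h to end_h local time; hypothetical working pattern)."""
    tz = timezone(timedelta(hours=offset_h))
    local = kickoff.astimezone(tz)
    for day in range(8):  # a weekday always occurs within 8 days
        d = (local + timedelta(days=day)).date()
        if d.weekday() >= 5:  # Saturday or Sunday: machine is off
            continue
        opens = datetime(d.year, d.month, d.day, start_h, tzinfo=tz)
        closes = datetime(d.year, d.month, d.day, end_h, tzinfo=tz)
        if local < closes:
            return max(local, opens)
    raise RuntimeError("no working day found")


def plan(kickoff, offset_h):
    """Predict the outcome of a scan kicked off at `kickoff` (aware datetime)."""
    online = next_online(kickoff, offset_h)
    picked_up = online - kickoff <= WAIT_WINDOW
    return {
        # Assumes the machine then stays online long enough to finish the scan.
        "status": "active" if picked_up else "unresponsive",
        "pickup_utc": online.astimezone(timezone.utc) if picked_up else None,
        # The license clock starts at kickoff whether or not the target responds.
        "license_release": kickoff + LICENSE_HOLD,
    }


if __name__ == "__main__":
    kickoff = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)  # a Monday, constructed
    for tag, offset in FLEET.items():
        result = plan(kickoff, offset)
        print(f"{tag:15} {result['status']:13} pickup={result['pickup_utc']} "
              f"license_release={result['license_release']:%Y-%m-%d}")
```

With the constructed Monday 08:00 UTC kickoff, the APAC group first comes online 16 hours later and is predicted unresponsive, which is the case tag-based scheduling per time zone is meant to avoid.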
When an issue is found, does it update immediately or wait until the scan is complete?
The agent sends all findings back to the portal after the scan has fully completed, not incrementally during the scan.
Do internal agents update automatically?
Yes, agent updates are managed automatically. No action is required from end users or admins.
Note: Internal vulnerability scanning is available to anyone on the Pro, Enterprise, and Vanguard plans.










