Tenable Research Release Highlights

Forum Discussion

rmoody
Product Team
20 days ago

Improvement to Printer OS Fingerprinting

Summary

Scanned printers will now have an OS artefact surfaced in their scan host metadata if the target has been identified as a printer when the “Scan Network Printers” policy option is disabled. 

This change will not cause any additional asset licenses to be consumed within Tenable VM or Tenable Security Center.

Background

Printers are notoriously unstable scan targets. Oftentimes, they can behave erratically when scanned, so some users prefer to avoid scanning them altogether. At present, there is a switch in the scan policies to prevent further scanning of a host when it's identified as a printer. To enable this setting, go to Settings -> Host Discovery -> Fragile devices -> Scan Network Printers (currently, this is a checkbox setting, default value “off”).

With that said, how can the scanner know the target is a printer if it cannot be scanned? In reality, the scanner still performs very basic fingerprinting (usually via SNMP) in order to gather enough information to make an educated guess at the device type. When the scan target is thought to be a printer, it essentially gets marked as “Host/dead” in the scan KB. When this happens, the scanner will not perform any further active scanning.

Changes

With this update, the fingerprint used to identify the printer as such will now be stored in the scan Knowledge Base (KB) so it can be processed by os_fingerprint2.nasl ("Post-scan OS Identification", plugin ID 83349) and surfaced as metadata in the scan result.

The relevant policy setting, located at Settings -> Host Discovery -> Fragile devices -> Scan Network Printers, now has two options when enabled:

  1. Surface Printer OS only: The printer will be marked as dead and only the OS information gathered from fingerprinting will be surfaced (default option when setting is not enabled).
  2. Full Network Scan: The printer will not be marked as dead and a full scan will be performed, as if this were any other device.

Impact

Users can now see the OS information for their printer devices that would have otherwise gone unreported if the scan is not configured to “Scan Network Printers”.

As plugin ID 83349 generates no plugin output, only an “operating-system” tag will be added to the scan result (and stored in an exported .nessus file). This information will be visible only in the “Host/Asset Details” section of the Tenable product UI, i.e.:

  • Tenable Nessus:
    • Scans -> [Folder] -> [Individual Scan Result] -> Host Details -> OS (sidebar)
  • Tenable Vulnerability Management:
    • Explore -> Assets -> [Asset] -> Details -> Operating System
    • Scans -> Vulnerability Management Scans -> [Individual Scan Result] -> Scan Details -> Asset Details -> Operating System
  • Tenable Security Center:
    • Analysis -> IP Summary -> [IP address] -> System Information -> OS
    • Scans -> Scan Results -> [Individual Scan Result] -> IP Summary -> [IP address] -> System Information -> OS

Note, we expect this information to surface mainly in individual scan results. It would only be present in cumulative asset details if a licensed asset already exists for the target in question. This update will not cause additional assets to be created or consume any additional licenses.

Affected Plugins

  • 83349 - os_fingerprint2.nasl
  • 11933 - dont_scan_printers.nasl
  • 22481 - dont_scan_settings.nasl

Targeted Release Date

Wednesday, March 4, 2026

1 Reply

  • paul_jacoby
    Connect Contributor IV

    Very timely - I just put in a case for a couple of printers that we see getting scanned despite being identified in 11936 OS Identification as "HP JetDirect Printer". Only one shows plugin 11933 "Do not scan printers". Both have port 9100 open and are prone to dumping lots of junk pages when touched by Tenable, even with 'Scan Network Printers = OFF' in scan policy.
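Added example, not part of the post or the reply above and not Tenable code: a small audit of an exported .nessus file that lists hosts whose "operating-system" tag names a printer and flags those that still show findings on a service port or lack plugin 11933. The sample export, its addresses and plugin ID 900001 are constructed, and matching on the substring "printer" is an assumption about how the OS string reads.

```python
import xml.etree.ElementTree as ET

SKIP_PLUGIN = "11933"  # dont_scan_printers.nasl, as listed under Affected Plugins

# Constructed sample in the .nessus v2 layout; hosts and findings are made up.
SAMPLE = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="192.0.2.10"><HostProperties>
  <tag name="operating-system">HP JetDirect Printer</tag></HostProperties>
  <ReportItem port="0" protocol="tcp" pluginID="11933" pluginName="Do not scan printers"/>
</ReportHost>
<ReportHost name="192.0.2.11"><HostProperties>
  <tag name="operating-system">HP JetDirect Printer</tag></HostProperties>
  <ReportItem port="0" protocol="tcp" pluginID="11936" pluginName="OS Identification"/>
  <ReportItem port="9100" protocol="tcp" pluginID="900001" pluginName="constructed finding"/>
</ReportHost>
<ReportHost name="192.0.2.20"><HostProperties>
  <tag name="operating-system">Linux Kernel 5.15</tag></HostProperties>
  <ReportItem port="22" protocol="tcp" pluginID="900001" pluginName="constructed finding"/>
</ReportHost>
</Report></NessusClientData_v2>"""


def audit_printers(nessus_xml, marker="printer"):
    """Map each host whose operating-system tag contains `marker` to its audit record."""
    # Intended for exports from your own scanner; parse untrusted XML with defusedxml.
    root = ET.fromstring(nessus_xml)
    result = {}
    for host in root.iter("ReportHost"):
        tag = host.find("HostProperties/tag[@name='operating-system']")
        os_name = (tag.text or "").strip() if tag is not None else ""
        if marker not in os_name.lower():
            continue
        items = host.findall("ReportItem")
        plugins = {i.get("pluginID") for i in items}
        # Port 0 carries host-level results; anything else means a service was probed.
        ports = sorted({int(i.get("port", "0")) for i in items} - {0})
        skipped = SKIP_PLUGIN in plugins
        result[host.get("name")] = {
            "os": os_name,
            "skip_plugin_fired": skipped,
            "ports_with_findings": ports,
            "review": (not skipped) or bool(ports),
        }
    return result


if __name__ == "__main__":
    for name, rec in audit_printers(SAMPLE).items():
        print(name, rec)
```

Hosts with `review` set to true are the ones to check against the policy's Scan Network Printers setting.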