Knowledge Base Article
Tenable Security Center - "Plugins Out of Sync" warning explained
Rule out third-party interference
If a scanner is repeatedly and persistently returning or stuck on a 'Plugins Out of Sync' or 'Updating Plugins' status, it is possible that plugin updates to the scanner are being interrupted or blocked. Common possible causes include:
- Scanner host restarting mid-update
- Issues or interference with the network connection between Nessus and TSC
- Antivirus or endpoint protection software blocking or modifying plugin files
As some Nessus plugins utilize known exploit techniques to check for vulnerabilities, they can be flagged as threats by antivirus or endpoint protection software. Ensure that all files, folders, and processes listed in the following documentation are explicitly allowed by any endpoint protection software on the scanner host: File and Process Allowlist (Tenable Nessus)
Additionally, confirm that there is no interference at the network level, and that plugin traffic to and from the scanner is not being blocked or altered by any intervening network device (such as an IDS/IPS, firewall, or proxy).
If the issue still occurs, follow the troubleshooting steps below.
Increase Scanner Timeout in TSC
On the TSC server, check the current Scanner Timeout settings by running the following commands. Run all commands on the TSC host as root or using sudo:
/opt/sc/support/bin/sqlite3 -header -table /opt/sc/application.db "select name,value from Configuration where name='ScannerStatusTimeout'"
Example output where the ScannerStatusTimeout limit is set to 120 (seconds):
+----------------------+-------+
| name | value |
+----------------------+-------+
| ScannerStatusTimeout | 120 |
+----------------------+-------+
To modify the value, and increase the limit (in this example to 300), run the following command:
/opt/sc/support/bin/sqlite3 /opt/sc/application.db "Update Configuration set value='300' where name='ScannerStatusTimeout'"
In some cases, more than 300 seconds may be needed. In very narrow-band scenarios (such as RF or single-channel ISDN), you may need to experiment with values up to the limit of 900 seconds.
Warning: Do not exceed 900 seconds (15 minutes). A longer timeout could cause an update loop, making TSC unstable.
Try to update the plugins for the affected scanner again in the TSC interface.
Manually update the plugins on the affected scanner
Obtain plugin download URL
If you have root access on the TSC host, the plugin download URL can be obtained by running the following command:
PluginSubscriptionLogin=`/opt/sc/support/bin/sqlite3 /opt/sc/application.db 'SELECT value FROM Configuration WHERE name = "PluginSubscriptionLogin"'` && PluginSubscriptionPassword=`/opt/sc/support/bin/sqlite3 /opt/sc/application.db 'SELECT value FROM Configuration WHERE name = "PluginSubscriptionPassword"'` && echo -e '\nDownload URL:\n\nhttps://downloads.nessus.org/get.php?f=all-2.0.tar.gz&u='$PluginSubscriptionLogin'&p='$PluginSubscriptionPassword''
The output should be as follows:
https://downloads.nessus.org/get.php?f=all-2.0.tar.gz&u=e00036c8157ed2402d05491b1d90c5df&p=d7770d12a8acfeb28e5312b95b98a1bf
Navigate to the URL in a browser to download the all-2.0.tar.gz file.
If you do not currently have shell access on the TSC host, the plugin URL can be constructed with a diagnostic report. Continue reading below. Otherwise, jump to Updating the Scanner.
In order to perform this step, you will need to generate a TSC diagnostic report to obtain the plugin download site.
To download TSC diagnostics file:
- Log in to TSC as an admin user.
- In the top navigation, click System, then Diagnostics.
- Click Create Diagnostics file.
- Once it has been completed, click Download Diagnostics file.
In this example, we will use the information found in the sc-configuration.txt file in the diagnostic report. You will need to find the following:
- PluginActivationCode 'FTXX-67XX-C6XX-21XX-XXXX'
- PluginUpdateSite 'downloads.nessus.org'
- PluginSubscriptionStatus 'Valid'
- PluginSubscriptionLogin 'e00036c8157ed2402d05491b1d90c5df'
- PluginSubscriptionPassword 'd7770d12a8acfeb28e5312b95b98a1bf'
Note: The information above is an example only. This cannot be used for your downloads.
Once you have these values, combine them into a URL to download the all-2.0.tar.gz plugin update file.
- The URL is constructed using the following syntax:
https://<PluginUpdateSite>/get.php?f=all-2.0.tar.gz&u=<PluginSubscriptionLogin>&p=<PluginSubscriptionPassword>
- For example:
https://downloads.nessus.org/get.php?f=all-2.0.tar.gz&u=e00036c8357ed5102d02291b1d90c5df&p=d7770d12a8acfeb28e5312b95b98a1bf
Use this URL to download the all-2.0.tar.gz file.
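The URL construction above can be scripted so the subscription login and password are never typed by hand or left in shell history. This is an added example, not Tenable's code; the helper names (cfg_value, plugin_url, write_curl_config), the plugins.curlrc file name and the assumed line format of sc-configuration.txt are illustrative.

```shell
#!/bin/sh
# Added example, not Tenable's code. Assumes sc-configuration.txt holds one
# setting per line in the form  Name 'value'  as in the excerpt above.

# Constructed sample input using the article's example values (not real credentials).
sample_config() {
cat <<'EOF'
PluginActivationCode 'FTXX-67XX-C6XX-21XX-XXXX'
PluginUpdateSite 'downloads.nessus.org'
PluginSubscriptionStatus 'Valid'
PluginSubscriptionLogin 'e00036c8157ed2402d05491b1d90c5df'
PluginSubscriptionPassword 'd7770d12a8acfeb28e5312b95b98a1bf'
EOF
}

# cfg_value FILE NAME: print the quoted value of the first line that sets NAME.
cfg_value() {
    sed -n "s/^[[:space:]-]*$2[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# plugin_url FILE: print the download URL, or return 1 if a field is unusable.
plugin_url() {
    status=$(cfg_value "$1" PluginSubscriptionStatus)
    site=$(cfg_value "$1" PluginUpdateSite)
    login=$(cfg_value "$1" PluginSubscriptionLogin)
    pass=$(cfg_value "$1" PluginSubscriptionPassword)
    [ "$status" = "Valid" ] || { echo "subscription status: '$status'" >&2; return 1; }
    # Assumption: the site is a bare hostname and both tokens are alphanumeric,
    # as in the example; anything else is rejected rather than URL-encoded.
    case $site in ''|*[!A-Za-z0-9.-]*) echo "bad PluginUpdateSite" >&2; return 1 ;; esac
    for v in "$login" "$pass"; do
        case $v in ''|*[!A-Za-z0-9]*) echo "bad login or password" >&2; return 1 ;; esac
    done
    printf 'https://%s/get.php?f=all-2.0.tar.gz&u=%s&p=%s\n' "$site" "$login" "$pass"
}

# write_curl_config FILE OUT: store the URL in a new curl config file readable only
# by its owner, keeping the credentials out of shell history and the process list.
write_curl_config() {
    url=$(plugin_url "$1") || return 1
    rm -f "$2"
    ( umask 077 && printf 'fail\nurl = "%s"\noutput = "all-2.0.tar.gz"\n' "$url" > "$2" )
}
# Usage: write_curl_config sc-configuration.txt plugins.curlrc && curl -K plugins.curlrc
```

Delete plugins.curlrc after the download, since it contains the subscription credentials.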
Updating the Scanner
NOTE: The Nessus scanner will still need to be able to communicate directly with TSC. This only resolves issues with the initial plugin push.
Upload the all-2.0.tar.gz file to the Nessus scanner host, update with the acquired tarball, and edit the plugin_feed_info.inc in the /plugins directory:
- Linux
service nessusd stop
/opt/nessus/sbin/nessuscli update all-2.0.tar.gz
- FreeBSD
service nessusd stop
/usr/local/nessus/sbin/nessuscli update all-2.0.tar.gz
- Mac OS X
launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
/Library/Nessus/run/sbin/nessuscli update all-2.0.tar.gz
- Windows
Place the all-2.0.tar.gz file in C:\Program Files\Tenable\Nessus then run the following commands from an Administrator command prompt:
net stop "Tenable Nessus"
"C:\Program Files\Tenable\Nessus\nessuscli.exe" update all-2.0.tar.gz
Updating the plugin_feed_info.inc file
This is needed to ensure a feed error does not occur when logging into Nessus installed on a Linux or Windows host.
Add the following line to /opt/nessus/lib/nessus/plugins/plugin_feed_info.inc:
PLUGIN_FEED_TRANSPORT = "Tenable Network Security Lightning";
The end result should look similar to this:
PLUGIN_SET = "201705191930";
PLUGIN_FEED = "ProfessionalFeed (Direct)";
PLUGIN_FEED_TRANSPORT = "Tenable Network Security Lightning";
Rebuild the plugins
- Linux
/opt/nessus/sbin/nessusd -R
service nessusd start
- FreeBSD
/usr/local/nessus/sbin/nessusd -R
service nessusd start
- Mac OS X
/Library/Nessus/run/sbin/nessusd -R
launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
- Windows
"C:\Program Files\Tenable\Nessus\nessusd.exe" -R
net start "Tenable Nessus"
Once this has run to completion, update the status on TSC and allow up to 30 minutes for the scanners to reflect a working status.
Further troubleshooting
Since a stable, fast network connection between Tenable products is mandatory for them to function correctly, the following steps will help confirm whether the current connection between TSC and Nessus is sufficient to allow plugins to be transferred automatically.
- Construct the plugin download URL as described in "Putting the download URL together" in this guide. It will look similar to this:
https://downloads.nessus.org/get.php?f=all-2.0.tar.gz&u=e00036c8357ed5102d02291b1d90c5df&p=d7770d12a8acfeb28e5312b95b98a1bf
- Use curl to download the full plugin update to the TSC system and write it to a directory that is accessible over HTTP.
curl -v 'https://downloads.nessus.org/get.php?f=all-2.0.tar.gz&u=e00036c8357ed5102d02291b1d90c5df&p=d7770d12a8acfeb28e5312b95b98a1bf' -o /opt/sc/www/html/all-2.0.tar.gz
- Once the plugins have been downloaded to TSC, download them to the scanner from the HTTP accessible location. The plugin timeout was changed to 900 seconds (15 minutes) in Increase Scanner Timeout in TSC.
- *nix systems
curl -v -k 'https://myTSC/all-2.0.tar.gz' -o /tmp/all-2.0.tar.gz
- Windows
You can navigate to https://<TSC_IP>/all-2.0.tar.gz or run the following PowerShell command:
Invoke-WebRequest -Uri "https://myTSC/all-2.0.tar.gz" -Headers @{"Upgrade-Insecure-Requests"="1";}
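A transfer that was interrupted, or altered by an intervening proxy or IDS/IPS, can still leave a file named all-2.0.tar.gz on the scanner. The following added example (not Tenable's code; the function names and the constructed sample archive are illustrative) checks that a copy is a complete gzip tarball and that its digest matches the copy on TSC, and applies equally to the manual update described earlier before running nessuscli update.

```shell
#!/bin/sh
# Added example, not Tenable's code: check a copy of all-2.0.tar.gz before
# handing it to `nessuscli update`.

# archive_state FILE: print missing, not-gzip, damaged or ok.
archive_state() {
    [ -s "$1" ] || { echo missing; return 0; }
    # A gzip stream starts with bytes 1f 8b; an error or block page does not.
    magic=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "1f8b" ] || { echo not-gzip; return 0; }
    # gzip -t verifies the CRC and length trailer; tar -tzf reads every member header.
    if gzip -t "$1" 2>/dev/null && tar -tzf "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo damaged
    fi
}

# archive_sha256 FILE: print the SHA-256 digest in hex.
archive_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# same_archive REFERENCE_SHA256 FILE: succeed only if FILE is a complete archive
# whose digest equals the one computed on the host it was copied from.
same_archive() {
    state=$(archive_state "$2")
    [ "$state" = ok ] || { echo "$2: $state" >&2; return 1; }
    [ "$(archive_sha256 "$2")" = "$1" ] || { echo "$2: digest differs" >&2; return 1; }
}

# make_sample_archive DIR: build a small constructed tarball for a dry run.
make_sample_archive() {
    mkdir -p "$1/plugins" && echo 'constructed sample' > "$1/plugins/sample.nasl" &&
    tar -czf "$1/all-2.0.tar.gz" -C "$1" plugins
}
# Usage: on TSC      archive_sha256 /opt/sc/www/html/all-2.0.tar.gz
#        on scanner  same_archive <digest-from-TSC> /tmp/all-2.0.tar.gz
```

A not-gzip result usually means an HTML error or block page was saved in place of the archive, which points back to the network-level checks at the top of this article.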