Tenable discusses the Nessus 3 release, 2005-11-24
What type of extensions did you implement in the Nessus Attack Scripting Language?
Ron Gula: We added some capabilities to the language, like improved support of arrays. We also added some functions (like compression) which may come in handy some day. Finally, we have extended some of the existing functions to provide users with improved reporting in the future.
Will plugins written for Nessus 3 be compatible with the Nessus 2 engine?
Ron Gula: The majority of the plugins will, but a very restricted set which extend the audit spectrum of Nessus will probably work on Nessus 3 only. For instance, we do plan to use some of the newer features in Nessus 3 to offer "compliance" checks for Windows and UNIX servers. These checks can allow you to look at a known good Windows server, grab its policy and then use that as a template to scan all of your other servers for deviations. That check won't work on Nessus 2, and it will only be available to our 'direct feed' customers using Nessus 3.
Do you plan to start a program to reward security researchers that contribute NASL scripts?
Ron Gula: We do not have any official program like that. You should also realize we have many people offer us zero-day NASL checks for money, but we don't engage in those sorts of business models. However we will soon announce a "contest" to reward Nessus users who work with us to improve the accuracy of the scans.
What are the plans for the registered plugin feed, currently free and 7-days delayed?
Ron Gula: We're simplifying the licenses:
- The direct feed will include support from Tenable for Nessus 3. For $1200/year, that is a very good deal.
- The registered feed can be used for commercial services whereas today there are two separate registered feed licenses.
- We're not making any changes to the content or delay or whatever. The registered feed is basically all vulnerability checks available after 7 days.
How does Nessus 3 fight false positives?
Ron Gula: Nessus 3 or Nessus 2 are not the places to fight false positives. Tenable pays very close attention to the NASL checks we produce, feedback from the user community, Tenable's customers, MSPs using Nessus, etc. With close to 10,000 checks, it's simply not possible to test every combination of a potential server patch level, configuration and network/OS environment. We do extensive QA on the NASLs we produce, and even more on the NASLs submitted by the community.
Nessus 3 will have the ability to perform packet capture on the packets involved for a specific check. This makes it easier to diagnose a false positive reported by anyone.
We also have completed a major audit of the plugins. The truth is that out of all the plugins, a very restricted subset would produce false positives, and we believe we have fixed most of those.
Some of the OSes and applications tested by NASL scripts are open source, some aren't. Do you think that open source software gives you any advantage to fight false positives and to improve Nessus efficiency?
Ron Gula: Actually, it's quite the opposite. If there is a flaw in Apache tomorrow, then many distributions won't upgrade to the newest version of Apache, but will backport the patch instead. This means that we now have to deal with dozens of different flavors of Apache, all claiming to be of one version when they really are custom.
Conversely, if tomorrow there is a flaw in IIS, we'll only have to deal with the version(s) distributed by Microsoft, which is a much more restricted set. That's much easier for us.
Since Nessus 3 is closed source, you will be the only team of developers that could port it to another platform. Which OSes do you plan to support and which hardware architectures?
Ron Gula: The main ones, but you have to realize, we get requests to port Nessus to platforms like Red Hat 6 which are now part of 'embedded' solutions. Those are mostly commercially funded projects, yet they don't want to pay for support in an open source project as their "IP" is now out in the wild.
Nessus 3 will initially be available for Red Hat, Fedora, SuSE, Debian and FreeBSD. We will have Nessus 3 for Windows and Mac OS X very shortly. You should realize that we've been making NeWT (basically Nessus for Windows) available for free to most people but with a limit of only scanning the local network. There are about 20k people using it like this today. Nessus 3 for Windows is basically NeWT, with our modification for Nessus 3 -- and we are removing the feature of only scanning your local network. We had previously been selling a version of NeWT Pro that costs $6000 and now we'll be giving away the same sort of thing at no cost.
Do you plan to support Solaris or OpenSolaris, and other architectures besides x86 (x86_64, sparc, sparc64, CPUs used in embedded systems, ...)?
Ron Gula: We're planning on supporting Solaris, but have not announced specific architectures or which versions we will support. Most likely it will be Solaris 10 and Solaris 9 on x86/sparc architectures.
Our development process allows us to switch architectures very easily, so if there was a huge demand for an x86_64 or Linux/PPC version of Nessus tomorrow, we'd have the ability to make and QA binaries for this architecture in a short amount of time.
