Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

File-based Discovery

Log in to subscribe to topics and get notified when content changes.

File-based Discovery

File-based Discovery helps you identify what software is running on your Windows and UNIX servers and devices, even if there is no registration information available. You can then manage and maintain records of your software licenses, check for unlicensed files, detect forbidden or damaged files, and help evaluate any threats from unwanted files.

Required plugins

The File-based Discovery [com.snc.discovery.file_based_discovery] plugin is required for file signature filtering. Your Discovery subscription includes this plugin, but you must request activation. Once the File-based Discovery plugin is active, the Software Asset Management - File Signature Normalization [com.snc.file_signature_normalization] plugin will also be activated. For more information on the File Signature Normalization plugin, see File Signature Normalization.

How File-based Discovery works

File-based Discovery enhances the pre-existing discovery of installed software. It scans target servers for a known list of file signatures and processes those files with an established set of rules. The resulting data enhances the identification of installed software and identifies unregistered software products.

File-based Discovery is triggered in the exploration phase of normal Discovery. File-based Discovery probes execute a scan searching for specific file extensions or file names in paths that you configure. The resulting file information is returned in the probe payload. The sensor attempts to match the discovered files with installed software, using the file name, size, and version returned by the probe. File-based Discovery uses file signatures to detect software that might not have been registered. This information is then stored in the File Information [cmdb_file_information] table with a reference to the CI of the server. You can view the files found from each CI in a related list on this table. For more information, see Related Lists of CI components.

When Software Asset Management Professional (SAMP) is active, if any file matches a software product, Discovery populates the Product and Publisher information for that file. Use this information to understand what software is running on your server and to help evaluate any threats from unwanted files. Discovery uses lists of known file signatures for Windows and UNIX to constrain the scope of the search. The filtering process for Windows and UNIX hosts is executed differently because their signature lists differ greatly in size. The much smaller UNIX signature list is included with the Unix - File Discovery probe and processed directly on the target. The Windows signature list is much larger and cannot be processed on the target. The Windows - File Discovery probe scans the target for specific file extensions and paths and returns these results to the MID Server. The MID Server performs file signature filtering using the entire Windows list. The MID Server then sends all file information back to the instance for normalization and matching.

If SAMP is active on the instance, File-based Discovery creates or updates identified software products in the Software Installation [cmdb_sam_sw_install] table and updates the licenses of matched software packages. Without SAMP, no software records are created and only the file information goes into the File Information [cmdb_file_information] table.
Figure 1. File-based Discovery filtering flow
File-based Discovery filtering flow
File-based Discovery inserts any file not matched by the normalization API into the Unidentified File Set [cmdb_unidentified_file_set] table. You can update the records in this table and provide additional details for previously unidentified files. If you provide values for the Product and Publisher fields for a file, settings in SAMP can enable File-based Discovery to use that file for installed software matching in future discoveries.
Note: You can disable File-based Discovery at any time by changing the setting in the Discovery Configuration Console. If you disable File-based Discovery before scan results are returned, the file data is ignored.
Figure 2. File-based Discovery table schema
File-based Discovery table schema
Note: File-based Discovery supports Windows and UNIX devices. The UNIX probe is POSIX-compliant and should run on any Linux/Solaris server. We support Windows versions 2008, 2008R2, 2012R2, 2016, 2019, and above with PowerShell 3.0 and above. We also support AIX versions 5.3, 6.1, and 7.1 and HP/UX 8.11.

Run File-based Discovery

Run File-based Discovery to find all of your installed software whether it is registered or not. You can enable and configure File-based Discovery at any time using the Discovery Configuration Console.

Before you begin

Role required: admin

Procedure

  1. Set up the PowerShell script.
    By default, the filebaseddiscovery.ps1 script has a ServiceNow signature. Its certificate chain resolves up to the VeriSign Universal Root Certification Authority which is trusted by Windows by default. Since PowerShell scripts are signed by ServiceNow publisher, add ServiceNow publisher to your trusted publisher repository.
    script certificate
    If your Execution Policy requires you to use your own certificate or if you need to make any changes to the script, re-sign the script.
    1. Navigate to the probe “Windows - File discovery.”
    2. Open the filebaseddiscovey.ps1 probe parameter.
    3. Copy the contents of the value field into a file.
    4. Make the necessary changes to the file and then remove the (old) signature block at the end of the file.
    5. Re-sign the script: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-authenticodesignature?view=powershell-6.

      After re-signing, the file should have a new signature block at the end of it.

    6. Copy the entire file contents and replace the old value in the filebaseddiscovery.ps1 probe parameter from step b.

      Windows File-based Discovery should now run using the updated signed script.

    If you are using anti-virus software, make sure to whitelist all of the ServiceNowWindows PowerShell scripts so the anti-virus software does not see it as a threat.
  2. Activate the File-based Discovery plugin.
  3. Enable and configure File-based Discovery.
    Using the Discovery Configuration Console, you can enable File-based Discovery as well as configure several components to find and manage all of your installed software.
    To avoid impacting performance for existing customers, File-based Discovery is disabled by default.
  4. Configure File-based Discovery scans.
    After Discovery runs and returns file information for a CI, it will not execute File-based Discovery again on that target until the interval has expired. Since there is a performance cost when File-based Discovery performs scans, it is important to determine how frequently to scan. However, choosing a more frequent interval than Monthly is not recommended due to performance considerations.
    1. Using the Discovery Configuration Console, expand Common and then enter the maximum number of files that you want to discover. NOTE: Increasing this value can impact performance.
    2. Select the Frequency that File-based Discovery runs on the CI. The default is set to Monthly.
    Note: File-based Discovery does not trigger until initial Content Data Service (CDS) synchronization occurs. CDS synchronization could take approximately 24 hours for the initial set of data to be synchronized from CDS. For more information see, File Signature Normalization.

Result

Your File-based Discovery should run based on the configurations set. You can then monitor the results using the Discovery Dashboard.
File-based Discovery reference information link File-based Discovery reference information
Feedback