File-based Discovery

  • Release version: Australia
  • Updated March 25, 2026

    File-based Discovery helps you identify what software is running on your Windows and UNIX servers and devices, even if there’s no registration information available. You can then manage and maintain records of your software licenses, check for unlicensed files, detect forbidden or damaged files, and help evaluate any threats from unwanted files.

    Required plugins

    The File-based Discovery [com.snc.discovery.file_based_discovery] plugin is required for file signature filtering. Your Discovery subscription includes this plugin, but you must request activation. Once the File-based Discovery plugin is active, the Software Asset Management - File Signature Normalization [com.snc.file_signature_normalization] plugin is also activated. For more information on the File Signature Normalization plugin, see File Signature Normalization.

    How File-based Discovery works

    File-based Discovery enhances the pre-existing discovery of installed software. It scans target servers for a known list of file signatures and processes those files with an established set of rules. The resulting data enhances the identification of installed software and identifies unregistered software products. For information about using Agent Client Collector for Visibility - Content to perform file-based discovery, see Discover java installation data using Agent Client Collector for Visibility - Content file-based discovery.

    File-based Discovery is triggered in the exploration phase of normal Discovery. File-based Discovery probes execute a scan searching for specific file extensions or file names in paths that you configure. The resulting file information is returned in the probe payload. The sensor attempts to match the discovered files with installed software, using the file name, size, and version returned by the probe. File-based Discovery uses file signatures to detect software that might not have been registered. This information is then stored in the File Information [cmdb_file_information] table with a reference to the CI of the server. You can view the files found from each CI in a related list on this table. For more information, see Related list of CI components.

    When Software Asset Management (SAM) is active, if any file matches a software product, Discovery populates the Product and Publisher information for that file. Use this information to understand what software is running on your server and to help evaluate any threats from unwanted files.

    Discovery uses lists of known file signatures for Windows and UNIX to constrain the scope of the search. The filtering process for Windows and UNIX hosts is executed differently because their signature lists differ greatly in size. The smaller UNIX signature list is included with the Unix - File Discovery probe and processed directly on the target. The Windows signature list is larger and can’t be processed on the target. The Windows - File Discovery probe scans the target for specific file extensions and paths and returns these results to the MID Server. The MID Server performs file signature filtering using the entire Windows list. The MID Server then sends all file information back to the instance for normalization and matching.

    If SAMP is active on the instance, File-based Discovery creates or updates identified software products in the Software Installation [cmdb_sam_sw_install] table and updates the licenses of matched software packages. Without SAMP, no software records are created and only the file information goes into the File Information [cmdb_file_information] table.

    You can enable SWID tags in the Discovery Configuration Console. When SWID tags are enabled, File-based Discovery populates the [cmdb_swid_tag] table with the SWID tag information. Information about the software installed on a particular machine includes name, file information, publisher, version, installed on, and content. The software_installation column in the [cmdb_swid_tag] table is a reference to the [cmdb_sam_sw_install] table.

    Note:

    The Base64 package is a prerequisite for scanning SWID tag files on any UNIX or Linux server using File-based Discovery.

    File-based Discovery inserts any file not matched by the normalization process into the Unidentified File Set [cmdb_unidentified_file_set] table. You can update the records in this table and provide additional details for previously unidentified files. If you provide values for the Product and Publisher fields for a file, settings in SAMP can enable File-based Discovery to use that file for installed software matching in future discoveries.

    You can disable File-based Discovery at any time by changing the setting in the Discovery Configuration Console. If you disable File-based Discovery before scan results are returned, the file data is ignored.

    Note:

    File-based Discovery supports Windows, UNIX, and macOS devices. The UNIX probe is POSIX-compliant and should run on any Linux/Solaris server. Discovery supports Windows versions 2008, 2008R2, 2012R2, 2016, 2019, and above with PowerShell 3.0–7. Discovery also supports AIX versions 5.3, 6.1, and 7.1 and HP/UX 8.11.

    File-based Discovery and Windows ADME are not supported on Windows with PowerShell 7. File-based Discovery fails with the following error message:

        Error(s) during file-based discovery: Unable to start background scan. System.Management.Automation.CommandNotFoundException: The term 'Invoke-WmiMethod' is not recognized as a name of a cmdlet, function, script file, or executable program.

    If you’re running File-based Discovery on Ubuntu version 20, modify the default Bourne shell (sh) to point to Bourne Again shell (bash).

    Version information is populated only for files whose version information is returned by the probes. Not all files have versions; files with extensions such as .exe and .jar do.
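
    The two UNIX prerequisites noted above (the Base64 package for SWID tag scanning, and sh pointing to bash on Ubuntu 20) can be checked on a target before a scan. The script below is an added example, not ServiceNow code; the function names and optional path arguments are hypothetical, and readlink -f assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: pre-flight checks for a UNIX/Linux target of File-based Discovery.
# Function names and the optional path arguments are hypothetical; the arguments
# let each check run against constructed files as well as the live system.

# sh_target [SH_PATH]: print the name of the binary that sh finally resolves to.
sh_target() {
    # readlink -f (GNU coreutils) follows the full symlink chain, e.g. /bin/sh -> dash
    resolved=$(readlink -f "${1:-/bin/sh}" 2>/dev/null) || return 1
    basename "$resolved"
}

# is_ubuntu20 [OS_RELEASE]: succeed if the os-release file describes Ubuntu 20.x.
is_ubuntu20() {
    f="${1:-/etc/os-release}"
    [ -r "$f" ] || return 1
    grep -q '^ID=ubuntu$' "$f" && grep -Eq '^VERSION_ID="?20\.' "$f"
}

# has_base64 [SEARCH_PATH]: succeed if a base64 executable is on the search path.
# The body is a subshell so the PATH change never leaks to the caller.
has_base64() (
    PATH="${1:-$PATH}"
    command -v base64 >/dev/null 2>&1
)

# preflight [SH_PATH] [OS_RELEASE] [SEARCH_PATH]: print each finding and return
# the number of problems found (0 means both prerequisites are met).
preflight() {
    problems=0
    if is_ubuntu20 "${2:-/etc/os-release}"; then
        target=$(sh_target "${1:-/bin/sh}") || target="unresolved"
        if [ "$target" != "bash" ]; then
            echo "FAIL: Ubuntu 20 with sh -> $target (expected bash)"
            problems=$((problems + 1))
        fi
    fi
    if ! has_base64 "${3:-$PATH}"; then
        echo "FAIL: base64 not found; SWID tag files cannot be scanned"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: target meets the UNIX prerequisites"
    return "$problems"
}
# On a target, call preflight with no arguments to check the live system.
```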