File-based Discovery

  • Release version: Yokohama
  • Updated March 25, 2026

    File-based Discovery helps you identify what software is running on your Windows and UNIX servers and devices, even if there’s no registration information available. You can then manage and maintain records of your software licenses, check for unlicensed files, detect forbidden or damaged files, and help evaluate any threats from unwanted files.

    Required plugins

    The File-based Discovery [com.snc.discovery.file_based_discovery] plugin is required for file signature filtering. Your Discovery subscription includes this plugin, but you must request activation. Once the File-based Discovery plugin is active, the Software Asset Management - File Signature Normalization [com.snc.file_signature_normalization] plugin is also activated. For more information on the File Signature Normalization plugin, see File Signature Normalization.

    How File-based Discovery works

    File-based Discovery enhances the pre-existing discovery of installed software. It scans target servers for a known list of file signatures and processes those files with an established set of rules. The resulting data enhances the identification of installed software and identifies unregistered software products.

    File-based Discovery is triggered in the exploration phase of normal Discovery. File-based Discovery probes execute a scan searching for specific file extensions or file names in paths that you configure. The resulting file information is returned in the probe payload.

    The sensor attempts to match the discovered files with installed software, using the file name, size, and version returned by the probe. File-based Discovery uses file signatures to detect software that might not have been registered. This information is then stored in the File Information [cmdb_file_information] table with a reference to the CI of the server. You can view the files found from each CI in a related list on this table. For more information, see Related list of CI components.

    When Software Asset Management (SAM) is active, if any file matches a software product, Discovery populates the Product and Publisher information for that file. Use this information to understand what software is running on your server and to help evaluate any threats from unwanted files.

    Discovery uses lists of known file signatures for Windows and UNIX to constrain the scope of the search. The filtering process for Windows and UNIX hosts is executed differently because their signature lists differ greatly in size. The smaller UNIX signature list is included with the Unix - File Discovery probe and processed directly on the target. The Windows signature list is larger and can’t be processed on the target. The Windows - File Discovery probe scans the target for specific file extensions and paths and returns these results to the MID Server. The MID Server performs file signature filtering using the entire Windows list. The MID Server then sends all file information back to the instance for normalization and matching.

    If SAMP is active on the instance, File-based Discovery creates or updates identified software products in the Software Installation [cmdb_sam_sw_install] table and updates the licenses of matched software packages. Without SAMP, no software records are created and only the file information goes into the File Information [cmdb_file_information] table.

    You can enable SWID tags in the Discovery Configuration Console. With SWID tags enabled, running File-based Discovery populates the [cmdb_swid_tag] table with the SWID tag information. Information about the software installed on a particular machine includes name, file information, publisher, version, installed on, and content. The software_installation column in the [cmdb_swid_tag] table is a reference to the [cmdb_sam_sw_install] table.
    Note:
    The Base64 package is a prerequisite for any UNIX or Linux server to scan SWID tag files using File-based Discovery.

    File-based Discovery inserts any file not matched by the normalization process into the Unidentified File Set [cmdb_unidentified_file_set] table. You can update the records in this table and provide additional details for previously unidentified files. If you provide values for the Product and Publisher fields for a file, settings in SAMP can enable File-based Discovery to use that file for installed software matching in future discoveries.

    You can disable File-based Discovery at any time by changing the setting in the Discovery Configuration Console. If you disable File-based Discovery before scan results are returned, the file data is ignored.

    Note:

    File-based Discovery supports Windows and UNIX devices. The UNIX probe is POSIX-compliant and should run on any Linux/Solaris server. Discovery supports Windows versions 2008, 2008R2, 2012R2, 2016, 2019, and above with PowerShell 3.0-5.1. Discovery also supports AIX versions 5.3, 6.1, and 7.1 and HP/UX 8.11.

    If you're running File-based Discovery on Ubuntu version 20, modify the default Bourne shell (sh) to point to Bourne Again shell (bash).

    Version information is populated only for files whose version information is returned by the probes. Not all files have versions. Files with extensions such as .exe and .jar have versions.
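
The two UNIX/Linux prerequisites noted above (the Base64 package for SWID tag scanning, and sh pointing to bash on Ubuntu version 20) can be checked on a target before a Discovery run. The following preflight script is an added example, not ServiceNow code; the function names are hypothetical, and it assumes `readlink -f` is available on the target.

```shell
#!/bin/sh
# Preflight for a UNIX/Linux target before File-based Discovery runs.
# Added example: function names are hypothetical, not ServiceNow's.

# True if the named command is available on PATH.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Print the name of the binary that a shell path finally resolves to,
# for example "dash" or "bash" for /bin/sh.
resolved_shell() {
    basename "$(readlink -f "$1")"
}

# True if the given sh path resolves to bash.
sh_is_bash() {
    [ "$(resolved_shell "$1")" = "bash" ]
}

# Run both checks against the given sh path.
# Returns the number of failed checks (0 means ready).
preflight() {
    sh_path=$1
    failures=0
    if have_cmd base64; then
        echo "ok:   base64 found (needed for SWID tag scanning)"
    else
        echo "FAIL: base64 not found; SWID tag files cannot be scanned"
        failures=$((failures + 1))
    fi
    if sh_is_bash "$sh_path"; then
        echo "ok:   $sh_path resolves to bash"
    else
        # The page states this requirement for Ubuntu version 20 only.
        echo "FAIL: $sh_path resolves to $(resolved_shell "$sh_path"), not bash (required on Ubuntu 20)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

preflight /bin/sh || echo "target needs changes before the next Discovery run"
```

On hosts other than Ubuntu version 20, a failed shell check is informational only, since the page states the bash requirement for that release alone.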