File-based Discovery

  • Release version: Zurich
  • Updated March 25, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of File-based Discovery

    File-based Discovery in ServiceNow enables you to identify software running on Windows, UNIX, and macOS servers and devices, even when registration information is absent. This capability supports managing software licenses, detecting unlicensed or forbidden files, and assessing potential security threats from unwanted files. It complements existing installed software discovery by scanning servers for known file signatures and applying rules to enhance software identification.

    Show full answer Show less

    Key Features

    • Plugin requirements: Activation of the File-based Discovery plugin is necessary, which automatically activates the Software Asset Management - File Signature Normalization plugin.
    • Discovery process: File-based Discovery runs during the exploration phase of normal Discovery, scanning for configured file extensions or names, and returns detailed file information.
    • Signature-based matching: Uses file name, size, and version to match discovered files with installed software, storing results in the File Information [cmdbfileinformation] table linked to the server CI.
    • Integration with Software Asset Management (SAM): When SAM is active, matches populate Product and Publisher fields, updating software installation records and licenses in the Software Installation [cmdbsamswinstall] table.
    • SWID tag support: Enables capturing and storing SWID tag data in the cmdbswidtag table to improve software identification accuracy, requiring the Base64 package on UNIX/Linux servers.
    • Platform-specific processing: UNIX signatures are processed directly on targets; Windows uses MID Server for signature filtering due to larger signature lists.
    • Unidentified files handling: Files not matched are stored in the Unidentified File Set [cmdbunidentifiedfileset] table, where you can add details to improve future matching.
    • Configurable and disable option: You can enable or disable File-based Discovery anytime through the Discovery Configuration Console.

    Supported Environments and Requirements

    • Supports Windows Server versions 2008 through 2019+ with PowerShell 3.0–5.1.
    • Supports UNIX systems including AIX 5.3/6.1/7.1, HP/UX 8.11, and POSIX-compliant Linux/Solaris servers.
    • For Ubuntu 20, the default shell must be set to bash for proper operation.
    • File version information is collected when available, typically for executables like .exe and .jar files.

    Practical Benefits for ServiceNow Customers

    • Improves visibility of installed and unregistered software on your infrastructure.
    • Enables more accurate software license management and compliance monitoring by integrating file-level discovery with SAM.
    • Helps identify and mitigate risks from unauthorized or damaged software files.
    • Facilitates ongoing software asset normalization and improved data quality with user updates on unidentified files.
    • Supports extensive platforms and integrates smoothly with existing Discovery and MID Server infrastructure.

    File-based Discovery helps you identify what software is running on your Windows and UNIX servers and devices, even if there’s no registration information available. You can then manage and maintain records of your software licenses, check for unlicensed files, detect forbidden or damaged files, and help evaluate any threats from unwanted files.

    Required plugins

    The File-based Discovery [com.snc.discovery.file_based_discovery] plugin is required for file signature filtering. Your Discovery subscription includes this plugin, but you must request activation. Once the File-based Discovery plugin is active, the Software Asset Management - File Signature Normalization [com.snc.file_signature_normalization] plugin is also activated. For more information on the File Signature Normalization plugin, see File Signature Normalization.

    How File-based Discovery works

    File-based Discovery enhances the pre-existing discovery of installed software. It scans target servers for a known list of file signatures and processes those files with an established set of rules. The resulting data enhances the identification of installed software and identifies unregistered software products. For information about using Agent Client Collector for Visibility - Content to perform file-based discovery, see Discover java installation data using Agent Client Collector for Visibility - Content file-based discovery.

    File-based Discovery is triggered in the exploration phase of normal Discovery. File-based Discovery probes execute a scan searching for specific file extensions or file names in paths that you configure. The resulting file information is returned in the probe payload. The sensor attempts to match the discovered files with installed software, using the file name, size, and version returned by the probe. File-based Discovery uses file signatures to detect software that might not have been registered. This information is then stored in the File Information [cmdb_file_information] table with a reference to the CI of the server. You can view the files found from each CI in a related list on this table. For more information, see Related list of CI components. When Software Asset Management (SAM) is active, if any file matches a software product, Discovery populates the Product and Publisher information for that file. Use this information to understand what software is running on your server and to help evaluate any threats from unwanted files. Discovery uses lists of known file signatures for Windows and UNIX to constrain the scope of the search. The filtering process for Windows and UNIX hosts is executed differently because their signature lists differ greatly in size. The smaller UNIX signature list is included with the Unix - File Discovery probe and processed directly on the target. The Windows signature list is larger and can’t be processed on the target. The Windows - File Discovery probe scans the target for specific file extensions and paths and returns these results to the MID Server. The MID Server performs file signature filtering using the entire Windows list. The MID Server then sends all file information back to the instance for normalization and matching.

    If SAMP is active on the instance, File-based Discovery creates or updates identified software products in the Software Installation [cmdb_sam_sw_install] table and updates the licenses of matched software packages. Without SAMP, no software records are created and only the file information goes into the File Information [cmdb_file_information] table.

    You can enable SWID tags in the Discovery Configuration Console. With SWID tag enabled, when running File-based Discovery, the SWID tag information then populates the [cmdb_swid_tag] table. Information about the software installed on a particular machine includes name, file information, publisher, version, installed on, and content. The software_installation column in the [cmdb_swid_tag] is a reference to the [cmdb_sam_sw_install] table.
    Note:
    Base64 package is a prerequisite for any UNIX or Linux servers to scan SWID tag files using File-based Discovery.

    File-based Discovery inserts any file not matched by the normalization process into the Unidentified File Set [cmdb_unidentified_file_set] table. You can update the records in this table and provide additional details for previously unidentified files. If you provide values for the Product and Publisher fields for a file, settings in SAMP can enable File-based Discovery to use that file for installed software matching in future discoveries.

    You can disable File-based Discovery at any time by changing the setting in the Discovery Configuration Console. If you disable File-based Discovery before scan results are returned, the file data is ignored.

    Note:

    File-based Discovery supports Windows, UNIX, and macOS devices. The UNIX probe is POSIX-compliant and should run on any Linux/Solaris server. Discovery supports Windows versions 2008, 2008R2, 2012R2, 2016, 2019, and above with PowerShell 3.0–5.1. Discovery also supports AIX versions 5.3, 6.1, and 7.1 and HP/UX 8.11.

    If you're running File-based Discovery on Ubuntu version 20, modify the default Bourne shell (sh) to point to Bourne Again shell (bash).

    Version information is populated only for the files with version information returned from probes. Not all files have versions. Files with extensions such as .exe, .jar, and so on, have versions.