Types of software scans

The scanner can search for different types of information to determine whether the software is installed or to measure its usage. Generally, all types of scans should be run regularly. However, you can choose to run different types of scans at different times or distribute the scan schedule over the computers in your environment to improve the performance of the import process.

Software discovery

Catalog-based scan

In this type of scan, the BigFix server creates scanner catalogs that are sent to the endpoints. Based on those catalogs, the scanner discovers exact matches and sends its findings to the server. Scanner catalogs do not include signatures that can be found based on the list of file extensions nor entries that are irrelevant for a particular operating system.

File system scan

In this type of scan, the scanner uses a list of file extensions to check whether any files with those extensions exist on the endpoints. Then, it returns the findings to the BigFix server where the discovered files are compared with the software catalog. If a particular file matches an entry in the catalog, the software is discovered.

The complete file extensions list is stored in the file_names_all.txt, file_names_unix.txt, and file_names_win.txt files located in the BigFix Inventory server configuration directory. Both catalog-based scanning and file system scanning work together as complementary methods. Some signatures are catalog-based, some are package-based, and some require file facts to work. There are also signatures that combine file facts with the package data. Catalog-based signatures work independently and can look up files on their own.

Collecting executable files based on application usage

9.2.8 Linux Solaris Starting from application update 9.2.8, the file system scan additionally reports files that are based on processes that have been run on the computers in your infrastructure, regardless of their extension. To view these files, you need to meet the following criteria:
  • The BigFix server and client are in version 9.5.5 or higher.
  • The operating system is Linux or Solaris.
  • Application Usage Statistics analysis is activated.
The reported files, with supplementing information such as path and size, are available on the Scanned File Data report and can be used to create custom discovery and use signatures for software components. If the process has been active at least once since the feature was turned on and the associated file exists on the computer, this file is displayed on the report.

This feature is enabled by default. To stop collecting information about the files, run the Disable Collecting Executable Files Based on Application Usage fixlet. In case you need to reactivate this feature, run the Enable Collecting Executable Files Based on Application Usage fixlet.

Note: Checksums collection (MD5 and SHA-256) for these files is not supported.

Outputs of the file system scan

The scan generates a full file system scan. The full file system scan includes information about all files that were discovered on the endpoint. The output is generated during every scan and uploaded to the BigFix server.

Package data scan
In this type of scan, the scanner searches the system registry to gather information about Windows and UNIX packages that are installed on the endpoints. Then, it returns the findings to the server where the discovered packages are compared with the software catalog. If a particular package matches an entry in the catalog, the software is discovered.
During the package scan, the package installation path and installation date are collected for Windows endpoints (Windows uninstall registry and Windows MSI). The Package Data and Software Classification Details panels show the installation date and installation path for the Windows endpoints. The REST API that supports the functionality are api/sam/raw_package_facts and /api/sam/unified/current/software. For more information on the APIs, refer to Retrieving raw package data and Unified Software API to combine package data and software instance data.
10.0.13 From version 10.0.13, the report shows installation path and installation date for Linux packages. Only installed Linux deb (DEB) and Linux rpm (RPM) are checked during the package scan.
In Linux disconnected scanner, the same shell scripting is used.
The 'Type' column in Package Data report for packages from disconnected scanner on Debian is shown as 'Deb' instead of 'CustomPackage'. The package_scan.xml.sg signature file for package data is no longer attached to the disconnected scanner results.

The following are the core paths for package scanning:

  • HKEY_CLASSES_ROOT\Installer\Products\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

The MSI path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData is accessed only when an additional information is needed, not as part of a comprehensive scan. Uninstall registry is the main path that the package scanner scans. If there are missing metadata, MSI paths are used.

For package information, refer to https://help.hcl-software.com/bigfix/11.0/BigFix_Scanner/BigFix_Scanner/developer/package_information.html.
Software identification tags scan

In this type of scan, the scanner searches for software identification tags that are delivered with software products. Then, it returns the findings to the BigFix server where the tags are processed. Based on the information that they contain, the software is discovered.

Additional scan capabilities

Application usage statistics

In this type of scan, the scanner gathers information about processes that are running on the endpoints. Then, it returns the findings to the BigFix server where the data is translated into usage statistics.

The usage data is first collected when the BigFix client is installed on an endpoint, and an application usage statistics is enabled. The statistics are displayed on the Metering Data report. When the processes are matched against usage signatures from the software catalog, or custom usage signatures, the statistics are available on the Software Classification panel.

9.2.11 Starting from application update 9.2.11, BigFix Inventory additionally collects application usage data in a new format.

Remember: By default, the usage scan is scheduled to run weekly to avoid performance issues. If you want to collect software usage on a daily basis, run the usage scan daily.
Resource utilization scan
In this type of scan, the scanner searches for software license metric tags that contain information about types of licenses that can be used by a product and their usage. The scanner returns its findings to the BigFix server where the tags are processed. Based on the information that they contain, the maximum usage of license metrics over the last 30 days and its trend value are calculated. For more information, see: Raw utilization of license metrics.
Tip: The scan collects information about license metrics that are reported by products which implemented the ISO/IEC 19770-4:2017 standard. Because the volume of the collected data might be large, do not run this scan if you do not want to monitor these metrics.
9.2.13 User information
In this type of scan, the scanner collects information about users of the specific software products that help calculate the usage of some license-based products. The results are shown on the All Metrics and Software Users reports. For more information, see: Available reports.
Scanning on Linux machines

The scanner script can be used for Linux package as well. The script checks only two package managers: RPM-based systems: Uses rpm -qa command and Debian-based systems: Uses dpkg-query -W command. The scanner does not access other package managers like YUM, APT, and Zypper, etc. It only uses the core RPM and DPKG APIs.