Configure the scanner
To configure the Snow Inventory Java Scanner, use the SnowInventoryJavaScanner element of the agent configuration file, snowagent.config.
The element has the following contents:
<SnowInventoryJavaScanner enabled="...">
  <SecurityLevel>...</SecurityLevel>
  <ImpersonationUser>...</ImpersonationUser>
  <JavaMsiIgnore>
    <Filename>...</Filename>
  </JavaMsiIgnore>
</SnowInventoryJavaScanner>
The available configurations are described in the following sections.
Enable the scanner
To enable the scanner, set the enabled setting to true. The agent will then run the scanner as part of the scanning process.
<SnowInventoryJavaScanner enabled="true">
Scanner security level
If the scanner is executed with elevated permissions, that is, as Administrator (Windows) or root (Linux, Unix, and macOS), you can configure the security level of the scanner by adding one of the following levels to the SecurityLevel element:
- LOW: Every Java executable found during the file system search will be treated as a secure (admin) path and the commands required to properly identify the installation will be executed in the same security context as the user executing the scan.
- MEDIUM: The Java executables found that are part of the administrator/root’s PATH environment variable will be treated as secure (admin) paths, and the commands required to properly identify the installation will be executed in the same security context as the user executing the scan. All the other Java executables will be treated as non-secure (non-admin) paths and the commands will be executed in a lower security context:
  - For Windows, the runas /trustlevel:0x20000 command will be used, which lowers the permissions to basic user.
  - For Unix, Linux, and macOS, the commands will be executed with the dedicated user defined in the ImpersonationUser element.
- HIGH: The Java executables found that are part of the administrator/root’s PATH environment variable will be treated as secure (admin) paths, and the commands required to properly identify the installation will be executed in the same security context as the user executing the scan. All the other Java executables will be treated as non-secure (non-admin) paths and will not be identified at this security level. The scanner's raw data will contain information that these installations are not identified due to the HIGH security level setting.
The default level is HIGH.
EXAMPLE
<SecurityLevel>MEDIUM</SecurityLevel>
<ImpersonationUser>javascan</ImpersonationUser>
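A check for the security-level settings described above, as an added example that is not part of the Snow documentation: it parses the scanner element and reports settings under which discovered Java executables run with the scanning user's privileges. The function name, the sample XML, and the rule that flags root as ImpersonationUser are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

DOCUMENTED_LEVELS = {"LOW", "MEDIUM", "HIGH"}

def audit_java_scanner(config_xml, unix_like=True):
    """Return (severity, message) findings for the SnowInventoryJavaScanner element."""
    root = ET.fromstring(config_xml)
    # iter() also yields the root itself, so a bare fragment can be checked too.
    node = next(root.iter("SnowInventoryJavaScanner"), None)
    if node is None:
        return [("info", "SnowInventoryJavaScanner element not present")]
    findings = []
    if node.get("enabled") != "true":
        findings.append(("info", 'enabled is not set to "true"'))
    level = node.findtext("SecurityLevel")
    level = "HIGH" if level is None else level.strip()  # documented default
    user = (node.findtext("ImpersonationUser") or "").strip()
    if level not in DOCUMENTED_LEVELS:
        findings.append(("error", f"SecurityLevel {level!r} is not LOW, MEDIUM or HIGH"))
    elif level == "LOW":
        findings.append(("high", "LOW: every Java executable found is run in "
                                 "the security context of the scanning user"))
    elif level == "MEDIUM" and unix_like:
        if not user:
            findings.append(("high", "MEDIUM needs ImpersonationUser on Unix, Linux and macOS"))
        elif user == "root":  # local policy assumption, not a documented rule
            findings.append(("high", "ImpersonationUser is root, so nothing is lowered"))
    return findings

# Constructed sample: the page's MEDIUM example inside the scanner element.
SAMPLE_MEDIUM = """<SnowInventoryJavaScanner enabled="true">
  <SecurityLevel>MEDIUM</SecurityLevel>
  <ImpersonationUser>javascan</ImpersonationUser>
</SnowInventoryJavaScanner>"""

# Constructed sample: LOW level, the setting the audit should flag.
SAMPLE_LOW = """<SnowInventoryJavaScanner enabled="true">
  <SecurityLevel>LOW</SecurityLevel>
</SnowInventoryJavaScanner>"""

if __name__ == "__main__":
    for name, xml in (("medium", SAMPLE_MEDIUM), ("low", SAMPLE_LOW)):
        print(name, audit_java_scanner(xml))
```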
MSI Enterprise JRE Installer detection
By default, the scanner considers the MSI Enterprise JRE Installer as being detected if any file matching the pattern *java*.msi is found during the file system search. To exclude certain file names from the search, you can add them to the JavaMsiIgnore element. The wildcard * can be used to match a sequence of characters in the specified file name.
EXAMPLE
<JavaMsiIgnore>
  <Filename>filename-1.msi</Filename>
  <Filename>java*.msi</Filename>
</JavaMsiIgnore>