CPM scanner parameters file (CACPMScanner.exe.config)

This topic describes the parameters in the CPM Scanner configuration file.

  • All parameters must be specified without spaces.

  • This file includes parameters that are not described in this topic. Edit only parameters that are defined in this topic.

Overview

During installation, the CPM Scanner configuration file, CACPMScanner.exe.config, is copied to the Scanner subfolder in the Password Manager installation folder.

All other CPM parameter files are configured in the PVWA interface. For more information, see Configure the system through PVWA.

CPM Scanner parameters

Configuration and management

Parameter

Description

VaultFile

Defines the full path name of the Vault configuration file of the Vault where the discovered accounts are onboarded.

Acceptable Values: Full path name

Default value: C:\Program Files (x86)\CyberArk\Password Manager\Vault\Vault.ini

ConfigurationCredentialFile

Defines the full path name of the user credentials file used to connect to the Vault.

Acceptable Values: Full path name

Default value: C:\Program Files (x86)\CyberArk\Password Manager\Vault\User.ini

Configure discovery filters

Parameter

Description

ADFilterAccountsInactiveDays

The number of days of inactivity after which a computer in Active Directory is excluded from the scan.

Acceptable Values: Positive number or -1 to disable filtering

Default Value: -1

AccountTypeScanFilter

The type of accounts that are scanned.

Acceptable Values:

  • Domain – Only domain users

  • Local – Only local users

  • All – Domain and local users

Default Value: All

AccountCategoryScanFilter (Scans Windows only)

The local groups that are scanned for accounts.

Acceptable Values:

  • Privileged – Administrators and Power Users

  • NonPrivileged – All other local groups

  • All – Both privileged and non-privileged local groups

Default Value: All

ScanScheduledTasks

Whether or not Scheduled Tasks are scanned for dependencies.

Acceptable Values: Yes/No

Default Value: Yes

ScanWindowServices

Whether or not Windows Services are scanned for dependencies.

Acceptable Values: Yes/No

Default Value: Yes

ScanHardCodedCredentialsInIIS

Whether or not IIS Application Pools and IIS Directory Security (Anonymous Access) are scanned for dependencies.

Acceptable Values: Yes/No

Default Value: Yes

ScanComPlus

Whether or not COM+ applications are scanned for dependencies.

Acceptable Values: Yes/No

Default Value: No

Optimize the CPM Scanner

Some of the parameters in this section are not included by default in the configuration file and must be added manually.

Parameter

Description

BundleTransaction

Determines whether or not communication between the scanner and the Vault is bundled. Do not change this parameter.

Acceptable Values: Yes/No

Default Value: Yes

MaxThreadNumber

Determines how many machines are scanned simultaneously during each discovery process. We recommend that you specify a number between 10 and 20.

Default value: 10

PingMachineBeforeScan

Whether or not the scanner pings the remote machine before scanning it. Add this parameter and its value manually to the configuration file.

Acceptable Values: Yes/No

Default Value: Yes

MachineScanTimeoutInMinutes

During a discovery scan, if there is an issue with one of the machines that stops the scan process, the Scanner will wait for the configured timeout before moving on to the next machine.

Acceptable Values: Timeout in number of minutes, 30 - 600

Default value: 60

Increase the default value when a machine may take more than 60 minutes to complete the scan.

Configure Logs

Parameter

Description

LogFolder

The path where the CACPMScanner log is stored.

Acceptable Values: Full path name

Default Value: C:\Program Files (x86)\CyberArk\Password Manager\Logs

ConsoleLogActive

Whether or not a console log is created when the CPM Scanner runs.

Acceptable Values: Yes/No

Default Value: Yes

TraceLogActive

Whether or not a trace log is created for each discovery process.

Acceptable Values: Yes/No

Default Value: Yes

TraceLogPath

The path where the trace log is created.

Acceptable Values: A folder under the Scanner subfolder of the Password Manager installation folder.

Default Value: \log

ConsoleLogPath

The path where the console log is created.

Acceptable Values: A folder under the Scanner subfolder of the Password Manager installation folder.

Default Value: \log

LogArchiveDirectory

The directory where the CACPMScanner log is archived after it reaches 200 MB.

Acceptable Values: Full path name.

Default Value: C:\Program Files (x86)\CyberArk\Password Manager\Logs\Archive
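
The following PowerShell check is an added example, not CyberArk's own code. It audits the parameters described in this topic against their documented acceptable and recommended values. It assumes the file stores settings in the standard .NET appSettings layout (add elements with key and value attributes), which this topic does not show; the function name Test-CpmScannerConfig and the sample XML are constructed for illustration.

```powershell
# Added example. Assumption: standard .NET <appSettings><add key="" value=""/> layout.
function Test-CpmScannerConfig {
    param([Parameter(Mandatory)][xml]$Config)

    $yesNo    = { param($v) $v -match '^(Yes|No)$' }
    $fullPath = { param($v) $v -match '^([A-Za-z]:\\|\\\\)' }   # drive-rooted or UNC path

    # Parameter name -> check derived from the tables in this topic.
    # Anchored patterns also reject values padded with spaces.
    $rules = @{
        VaultFile                     = $fullPath
        ConfigurationCredentialFile   = $fullPath
        LogFolder                     = $fullPath
        LogArchiveDirectory           = $fullPath
        ADFilterAccountsInactiveDays  = { param($v) $v -match '^(-1|[1-9]\d*)$' }
        AccountTypeScanFilter         = { param($v) $v -match '^(Domain|Local|All)$' }
        AccountCategoryScanFilter     = { param($v) $v -match '^(Privileged|NonPrivileged|All)$' }
        ScanScheduledTasks            = $yesNo
        ScanWindowServices            = $yesNo
        ScanHardCodedCredentialsInIIS = $yesNo
        ScanComPlus                   = $yesNo
        PingMachineBeforeScan         = $yesNo
        ConsoleLogActive              = $yesNo
        TraceLogActive                = $yesNo
        BundleTransaction             = { param($v) $v -eq 'Yes' }   # "Do not change this parameter"
        MaxThreadNumber               = { param($v) $v -match '^\d{1,4}$' -and [int]$v -ge 10 -and [int]$v -le 20 }
        MachineScanTimeoutInMinutes   = { param($v) $v -match '^\d{1,4}$' -and [int]$v -ge 30 -and [int]$v -le 600 }
    }

    foreach ($node in $Config.configuration.appSettings.add) {
        $key   = $node.GetAttribute('key')
        $value = $node.GetAttribute('value')
        $rule  = $rules[$key]            # keys not described in this topic are skipped
        if ($rule -and -not (& $rule $value)) {
            [pscustomobject]@{ Parameter = $key; Value = "[$value]"; Finding = 'Outside documented values' }
        }
    }
}

# Constructed sample input; for a real file use: [xml](Get-Content -Raw <path to CACPMScanner.exe.config>)
[xml]$sample = @'
<configuration><appSettings>
  <add key="VaultFile" value="C:\Program Files (x86)\CyberArk\Password Manager\Vault\Vault.ini" />
  <add key="AccountTypeScanFilter" value="Domain " />
  <add key="MaxThreadNumber" value="50" />
  <add key="MachineScanTimeoutInMinutes" value="10" />
  <add key="BundleTransaction" value="No" />
</appSettings></configuration>
'@
Test-CpmScannerConfig -Config $sample | Format-Table -AutoSize
```

MaxThreadNumber is checked against the recommended range of 10 to 20, so a finding for that parameter is advisory. Values are shown in brackets so that stray spaces are visible.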