---
title: "Using custom fingerprints"
---
<!-- licenses: community, platform -->

Customers running a ((self-hosted)) instance or using the standalone ((scanner)) have the ability to use custom-written fingerprints. This can be useful in adding new fingerprint coverage for very unique or custom assets and services, such as device prototypes or proprietary applications/services. Custom fingerprints can also be used to override existing, similar runZero fingerprints by using a same-or-higher certainty value.

<div class="alert alert-info">
<svg class="alert-icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg>
<div class="alert-body">
When using the runZero standalone scanner with custom fingerprints, you'll need to use the `RUNZERO_EXTERNAL_FINGERPRINTS` value as an environment variable when launching the scanner.
</div>
</div>

## Create new fingerprints {#custom-fingerprints-create}

Custom fingerprints follow the structure and format of the [open-source Recog fingerprint database](https://github.com/rapid7/recog). You can author your own fingerprint XML entries in files of similar name and format to [those found in Recog](https://github.com/rapid7/recog/tree/main/xml). For cases where an asset or service matches both a built-in runZero fingerprint and a custom fingerprint of the same kind, preference will be given to the fingerprint with higher "certainty" value(s) (e.g. `hw.certainty`, `os.certainty`, `service.certainty`). In the event of a certainty "tie" (i.e. same certainty value(s)), the custom fingerprint will be given preference.

## Add new fingerprints to your self-hosted runZero instance

To ensure the self-hosted instance of runZero can properly access your custom fingerprints, they will need to exist within the runZero installation directory ([/opt/runzero](docs/self-hosting.md#permissions) by default). The following steps will get your custom fingerprints setup for use by runZero:

* Create a new directory within the runZero install directory (e.g. `mkdir /opt/runzero/myfingerprints`)
* Update your `/etc/runzero/config` file with the new directory location (see below)
* Copy your custom fingerprint XML files into the new directory (e.g. `cp *.xml /opt/runzero/myfingerprints`)

The `/etc/runzero/config` file needs to be updated with the location of your custom fingerprints directory, which you can do by using your favorite editor to add the following line to the end of your config file (swapping `myfingerprints` with the name of the directory you added):

```
RUNZERO_EXTERNAL_FINGERPRINTS=myfingerprints
```

Note that you only need to do the directory creation and update of `/etc/runzero/config` file once. After that, you can add, remove, or modify your custom fingerprints in the directory as needed and then restart the runZero application to reload the current custom fingerprints.

## Restart the runZero service {#custom-fingerprints-restart}

The runZero self-hosted instance will need to be [restarted](docs/self-hosting.md#restart-the-runzero-service) when custom fingerprints are added, removed, or updated. On restart, the runZero log file can be monitored to verify if the custom fingerprints were successfully applied or if an error occurred. On successful load of custom fingerprints, a log message like the following should be present:

```
@cee:{"level":"info","msg":"loaded (5) external fingerprints","time":"2022-09-12T19:51:49Z"}
```

If issues are encountered when loading or processing custom fingerprints, or if a 10 second timeout is reached, a warning message will be logged and the runZero application will continue running without any custom fingerprints.

## Verify your fingerprints {#custom-fingerprints-verify}

Once your custom fingerprints have been added to your self-hosted runZero instance and the instance restarted, you can verify that the custom fingerprints are performing as-expected in one of the following ways:

* Running a scan task to go scan a relevant asset/service, or
* Importing an existing scan data file of the relevant asset/service

Following completion of the scan task OR the import of scan data, depending on which method you chose, you can then navigate to a [specific asset](https://console.runzero.com/inventory) or [specific service](https://console.runzero.com/inventory/services) and verify that your custom fingerprints are acting as-expected.