Exploring Antivirus Scanning

  • Release version: Yokohama
  • Updated January 30, 2025

    Use Antivirus Scanning to help protect your instance against virus infections that can be introduced by file attachments to your system records, such as incidents, problems, and stories.

    Antivirus Scanning scans file attachments stored in your attachment [sys_attachment] table to help protect users from uploading and downloading infected files. All the document types supported by the Platform are scanned by Antivirus Scanning.

    If Antivirus Scanning is enabled, all file attachments in the Attachments table [sys_attachment.do] are scanned by default.

    The Antivirus Protection plugin (com.glide.snap) is activated and enabled by default on your instance. As an administrator, you can deactivate and reactivate the Antivirus Scanning feature across your instance at the switch of a toggle, set configuration options, and review antivirus activity on the instance.

    Note:
    • Antivirus Scanning is also available for customers in the Government Community Cloud (GCC) and commercial environments.

      GCC users must set the com.glide.snap.fed_enable_scan property to true to start using the feature.

      Commercial users must set com.glide.snap.enable_scan to true.

    • HTTP and HTTPS communication protocols are supported.
    • Edge-encrypted files are excluded from this scan.
    • Antivirus definitions are updated every day.
    • Files larger than 100 MB aren’t scanned.

    Email scanning

    Inbound emails are scanned for viruses by the system email filters, not by Antivirus Scanning.

    File Attachment field in a table

    The addition of a File Attachment field in a table generates zz_yy tables. These tables are dynamic and virtual. They are automatically generated when the column type file_attachment is added to parent tables.

    Consider adding a user photo to the Users table and incorporating it into the form view. When a photo is uploaded to a record, it automatically uploads the attachment to the sys_attachment table. The sys_attachment table maps the photo to the zz_yyUsers table.

    By default, only attachments on zz_yylive_profile tables are scanned. To scan other tables that have the column type file_attachment, create the system property com.glide.snap.scan.zz_yytables and insert the table name.

    Example

    If zz_yyincident and zz_yycase are the dynamic tables created when the column is added to the parent tables Incident and Case, then the property value should be zz_yyincident,zz_yycase.

    After this property is set, attachments for the zz_yyincident and zz_yycase tables are scanned.
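
The scope rules above (the enable property, the edge-encryption and 100 MB exclusions, and the zz_yy table list) can be combined into a coverage check that lists attachments falling outside scanning. This is an added example, not ServiceNow code: the function names, the props object, and the edge_encrypted flag are hypothetical, the records are constructed, and 100 MB is read as 100 MiB.

```javascript
// Added example: models the scan-scope rules stated on this page (not ServiceNow code).
const MAX_SCAN_BYTES = 100 * 1024 * 1024; // assumption: "100 MB" read as 100 MiB
const DEFAULT_DYNAMIC_TABLE = 'zz_yylive_profile'; // scanned by default per the page

// Parse the comma-separated value of com.glide.snap.scan.zz_yytables.
function parseTableList(value) {
  return new Set(String(value || '').split(',').map((t) => t.trim()).filter(Boolean));
}

// Return { scanned, reason } for one attachment record.
// props.scanEnabled stands for com.glide.snap.enable_scan (fed_enable_scan in GCC).
function scanCoverage(att, props) {
  if (!props.scanEnabled) return { scanned: false, reason: 'scanning disabled' };
  if (att.edge_encrypted) return { scanned: false, reason: 'edge-encrypted' };
  if (att.size_bytes > MAX_SCAN_BYTES) return { scanned: false, reason: 'over 100 MB' };
  // Table names are written in the lowercase zz_yy form this page uses.
  if (att.table_name.startsWith('zz_yy')) {
    const listed = parseTableList(props.dynamicTables);
    if (att.table_name !== DEFAULT_DYNAMIC_TABLE && !listed.has(att.table_name)) {
      return { scanned: false, reason: 'dynamic table not listed' };
    }
  }
  return { scanned: true, reason: 'in scope' };
}

// List the attachments that fall outside scanning, with the rule that excluded them.
function coverageGaps(attachments, props) {
  return attachments
    .map((att) => ({ file: att.file_name, ...scanCoverage(att, props) }))
    .filter((r) => !r.scanned);
}

// Constructed sample data (not from a real instance); edge_encrypted is a hypothetical flag.
const sampleProps = { scanEnabled: true, dynamicTables: 'zz_yyincident, zz_yycase' };
const sampleAttachments = [
  { file_name: 'report.pdf', table_name: 'incident', size_bytes: 52000, edge_encrypted: false },
  { file_name: 'photo.png', table_name: 'zz_yylive_profile', size_bytes: 80000, edge_encrypted: false },
  { file_name: 'scan.png', table_name: 'zz_yyincident', size_bytes: 90000, edge_encrypted: false },
  { file_name: 'badge.png', table_name: 'zz_yyproblem', size_bytes: 70000, edge_encrypted: false },
  { file_name: 'dump.bin', table_name: 'incident', size_bytes: 150 * 1024 * 1024, edge_encrypted: false },
  { file_name: 'secret.docx', table_name: 'problem', size_bytes: 40000, edge_encrypted: true },
];

console.log(coverageGaps(sampleAttachments, sampleProps));
```

Each entry in the result is an attachment that reaches users without a scan, which is where a compensating control or a property change is needed.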

    Scanning scenarios

    Review these upload and download scenarios to understand how the system identifies potential security threats from files attached to your records.

    Scenario 1 - Upload a file
    1. The user unknowingly uploads an infected file to a record.
    2. The system scans the file and moves it to quarantine.
    3. The file appears in the Attachments window, where it’s marked as unavailable.
    4. The user selects the file and this error message appears: The file Infected_testing.txt did not pass the security scan. Please remove the file from record INC0000059 and try again.
    5. The system sends an email notification to the user and the antivirus administrator.
    6. The user closes the Attachments window and is returned to the record. The infected file is displayed in the header as unavailable. For example, infected_testing123.txtZ [unavailable].

    Scenario 2 - Download a file
    1. The user opens a record to download a file that is attached to it.
    2. Unaware that the file is infected, the user selects it for download.
    3. The system scans the file, moves it to quarantine, and displays a message similar to The file infected_testing123.txt did not pass security scan and cannot be downloaded.
    4. The user closes the message and the screen refreshes showing that the file is unavailable.
    5. The system sends an email notification to the user and the antivirus administrator.

    Scenario 3 - Download a ZIP file
    1. A user opens a record and downloads a ZIP file that is attached to it.
    2. The system scans the files in the ZIP individually.
    3. One file doesn’t pass the security scan and is marked as unavailable. The remaining files are zipped and downloaded successfully.
    4. The user opens the ZIP file and sees an “error.txt” file in addition to the successfully downloaded file. This file contains an error message specifying which file didn’t pass scanning and was therefore not included in the ZIP.
    5. The user opens the record again, and sees that the unavailable file has been moved into the Potential security risks section in the Attachments window and can’t be downloaded.