Exploring Antivirus Scanning

  • Release version: Zurich
  • Updated July 31, 2025

    Use Antivirus Scanning to help protect your instance against virus infections that can be introduced by file attachments to your system records, such as incidents, problems, and stories.

    Antivirus Scanning scans file attachments stored in your attachment [sys_attachment] table to help protect users from uploading and downloading infected files. All the document types supported by the Platform are scanned by Antivirus Scanning.

    If Antivirus Scanning is enabled, all file attachments in the Attachments table [sys_attachment.do] are scanned by default.

    The Antivirus Protection plugin (com.glide.snap) is activated and enabled by default on your instance. As an administrator, you can deactivate and reactivate the Antivirus Scanning feature across your instance at the switch of a toggle, set configuration options, and review antivirus activity on the instance.

    Note:
    • Antivirus Scanning is also available for customers in the Government Community Cloud (GCC) and commercial environment.

      GCC users must set the com.glide.snap.fed_enable_scan property to true to start using the feature.

      Commercial users must set com.glide.snap.enable_scan to true.

    • HTTP and HTTPS communication protocols are supported.
    • Edge-encrypted files are excluded from this scan.
    • Antivirus definitions are updated every day.
    • Files larger than 100 MB aren't scanned.

    Email scanning

    Inbound emails are scanned for viruses by the system email filters, not by Antivirus Scanning.

    File Attachment field in a table

    The addition of a File Attachment field in a table generates zz_yy tables. These tables are dynamic and virtual. They are automatically generated when the column type file_attachment is added to parent tables.

    Consider adding a user photo to the Users table and incorporating it into the form view. When a photo is uploaded to a record, it automatically uploads the attachment to the sys_attachment table. The sys_attachment table maps the photo to the zz_yyUsers table.

    By default, only attachments on zz_yylive_profile tables are scanned. To scan other tables that have the column type file_attachment, create the system property com.glide.snap.scan.zz_yytables and set its value to the table name.

    Example

    If zz_yyincident and zz_yycase are the dynamic tables created when the column is added to the parent tables Incident and Case, the property value should be zz_yyincident,zz_yycase.

    After this property is set, attachments for the zz_yyincident and zz_yycase tables are scanned.
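
    A coverage check built from the rules on this page (default zz_yylive_profile scanning, the com.glide.snap.scan.zz_yytables list, the 100 MB limit and the edge-encryption exclusion), as an added example that is not ServiceNow code. The record field names, the scanEnabled flag standing in for the enable-scan property, the lowercase zz_yy prefix match and the reading of 100 MB as 100 × 1024 × 1024 bytes are assumptions.

```javascript
// Added example: which attachments fall outside Antivirus Scanning, using only
// the rules stated on this page. Record field names are hypothetical.
const DEFAULT_ZZ_YY = ['zz_yylive_profile']; // scanned by default
const MAX_SCAN_BYTES = 100 * 1024 * 1024;    // assumption: 100 MB read as MiB

// Split the comma-separated value of com.glide.snap.scan.zz_yytables.
function parseTableList(value) {
  return (value || '').split(',').map((t) => t.trim()).filter(Boolean);
}

// Reasons one attachment is not scanned; an empty array means it is scanned.
function skipReasons(att, config) {
  if (!config.scanEnabled) return ['scanning is turned off'];
  const reasons = [];
  const covered = new Set([...DEFAULT_ZZ_YY, ...parseTableList(config.zzYyTables)]);
  if (att.table.startsWith('zz_yy') && !covered.has(att.table)) {
    reasons.push('table not listed in com.glide.snap.scan.zz_yytables');
  }
  if (att.sizeBytes > MAX_SCAN_BYTES) reasons.push('larger than 100 MB');
  if (att.edgeEncrypted) reasons.push('edge-encrypted');
  return reasons;
}

// Report every unscanned attachment plus the property value that closes table gaps.
function auditCoverage(attachments, config) {
  const gaps = [];
  const tables = parseTableList(config.zzYyTables);
  for (const att of attachments) {
    const reasons = skipReasons(att, config);
    if (reasons.length > 0) gaps.push({ file: att.file, reasons });
    const dynamic = att.table.startsWith('zz_yy') && !DEFAULT_ZZ_YY.includes(att.table);
    if (dynamic && !tables.includes(att.table)) tables.push(att.table);
  }
  return { gaps, suggestedProperty: tables.join(',') };
}

// Constructed sample data, not taken from a real instance.
const SAMPLE = [
  { file: 'photo.png', table: 'zz_yylive_profile', sizeBytes: 20480, edgeEncrypted: false },
  { file: 'notes.docx', table: 'incident', sizeBytes: 51200, edgeEncrypted: false },
  { file: 'scan.pdf', table: 'zz_yyincident', sizeBytes: 90000, edgeEncrypted: false },
  { file: 'evidence.bin', table: 'zz_yycase', sizeBytes: 150 * 1024 * 1024, edgeEncrypted: false },
  { file: 'secret.txt', table: 'incident', sizeBytes: 100, edgeEncrypted: true },
];
const report = auditCoverage(SAMPLE, { scanEnabled: true, zzYyTables: 'zz_yyincident' });
console.log(JSON.stringify(report, null, 2));
```

    With only zz_yyincident listed, the report flags evidence.bin (unlisted table and over the size limit) and secret.txt (edge-encrypted), and suggests the same property value as the example above.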

    Scanning scenarios

    Review these upload and download scenarios to understand how the system identifies potential security threats from files attached to your records.

    Scenario 1 - Upload a file
    1. The user unknowingly uploads an infected file to a record.
    2. The system scans the file and moves it to quarantine.
    3. The file appears in the Attachments window, where it’s marked as unavailable.
    4. The user selects the file and this error message appears: The file Infected_testing.txt did not pass the security scan. Please remove the file from record INC0000059 and try again.
    5. The system sends an email notification to the user and the antivirus administrator.
    6. The user closes the Attachments window and is returned to the record. The infected file is displayed in the header as unavailable, for example, infected_testing123.txtZ [unavailable].

    Scenario 2 - Download a file
    1. The user opens a record to download a file that is attached to it.
    2. Unaware that the file is infected, the user selects it for download.
    3. The system scans the file, moves it to quarantine, and displays a message similar to this: The file infected_testing123.txt did not pass security scan and cannot be downloaded.
    4. The user closes the message and the screen refreshes showing that the file is unavailable.
    5. The system sends an email notification to the user and the antivirus administrator.

    Scenario 3 - Download a ZIP file
    1. A user opens a record and downloads a ZIP file that is attached to it.
    2. The system scans the files in the ZIP archive individually.
    3. One file doesn’t pass the security scan and is marked as unavailable. The remaining files are zipped and downloaded successfully.
    4. The user opens the ZIP file and sees an “error.txt” file in addition to the successfully downloaded file. This file contains an error message specifying which file didn’t pass scanning and was therefore not included in the ZIP.
    5. The user opens the record again, and sees that the unavailable file has been moved into the Potential security risks section in the Attachments window and can’t be downloaded.