Antivirus metrics

  • Release version: Zurich
  • Updated July 31, 2025

    If the Antivirus Scanning plugin is activated, Antivirus Scanning runs in your instance to help protect it against virus infections from attachments.

    The following metrics appear for the last 60 days of activity, and enable you to assess the effectiveness of the Antivirus Scanning functions.

    Antivirus Events

    Antivirus Events indicate the number of antivirus events in your instance, by date. To access the antivirus events, navigate to System Security > Instance Security Center and select the Metrics tab. Color-coded graph lines represent the following types of antivirus events:
    Color: Description
    • Blue: Number of files quarantined by Antivirus Scanning in this instance for the indicated date.
    • Green: Number of infected files downloaded to the instance, and then quarantined for the indicated date. These files are primarily email attachments that contain a virus or rogue code.
    • Yellow: Number of quarantined files in the instance that were deleted for the indicated date.
    • Orange: Number of quarantined files in the instance that were restored for the indicated date.
    Note:
    After Antivirus Scanning runs and finds any false positives, you can restore a quarantined file and make it accessible in the instance.
    • To access the Analytics Hub page and view the detailed score card and analytics information for a specific date, click a colored line in the Antivirus Events graph. For example, click the blue graph line to view analytics information for files quarantined for a specific date.
    • To view the following breakdowns in the Analytics Hub page, click the Breakdown icon, then click:
      Breakdown: Description
      • AppSec - Antivirus Event Source: Source of the antivirus event.
        • On Upload: Occurred due to an upload of an infected file, usually an attachment.
        • From Quarantine: Occurred due to the quarantine of an infected file, usually an attachment.
        • On Download: Occurred due to a download of an infected file, usually an attachment.
        • From Record: Occurred due to an infected record in a table.
      • AppSec - Antivirus Event Type: Type of antivirus event.
        • Quarantined: Occurred due to the quarantine of a file, usually an attachment.
        • Downloaded: Occurred due to a download of a file, usually an attachment.
        • Restored: Occurred due to the restoration of a quarantined file.
        • Deleted: Occurred due to the deletion of a quarantined file.
      • AppSec - Antivirus Uploader: Name of the logged-in user who uploaded the files that were the source of virus infections detected by the Antivirus Scanning application.

    Quarantined Files

    Lists the infected files in the instance quarantined by Antivirus Scanning:
    Field: Description
    • File name: Name of the infected file.
    • Content type: Type of content that was infected in the file. For example, application/x-dosexec is an infected application or DOS executable file, while text/plain is an infected .txt file.
    • Table: Name of the table that contains the infected file. For example, incident appears for an incident file record.
    • Virus: Name of the file quarantined by Antivirus Scanning.
    • Detected: Date and time the infected file was detected.
    • Created By: Name of the user who quarantined the infected file.
    • Created: Date and time the quarantine file record was created.
    • Table sys ID: Table system identifier assigned to the quarantine file record.
    Note:
    You can also add Quarantined Files and Virus Types tiles to the Event ribbon. To learn more, see Monitor security events and Configure the security event ribbon.