Antivirus metrics
Summary of Antivirus metrics
If the Antivirus Scanning plugin is activated in your ServiceNow instance, it helps protect against virus infections from attachments by scanning files. The system tracks antivirus-related events over the last 60 days, enabling you to monitor the effectiveness of the scanning functions and respond to threats accordingly.
Key Features
- Antivirus Events Graph: Accessible via System Security > Instance Security Center > Metrics tab, this graph displays daily antivirus events in color-coded lines representing quarantined files, infected downloads, deleted quarantined files, and restored quarantined files.
- Analytics Hub Integration: Clicking a colored line in the events graph opens detailed analytics for that specific event type and date, offering breakdowns by event source, event type, and uploader user.
- Event Source Breakdown: Categorizes events by origin such as file upload, download, quarantine action, or infected records in tables.
- Event Type Breakdown: Classifies events as quarantine, download, restore, or deletion actions.
- Uploader Identification: Tracks which logged-in user uploaded files that triggered virus detections.
- Quarantined Files Listing: Provides detailed data on infected files, including file name, content type, associated table, virus name, detection timestamp, quarantining user, and record identifiers.
- Customizable Event Ribbon: You can add tiles such as Quarantined Files and Virus Types to the security event ribbon for quick monitoring.
Practical Benefits
- Enables proactive monitoring of virus-related activity within your ServiceNow instance.
- Helps identify infection sources and the users involved in uploading infected files.
- Supports incident response by allowing quarantined files to be restored if false positives are detected.
- Facilitates detailed reporting and analytics for security teams to assess antivirus scanning performance and trends.
If the Antivirus Scanning plugin is activated, Antivirus Scanning runs in your instance to help protect it against virus infections from attachments.
The following metrics appear for the last 60 days of activity, and enable you to assess the effectiveness of the Antivirus Scanning functions.
Antivirus Events
Antivirus Events indicate the number of antivirus events in your instance, by date. To access the antivirus events, navigate to System Security > Instance Security Center and select the Metrics tab. Color-coded graph lines represent the following types of antivirus events:
| Color | Description |
|---|---|
| Blue | Number of files quarantined by Antivirus Scanning in this instance for the indicated date. |
| Green | Number of infected files downloaded to the instance, and then quarantined for the indicated date. These files are primarily email attachments that contain a virus or rogue code. |
| Yellow | Number of quarantined files in the instance that were deleted for the indicated date. |
| Orange | Number of quarantined files in the instance that were restored for the indicated date. Note: After Antivirus Scanning runs and finds any false positives, you can restore a quarantined file and make it accessible in the instance. |
- To access the Analytics Hub page and view the detailed scorecard and analytics information for a specific date, click a colored line in the Antivirus Events graph. For example, click the blue graph line to view analytics information for files quarantined on a specific date.
- To view the following breakdowns in the Analytics Hub page, click
, then click:
| Breakdown | Description |
|---|---|
| AppSec - Antivirus Event Source | Source of the antivirus event.<br>- On Upload: Occurred due to an upload of an infected file, usually an attachment.<br>- From Quarantine: Occurred due to the quarantine of an infected file, usually an attachment.<br>- On Download: Occurred due to a download of an infected file, usually an attachment.<br>- From Record: Occurred due to an infected record in a table. |
| AppSec - Antivirus Event Type | Type of antivirus event.<br>- Quarantined: Occurred due to the quarantine of a file, usually an attachment.<br>- Downloaded: Occurred due to a download of a file, usually an attachment.<br>- Restored: Occurred due to the restoration of a quarantined file.<br>- Deleted: Occurred due to the deletion of a quarantined file. |
| AppSec - Antivirus Uploader | Name of the logged-in user who uploaded the files that were the source of virus infections detected by the Antivirus Scanning application. |
Quarantined Files
Lists the infected files in the instance quarantined by Antivirus Scanning:
| Field | Description |
|---|---|
| File name | Name of the infected file. |
| Content type | Type of content that was infected in the file. For example, application/x-dosexec is an infected application or DOS executable file, while text/plain is an infected .txt file. |
| Table | Name of the table that contains the infected file. For example, incident appears for an incident file record. |
| Virus | Name of the file quarantined by Antivirus Scanning. |
| Detected | Date and time the infected file was detected. |
| Created By | Name of the user who quarantined the infected file. |
| Created | Date and time the quarantine file record was created. |
| Table sys ID | Table system identifier assigned to the quarantine file record. |
Note: You can also add Quarantined Files and Virus Types tiles to the Event ribbon. To learn more, see Monitor security events and Configure the security event ribbon.
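For offline triage of the Quarantined Files list, the following added example (not ServiceNow code) summarizes a CSV export over the same 60-day window the metrics use. It assumes an export whose column headers match the field labels in the table above, a `YYYY-MM-DD HH:MM:SS` timestamp format, and that Table plus Table sys ID together identify one record; the `triage` function and all sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export; headers follow the Quarantined Files field labels.
SAMPLE_CSV = """File name,Content type,Table,Virus,Detected,Created By,Created,Table sys ID
invoice.exe,application/x-dosexec,incident,Constructed.Trojan.A,2024-05-01 09:12:00,system,2024-05-01 09:12:05,aaa111
notes.txt,text/plain,incident,Constructed.Test.File,2024-05-03 14:00:00,system,2024-05-03 14:00:02,aaa111
setup.exe,application/x-dosexec,problem,Constructed.Trojan.A,2024-05-20 08:30:00,system,2024-05-20 08:30:01,bbb222
old.doc,application/msword,incident,Constructed.Macro.B,2024-01-10 10:00:00,system,2024-01-10 10:00:03,ccc333
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed export timestamp format
EXECUTABLE_TYPES = {"application/x-dosexec"}  # content type named on the page


def triage(csv_text, now, window_days=60):
    """Summarise quarantined-file records detected in the last window_days."""
    cutoff = now - timedelta(days=window_days)
    by_virus, by_table, per_record = Counter(), Counter(), Counter()
    executables = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        detected = datetime.strptime(row["Detected"], TIME_FORMAT)
        if not cutoff <= detected <= now:
            continue  # outside the metrics window
        by_virus[row["Virus"]] += 1
        by_table[row["Table"]] += 1
        # Assumption: (Table, Table sys ID) identifies one record.
        per_record[(row["Table"], row["Table sys ID"])] += 1
        if row["Content type"] in EXECUTABLE_TYPES:
            executables.append(row["File name"])
    # Records with more than one quarantined file deserve a closer look.
    repeat_records = sorted(k for k, n in per_record.items() if n > 1)
    return {"by_virus": dict(by_virus), "by_table": dict(by_table),
            "executables": executables, "repeat_records": repeat_records}


if __name__ == "__main__":
    report = triage(SAMPLE_CSV, now=datetime(2024, 6, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```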