The Ultimate Guide to What to look for in a Virus Scanning Solution in Salesforce
Posted on January 31, 2024
Are you concerned about the security of your valuable data in Salesforce? In the current scenario of digitization, where cyber threats are ever-evolving, it has become essential to fortify your Salesforce environment against potential risks. That’s why finding the right virus-scanning solution for Salesforce is crucial to ensure the safety and integrity of your data.
Selecting a virus-scanning solution for Salesforce requires enough knowledge and insight to make an informed decision. From the hidden dangers lurking within your data to the importance of proactive security measures, it pays to look closely at how virus scanning works and why it matters.
In this captivating and enlightening guide, we’ll walk you through the key factors to consider, the common pitfalls to avoid, and the features that make a virus-scanning solution truly effective in the context of Salesforce. Get ready to explore the realm of data protection, uncover cutting-edge scanning techniques, and discover how you can safeguard your Salesforce instance like never before. We’ll be answering everything that might concern you before you choose the scanning solution for Salesforce.
Why Salesforce Users Should Care About Scanning the Platform?
It’s a common mistake for Salesforce users to overlook the importance of scanning their Salesforce environment for potential threats. With the platform being a hub for sensitive data, including customer information, sales data, and confidential documents, the implications of a security breach can be disastrous.
Imagine the devastating consequences of unauthorized access to your customer data or the potential damage caused by malware-infected files spreading throughout your organization. By neglecting to implement a robust scanning solution, users inadvertently expose themselves to significant risks, leaving their data vulnerable to exploitation.
Here are a few key reasons why Salesforce users should prioritize scanning their platform:
Safeguarding Sensitive Data: Your Salesforce instance contains a wealth of sensitive information that can be lucrative to cybercriminals. By implementing a scanning solution, you create an additional layer of defense against potential breaches, ensuring that your data remains secure and confidential.
Protecting Against Malware and Viruses: Malicious actors continuously evolve their techniques, seeking new ways to infiltrate systems and spread malware. A robust scanning solution acts as a shield, detecting and neutralizing potential threats before they can cause harm.
Complying with Data Security Regulations: Depending on your industry, strict regulatory requirements may exist for data security and privacy. Scanning your Salesforce platform demonstrates your commitment to data protection and ensures compliance with relevant regulations.
Preventing Internal Threats: Scanning your Salesforce environment helps detect any potential insider threats, unauthorized access attempts, or suspicious activities within your organization, enabling you to take swift action and prevent any breaches before they occur.
How to Make the Right Choice of Virus Scanning Solution in Salesforce
Even when you are aware of the threats to your Salesforce data, making the right choice isn’t easy. You probably have many questions, and you will want answers to them before you can judge the value of such a solution.
So, let’s answer some of your questions and help you prepare to choose a scanning solution that is capable enough to safeguard your Salesforce data.
Does the Scanner Scan for Threats in Every Salesforce Object Type That Supports File Uploads, or Only Certain Ones?
When evaluating a virus scanning solution for Salesforce, it’s essential to consider whether the scanner covers all Salesforce object types that support file uploads or only a select few. As a mature platform, Salesforce has introduced various features where files can be uploaded over time. Therefore, ensuring that the scanning solution thoroughly examines files for threats wherever file uploads are possible in Salesforce is crucial.
Specifically, pay attention to whether the scanner includes the scanning of threats in the following Salesforce object types:
ContentVersion: ContentVersion represents a file or document in Salesforce, including attachments, Chatter files, and files uploaded via the Salesforce Files feature. It is crucial to have comprehensive scanning coverage for this object type to detect any potential threats.
Attachment: Attachments are files attached to records within Salesforce. Scanning solutions should encompass attachments to identify any malicious content or vulnerabilities that could compromise the security of your Salesforce instance.
Document: The Document object allows users to store and share files within Salesforce. It is vital that the scanner thoroughly examines documents to ensure they are free from any malicious elements that could pose a risk to your organization’s data.
Static Resource: Static resources are often overlooked when it comes to scanning for threats, but they can be a potential source of danger. This object stores scripts and files for public Salesforce sites and Digital Experiences. Failing to scan static resources leaves your organization vulnerable to malicious scripts or files that could impact the integrity and security of your Salesforce environment.
Considering the importance of scanning Static Resources, we highly recommend checking out our blog on why you should scan Static Resources to understand why including them in your scanning efforts is crucial.
Does the Scanner Block Users and APIs from Downloading Files Yet to Be Determined as Non-Threats?
When considering a virus scanning solution for Salesforce, it is crucial to assess whether the scanner not only detects threats in files but also blocks users, including both Salesforce users and APIs, from downloading files that are either identified as threats or are yet to be determined as non-threats. Merely scanning files is not sufficient; effective prevention of potential risks requires the scanner to have the capability to restrict access to such files.
It is imperative to ensure that the chosen scanner offers the following functionalities:
Blocking File Downloads in the Salesforce User Interface: The scanner should integrate seamlessly with the Salesforce user interface, preventing users from downloading files that have been identified as threats. This ensures that users are protected from inadvertently accessing potentially harmful files.
Blocking API Users from Downloading Files: APIs play a vital role in integrating Salesforce with other systems and applications. A comprehensive scanner should also block API users from downloading files marked as threats or files that are yet to be determined if they pose a threat. This extends the protection beyond the user interface and covers all avenues of file access.
To test the effectiveness of the scanner, a recommended approach is to upload a file marked as a threat and then attempt to download it both from the Salesforce user interface and through the Salesforce REST API using a developer account.
In both cases, the scanner should successfully block the download, providing an additional layer of security and ensuring that potentially harmful files do not reach users or API integrations.
Should the scanner delete files on upload in Salesforce?
Many times, we hear that customers want to delete files that have been determined to be a threat as soon as they are uploaded to Salesforce. On a desktop this may be a good practice, but you need to remember that Salesforce is a CRM, and files are not just files. Files also carry metadata that contains valuable business data, and users may have linked records to those files, providing more context to the business.
Automatically deleting a file on upload causes you to lose all that valuable business data. This is especially true for Salesforce ContentVersion records that allow uploading multiple file versions. You cannot delete just a single version; you have to delete all versions of the file. If a solution offers the ability to delete files on upload, make sure that the solution replaces the file with another file, informing the user that their file has been replaced.
IMPORTANT: Make sure that the solution also rebuilds the entire structure of the file, putting back any custom fields, pre-existing versions of the file, and other relationships to the file that existed, or you will lose valuable CRM data.
Does the scanner scan the entire file or only perform a checksum or signature scan before the file is made accessible to end users?
To save time, many scanners will perform a checksum or signature scan first and then, in another process, perform a more advanced scan of the file. Checksum and signature scans are a baseline for identifying a threat, but they do not catch new threats, and experienced attackers can often fool a scanner that relies on these techniques into thinking a file is not a threat. Ask the provider to confirm that, before a file is made accessible to your users, the entire file is scanned using more than just a checksum or signature scan.
Does the scanner support scanning of large files?
Many scanners have limitations when it comes to scanning large files, often resulting in failures or silent non-scans. When assessing a scanner, it’s important to perform a test by uploading a file with a size of at least 100 megabytes. After the test, verify that the scanner successfully scanned the file rather than failing silently. You can do this by checking the scan log and ensuring that the scanner returned the file’s checksum.
A checksum acts as a unique fingerprint for the file, and a reputable scanner should provide a checksum value like “25d422cc23b44c3bbd7a66c76d52af46” after each scan. If the scanner’s log shows a blank checksum, it indicates that the file was not actually scanned. In our own tests, we found that some scanners in the market silently fail when handling large files, falsely giving the impression that the file was scanned. However, upon reviewing the scan log, we discovered that no checksum fingerprint was generated. Even worse, these scanners reported that the file was not a threat, creating a dangerous illusion of a scanned and safe file when, in reality, it was never scanned at all.
It is crucial to be aware of these limitations and potential shortcomings of scanners, especially when dealing with larger files. Performing thorough tests and scrutinizing the scan logs will help ensure that your chosen scanner can effectively scan files of significant sizes, provide accurate results, and maintain the security of your Salesforce environment.
Does the scanner block high-risk file types?
Attackers will often try to disguise a malicious file type by changing the extension. For example, they will change an exe extension to png. Some scanners will claim to be able to block files by file type, but actually, what they are doing is blocking based on extension or mime type, which can be easily faked. During our tests, we found some scanners would only block based on the extension and mime type, leaving an org open to attack. Upload an executable file to Salesforce to test if a scanner has true file type blocking, but first rename the extension from exe to png. If the scanner is set to block executable files, the file should be blocked. If the scanner doesn’t block the file, it is merely looking at the extension, which is ineffective.
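The following added example (not code from this article or from any scanner vendor) shows what content-based type checking looks like compared with trusting the extension: it reads the file's leading bytes, so an executable renamed to png is still recognised. The function names, the "quarantine" action, and the sample bytes are hypothetical and constructed for illustration.

```python
import os
import struct

# Leading-byte signatures of common executable formats.
EXECUTABLE_MAGIC = {
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"#!": "script with interpreter line",
}

# Bytes a file with the claimed extension is expected to start with.
EXPECTED_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def is_pe(data):
    """True for a Windows PE image: 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def detect_executable(data):
    """Return a description of the executable format, or None."""
    if is_pe(data):
        return "Windows PE executable"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def evaluate_upload(filename, data):
    """Decide from content first; the extension is only a claim to be checked."""
    ext = os.path.splitext(filename)[1].lower()
    kind = detect_executable(data)
    if kind:
        return ("block", f"{kind} uploaded as '{ext or 'no extension'}'")
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return ("quarantine", f"content does not match '{ext}'")
    return ("continue", "type check passed; full malware scan still required")


def constructed_pe_header():
    """Constructed, non-functional bytes that carry only the PE markers."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + bytes(20)


if __name__ == "__main__":
    print(evaluate_upload("invoice.png", constructed_pe_header()))
    print(evaluate_upload("logo.png", b"\x89PNG\r\n\x1a\n" + bytes(16)))
```

A scanner that passes the rename test described above is doing some form of this check; one that only compares the extension or MIME type would let the first sample through.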
Does the scanner block malicious URLs, including zero-day URLs?
Many attackers will try to target users with phishing attacks, using malicious URLs to get their information. Emails and chat posts in Salesforce are at the highest risk of this type of attack, but don’t forget about custom objects, where attacks can also be performed.
Make sure the scanner supports the ability to block malicious URLs inside of files and on any object or field in Salesforce. Additionally, don’t take their word that the scanner will block malicious URLs. Use a tool such as URLhaus (https://urlhaus.abuse.ch) to validate their tool. In our tests, we found that some scanners did not block “Zero-day” malicious URLs. It is important to test this using the site above.
What happens when an error occurs during scanning? Does it fail silently, leaving you open to attack?
Ensure the scanner operates with a “zero trust” or pessimistic approach. This means the scanner should treat all files as a risk until proven otherwise. If the scanner fails during the scanning process, it should block access to files until it can achieve a “Safe” result. A good way to test this in Salesforce would be to go into “Remote Site Settings” in setup and disable all external endpoints for the scanning service. Once you have done this, try to upload a file that would be normally caught as malicious.
The scanner operates in a “Zero Trust” mode if you cannot access the file. Otherwise, if you can access the file, then the scanner is operating in a very dangerous mode where all files are trusted until they are not. This would put your organization at high risk if the scanner were to fail. Also, ensure that the scanner didn’t falsely report the file was scanned.
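The added example below (not code from this article or from any scanner) applies the pessimistic rule to a scan log and also covers the large-file check described earlier: a file is released only when the verdict is Safe and a checksum was recorded, so a blank checksum, an error, or a pending scan all keep the file blocked. The CSV layout, column names, and file ids are hypothetical and constructed; the first checksum is the sample value quoted above.

```python
import csv
import io
import re

# Constructed scan-log export. Column names and file ids are hypothetical.
SAMPLE_LOG = """\
file_id,size_bytes,status,checksum
cv-001,20480,Safe,25d422cc23b44c3bbd7a66c76d52af46
cv-002,157286400,Safe,
cv-003,4096,Threat,9e107d9d372bb6826bd81d3542a419d6
cv-004,8192,Error,
cv-005,1024,Pending,
"""

LARGE_FILE_BYTES = 100 * 1024 * 1024          # the 100 MB test size suggested above
HEX_DIGEST = re.compile(r"[0-9a-f]{32,128}")  # MD5 through SHA-512 hex lengths


def _fields(record):
    """Normalise the two fields the decision depends on."""
    status = (record.get("status") or "").strip().lower()
    checksum = (record.get("checksum") or "").strip().lower()
    return status, bool(HEX_DIGEST.fullmatch(checksum))


def download_allowed(record):
    """Fail closed: only a Safe verdict backed by a checksum releases a file."""
    status, has_checksum = _fields(record)
    return status == "safe" and has_checksum


def classify(record):
    """Label a log row so silent non-scans stand out from real results."""
    status, has_checksum = _fields(record)
    if status == "safe" and has_checksum:
        return "scanned-safe"
    if status == "safe":
        return "silent-non-scan"   # reported clean, but no fingerprint was produced
    if status == "threat":
        return "threat"
    return "unresolved"            # error, pending, or anything unrecognised


def audit(log_text):
    """Return (file_id, finding, is_large, download_allowed) for every log row."""
    results = []
    for record in csv.DictReader(io.StringIO(log_text)):
        size = int(record.get("size_bytes") or 0)
        results.append((record["file_id"], classify(record),
                        size >= LARGE_FILE_BYTES, download_allowed(record)))
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

In the constructed log, the 150 MB file is the case to look for during an evaluation: it is marked Safe with no checksum, which is exactly what a silently skipped scan looks like.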
Does the provider claim that their scanning application is “Native” to Salesforce?
A “Native” application in Salesforce is an application that is entirely built in Salesforce where no data leaves Salesforce. Virus scanning is a very complicated procedure that requires a high amount of computing power. Therefore, performing accurate scanning of files “Natively” in Salesforce is impossible.
Be cautious if a provider claims their solution is “Native”, as this either means that their scanning solution will not be effective in scanning files in Salesforce or they are trying to hide the fact from you that your data will be leaving Salesforce. Always consult a Salesforce expert before deciding on a solution so you know exactly what is going on behind the scenes.
What is their support model? Are the support representatives Salesforce certified?
Make sure that you ask what the support model is like. Is there a number to contact someone any time you need help, or do you have to email someone waiting for a response? Do you get the full contact information (phone and email) of the support technician you are working with, or can you only connect with a support representative through their support system? Are their support personnel certified Salesforce professionals, or do they only have basic knowledge of Salesforce?
You want to ensure the people who support the product know not only the product but also Salesforce, as many problems turn out to be Salesforce-specific issues that only a Salesforce professional would recognize. Beware of providers who are not familiar with how Salesforce works. A good test would be to reach out to their support while evaluating the product and ask some Salesforce-specific questions that only a Salesforce professional would know. Don’t take their word for it.
Does the solution provide the flexibility to send notifications of threats that fit your business requirements?
You purchased Salesforce because it is a very powerful platform that allows you to perform many operations without writing a single line of code. For example, Salesforce out of the box allows you to send various types of notifications using “no code” or declarative functions. This allows you to send notifications to fit your exact business need.
Be wary of providers who provide a way to send notifications within their applications. This goes against Salesforce best practices, as it means they used “code” rather than “clicks” to enable sending of notifications within their application. This limits what you can do when notifying your users, and as Salesforce releases new features, you cannot take advantage of them. Be wary of any provider who does this, as it may be a sign they are not familiar with Salesforce best practices when developing applications on the Salesforce platform. This may sound like a minor thing, but what other best practices are they not following? What about data security best practices?
Does the scanning provider monitor your environment, ensuring scanning services are always running?
Many providers will monitor their own systems but leave it up to you to monitor your Salesforce environment to ensure files are being scanned. Virus scanning is a mission-critical operation, which is why your provider should be constantly monitoring your environment and letting you know the moment there is an issue.
Be careful of providers who tell you they do this. Make sure you verify with them how they monitor your environment. If their application sends your file data out of your Salesforce environment rather than using Salesforce’s APIs to poll Salesforce for new files, they will never know when you have a problem. All they know is you haven’t sent them any files. Whereas if they periodically call into Salesforce to check the “health” of the service, they will know the instant there is an issue. Make sure you ask them, “Do you call into my Salesforce to proactively monitor if there are any issues?”
Does the provider have expertise in building highly scalable and secure applications on the Salesforce platform?
If you have a complex Salesforce implementation, which most customers do, you must choose a provider with deep expertise in the Salesforce platform. Not only for building the application but also for supporting it. Being a multi-tenant provider, Salesforce has many limitations put in place to protect all customers on the platform.
Because of this, providers need to know how to build applications that play well with others and ensure that their applications will scale as they grow and will not interfere with your other Salesforce applications. When you have issues, you want someone there who knows how Salesforce works. Ask them if they have heard of “Salesforce Well-Architected” and if they follow “Salesforce Well-Architected” principles. If they say yes, ask them how. Do their support people know Salesforce, or are they general reps who support multiple products? Are they certified on Salesforce? Call their support and test their knowledge.
Is the provider knowledgeable about Salesforce Security?
Salesforce security is very complicated. You want the provider that is protecting your data to have a deep understanding of Salesforce security best practices. Viruses are only one of the many things that cause data leaks in Salesforce.
Do you want a provider who has a basic understanding of Salesforce security, building the product protecting your data, or do you want a true partner you can turn to with any question or concern you may have related to Salesforce security? I would think the latter.
The Real Question: What virus scanning engines are being used to scan for threats?
Not all virus-scanning engines are created equal. Before selecting a tool, ensure that the engine powering the virus scanner effectively detects a threat. Don’t just take the vendor’s word for it; ask for independent references. For example, EzProtect is powered by Sophos, a leader in the Gartner Magic Quadrant, and consistently receives perfect scores in third-party independent tests such as the recent test performed by SE Labs. Also, ask the vendor to demo the product using a real virus that is no less than 24 hours old. This will show you how effectively their tool catches “Zero Day” threats.
IMPORTANT: Have someone from your cybersecurity team test to make sure that the tool catches “Zero Day” threats.
Implementing a robust virus scanning solution for Salesforce is of utmost importance to safeguard your valuable data, protect against potential threats, and maintain the integrity of your CRM environment.
Among the various scanning solutions available, EzProtect stands out as an excellent choice. With its advanced features, EzProtect scans files for known and unknown threats and offers additional capabilities like multi-factor authentication and Salesforce Shield monitoring.
It ensures the security of your Salesforce instance by blocking high-risk file types, preventing unauthorized downloads, and enabling continuous monitoring for anomalous file activities.
Moreover, EzProtect goes beyond just scanning files; it preserves valuable business data, prevents data loss during file replacements, and maintains the integrity of your CRM by rebuilding file structures and preserving custom fields and relationships.
Don’t let your data fall prey to malicious threats!
Join us on this journey to empower yourself to help protect your Salesforce environment and data.
Don’t compromise on the security of your Salesforce environment; choose EzProtect for a comprehensive and reliable solution that safeguards your data and ensures a secure and trustworthy CRM experience.
Schedule your free Salesforce security assessment to see if you are at risk.