You’re likely aware that accessing files or attachments on an inadequately secured device can pose significant risks to both you and your organization. In today’s cloud-centric environment, security has become a paramount concern, if not the most crucial one.

Salesforce has several features designed to prevent users from uploading specific high-risk types of files. These features are decent at preventing normal users from uploading undesired types of files, but they fall short when it comes to blocking a malicious actor. This presents a substantial security hazard, and it becomes especially concerning when your Salesforce application is reachable through public-facing sites. After all, the last thing you want is a malicious file being uploaded into Salesforce, potentially compromising your network and jeopardizing the integrity or confidentiality of your sensitive data.

What are high-risk file types?

High-risk file types typically refer to file formats that have a higher likelihood of containing malware, viruses, or other malicious content. These file types are often used by cybercriminals to deliver their malicious payloads to unsuspecting users. Some common high-risk file types include:

  • Executable Files (.exe): These files can run programs on your computer and are commonly used to distribute malware.
  • Script Files (.js, .vbs, .ps1): Script files can contain malicious code that, when executed, can perform harmful actions on your system.
  • Document Files with Macros (.docm, .xlsm): Documents that contain macros can execute code, and malicious macros can be used to infect your system.
  • Archive Files (.zip, .rar): While archive files themselves are not inherently dangerous, they can contain other high-risk file types or compressed malware.
  • Batch Files (.bat): Batch files can be used to automate tasks, but they can also execute malicious commands.
  • Java Archives (.jar): These files can contain Java applications, and malicious ones can be used to exploit vulnerabilities in the Java Runtime Environment.
  • PDF Files (.pdf): While PDFs are typically safe, they can contain embedded scripts or links that lead to malicious websites.
  • HTML Files (.html): HTML files can contain malicious scripts or redirects to phishing websites.

Other file types include shortcut files, shell script files, compressed files with unusual extensions, and DLL files.

What is the impact of a high-risk file?

The impact of a high-risk file can vary widely depending on the nature of the file and the specific malware or malicious code it contains. Some common impacts of opening or executing a high-risk file are:

  • Malware Infection: Many high-risk files, such as executable files (.exe) or document files with malicious macros (.docm), may contain malware. When opened or executed, these files can infect your computer with viruses, worms, Trojans, ransomware, or other types of malicious software. The impact can range from slowing down your computer to encrypting your files and demanding a ransom.
  • Data Loss: Some high-risk files may delete or corrupt your files and data, leading to data loss or data leakage. This is common with certain types of malware that are designed to destroy or steal information.
  • Unauthorized Access: High-risk files can contain code that allows cybercriminals to gain unauthorized access to your computer or network. This can lead to the theft of sensitive information, such as personal data, financial information, or login credentials.
  • System Compromise: In some cases, high-risk files can compromise the security of your entire system. This can include taking control of your computer, using it as part of a botnet, or exploiting vulnerabilities to gain deep access.
  • Privacy Invasion: Malicious files can be used to monitor your online activities, capture keystrokes, or record your screen, leading to a significant invasion of your privacy.
  • Financial Loss: Certain types of high-risk files, such as those associated with banking Trojans or phishing attacks, can lead to financial losses if they are used to steal your banking or credit card information.

How would an attacker perform an attack with a high-risk file type?

Salesforce is a robust platform that prioritizes security over everything else, but its users remain vulnerable to attacks involving high-risk file types.

Here’s an overview of how such an attack unfolds:

  1. Phishing Attack: Attackers initiate these attacks with phishing emails targeting Salesforce users. These emails often contain malicious attachments or links leading to high-risk file downloads, aiming to deceive users.
  2. Malicious Payload: The unsuspecting users then download high-risk files carrying malicious payloads, such as executable (.exe) files or scripts, capable of running on the victim’s device. These payloads exploit system vulnerabilities or attempt to compromise Salesforce credentials.
  3. Execution: Upon opening the high-risk file, it executes locally, resulting in various scenarios:
     • Malware Infection: Executables can house malware, infecting the user’s device. This malware may steal sensitive data, such as stored Salesforce login credentials, or propagate within the network.
     • Credential Theft: The malicious file could capture Salesforce login credentials through methods like keylogging, form data interception, or redirection to fake login pages.
  4. Privilege Escalation: After gaining access to a victim’s Salesforce account, attackers may escalate privileges within the platform. This may involve attempts to access sensitive data, manipulate records, or attain administrative privileges.
  5. Data Exfiltration: Once inside Salesforce, attackers may seek to exfiltrate sensitive data like customer records, financial information, or proprietary documents. They might use Salesforce features for data export or exploit platform vulnerabilities.
  6. Maintaining Persistence: To sustain access, attackers often establish backdoors or persistent entry points within Salesforce. This ensures continued control, even if their initial entry is detected and removed.

How would one go about blocking a high-risk file type?

Detecting and blocking high-risk file types is a critical aspect of cybersecurity, and there are various methods to do so.

One common approach is File Extension Detection, which identifies file types by examining their extensions (e.g., .exe for executables or .png for images). However, this method has a significant limitation: attackers can easily manipulate file extensions, disguising high-risk files as innocuous ones. For instance, a malicious executable can be renamed to “malware.png” to deceive users into downloading and executing it.

Another method is MIME-Type Detection, which relies on MIME (Multipurpose Internet Mail Extensions) types conveyed by servers during web downloads. These types are meant to describe a file’s nature, but they can be manipulated by attackers who set up fake servers to send false MIME types. For instance, an attacker might configure a web server to send an “image/png” MIME type for an executable file, tricking security systems into treating it as a harmless image.

These two types of detection are how Salesforce blocks undesirable high-risk file types. While this may be effective for regular users, a skilled attacker can easily bypass these security controls.

The most reliable approach is True File Type Detection, also known as content-based detection. This method examines a file’s actual content by analyzing its binary structure, allowing it to accurately identify the true file type. Unlike the previous methods, content-based detection is less susceptible to manipulation, as it looks beyond file extensions and MIME types. It involves inspecting the binary content for specific patterns or signatures associated with known file types. Although content-based detection is resource-intensive, it offers a higher level of accuracy and resistance to evasion by malicious actors.
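The following is an added example, not EzProtect’s or Salesforce’s code, showing the three detection methods side by side on the “malware.png” case from above: extension and declared MIME type both say PNG, while the leading bytes (a Windows PE “MZ” header) reveal an executable. The magic-number table, the type names, and the quarantine policy for unrecognised or mismatched content are constructed assumptions for this illustration.

```python
import os

# Constructed, deliberately small magic-number table: leading bytes -> true type.
MAGIC_SIGNATURES = {
    b"MZ": "exe",                   # Windows PE executables (.exe, .dll)
    b"\x7fELF": "elf",              # Linux executables
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",           # .zip, and zip-based .jar / .docm / .xlsm
}
EXTENSION_TYPES = {".exe": "exe", ".dll": "exe", ".png": "png", ".pdf": "pdf",
                   ".zip": "zip", ".jar": "zip", ".docm": "zip", ".xlsm": "zip"}
MIME_TYPES = {"application/x-msdownload": "exe", "image/png": "png",
              "application/pdf": "pdf", "application/zip": "zip"}
HIGH_RISK = {"exe", "elf", "zip"}   # assumed blocking policy for this example

def type_from_extension(filename):
    return EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower(), "unknown")

def type_from_mime(declared_mime):
    return MIME_TYPES.get(declared_mime.lower(), "unknown")

def type_from_content(data):
    # Content-based ("true file type") detection: compare leading bytes only.
    for magic, ftype in MAGIC_SIGNATURES.items():
        if data[:len(magic)] == magic:
            return ftype
    return "unknown"

def assess_upload(filename, declared_mime, data):
    ext_type, mime_type = type_from_extension(filename), type_from_mime(declared_mime)
    true_type = type_from_content(data)
    if true_type in HIGH_RISK:
        verdict = "block"                     # content is high-risk, whatever it claims to be
    elif true_type == "unknown" or true_type not in (ext_type, mime_type):
        verdict = "quarantine"                # assumed fail-closed policy: unknown or mismatched
    elif ext_type != mime_type:
        verdict = "quarantine"                # declared attributes disagree with each other
    else:
        verdict = "allow"
    return {"extension": ext_type, "mime": mime_type, "content": true_type, "verdict": verdict}

# Constructed sample uploads: a renamed PE file and a genuine PNG.
DISGUISED_EXE = ("malware.png", "image/png", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56)
GENUINE_PNG = ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")

if __name__ == "__main__":
    for sample in (DISGUISED_EXE, GENUINE_PNG):
        print(sample[0], assess_upload(*sample))
```

Extension and MIME checks alone would allow the disguised executable; only the content check blocks it.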

Choosing the right solution

It’s important to understand that while there are several solutions available to block high-risk file types in Salesforce, the effectiveness of these solutions can vary significantly. One solution that has gained recognition for its effectiveness in this regard is EzProtect.

There is a notable distinction between competitors and EzProtect. Competing solutions often hinge on Salesforce’s reported file type, largely determined by file extensions and MIME types. As previously discussed, this reliance on easily manipulated attributes makes them less effective in accurately detecting high-risk files. Malicious actors can exploit these weaknesses to cloak dangerous files as innocuous ones.

In contrast, EzProtect adopts a more resilient approach. It foregoes exclusive reliance on file extensions and MIME types, opting instead to scrutinize the complete content of files. This content-based detection method proves highly effective at uncovering a file’s true nature, irrespective of its name or server representations. By delving into the core of file content, EzProtect erects a formidable defense, fortified against the artifice of malicious actors.

However, true efficacy extends beyond mere detection; it involves thwarting user access to identified high-risk files. In this crucial aspect, EzProtect excels. Not only does it excel at pinpointing the genuine file type, but it also possesses the capability to prevent user interaction with these high-risk files within the Salesforce environment. This comprehensive approach ensures that identified high-risk files are swiftly contained, averting potential harm.

EzProtect stands out as a high-caliber solution for high-risk file management. Its content-based detection method, fortified by the capability to block user access, renders it a robust guardian of data integrity and security within the Salesforce platform. In a landscape where security is paramount, this comprehensive approach proves essential for safeguarding against potential threats.

Would you like to know more about how EzProtect can help to keep your users and data safe? Schedule a risk-free Salesforce security assessment to find out how.

Published on: April 10, 2024. Categories: Cybersecurity, Salesforce, Virus scanning.
