
Prevent Security Threats Across Your Salesforce Instance [In-Depth Overview]

By Andreea Doroftei

Branded content with WithSecure

Maintain business continuity without worrying about malicious content or phishing links within your Salesforce content, regardless of its source.


  • Automatically scan URLs as well as all attachments, either uploaded or downloaded, to detect potential risks in real time.
  • Monitor, investigate, and resolve any cyber security threats following either an automated or a manual scan.
  • Customize end-user messaging and expected actions pertaining to flagged content.
  • Proactively keep track of user activity and prevent unexpected threats right from within your Salesforce org.

Working with a large number of customers will inevitably involve sharing files and URLs – whether it’s a quote, report, or perhaps just additional resources related to a purchase. The chances are that some (if not all) of these will also be uploaded to your CRM. In the event of files being corrupted or emails containing phishing links, wouldn’t you be taking an unnecessary risk?

WithSecure’s tailored solution for Salesforce comes to the rescue!

Security is imperative (and front of mind) for everyone working in the ecosystem, particularly as Salesforce holds so much personal and business-critical data – the platform’s own model is designed with controlled access in mind.

Malicious content has no place in this equation, and this is exactly what their Cloud Protection offering ensures: real-time threat detection and protection, custom notifications for both users and the Salesforce team, along with rich analytics that offer a complete overview of your instance.

This in-depth overview will showcase Cloud Protection’s (by WithSecure) main features, ideal use cases, and setup effort, as well as how fast this product will turn cyber-security threats into a thing of the past.


At first glance, Cloud Protection may appear simply as a way to block undesirable content; look further, and you’ll find it offers an array of features. The overriding objective is to enhance content security against ransomware, phishing and other advanced malware threats – all in a thorough, yet transparent manner.

Once the managed package is installed and permissions are granted, everything you need can be found in one Lightning App.

The Administration tab is where the behind-the-scenes magic happens. It’s also where you, the Salesforce Administrator, will configure the functionality.

File Protection

It’s likely that you’re already familiar with Salesforce validation rules, which verify that the data entered by a user meets certain criteria before the user can save the record.

What if you could validate the content safety of your Salesforce Files and Attachments in next to no time? This comparison with validation rules may seem a little far-fetched, but let’s take a look:

  • Cloud Protection’s File functionality ensures that harmful content cannot be previewed and/or downloaded.
  • A record of the file being uploaded into Salesforce is available for further investigation, if needed.
  • Functionality can be turned on quickly, with an option to select all/specific objects to be included in the scan.

Once the File Protection option is enabled for Files and/or Attachments, additional options become available:

  • Set the desired behavior for harmful or disallowed content in accordance with compliance policies.
  • Include/exclude file types and extensions to be scanned whenever needed.

The advanced threat analysis functionality allows the admin to configure whether files can be sent for in-depth behavioral analysis in the WithSecure Security Cloud.

This in-depth analysis can discover even the most sophisticated and “zero-day” forms of malware that bypass traditional signature-based detections and require a behavioral analysis to thwart. The file will run and be analyzed in a secure isolated sandboxing environment to detect any anomalies. It will be anonymized and encrypted both at rest and in transit for maximum privacy.

Intelligent file type recognition

File extension spoofing is an attack method where hackers disguise a file type, for example, to make a questionable executable (.exe) seem like an ordinary image file (.jpeg). 

Intelligent File Type Recognition enhances the accuracy of detecting malicious files in Salesforce environments by analyzing the actual content of a file, rather than relying solely on its name or label. 

A sophisticated analysis of the file’s behavior offers an additional layer of verification to confirm the file type – regardless of what the file name indicates. Intelligent File Type Recognition is automatically enabled as part of the File Protection feature, requiring no separate configuration.
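To make the idea of checking content rather than file name concrete, here is a minimal sketch added as an example; it is not WithSecure's implementation. The signature table, function names, verdict labels and sample bytes are all assumptions constructed for illustration.

```python
import os

# Leading-byte signatures (well-known magic numbers) for a few common formats.
SIGNATURES = [
    (b"MZ", "exe"),                  # Windows PE / DOS executable
    (b"\x7fELF", "elf"),             # Linux executable
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),          # also the container for docx/xlsx/pptx
]
# Extensions that legitimately go with each detected type.
EXTENSIONS = {
    "exe": {".exe", ".dll", ".scr"},
    "elf": {"", ".so", ".bin"},
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
}
EXECUTABLE_TYPES = {"exe", "elf"}

def sniff_type(data: bytes) -> str:
    """Return the type implied by the file's first bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def check_upload(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed content type."""
    # Only the final extension counts: "invoice.pdf.exe" -> ".exe".
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff_type(data)
    mismatch = detected != "unknown" and ext not in EXTENSIONS[detected]
    if mismatch:
        # An executable hiding behind another extension is the spoofing case.
        verdict = "block" if detected in EXECUTABLE_TYPES else "review"
    else:
        # Unrecognized content is left for deeper analysis, not trusted.
        verdict = "review" if detected == "unknown" else "allow"
    return {"file": filename, "declared": ext, "detected": detected,
            "mismatch": mismatch, "verdict": verdict}

if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of the content).
    for name, blob in [("holiday.jpeg", b"MZ\x90\x00\x03\x00"),
                       ("holiday.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
                       ("quote.docx", b"PK\x03\x04\x14\x00")]:
        print(check_upload(name, blob))
```

A signature check like this only confirms the container format; an Office document or archive that matches its extension can still carry malicious content, which is why it complements scanning rather than replacing it.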

With the exclusions and disallowed file types set up, it’s time to upload a file in Salesforce – now with far more peace of mind.

Custom Notifications

As you will have noticed in the video above, once the file is uploaded to an Opportunity record, the name changes almost instantly. Instead of previewing the actual content, a message was displayed to inform the user that harmful content was detected.

As one of the Cloud Protection admins (and as I was the one uploading the file), two emails have been triggered:

  • One from a user’s perspective – this informed me that the file was removed and also recommended to me the action I should take if I opened the file locally.
  • Another one from an admin’s perspective – this had extra information to keep me posted on user activity pertaining to the threat.

Let’s look at how the file behavior and notifications can be enabled. Without having to leave the File Protection tab, the Notifications menu is available to customize every alert and warning. Also, you can pick and choose which notifications to use, ensuring that both users and admins are aware of potential security implications relating to harmful or disallowed files.

URL Protection

Similar to the File Protection functionality, you can control the access to harmful or disallowed URLs from standard objects. There are a few specific differences:

  • URL categories can easily be restricted.
  • Certain domains or URLs can be whitelisted if required.
  • Advanced URL analysis means the admin can configure whether URLs can be analyzed in-depth – but this may cause a delay in verdict.

In addition, URLs are always re-checked when users click on them, ensuring that no dormant trap will go unnoticed.

Custom notifications are also available for URL Protection as you would expect, for both users and administrators.

Manual Scan

While you might expect the Manual Scan to work by manually selecting individual files in your org to be scanned, you’ll find it means much more than that.

Up to 100 items can be scanned at a time. Items can be filtered on created date, last modified date, and the Salesforce object they are related to.

Plus, it doesn’t matter if the file was scanned at the moment it was uploaded, because the exclusion lists you set up may also have changed – for example, files that were not supposed to be scanned 90 days ago may be of interest for the scan job now.

There is the option for scheduled file scanning, which will schedule a batch delivered with the managed package at the frequency of your choice.

The admins can let WithSecure threat analysts know directly in the app if something safe is flagged incorrectly or something malicious gets through without detection. This collective feature helps build more precise protection for all.


There may be scenarios when the file has to be retrieved, even though content might have been flagged as containing potential malware, and is therefore unsafe. Retrieval can be done with just a few clicks through the Quarantine tab. Use the Restore button once the record is identified and selected.

The document will appear back against the record it was initially related to, but with the replaced text file still available.

Data handling

WithSecure’s threat analysis service is run on a highly reliable multi-zone model of AWS data centers, and admins can now control the data processing location. They can either choose automatic region selection for the most reliable performance (the system picks the best option automatically based on availability and proximity, for example), or choose to keep all traffic within a selected region.

The current options are Europe (Ireland), US (N. Virginia), Australia, and Singapore. Upcoming regions include Canada and Japan.

Summary and Analytics

Cloud Protection offers a comprehensive view of everything that is going on, right within the dedicated Lightning App, from the time of the first file upload or URL shared in a Chatter post.

The Summary tab contains:

  • Overall statistics and alerts.
  • Reports insights – dive into native Salesforce reports and dashboards by clicking through each of the widgets from the Protection Dashboard.

Within the Analytics tab, you can:

  • Seamlessly explore any of the alerts, or File and URL events.
  • Filter, as needed, as your database grows and more content is being scanned.

For example, if you’d like to take a look at the URL events which have been scanned from Chatter posts, you only need to search by the location – the information will be displayed. You can also use the verdict or action as keywords or other attributes.

Use Cases

There are multiple sources from which your users can get hold of files or URLs, and manually (or through automations) add them into Salesforce.

One important data entry point is external users – and in this context, Experience Cloud or site visitors.

Agents reviewing file content could expose their machine (and critical information) to malware, potentially leading to significant breaches and business disruption.

Cloud Protection for Salesforce will comply with the settings determined in the Administration tab, send notifications, and allow you to further report on these events – all in just a matter of moments.


It goes without saying that, from a security standpoint, Cloud Protection keeps your Salesforce org protected and your users at ease, knowing that all content across the platform can be trusted.


WithSecure’s Cloud Protection for Salesforce is delivered as a managed package, which means that you can easily install it in your sandboxes and/or production instance directly from the AppExchange.

  • Assign licenses either to all users directly, or selectively by using criteria such as the user Profile (simply search or automate it via a rule).
  • Assign the permission sets manually through an import, or automatically assign or revoke from the Cloud Protection Administration tab to all active users.

Leverage a Connected App to increase the scanning capabilities, especially for larger files – this has recently been enabled. In my experience, once the integration user was properly set up, as highlighted in this guide, the connection was easy to establish through the Administration tab, within the Tools section.

It didn’t go unnoticed that even the way data collection is handled can be decided in accordance with your security and retention policies. When administering Cloud Protection, you can define the items shared for further analysis with WithSecure, including notification recipients within a public group, as well as how long reportable events will be stored for analytical purposes.


Everything you need in terms of support – from documentation to actually raising a support ticket – can also be found within the Cloud Protection App, removing the need to bookmark any of the resources.

By navigating to the Support section under the Administration tab, you can get in touch with support, access the Help Center, find out what’s new in the Release notes, or simply provide feedback on the functionality.


The minimum price starts at $1000/Salesforce org/year, with custom pricing available following a conversation about your user base and the volume of content you will be scanning.

The product trial is available for 30 days, which allows plenty of time for testing, as well as further conversations about your specific use cases.


As the chance of security threats grows alongside the evolution of technology, security is more important than ever before – whether this is in your Salesforce instance or on your local machine.

WithSecure’s commitment to building a scalable plug-and-play solution to prevent harmful content from being uploaded, or simply being accessed, should not go unnoticed. Visit the AppExchange to learn more about WithSecure’s solution.

The Author

Andreea Doroftei

Andreea is a Salesforce Technical Instructor at Salesforce Ben. She is an 18x certified Salesforce Professional with a passion for User Experience and Automation. 
