The File Protection feature in WithSecure Cloud Protection for Salesforce scans files across your Salesforce platform to detect cyber threats and restricted content.
This guide outlines the recommended File Protection configurations to ensure your environment is secure and compliant. Please adapt these best practices to align with your organization’s specific security policies, business processes, and customizations.
The guide covers optimizing File Protection settings, general application settings, and licensing settings. For further guidance or tailored recommendations, please reach out to the WithSecure Customer Success team.
File Protection settings
- Go to Administration -> File Protection

Scanning files and attachments
- Salesforce stores documents as Salesforce Files and Salesforce Attachments. We recommend enabling scanning for both.

- Enable Salesforce Attachments scanning for all objects in your environment.

- Note: Salesforce Files are scanned across all objects for licensed users. Object-based scanning restrictions apply only to Salesforce Attachments.
Advanced Threat Analysis
- We recommend enabling Advanced Threat Analysis for enhanced detection, including cloud sandboxing.
- Recommendation: Keep ‘Block file downloads until advanced threat analysis is completed’ turned off to prevent unnecessary delays.

Harmful content settings
- The default settings automatically remove harmful files on upload and block access to harmful files detected on download.
- Encrypted archives (password-protected files) cannot be scanned. We recommend removing or blocking access to these files.

Excluded file types
- Files excluded from scanning will not be analyzed for malware or ransomware threats.
- Recommendation: To ensure maximum security coverage, do not exclude file types unless you absolutely must.

Disallowed content
- The Disallowed Content feature can be used to allow or block specific file extensions.
- Recommendation: If using this as a disallowed list, keep the default settings, as most organizations have no valid business case for allowing risky file types (e.g., .exe files).

Advanced File Protection settings
- Keep ‘Treat unknown file reputation as’ set to “Safe”.
- Why? This ensures that files without a known reputation are scanned instead of being automatically blocked, which could disrupt business processes.

General settings
- Go to Administration -> General

Automatic updates
- Keep automatic updates enabled to receive the latest security enhancements, malware detection updates, and bug fixes.

Advanced settings

Data processing region
- For regulated industries, manually restricting processing to a specific region may be required.
- ‘Automatic’ region selection processes file and URL data in the Salesforce-hosted region.
- If AWS faces downtime in that region, processing will temporarily switch to another secure location.

Expiration time for scan results in cache
- We recommend setting the cache expiration time to 1 day.
- Why? Malware threats evolve constantly. A shorter cache period helps prevent zero-day malware propagation.

File scan timeout
- Increase the scan timeout to 120 seconds.
- Why? This prevents scans from timing out during high-traffic periods in your Salesforce environment.

Sharing settings
- Enable ‘Send complete files for malware and advanced threat scanning’ to ensure full security coverage.
- Optional settings:
  - Allow WithSecure Labs to collect suspicious executable files to enhance detection.
  - Allow WithSecure Labs to collect suspicious non-executable files to support security research and development.

Third-party services
- Allowing file and URL data to be shared with WithSecure’s trusted third-party services can significantly improve detection accuracy. All queries go through several layers of anonymization to ensure utmost confidentiality.

Licensing
- Go to Administration -> License
- Set ‘License Mode’ to ‘All Users’ to ensure all files are scanned on upload and download, protecting both internal and external users.
- Note: If ‘All Users’ mode is enabled, manual assignment rules are not required.
