Full user guide

WithSecure Cloud Protection for Salesforce is a cloud-based security solution that is designed to improve and extend the native security capabilities of the Salesforce platforms.

WithSecure Cloud Protection for Salesforce analyzes the content that enters or leaves the Salesforce cloud, so that files and URLs that are uploaded or downloaded from a Salesforce organization cannot be used in cyber attacks against your company, partners, or customers.

The solution comprises a native Salesforce application and WithSecure Security Cloud that provides file and website reputation and security services. The WithSecure Cloud Protection application is installed on Salesforce Sales, Service, or Experience Cloud (previously known as Community Cloud) that your company uses. You do not need to install any other software or make any changes to your network configuration.

WithSecure Security Cloud is a cloud-based threat analysis and response system. It analyzes the threat intelligence that is gathered by our millions of sensor nodes, creating a vast database of digital threats that builds a real-time picture of the global threat situation.

WithSecure Cloud Protection for Salesforce leverages this data to respond to changes in the global or local threat landscape within minutes. For example, when our heuristic and behavior analysis identifies a new zero-day attack, the information is shared with all our customers - rendering the advanced attack harmless very soon after the initial detection.

The solution is designed to reduce delays and it does not hinder the use of Salesforce. When analyzing files or content, the solution uses a multi-stage process that leverages WithSecure Security Cloud. The steps within this process are triggered based on the risk profile of the content. For example, only high-risk files go through a deeper analysis with our Smart Cloud Sandboxing technology, which is designed to prevent attacks using zero-day malware and other advanced threats.

WithSecure Cloud Protection for Salesforce is the ideal solution to handle your part of security under the Shared Responsibility model. It provides more than a simple antivirus software ever will. The solution integrates seamlessly with Salesforce and requires no middleware.

File protection

The solution provides advanced protection for files inside Salesforce. It protects them against malware, ransomware, exploits, and other advanced threats. It automatically scans uploaded and downloaded files with minimal impact on performance and user experience.

URL protection

The solution analyzes and blocks access to malicious URLs before they can compromise your network. The analysis is done with zero latency and requires very few resources.

Threat intelligence check

By leveraging real-time threat intelligence that is gathered from tens of millions of sensors, we can identify emerging and new threats within minutes of their inception, ensuring exceptional security against constantly evolving threats.

Multi-engine advanced antivirus

WithSecure technologies use behavioral analysis and multiple security layers to detect exploits and unknown malware that are used in targeted attacks.

Smart cloud sandboxing

When a high-risk file is found, it is subjected to deeper analysis with WithSecure Smart Cloud Sandboxing technology, blocking zero-day malware and advanced threats without any unnecessary delays.

Content filtering

The solution allows the detection and blocking of dangerous and inappropriate content that is not allowed according to security or compliance policies. Disallowed files can be filtered out based on the file type or file extension.

On-demand and scheduled scanning

Salesforce files and attachments can be scanned for harmful and disallowed content at any time or at predefined intervals. You can choose which files are scanned based on the creation or modification time, file type, or location.

Quarantine management

Harmful or disallowed content removed by File Protection can be viewed and restored with the quarantine management tool.

File replacement in alert details

When harmful content is removed and replaced by a text file, the object ID of the replacement file is reported in the alerts details.

Dynamic analytics and reporting

Dynamic analytics and reporting gives a holistic security overview of Salesforce content and an opportunity to follow your security strategy in action.
Rich reporting, advanced security analytics, and full audit trails help system administrators to respond to threats in Salesforce and to investigate attacks coming from unknown sources.

Alerting

You can automate reports of security incidents with email alerts that are sent to administrators and your security department.

Automatic updates

You can receive the new version of the app to your sandbox and production organizations automatically based on your preferences.

Scan page customization

The product banner shown on the scan pages can be customized. The organization can also change messages shown to the end users when harmful or disallowed content is blocked.

Scalable licensing

WithSecure offers a predictable licensing model based on your actual network traffic.

Automatic license assignment

Application licenses can be automatically assigned as standard user, community user, and community login user licenses to Salesforce users based on user profiles or other criteria.

Quick and easy installation

The installation takes only a few minutes from Salesforce AppExchange. You do not need to install any software on end-user devices, deploy any proxies, or make any MX changes.

Lightning ready

The application supports both Salesforce Classical and Lightning Experience User Interface.

This section provides instructions for deploying WithSecure Cloud Protection in your Salesforce organization.

Deploying the application involves the following steps:

• Installing the application
• Assigning permission sets and licenses
• Configuring the application settings

If you are upgrading from the previous version, see 2.5 Upgrading the application.

The WithSecure Cloud Protection application supports Salesforce Classic and Lightning Experience user interfaces, and can be installed to the Salesforce Editions listed here.

• Enterprise
• Performance
• Unlimited
• Developer

Note: We highly recommend that you verify the application in a sandbox before you deploy it to your production environment.

Check the Salesforce settings here before you start to install WithSecure Cloud Protection for Salesforce.

To install and use WithSecure Cloud Protection, the Chatter feature must be on in your Salesforce organization.

To turn on the Chatter feature:

1. Log in to Salesforce with your System Administrator account.
2. Go to your organization settings and select Setup.
3. Navigate to Feature Settings > Chatter > Chatter Settings.
4. Select Edit to change the settings.
5. Select Enable under Chatter Settings and then select Save.

To prevent broken user mentions in the Chatter posts and comments, we highly recommend that you turn on the Allow users to edit posts and comments setting in the Chatter settings.

To turn this setting on in your Salesforce organization:

1. Log in to Salesforce with your System Administrator account.
2. Go to your organization settings and select Setup.
3. Navigate to Feature Settings > Chatter > Chatter Settings.
4. Select Edit to change the settings.
5. Under Post and Comment Modification, select Allow users to edit posts and comments and then select Save.

If you are storing files as attachments and use Salesforce Classic user interface, we recommend that you turn on the Files uploaded to the Attachments related list on records are uploaded as Salesforce Files, not as attachments setting.

By turning on this setting, files that are uploaded as attachments are converted to Salesforce files and scanned by WithSecure Cloud Protection when uploaded or downloaded.

To turn this setting on in your Salesforce organization:

1. Log in to Salesforce with your System Administrator account.
2. Go to your organization settings and select Setup.
3. Navigate to Feature Settings > Salesforce Files > General Settings.
4. Select Edit to change the settings.
5. Select Files uploaded to the Attachments related list on records are uploaded as Salesforce Files, not as attachments and then select Save.

The default language for WithSecure Cloud Protection is English, but you can also activate other supported languages.

WithSecure Cloud Protection currently supports the following languages:

• Chinese (Simplified)
• Chinese (Traditional)
• Czech
• English
• French
• German
• Hungarian
• Italian
• Japanese
• Korean
• Polish
• Portuguese
• Russian
• Slovak
• Spanish
• Thai
• Turkish

Note: The administrator's selected language during installation is used as the default language for alerts.

To activate other languages:

1. Log in to Salesforce with your System Administrator account.
2. Go to your organization settings and select Setup.
3. Select User Interface > Translation Workbench > Translation Settings from the menu.
4. Select the Active checkbox for the language that you want.

Users within your organization can now use WithSecure Cloud Protection in the activated language if they have selected that language in their account settings, under Settings > My Personal Information > Language & Time Zone.

Follow these instructions to install the application to your Salesforce organization.

1. Log in to Salesforce with your System Administrator account.
2. Go to the Salesforce AppExchange marketplace, find the WithSecure Cloud Protection application, and select Get It Now to start the installation.

3. WithSecure Cloud Protection is listed on Salesforce AppExchange here: https://appexchange.salesforce.com/listingDetail?listingId=a0N3A00000EFntJUAT.

   Note: If you are installing a release preview or beta version of the WithSecure Cloud Protection application, you will receive a direct link to the managed installation package. To start the installation, open the link in your web browser.

   Note: If you already have a release preview or beta version of the application installed, uninstall it before you install the new version of the application.

4. Depending on whether you are installing the application to your production Salesforce org or Sandbox, choose Install in production or Install in Sandbox.
5. Check the installation details.
6. Select I have read and agree to the terms and conditions and then select Confirm and Install.
7. Select Install for Admins Only and then select Install.
8. Select Yes, grant access to these third-party web sites to allow the application to connect to the WithSecure Security Cloud services. Then, select Continue.
9. Wait until the installation is compl

   Important: If you receive a message that the app is taking too long to install, wait for a confirmation email from Salesforce that the app has been installed.

10. Select Done when the installation is complete.

WithSecure Cloud Protection has been installed successfully.

After you have installed the application, you need to assign WithSecure Cloud Protection permission sets and licenses.

You need to assign the WithSecure Cloud Protection User permission set to all active users within your organization even if you do not have WithSecure software license purchased for some of them.

Follow these instructions to assign the WithSecure Cloud Protection User permission set.

1. Log into Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > Tools and select Assign under Manage user permission set.

4. All active users within your Salesforce organization get the WithSecure Cloud Protection User permission set assigned.

5. Under Administration > Tools, select Enable to turn on the automatic assignment of the WithSecure Cloud Protection User permission set to new users who are added to your Salesforce organization after the WithSecure application has been installed.

    

   Tip: We recommend that you keep this option turned on.

    

Note: The permission set is assigned to active users in the background.

The app creates informational alerts when the tasks are activated and complete.

If the assignment of the WithSecure permission set fails, the app generates an error alert with a list of user IDs that did not receive the permission set.

You need to assign WithSecure Cloud Protection Admin permission set to users who are allowed to access the application settings, analytics, and reports.

Follow these steps to assign the WithSecure Cloud Protection Admin permission set:

1. Log into Salesforce with your System Administrator account.
2. Go to your organization settings and select Setup.
3. Select Users > Permission Sets > WithSecure Cloud Protection Admin.
4. Select Manage Assignments.
5. Select Add Assignments.
6. Select all the users who need to access the WithSecure Cloud Protection application, analytics, and reports, and then select Add Assignments.

WithSecure Cloud Protection licenses must be assigned to all users who administer the application or who are protected against security threats associated with harmful and disallowed content.

Note: Users without assigned WithSecure licenses are not protected by WithSecure Cloud Protection. They are at risk of accessing harmful or disallowed content that may get into your Salesforce organization

Follow the steps below to assign WithSecure Cloud Protection licenses to your users:

1. Log into Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > License.
4. Depending on the number of licenses you have purchased, do one of the following:
   • If you have purchased WithSecure licenses for a limited number of users, set the License mode to Selected users, select Save and proceed to the next step.
   • If you have purchased WithSecure licenses for all users in your organization, set the License mode to All users and select Save.
5. Select the Select licensed users link. The Assign Licenses window opens.
6. Search by the user name, profile, or department, or scroll through the list to find the users who need the license.
7. Select Assign in the Action column to assign the license to the selected user. You can also select Assign All to assign WithSecure Cloud Protection licenses to the list of users retrieved by your search.
8. Select Close when you are done. 

You can consider turning on automatic license assignments on user profiles or other criteria: 

• Click Manage automatic license assignments....
• Define the search criteria to add a new automatic license assignment rule

You can use Name, Profile, Role, Email, Company, Division, and Licensed values for the search criteria. The search box supports partial and full matches:

• Profile=System finds any user whose profile name contains System, such as System Administrator.
• Profile="System" finds only users with a profile named System.
• You can use the percent sign as a wildcard to match any characters, for example Profile=S%A will find users with profiles like System Administrator but also Standard User and so on.

Click Add. The rule is added to the table, and you can add more rules as needed.

Note: The rules you add are read using "OR" between the lines. In other words, the rules mean that licenses are assigned automatically to new users that only match one of the rules in the table. To define an "AND" condition, write the search criteria on the same line, for example "Profile=System, Department=Sales"

• Switch on Automatic license assignments to take the specified rules into use.

When WithSecure licenses are assigned to a large number of users, the app assigns these licenses in the background and reports the status or any errors as alerts.

The latest version of the WithSecure Cloud Protection application is always available in Salesforce AppExchange. Upgrading the application from the previous version preserves all the existing settings and analytics data.

Note: You cannot upgrade from a release preview or beta version of the application. Uninstall the previous version and then install the new version of the application.

1. Go to the Salesforce AppExchange marketplace, find the WithSecure Cloud Protection application, and select Get It Now to start installation.

2. WithSecure Cloud Protection is listed on Salesforce AppExchange here: https://appexchange.salesforce.com/listingDetail?listingId=a0N3A00000EFntJUAT.

3. Depending on whether you are installing the application to your production Salesforce org or Sandbox, choose Install in production or Install in Sandbox.
4. Check the installation details.
5. Select I have read and agree to the terms and conditions and then select Confirm and Install.
6. Select Install for Admins Only and then select Upgrade.
7. Select Yes, grant access to these third-party web sites to allow the application to connect to the WithSecure Security Cloud services, and then select Continue.
8. Wait until the installation is complete.

    

   Important: If you receive a message that the app is taking too long to install, wait for a confirmation email from Salesforce that the app has been installed.

    

9. Select Done when the installation is complete.

WithSecure Cloud Protection has been upgraded successfully.

This section describes the application settings that you need to check and configure after the installation.

WithSecure Cloud Protection sends security alerts and user notifications by email.

Security alerts are sent to the WithSecure Cloud Protection Admins group. User notifications are sent to internal users within your Salesforce organization. You need to create an organization- wide email address that is used to send security alerts and user notifications from.

Note: The email address used for security alerts and user notifications must exist and be valid. You must verify the email address before Salesforce allows you to use it.

Follow these instructions to configure the WithSecure Cloud Protection Admins and email address to send security alerts and user notifications.

1. Log in to Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > General.
4. Open the Notifications panel.
5. Select the WithSecure Cloud Protection Admins link.
6. Select Edit, and add the users who will receive security alerts from WithSecure Cloud Protection and then select Save.
7. Go back to Administration > General and select Configure organization-wide email addresses… on the Notifications panel.
8. Next to User Selectable Organization-Wide Email Addresses, select Add.
9. Specify the display name and email address, and then select Save.
10. Go to Administration > General Settings > General.
11. Under Notifications, next to Send email notifications from this address, select the email address that you created previously.
12. Select Save to save the changes.

Follow these instructions to choose when to send alerts to administrators and users, and to edit the warning messages.

1. Go to App Launcher and open Cloud Protection.
2. Go to the Administration > File Protection tab.
3. Open Notifications to configure file protection alerts and messages.
   • Select Send a security alert when harmful content is detected to send an alert to administrators when harmful content is uploaded or downloaded from the Salesforce cloud.
   • Select Send a security alert when disallowed content is detected to send an alert to administrators when disallowed content is uploaded or downloaded from the Salesforce cloud.
   • Select Send a warning message to internal users when they upload harmful content to send an alert to users when they upload malicious content to the Salesforce cloud.
   • Select Send a warning message to internal users when they upload disallowed content to send an alert to users when they upload disallowed content to the Salesforce cloud.
   • Select Send a security alert when content reputation changes to send an alert to administrators when the reputation for a file changes.

4. If you have selected to remove harmful or disallowed files when the scan finds them, turn on Replace removed harmful content with a text file or Replace removed disallowed content with a text file to use a placeholder text file in place of the removed file. To edit the files, click Configure file replacement.

5. Go to the Administration > URL Protection tab.
6. Open Notifications to configure URL protection alerts and messages.
   • Select Send a security alert when a harmful URL is detected to send an alert to administrators when a harmful web link is published or clicked on the Salesforce cloud.
   • Select Send a security alert when a disallowed URL is detected to send an alert to administrators when a disallowed web link is published or clicked on the Salesforce cloud.
   • Select Send a warning message to internal users when they upload a harmful URL to send an alert to users when they publish a harmful web link to the Salesforce cloud.
   • Select Send a warning message to internal users when they upload a disallowed URL to send an alert to users when they publish a disallowed web link to the Salesforce cloud.
   • Select Send a security alert when the URL reputation changes to send an alert to administrators when the reputation for a web link that has been published to the Salesforce cloud changes.

This section describes how to set up the basic File Protection scan settings.

Follow these instructions to configure how to scan files that are uploaded and downloaded from Salesforce.

1. Log in to Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > File Protection.
4. Depending on how the content that you want to check is stored, switch on Scan content stored as Salesforce Attachments, Scan content stored as Salesforce Files, or both.
5. If you are scanning attachments, select Configure locations to specify the sources of content that you want to check.
   • Choose Selected objects and select the sources that you want to check.
   • Choose All objects if you want to check all available attachments.
6. Click Confirm.
7. Turn on Scan files for harmful content on upload and Scan files for harmful content on download.
8. Select what happens when harmful content is found.
   • Allow access neither blocks nor removes harmful files that are found during the scan.
   • Remove file moves harmful files that are found during scanning to the quarantine.
   • Block access blocks all access to harmful files, but does not remove them.
9. If necessary, change the file types or file extensions that are scanned:

• Select All except excluded or Only included.
  • Select Configure excluded file types and extensions or Configure included file types and extensions.
  • Specify the list of relevant file types or extensions.
  • Use the file type or file extension, for example WORD_X or docx.
  • Note: File type identification is based on the type as it is listed in Salesforce. To see examples of the file types, you can view the details of files listed on the Analytics > File Events page.
  • If the type or extension that you want is not listed, enter it in the text field and select Add.
  • Select Save.

10. To configure what WithSecure Cloud Protection does when it detects disallowed content that is uploaded or downloaded by Salesforce users:

1. Go to Administration > File Protection.
2. Turn on Scan files for disallowed content on upload and Scan files for disallowed content on download.
3. Select what happens when harmful content is foun

• Allow access neither blocks nor removes disallowed files that are found during the scan.
• Remove file moves disallowed files that are found during scanning to the quarantine.
• Block access blocks all access to disallowed files, but does not remove them.

11. If necessary, change the file types or file extensions that you want to allow or disallow:

1. Select Only disallowed or All except allowed.
2. Select Configure disallowed file types or Configure allowed file types.
3. Specify the list of relevant file types or extensions. Use the file type or file extension, for example WORD_X or docx.
4. If the type or extension that you want is not listed, enter it in the text field and select Add.
5. Select Save.

This section describes how to set up the URL protection scan settings.

Follow these instructions to block harmful and disallowed links in your Salesforce organization.

1. Log in to Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > URL Protection.
4. Under General, make sure that Scan URLs in standard objects is turned on.
5. Under Configure objects, select objects that you want to scan.

   Note: We recommend that you select all objects from the list.

6. To block access to harmful websites:
   1. Under Settings, turn on Check reputation of URLs.
   2. In When URL is rated harmful, select Block access.
7. To block websites with disallowed content:
   1. Under Settings, turn on Check category of URLs.
   2. In the Select disallowed categories list, select the content that you want to block.
   3. In When a disallowed URL is found, select Block access.
8. To use click time protection:
   1. Under Settings, turn on Replace URLs with click time protection links.
   2. Select Configure Objects and select objects that you want to include in the click time protectio

      Note: We recommend that you select all objects from the list.
      

9. To allow access to specified websites:
   1. Select Exclusions.
   2. Turn on Exclude trusted domains, hosts, and URLs.
   3. Select Open the list of trusted domains, hosts, and URLs to specify websites that are never blocked.
   4. Turn on Exclude domains that support rich link previews and select Open the list of domains to specify websites from which embedded videos, images, and article previews are allowed.
10. Select Advanced.
11. Turn on Custom Chatter integration for processing posts and comments to create the WithSecure Cloud Protection Edit Chatter Posts permission set. Assign this permission set with the WithSecure Cloud Protection User permission set to all users as described in the Assign WithSecure Cloud Protection User permission set section.
12. Turn off Report excluded URLs in Analytics if you do not want to show excluded URLs in the analytics reports.
13. Turn off Show original URLs in redirect links if you do not want to show the original URL in links.
14. Select Save to save all the changes.

Both manual and scheduled scans use the same shared settings for what is scanned, how detections are handled, and what notifications are sent.

1. Log in to Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > Manual Scan.
4. Under Settings, switch on Scan files for harmful content.
   1. Select All except excluded or Only included.
   2. Select Configure excluded file types and extensions or Configure included file types and extensions.
   3. Specify the list of relevant file types or extensions.

   4. Use the file type or file extension, for example WORD_X or docx.

      Note: File type identification is based on the type as it is listed in Salesforce. To see examples of the file types, you can view the details of files listed on the Analytics > File Events page.

   5. If the type or extension that you want is not listed, enter it in the text field and select Add.
   6. Select Save.

5. To configure the type of files that are scanned:

6. Switch on Scan files for disallowed content if you also want to check for certain types of content.
   1. Select Only disallowed or All except allowed.
   2. Select Configure disallowed file types or Configure allowed file types.
   3. Specify the list of relevant file types or extensions.

   4. Use the file type or file extension, for example WORD_X or docx.

   5. If the type or extension that you want is not listed, enter it in the text field and select Add.
   6. Select Save.

7. To set the type of files that are disallowed:

8. Select what happens when the product finds harmful or disallowed content.
   • Report only includes the detection in reports and notifications, but does not do anything to the file.
   • Remove file places the file in quarantine and also includes the detection in reports and notifications.
9. Set the notifications for scans.

10. The notifications are sent to the recipients set in Administration > General > Notifications.

    To edit the notification templates, click Configure security alert message or Configure file replacement for the selected notifications.

11. Select Advanced and check the settings there:
    • Turn on Report harmful or disallowed content only if you do not want the scan results to show clean or excluded files.
    • Turn on Update hash checksums for scanned files if you want to update the file modification timestamps for scanned files. This updates the SHA value for the scanned file, which also sets the time of the most recent change for the file.
    • Turn on Maximum number of files per batch if you want to define how many files are processed in one batch.

      Note: Normally, this setting does not need changing. However, if the Exceeded maximum time error appears, it is recommended to decrease the value defined in this setting.

Manual and scheduled scanning with WithSecure Cloud Protection require special permissions that allow the processing of all files in Salesforce.

To create the set of required permissions:

1. Log in to Salesforce with your System Administrator account.
2. Go to your organization settings and select Setup.
3. Navigate to Administration > Users > Permission Sets.
4. Click New to create a new permission set.
5. Enter a Label and API Name for the new permission set. For example, enter WithSecure Cloud Protection Manual Scan and use the automatically generated API name: WithSecure_Cloud_Protection_Manual_Scan.
6. Click Save.
7. On the page with the newly created permission set, click App Permissions under the Apps section.
8. On the App Permissions page, click Edit.
9. Under Content, select Query All Files.
10. Click Save.
11. Click Save in the Permission Changes Confirmation dialog to enable the additional system and object permissions. The new permission set is now created.
12. Click Manage Assignments and assign the new permission set to the users who need to run manual or scheduled scans.

Follow these instructions to set up automatic updates.

After a new version of the application has been validated internally and reviewed by the Salesforce security team, it is published in Salesforce AppExchange.

1. Go to App Launcher and open Cloud Protection.
2. Go to the General tab.
3. Open Automatic updates.
4. Turn on Install product updates automatically to receive new versions of the app automatically.
5. In Preferred week day and time to install updates, select the day and time when you want to have the new version installed to your Salesforce org environment

    

   Note: Updates are queued in Salesforce and may not take effect immediately at the preferred time. The exact time when updates are installed to your Salesforce org will depend on the upgrade queue. Per the product Lifecycle policy, WithSecure™ reserves the right to push product updates irrespective of the automatic update settings.

6. To check when updates have been installed successfully, go to Analytics > Alerts.

   Note: When a new version is installed, the app sends an email notification to the users added to the WithSecure Cloud Protection Admins group.

Follow these instructions to choose what information you want to contribute to Security Cloud.

Security Cloud is an analytics engine and information repository for malware and a variety of other digital threats. Security Cloud's reputation services provide a fast way to identify known safe and malicious objects, it can perform both automated and manual analysis of suspicious objects, and it aggregates information on a global scale about objects in order to increase protection accuracy.

We apply a set of strict privacy principles to avoid collecting sensitive personal data and ensure that only essential technical data arrives on our servers.

1. Go to App Launcher and open Cloud Protection.
2. Go to the Administration > General tab.
3. Change the settings under Privacy.
   1. WithSecure Cloud Protection primarily performs queries to Security Cloud with the hash of a file. Turn on Send complete files for malware and advanced threat scanning to send the complete file instead of just its hash for analysis. We recommend that you keep this option on to allow WithSecure Cloud Protection to detect advanced threats and complex malware as soon as possible. Files submitted for advanced threat scanning are deleted immediately after processing.
   2. Turn on Allow WithSecure Labs to collect suspicious executable files for analysis to send unknown executable files for deeper analysis.

   3. Interpreted code, like Flash, Silverlight, and scripts may also be handled as executable files.

   4. Turn on Allow WithSecure Labs to collect suspicious non-executable files for analysis to send potentially harmful data files for deeper analysis.
   5. Select what data you want to allow to be shared with third-party services when a file triggers a detection for threat analysis:
      • Do not allow: No data is shared with third-party services.
      • Metadata only: Only file metadata can be shared.
      • Whole content: Files can be shared.

This section describes various tasks related to the regular use of WithSecure Cloud Protection for Salesforce.

By default, WithSecure Cloud Protection for Salesforce automatically checks the content that is uploaded, downloaded, or accessed in your organization.

In addition to automatically checking content that is uploaded, downloaded, or accessed in your organization, you can use the product to manually check the content that is stored in your organization.

Note: You must have special permissions assigned to your user account to use manual and scheduled scanning.

1. Log in to Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > Manual Scan.
4. Depending on how the content that you want to check is stored, switch on Scan content stored as Salesforce Attachments, Scan content stored as Salesforce Files, or both.
5. If you are scanning attachments, select Configure locations to specify the sources of content that you want to check.
   • Choose Selected objects and select the sources that you want to check.
   • Choose All objects if you want to check all available attachments.
6. Click Confirm.
7. Set the date range for the content to check and whether the date is based on when the content was created or when it was last modified.
8. Set Maximum number of files to scan.
9. Click Scan now.

10. A Scan Job Started notification appears.

There is no separate report of the scan results, but the Analytics > File Events page shows you any files that are processed during the scan. The Direction column shows Scan Job for events related to manual and scheduled scans.

You can set up scheduled scanning tasks in Cloud Protection for Salesforce to check your organization's content at specific times.

Note: You must have special permissions assigned to your user account to use manual and scheduled scanning.

To create a new scheduled scanning task:

1. Log in to Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > Manual Scan.
4. Select Scheduled Scanning and then click Create.

5. This opens the Schedule Apex view, where you can set up your scheduled task.

6. Edit the Job Name.
7. Select Weekly or Monthly as the frequency.
8. Set the recurrence for the task.
9. Set the Start and End dates for the task.
10. Select the Preferred Start Time.
11. Click Save.

There is no separate report of the scan results, but the Analytics > File Events page shows you any files that are processed during the scan. The Direction column shows Scan Job for events related to manual and scheduled scans.

To edit the scheduled task later, click View scheduled jobs under Scheduled Scanning to open the Schedule Apex view, then click Manage for your task.

Sometimes you might want not to scan certain file types or specific file extensions. Excluded files are never scanned unless you remove them from the excluded lists.

To remove file types or file extensions from the scan:

1. Go to App Launcher and open Cloud Protection.
2. Find the file type or file extension to exclude:
   1. Go to Analytics > File Events.
   2. Select View at the end of the event row for a file that you do not want to scan.

   3. The File Extension and File Type are listed in the File Event History view, next to the File Name.

3. Go to the Administration > File Protection tab.
4. Open Exclusions to remove files based on either their type or extension from scanning.
   • Turn on Exclude files by file type, select Open the list of file types, and specify which file types should not be scanned.
   • Turn on Exclude files by file extension, select Open the list of file extensions, and specify which file extensions should not be scanned.

Sometimes scanning engines incorrectly identify a file or a website as malicious or safe. Reporting them helps us to improve the detection accuracy and protect you from real threats. To report an incorrectly identified file or website:

Log in to Salesforce with your System Administrator account.

2. Go to App Launcher and open Cloud Protection.

3. Go to Analytics > File Events to report a file or Analytics > URL Events to report a website.

4. Select the file or URL that you want to report.

After selecting, the event details view opens.

• Select Report as false positive to report a safe file or website that has been incorrectly identified as unsafe or categorized inaccurately.
• Select Report as false negative to report a malicious file or website that has been incorrectly identified as safe or categorized inaccurately

5. Select Report in the confirmation dialog that opens.

When reporting a URL, choose the reason why you want the URL to be reanalyzed.

• Select Harmless URL is blocked when a safe website has been identified as harmful.
• Select Harmful URL is not blocked when a website that is identified as safe is harmful.
• Select Allowed URL is blocked when the website is blocked because it has been categorized incorrectly.
• Select Disallowed URL is not blocked when the website is not blocked because it has been
  categorized incorrectly.

Tip: If you suspect a file is harmful or that a file or a website has been incorrectly detected and rated, you may submit it for analysis at any time using our Submit a sample website.

Cloud Protection for Salesforce moves detected harmful files to the quarantine so that they do not pose any further risk for your organization.

Note: The quarantine is based on the Salesforce recycle bin, so stored content is deleted permanently based on your organization's settings for the recycle bin. You should check the quarantine as soon as possible after receiving alerts of harmful files to make sure that you can check the file if necessary before it is deleted permanently.

To view quarantined content:

1. Log in to Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > Quarantine.

Click View to see the details for a file.

To permanently delete a file: 

1. Select the files that you want to delete.
2. Click Delete.
3. Click Confirm.

To restore a quarantined file:

1. Select the files that you want to restore.
2. Click Restore.

3. This returns the selected files to their original location and allows you to access them again.

WithSecure Cloud Protection stores its scan results in the scan result cache to optimize performance. This cache is cleaned up periodically, but you may want to delete all scan results from the cache manually, for example while testing the product.

1. Go to App Launcher and open Cloud Protection.
2. Go to the Administration > Tools tab.
3. Under Clean up scan result cache, click Start.
4. To set how long scan results are stored in the cache:
   1. Go to the Administration > General > Advanced tab.
   2. In Expiration time (TTL) for scan results in the cache, select how long scan results are stored in the cache.

The Connected App with WithSecure Cloud Protection for Salesforce is designed to enhance the existing scanning capabilities and provide more effective protection for your business-critical platform now and in the future.

WithSecure Cloud Protection for Salesforce is a seamlessly integrated solution that typically operates without requiring external data access to your Salesforce environment. However, due to certain execution limits within the Salesforce platform, processing large volumes of data can occasionally lead to performance issues. The WithSecure Cloud Protection connected app ensures optimal security with minimal impact on Salesforce's performance even in situations like this.

The connected app allows WithSecure Cloud Protection to perform thorough threat analysis, ensuring comprehensive protection against zero-day exploits and advanced malware as soon as they emerge and by leveraging asynchronous processing, it minimizes the impact on Salesforce's performance, allowing your platform to continue operating smoothly even during intensive security operations.

The connected app is not mandatory, but we strongly recommend using it, especially if you store large files within your Salesforce environment.

Before using the WithSecure Cloud Protection connected app, you need to set up the user account and assign the required permissions in Salesforce.

Withsecure Cloud Protection accesses your Salesforce organization under the account that enables the integration. This account requires different access levels to Salesforce data and features compared to regular user accounts. We highly recommend that you create a dedicated user account for the connected app and assign only the required permissions for the account.

Creating a separate integration account improves audit trails and access management for Salesforce data. For example during troubleshooting, a separate account makes it easier to trace integration issues to the specific account instead of trying to identify the user account that is causing the issue.

Follow these steps to create a new integration user for WithSecure Cloud Protection connected app.

1. Open the Salesforce Setup interface.
2. Go to Administration > Users > Users.
3. Select New User to create a new user.
4. Enter the Last Name, Alias, Email, Username and other details for a new user account as appropriate.
   • For User License, select Salesforce.
   • For Profile, select Standard User.
5. Select Save.

6. The new user is created and an email message is sent to the email address that is specified in Email.

7. Set up the login password by logging in with the new user account to complete account creation.

8. Secure the integration account with a strong password and remember to regularly monitor the account for any signs of suspicious activity.

Create the permission set for the app and assign proper permission sets to the integration user to use and manage the connected app within the Salesforce environment.

Follow these steps to create a new permission set with the required permissions.

1. Open the Salesforce Setup interface.
2. Go to Administration > Users > Permission Sets.
3. Select New to create a new permission set.
4. Enter the Label and API name for the new permission set. For example, the label can be WithSecure Cloud Protection Connected App with auto-generated API name: WithSecure_Cloud_Protection_Connected_App.
5. Select Save.
6. On the page with the newly created permission set, select System Permissions.
7. On the page with System Permissions, select Edit.
8. In the System section, select API Enabled and View All Data checkboxes.
9. Select Save.
10. Select Save in Permission Changes Confirmation dialog to turn on additional system and object permissions. The new permission set is now created.
11. In the Salesforce Setup interface, go to Administration > Users > Users to set permission rights for the dedicated user.
12. Select the user account that you created for the WithSecure Cloud Protection connected app.
13. Select Permission Set Assignments and then Edit Assignments.
14. On the list of Available Permission Sets, select WithSecure Cloud Protection Admin and the permission set that you created earlier for the WithSecure Cloud Protection connected app.
15. Select Save.

Instructions how to take the connected app into use in WithSecure Cloud Protection app.

1. Log in to Salesforce with the account that you created for the WithSecure Cloud Protection connected app.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > Tools.
4. Select Connect under Manage connected app.
5. Select Connect in the Connect WithSecure Cloud Protection dialog.
6. In the Allow Access dialog, verify the requested permissions and select Allow.
7. Select Close window.
8. Check the status on the Administration > Tools page to make sure that Cloud Protection connected app is connected.

URLs have the potential to transform from harmless-looking links to dangerous payloads over time, even if they initially appeared safe upon upload. With click-time protection, you can ensure the safety of URLs is verified in real-time whenever they are clicked. This prevents users from falling into previously dormant traps and safeguards your organization against potential data breaches or system compromises.

You can turn URL protection on or off for specific Salesforce objects based on your preferences. For example, you can apply click-time protection to Chatter posts to provide maximum protection for your internal users while disabling it for outbound emails sent to external customers.

Follow these instructions to turn on the click-time URL protection and tailor it to suit your security requirements.

1. Go to App Launcher and open Cloud Protection.
2. Go to Administration > URL Protection.
3. Under General, make sure that Scan URLs in standard objects is turned on.
4. Select Configure locations to select Salesforce objects that you want to be included for URL scanning. URLs in these objects are scanned for security threats when they are uploaded to Salesforce.
5. Select Confirm.
6. Open Settings and make sure that When URL is rated harmful is set to Block access.
7. Turn on Replace URLs with click time protection links.
8. Select Configure objects to select Salesforce objects that you want to be included in click-time URL protection.
9. Select Confirm.
10. Select Save to save your changes.

The advanced threat analysis utilizes advanced detection capabilities, such as cloud sandboxing, to thoroughly scan uploaded files. Advanced threat analysis provides a more thorough scan compared to the initial file scan. It scans files in a sandboxing environment, which takes longer but identifies malicious files more reliably.

Note: You need to use WithSecure Cloud Protection Connected App to take the advanced threat analysis into use.

Tip: For increased security, block file downloads during advanced threat analysis. This may result in longer wait times for file access.

1. Go to App Launcher and open Cloud Protection.
2. Go to Administration > File Protection.
3. Under Settings, turn on Advanced threat analysis.
4. Select Save to save your changes.

Follow these instructions to view security alerts.

1. Go to App Launcher and open Cloud Protection.
2. Go to the Analytics tab.
   • The Alerts view shows all security alerts.
   • The File Events view shows all events from the file scan.
   • The URL Events view shows all events from the web link reputation and category checks.
3. Click View at the end of the alert or event row to see the full details of the alert or the event history.
4. Use search values to narrow down the listed results.
   • Supported values for the Alerts view: TIME, SEVERITY, SOURCE, USER, REASON.
   • Supported values for the File Events view: TIME, ACTION, VERDICT, FILENAME, FILETYPE, DIRECTION, LOCATION, SHA1, USER, IPADDRESS.
   • Supported values for the URL Events view: TIME, ACTION, VERDICT, URL, DIRECTION, LOCATION, USER, IPADDRESS, CATEGORY.
   • To search events on a certain date and time, use the date and time values based on your current locale. The search supports all Salesforce SOQL date literals.
   • Find critical alerts that are related to the file protection in the Alerts view: SEVERITY=Critical, SOURCE=File Protection
   • Find all uploaded files that have been blocked in the File Events view: ACTION=Blocked, DIRECTION=Upload
   • Find all blocked download attempts for the Sales Report.xlsx file in the File Events view: ACTION=Blocked, DIRECTION=Download, FILENAME=Sales Report.xlsx
   • Find all blocked URLs that have been posted by users in the URL Events view: ACTION=Blocked, DIRECTION=Post
   • Find all URLs that have been opened from the IP address 192.168.0.1 in the URL Events view: DIRECTION=Open, IPADDRESS=192.168.0.1
   • TIME=31/12/2016 12:00
   • TIME=31/12/2016 12:00...12/12/2016 14:00
   • STARTTIME=31/12/2016 12:00
   • ENDTIME=31/12/2016 12:00
   • TIME=31/12/2016>5d
   • TIME=31/12/2016 12:00>5h
   • TIME=YESTERDAY

5. Search examples:

   Date and time search examples (locale: English (United Kingdom))

WithSecure Cloud Protection's reporting provides information that is useful both in getting a quick overview of the protection status and in investigating or responding to an attack.

The reporting information includes infection-related statistics, such as infections found and their sources, a comparison of the trends between safe and unsafe files, as well as the amount of currently protected files. WithSecure Cloud Protection for Salesforce also reports the most commonly used file types, the most frequently occurring sources, and the most active users.

Follow these instructions to view reports for WithSecure Cloud Protection for Salesforce.

1. Go to App Launcher and open Cloud Protection.
2. Go to the Summary tab. The Summary view shows the all-time statistics of scanned files and blocked URLs, and the total number of alerts.
   Note: It is a good idea to monitor the number of alerts, especially those listed as Critical and Important. Sudden increases in these numbers may indicate security issues within your organization.
3. To see a filtered view of a specific type of alert, click the corresponding number in the Alerts table.
4. Click the More reports drop-down and select a report to view the protected content analytics and more details of file and URL protection.
   1. Click Subscribe.
   2. Set the frequency and time for sending the report.
   3. Click Edit Recipients and add any other users who should receive the report.
   4. Click Save.

5. Each of these reports contains a number of charts and graphs that provide details of the protection status of your organization. You can edit the reports and save them as new, customized reports if necessary.

   To schedule email delivery of a report:

To create a new report using the available attributes:

1. Click the drop-down icon next to Subscribe and select New Dashboard.
2. Enter a name and description for the report and select a folder, then click Create.
3. Use the Component and Filter options on the toolbar to select what to include in the report.
4. Click Save.
5. Click Done when you have finished editing the report.

Attributes for file reports:

• Created By: Full Name
• Created Date
• Date/Time
• File Extension
• File Name
• File Scan ID
• File Size
• File Type
• IP Address
• Last Modified By: Full Name
• Last Modified Date
• Name
• Owner: Full Name
• Record Id
• Scan Type
• SHA1
• Location
• User: Full Name
• Verdict
• Owner (First Name, Full Name, Last Name, Owner ID, Phone, Profile: Name, Rule: Name, Title, Username, Email, Alias, Active)
• Reason
• File Prevalence
• File Reputation Rating

Attributes for URL reports:

• URL Scan: ID
• URL Scan: Name
• Action
• Categories
• Date/Time
• Direction
• IP Address
• Location
• Reason
• Reputation
• Reputation Description
• URL
• User
• Verdict
• Owner Name
• Owner Alias
• Owner Role
• Created By
• Created Alias
• Created Date
• Last Modified By
• Last Modified Alias
• Last Modified Date

The License page in WithSecure Cloud Protection for Salesforce includes details on your license status and usage.

1. Log in to Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to the Administration > License page.

4. This page shows you the current status and expiration date for your license, as well as information on the license usage and scanning usage statistics.

You can choose the geographic region where your data is processed. By default, WithSecure Cloud Protection for Salesforce automatically selects the nearest data processing region. If your company has compliance, performance, or data residency requirements that necessitate choosing the geographic location for data processing, follow these instructions.

1. Go to App Launcher and open Cloud Protection.
2. Go to Administration > General.
3. Under Advanced, open the Data processing region drop-down menu and select your new region. Note: The Automatic selection chooses the closest active region automatically.
4. Select Save to save your changes. Because the remote site has not been set up yet, a notification opens that reminds you to create a new remote site setting.
5. Copy the URL address from the notification.
6. Open Salesforce, go to Setup, and browse to Remote Site Settings. The Remote Site Settings setup view opens.
7. Select New Remote Site.
   a) Enter the name of your site to Remote Site Name.
   b) Paste the URL that you copied earlier to Remote Site URL.
   c) Select Save.
8. Open the Cloud Protection app again.
9. Go to Administration > General.
10. Under Advanced, open the Data processing region drop-down menu and select your new region again.
11. Select Save to save your changes. A notification tells you that the new setting has been saved.
    
    

Your data will be processed in the location that you chose.

After you have installed and configured the WithSecure Cloud Protection application, test that the file protection and the URL protection are working.

Follow these instructions to test the file protection with the Eicar test file.

1. Download the Eicar.com test file from https://www.eicar.org/download-anti-malware-testfile/ and rename it to Example_MaliciousFile.docx

   Note: Even though it is not harmful, Eicar.com is identified as malware for testing purposes. If your anti-malware protection blocks the file, exclude a folder from real-time scanning and place the Eicar.com file there.

2. Upload Example_MaliciousFile.docx and any clean file to Salesforce Files or Chatter.
3. Go to App Launcher and open Cloud Protection.
4. Go to the Analytics > File Events tab.

5. This shows you one clean file and one blocked file.

6. Try to download both files.

7. You can download the clean file, but the malicious file is blocked.

8. Go back to the Analytics > File Events tab to see the download events.
9. Click View to see the full event history.

10. This shows you all upload and download actions for the selected file.

Follow these instructions to test the URL protection using the test domains.

1. Go to App Launcher and open Cloud Protection.
2. Go to the Administration > URL Protection tab.
3. For this test, make sure that Gambling is selected in the Select disallowed categories list.
4. Post two example URLs unsafe.fstestdomain.com and gambling.fstestdomain.info to Salesforce Chatter.
5. Open Chatter to see two new posts where URLs has been rewritten.
6. Go back to WithSecure Cloud Protection and go to the Analytics > URL Events tab. This shows you two new Chatter posts.
7. Go back to Chatter and try to open both links. You will see Harmful web site blocked and Disallowed web site blocked block pages.
8. Go back to WithSecure Cloud Protection and go to the Analytics > URL Events tab again. This shows you two URL opening events.
9. Click View to see the full event history. This shows you all posting and opening actions for the selected URL.

This section provides instructions for removing WithSecure Cloud Protection from your Salesforce organization.

Removing the application involves the following steps:

• Remove permission set assignments
• Uninstall the application

Before uninstalling the WithSecure Cloud Protection application, you must remove WithSecure Cloud Protection User and WithSecure Cloud Protection Admin permission sets, which you assigned to users within your Salesforce organization.

To remove the permission sets:

1. Log in to Salesforce with your System Administrator account.
2. Go to App Launcher and open Cloud Protection.
3. Go to Administration > Tools and under Manage user permission set, select Remove.
4. Go to your organization settings and click Setup.
5. Select Users > Permission Sets > WithSecure Cloud Protection Admin.
6. Click Manage Assignments.
7. Select all users and click Remove Assignments.
8. Click OK to confirm that you want to remove all users.

After you have removed all user permissions, you need to uninstall the WithSecure Cloud Protection application.

Follow these instructions to uninstall the WithSecure Cloud Protection application:

1. Log into Salesforce with your System Administrator account.
2. Go to your organization settings and select Setup.
3. Go to Apps > Installed Packages.
4. Next to WithSecure Cloud Protection, select Uninstall.
5. On the Uninstalling a Package page, scroll down and select Yes, I want to uninstall this package and permanently delete all associated components.

You receive an email notification when the WithSecure Cloud Protection application has been uninstalled.