Salesforce Malware Scanner: Operational observations from threat testing

Salesforce recently introduced malware scanning for files uploaded into the platform, bringing file-level threat detection directly into the Salesforce environment.

The introduction of this native malware scanner reflects the continued evolution of security capabilities within SaaS platforms, as vendors respond to a changing threat landscape and to customer requirements.

With this addition, security teams naturally want to understand how this capability behaves operationally, particularly when files are uploaded through different workflows and when malicious content is encountered.

As part of our regular threat coverage validation program, where we periodically assess our own detection quality, we also evaluated the Salesforce Malware Scanner.

Why file security in Salesforce matters

Salesforce environments frequently store and distribute files as part of everyday workflows. These files may include:

  • Office documents
  • PDF files
  • Archive files
  • Images

Threat actors increasingly use these file types as delivery mechanisms. Instead of distributing standalone malware, attackers often rely on documents containing embedded links, redirect chains, or other mechanisms that lead users to malicious infrastructure.

Some common techniques include:

  • Documents containing embedded phishing URLs
  • Archive files used to bypass simple file inspection
  • Multi-stage payload delivery (document → link → payload)
  • Image-based lures such as QR-code phishing (“quishing”)

Because of these patterns, file security inside SaaS platforms has become an important layer of organizational defense.

How Salesforce Malware Scanner works

Testing revealed several behaviors related to how Salesforce Malware Scanner evaluates uploaded files.

It is important to note that this malware scanning capability applies only to files stored in Salesforce Files. Some environments still make use of the legacy Attachment object, which is not covered by this scanning capability.

Synchronous scanning for UI uploads

When files are uploaded through the Salesforce user interface, the malware scanner performs a synchronous scan.

If the file is identified as malicious during this scan, the upload is blocked immediately and the file is never stored in the Salesforce environment.

UI upload block message

This approach prevents malicious files from entering the platform but also means that blocked uploads do not appear in administrative detection views.

Asynchronous scanning for API uploads

Files uploaded through API workflows, such as via Data Loader or integrations, are handled differently.

In these cases, the file is first stored in Salesforce and the malware scanner then performs an asynchronous scan.

This means that potentially malicious files uploaded using APIs may temporarily be accessible in the environment before the scan completes.

If the file is later determined to be malicious, the file is flagged and prevented from being previewed.

Preview block message

Detection visibility and administrative actions

Detection records in Salesforce represent malware scan results. When files are detected asynchronously, they appear in the Malicious Files (Beta) view, where administrators can review flagged files.

Detected files view

Administrators also have the ability to mark files as safe if the detection is determined to be incorrect. During testing, we observed that doing so removes the corresponding entry from this view, meaning the interface primarily reflects current detections rather than a persistent historical log.

Marking as safe

In addition, subsequent access attempts, such as users attempting to download a flagged file, are not recorded as separate security events, limiting visibility into how the file was accessed after detection.

For organizations performing incident investigation or audit review, these distinctions may affect how security events are tracked and analyzed.
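Because the Malicious Files (Beta) view reflects only current detections, loses an entry once a file is marked safe, and does not record later access attempts, a team that needs an audit trail has to keep one outside the view. The following added example is not Salesforce code and not part of the original article: it diffs two exports of the view and appends the changes to an append-only JSON-lines ledger. The CSV column names and the file ids are assumptions constructed for the example; the page does not document the export format.

```python
import csv
import io
import json

# Column names are an assumption for this example; the page does not document
# the export format of the Malicious Files (Beta) view. Adjust to your org's export.
KEY_FIELD = "FileId"

# Constructed exports of the view on two consecutive days. Between them an
# administrator marked invoice_q3.docx safe (so it left the view) and one new
# detection arrived. The ids are placeholders, not real records.
SNAPSHOT_DAY1 = """FileId,Title,UploadedBy,DetectedOn
069PLACEHOLDER0001,invoice_q3.docx,integration-user,2025-01-10T09:00:00Z
069PLACEHOLDER0002,shipping.pdf,jdoe,2025-01-10T09:05:00Z
"""
SNAPSHOT_DAY2 = """FileId,Title,UploadedBy,DetectedOn
069PLACEHOLDER0002,shipping.pdf,jdoe,2025-01-10T09:05:00Z
069PLACEHOLDER0003,scan.zip,integration-user,2025-01-11T14:20:00Z
"""


def parse_snapshot(text: str) -> dict:
    """Index one exported snapshot by file id."""
    return {row[KEY_FIELD]: row for row in csv.DictReader(io.StringIO(text))}


def diff_snapshots(previous: dict, current: dict, observed_at: str) -> list:
    """Events implied by the change between two snapshots.

    detected           record appeared since the previous snapshot
    removed_from_view  record disappeared; the article notes this is what
                       marking a file safe does, and that the view keeps no
                       history of it
    """
    events = []
    for fid in sorted(current.keys() - previous.keys()):
        events.append({"event": "detected", "observed_at": observed_at, **current[fid]})
    for fid in sorted(previous.keys() - current.keys()):
        events.append({"event": "removed_from_view", "observed_at": observed_at, **previous[fid]})
    return events


def to_jsonl(events: list) -> str:
    """Serialise events as JSON lines, the append-only ledger format."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def history(ledger: str, file_id: str) -> list:
    """Ordered event names recorded for one file id in the ledger."""
    out = []
    for line in ledger.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec[KEY_FIELD] == file_id:
            out.append(rec["event"])
    return out


def build_ledger() -> str:
    """Replay the constructed snapshots into a ledger (first snapshot vs. nothing)."""
    day1 = parse_snapshot(SNAPSHOT_DAY1)
    day2 = parse_snapshot(SNAPSHOT_DAY2)
    ledger = to_jsonl(diff_snapshots({}, day1, "2025-01-10T18:00:00Z"))
    ledger += to_jsonl(diff_snapshots(day1, day2, "2025-01-11T18:00:00Z"))
    return ledger


if __name__ == "__main__":
    print(build_ledger(), end="")
```

Run on a schedule, each export of the view becomes a set of durable events, so the fact that a file was once flagged survives an administrator marking it safe. The ledger does not recover the access attempts the page says are not logged; it only preserves what the view showed at each snapshot.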

Download enforcement behavior

Once a file has been flagged as malicious, download enforcement depends on user permissions.

Standard users attempting to download a flagged file receive a block message preventing access. Administrative users, however, may still be able to download the file depending on their permissions.

Download block message

This behavior allows administrators to investigate files if needed, while preventing general users from accessing potentially malicious content.

Threat coverage observations

While the previous sections describe how the scanner behaves operationally, the following observations relate to how it performs against common threats.

During this threat coverage validation cycle, a dataset of samples representing common threats in Salesforce environments was evaluated. These primarily included Office documents, PDFs, archives, and image-based lures.

Salesforce Malware Scanner detected a small portion of the evaluated samples, identifying only 3 out of 85 malicious samples (3.5%), primarily those containing high-confidence indicators such as exploits or macro code. However, many modern threats rely on multi-stage delivery mechanisms in which the document itself acts as the initial stage of the attack. These documents often contain embedded URLs that redirect users to external infrastructure where additional payloads or phishing activity occurs.

This presents a key challenge for file-based security, as the malicious activity may not be fully visible within the file itself.
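The techniques listed earlier (documents with embedded URLs, archives wrapping them, staged document → link → payload delivery) and the observation above share one consequence for defenders: the file itself carries little more than a link, so the inspection that matters is pulling those links out and handing them to URL analysis. The following added example, which is not code from the article or from Salesforce, does that first step: it extracts external hyperlink targets from OOXML packages and PDFs, descends into plain archives with a depth and size cap, and keeps the links whose host is outside an assumed trusted set. The sample documents, the trusted host and the URLs are all constructed for the example.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Office documents (docx/xlsx/pptx) are zip packages; outbound hyperlinks are
# declared in the *.rels parts with TargetMode="External".
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# PDF link annotations keep their target in a /URI entry of the action dict.
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

MAX_ARCHIVE_DEPTH = 3                 # refuse to descend into archives nested deeper
MAX_MEMBER_BYTES = 25 * 1024 * 1024   # skip oversized members (decompression-bomb guard)
# Hosts the organisation treats as its own; everything else goes to URL analysis.
# Assumed value for this example.
TRUSTED_HOSTS = {"example-corp.example"}


def links_from_ooxml(data: bytes) -> list:
    """External hyperlink targets declared anywhere in an OOXML package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == HYPERLINK_REL and rel.get("TargetMode") == "External":
                    found.append(rel.get("Target"))
    return found


def links_from_pdf(data: bytes) -> list:
    """URI actions found by a plain byte scan (uncompressed objects only)."""
    return [m.decode("latin-1") for m in PDF_URI_RE.findall(data)]


def extract_links(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, url) pairs for a file, descending into archives it contains."""
    if data.startswith(b"%PDF"):
        return [(name, url) for url in links_from_pdf(data)]
    if not data.startswith(b"PK\x03\x04"):
        return []                                   # not a format this example handles
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = z.namelist()
        if "[Content_Types].xml" in members:        # OOXML package, not a plain archive
            return [(name, url) for url in links_from_ooxml(data)]
        if depth >= MAX_ARCHIVE_DEPTH:
            return []
        pairs = []
        for member in members:
            info = z.getinfo(member)
            if member.endswith("/") or info.file_size > MAX_MEMBER_BYTES:
                continue
            pairs.extend(extract_links(f"{name}/{member}", z.read(member), depth + 1))
        return pairs


def needs_url_analysis(pairs: list) -> list:
    """Keep only links whose host is outside the trusted set."""
    return [(path, url) for path, url in pairs
            if urlsplit(url).hostname not in TRUSTED_HOSTS]


# --- constructed samples, not files taken from the article ---
def build_docx_sample() -> bytes:
    """Minimal OOXML package with one external link and one internal relationship."""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{HYPERLINK_REL}" '
            'Target="https://lure.example/login" TargetMode="External"/>'
            '<Relationship Id="rId2" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
            'Target="styles.xml"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


PDF_SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (https://redirect.example/r?x=1) >> >>\nendobj\n%%EOF\n")


def build_archive_sample() -> bytes:
    """Plain zip wrapping the docx and pdf: the 'archive to dodge inspection' case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.docx", build_docx_sample())
        z.writestr("nested/notice.pdf", PDF_SAMPLE)
    return buf.getvalue()


if __name__ == "__main__":
    for path, url in needs_url_analysis(extract_links("bundle.zip", build_archive_sample())):
        print(f"{path}: {url}")
```

The PDF scan is deliberately naive: real-world PDFs usually keep annotations inside compressed object streams, so a production pipeline would parse the document with a PDF library rather than regex the raw bytes. The point of the example is the shape of the pipeline, file → links → URL analysis, which is the stage a file-only verdict cannot cover.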

Layered protection in SaaS environments

Several operational observations from testing highlight how the Salesforce Malware Scanner behaves in practice:

  • Detection focused on high-confidence malicious files
  • Different behavior between UI and API upload workflows
  • Detection records reflect scan results but not subsequent access attempts
  • Detection records are removed when files are marked as safe
  • Limited visibility into detection context and historical detection activity

Because many of these threats extend beyond the initial file, organizations often implement layered protection strategies around their SaaS platforms.

Layered protection solutions can complement built-in controls by providing capabilities such as:

  • Deeper inspection of files and embedded links
  • Detection of redirect chains and staged payload delivery
  • Quarantine and mitigation of malicious content
  • Operational visibility into detection events and file activity

In practice, these capabilities enable security teams to observe how threats progress beyond the initial file and provide additional context for investigation and response.

This becomes particularly relevant as many modern attacks rely on URL-based delivery stages. In our recent Threat Landscape Report, the majority of observed threats targeting Salesforce environments originated from URLs (98%), while a smaller portion were initially delivered as files (1.74%).

Conclusion

Salesforce Malware Scanner introduces a baseline capability for detecting malicious files uploaded into Salesforce environments. During testing, the platform demonstrated the ability to block high-confidence malicious files and enforce access controls when flagged content is encountered.

At the same time, modern threats increasingly rely on multi-stage delivery techniques and external infrastructure, where the initial file acts only as the first step in a broader attack chain.

As Salesforce environments increasingly support business-critical data and processes, the security controls protecting them are expected to meet enterprise-grade requirements.

Enterprise-grade security solutions are designed to provide comprehensive detection coverage, investigation context, mitigation, and operational visibility, with investment aligned to the level of protection required for these business-critical environments.

This built-in Salesforce capability, in contrast, provides a baseline level of protection as part of the broader service offering, with inherent limitations in detection scope and operational visibility. A detailed comparison of these capabilities can be found in our feature comparison page.

Understanding how these protections behave in real workflows helps organizations make informed decisions about protecting their Salesforce environments.