Recently, the following discussion was posted on the Salesforce Trailblazer community and we think it’s a terrific example of how malicious content bypasses gateway, desktop, and email virus scanning solutions to enter directly into Salesforce environments via the email-to-case functionality.
From the Salesforce Trailblazer Community:
We experienced a security breach on one of our Salesforce Orgs the other day where we use the email-to-case functionality.
A file containing malware in a .JS (JavaScript) format was attached to a case.
A user clicked on it, assuming it is safe to do so, and it wiped out all of her personal files on that laptop, as well as all recently viewed public files.
Obviously, this is very worrying and we contacted Salesforce. We wanted to understand how this was allowed to happen, and their (Salesforce) response was:
“The usual, initial response, is that we don’t scan attachments. We never have, and I understand that we have no plans to start doing this. It’s often called out in a pen test as the pen testers will upload an attachment with a virus and then tell us this should have been caught by the platform; we then tell them they should scan their out-going/in-coming data, rather than us.”
They (Salesforce) are correct that a penetration test (pen test) would indeed help identify any vulnerabilities in the Salesforce environment if a virus had been uploaded during the pen test. But it would not do anything to stop any viruses from causing damage to Salesforce users.
Here’s What You Can Do About It
As a best practice, we recommend including virus-upload tests in regular pen tests at least every three months. If organizations are actively updating the application (Salesforce), we recommend a pen test before every release.
Salesforce's (the organization's) logic is that if an attachment with a virus were uploaded during the pen test, it would tell you (the Salesforce Admin) that Salesforce is vulnerable. Great, but now what?
To block malicious content (in this case, a JavaScript file) from being unleashed, a non-native, third-party virus scanning application must be connected to the Salesforce environment.
In this case, the EZProtect virus scanner would have blocked the JavaScript file from entering the Salesforce environment through a blacklisting feature.
Designed by a Salesforce CTA (Certified Technical Architect; only 300 in the world), EZProtect was built to scan every area of the Salesforce database for malicious content and scripts. This includes the files, documents, legacy attachments and static resources areas, with the ability to detect and remove malicious scripts by themselves, or within PDFs and all Microsoft Office documents. EZProtect is the only solution on the market that can do this and is part of the reason it is the industry’s leading solution.
This is also a great example of how gateway and desktop virus scanners can miss malicious content. The attachment was sent via email, which deposited it directly into the Salesforce environment, and it was then launched without detection.
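The kind of extension blacklisting described above can be illustrated with a short added example (not EZProtect's code and not part of the original post) that screens the attachments of an inbound support email before it is handed to email-to-case. The blocklist contents, function names, addresses and the sample message are all assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: script types that Windows runs on double-click.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def final_extension(filename):
    """Lower-cased last extension, ignoring trailing dots and spaces
    (Windows strips them, so 'a.js. ' still opens as 'a.js')."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(raw_email):
    """Return filenames of attachments whose final extension is blocklisted."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2047/2231 encoded names
        if filename and final_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample():
    """Constructed support email with three harmless placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "customer@example.com"
    msg["To"] = "support@example.com"
    msg["Subject"] = "Order problem"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    # Double extension and mixed case: only the last extension matters.
    msg.add_attachment("// placeholder\n", subtype="plain",
                       filename="Invoice.PDF.JS")
    msg.add_attachment("' placeholder\n", subtype="plain",
                       filename="notes.vbs. ")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

A filename check like this only stops scripts attached directly; scripts embedded in PDFs, Office documents or archives need content scanning.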