Does Salesforce Scan Files for Viruses?

Salesforce stores an enormous amount of file content—case attachments from customers, documents shared through Experience Cloud, files attached to records by sales reps and partners, and more. Some of it is even uploaded by people outside your organization. That raises a question every Salesforce admin and security team eventually asks: does Salesforce scan files for viruses? The short answer is partly—and for most organizations, not enough.

The short answer

Salesforce now provides a baseline of protection: native malware scanning for Salesforce Files arrived in the Spring ’26 release (initially as a beta). It is a genuine and welcome improvement—but it is a baseline. It covers a subset of upload paths, the detection engine is neither disclosed nor configurable, and it does not give administrators the real-time mitigation, full re-scanning, notifications, and reporting that a security or compliance program needs. If your org accepts files from customers, partners, or the public, you should not assume Salesforce alone keeps malware out of your data.

What Salesforce protects natively

Spring ’26 introduced native File Scan (Malware Detection) for Salesforce Files, switched on by default under Setup → Salesforce Files → Malware Scanning. It behaves differently depending on how a file arrives:

  • New UI uploads are scanned and blocked if the file is found to be malicious.
  • New API uploads are allowed through and scanned asynchronously—a malicious file is not stopped on the way in; it is flagged afterward and listed under Malicious Files.
  • Files uploaded before scanning was enabled are not scanned until someone first tries to download them. Salesforce lets that first download proceed and scans the file in the background; if it turns out to be malicious, the file joins the Malicious Files list and later downloads are blocked.
  • Known-malicious files are blocked from download, and users can’t preview them.

That is a solid foundation. But it is intentionally narrow, and for production orgs that handle customer- and partner-uploaded content, several important gaps remain:

  • Salesforce Files only. Native scanning covers Salesforce Files (ContentVersion). Legacy Attachments and other ingestion paths are out of scope, yet many orgs still hold large volumes of attachment data.
  • A 100 MB size limit. Salesforce only scans files that are 100 MB or smaller. A larger file is neither scanned nor blocked—it can be uploaded, previewed, and downloaded freely, malware and all.
  • Only “high-probability” threats are flagged. Salesforce’s own documentation notes that scanning flags a file only when it has a high probability of being malicious—and directs organizations that need more stringent scanning to its malware-scanning partners.
  • Existing files aren’t proactively scanned. Files uploaded before scanning was enabled are never re-checked on a schedule. Such a file is only inspected the first time someone downloads it—and that first download is allowed to proceed before the verdict comes back. Until then, it sits in your org unscanned.
  • API uploads aren’t blocked in real time. Because API uploads are scanned asynchronously, a malicious file can land in your org before it is flagged—and deciding what to do about it is left to you.
  • No automated mitigation or notifications. Malicious files surface in a list, but there is no built-in workflow to automatically delete or quarantine them, alert an admin, or notify the uploader according to your own policy.
  • Flagged files are easy to miss. A malicious file can appear in any Files list view, but most list views give no indication that it is malicious—you have to look in the dedicated Malicious Files list. There is no full record of everything that was scanned and cleared, which is the evidence auditors typically ask for.
  • No engine choice. You cannot select a leading commercial detection engine or tune how files are handled.

Where native scanning falls short

In short, Salesforce’s native scanning only inspects files of 100 MB or smaller, only flags files it considers highly likely to be malicious, and never proactively scans the files already in your org. For a careers page or a community portal that accepts uploads from anyone on the internet, that is not a security posture. Comprehensive malware protection for Salesforce means catching threats at upload, across every file object, at any size, with an action you control, and with a record you can show an auditor. That is the gap a dedicated solution fills.
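
An inventory check built from the limits described above, as an added example that is not part of the original article or any vendor's code: it classifies exported file records by the reason native scanning would not have inspected them. The CSV layout, record IDs, enablement date, and the reading of 100 MB as 100 × 1024 × 1024 bytes are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Assumption: "100 MB" is read as 100 * 1024 * 1024 bytes.
NATIVE_SCAN_LIMIT = 100 * 1024 * 1024

# Constructed value: when native scanning was switched on in this hypothetical org.
ENABLED_AT = datetime(2026, 2, 15, tzinfo=timezone.utc)

# Constructed sample export. SizeBytes would come from ContentVersion.ContentSize
# or Attachment.BodyLength; the combined layout and the IDs are hypothetical.
SAMPLE_CSV = """\
Object,Id,SizeBytes,CreatedDate
ContentVersion,CV-001,2048,2026-03-01T09:00:00.000Z
ContentVersion,CV-002,104857600,2026-03-02T09:00:00.000Z
ContentVersion,CV-003,104857601,2026-03-02T09:00:00.000Z
ContentVersion,CV-004,2048,2025-06-15T12:30:00.000Z
Attachment,AT-001,4096,2019-01-10T08:00:00.000Z
"""


def parse_sf_datetime(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def coverage_gap(row, enabled_at):
    """Return why native scanning would not have inspected this record, or None."""
    if row["Object"] == "Attachment":
        return "LEGACY_ATTACHMENT"   # only Salesforce Files are in scope
    if int(row["SizeBytes"]) > NATIVE_SCAN_LIMIT:
        return "OVER_SIZE_LIMIT"     # neither scanned nor blocked, at any time
    if parse_sf_datetime(row["CreatedDate"]) < enabled_at:
        return "PRE_ENABLEMENT"      # unscanned until its first download
    return None


def audit(csv_text, enabled_at=ENABLED_AT):
    """Map record Id -> gap code for every record outside native coverage."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        gap = coverage_gap(row, enabled_at)
        if gap:
            report[row["Id"]] = gap
    return report


if __name__ == "__main__":
    for record_id, gap in audit(SAMPLE_CSV).items():
        print(record_id, gap)
```

A record marked PRE_ENABLEMENT may already have been scanned if someone has downloaded it since; the export alone cannot tell.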

How attachmentAV adds comprehensive malware protection to Salesforce

attachmentAV – Antivirus for Salesforce is a native app, installed from the AppExchange, that scans files uploaded by both internal and external users and mitigates threats in real time:

  • Real-time scanning on upload — every file uploaded to your org is scanned the moment it arrives, covering Salesforce Files (ContentVersion) and legacy Attachments.
  • Scheduled full scans — re-scan all existing files on a weekly or monthly schedule, so files uploaded before today’s threats were known are caught retroactively.
  • Automated mitigation — automatically delete infected files, and publish platform events to trigger your own Flows and custom logic. See how to notify Salesforce admins about infected files with Flows.
  • Notifications — alert admins and users when a malicious file is detected.
  • Dashboard and reporting — a clear overview of scan results across your org for security and compliance evidence.
  • Powered by Sophos — enterprise-grade detection of viruses, ransomware, trojans, and zero-day threats, with continuously updated signatures.
  • ISO 27001 certified and GDPR compliant — data is encrypted in transit and at rest and deleted immediately after processing.

Protecting Salesforce in practice

Setup takes a few clicks: install the app, authorize it, and choose how infected files should be handled. From that point on, every upload is scanned in real time and your scheduled full scans keep existing files clean as new threats emerge. The setup guide walks through the details, and a 14-day free trial lets you see it working in your own org.

So, does Salesforce scan files for viruses?

It offers a baseline—but baseline detection is not the same as comprehensive, real-time, auditable malware protection for every file in your org. If customers and partners upload files into your Salesforce, the safe assumption is that you need a dedicated layer on top.

Start a free 14-day trial of attachmentAV for Salesforce and protect every file uploaded to your org.


Published on June 30, 2026 | Written by Andreas
