file-upload-virus-scanning

Use when designing malware and content scanning for files uploaded to Salesforce (Files, Attachments, ContentVersion) — external scanning service callouts, quarantine patterns, and user-facing messaging. Triggers: 'virus scan salesforce upload', 'malware scan content version', 'quarantine uploaded file', 'clamav salesforce', 'file upload security'. NOT for field-level data validation.

Best use case

file-upload-virus-scanning is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when designing malware and content scanning for files uploaded to Salesforce (Files, Attachments, ContentVersion) — external scanning service callouts, quarantine patterns, and user-facing messaging. Triggers: 'virus scan salesforce upload', 'malware scan content version', 'quarantine uploaded file', 'clamav salesforce', 'file upload security'. NOT for field-level data validation.

Teams using file-upload-virus-scanning should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/file-upload-virus-scanning/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/security/file-upload-virus-scanning/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/file-upload-virus-scanning/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How file-upload-virus-scanning Compares

Feature / Agentfile-upload-virus-scanningStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when designing malware and content scanning for files uploaded to Salesforce (Files, Attachments, ContentVersion) — external scanning service callouts, quarantine patterns, and user-facing messaging. Triggers: 'virus scan salesforce upload', 'malware scan content version', 'quarantine uploaded file', 'clamav salesforce', 'file upload security'. NOT for field-level data validation.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# File Upload Virus Scanning

Salesforce does not scan files. Any file uploaded into ContentVersion, Attachment, or a Document object is trusted bytes until you prove otherwise. For internal-only orgs the risk is moderate; for Experience Cloud portals, Email-to-Case, partner portals, and any surface that accepts uploads from unauthenticated or lightly authenticated users, the risk is substantial. Ransomware, credential stealers, and polyglot files routinely ride in on expected-looking PDFs and spreadsheets.

The architecture is the same across scanning providers: intercept uploads, send the byte stream (or hash) to a scanning service, route based on the verdict, and expose state to consumers. The design choices are where to intercept, how to handle large files, what "pending" looks like to the user, and how to quarantine without deleting audit trail.

---

## Before Starting

- List every upload surface: LWC components, standard pages, Email-to-Case, Web-to-Case, API integrations, Experience Cloud, mobile app.
- Identify the file types and size ranges in scope.
- Choose scanning service (hosted ClamAV, Cloudmersive Virus Scan, MetaDefender, etc.) — confirm SLA and throughput.
- Define quarantine policy: block, allow-with-warning, or allow-after-review.

## Core Concepts

### Interception Points

1. **Pre-save trigger** on ContentVersion — inspects inserts before the file is indexed/shared.
2. **Post-save async** on ContentVersion — scans via a Queueable after commit; toggles a `ScanStatus__c` field.
3. **Flow on Attachment** — legacy object; same pattern.
4. **Middleware interception** — scan happens in MuleSoft / Apigee before Salesforce sees the bytes.

Pre-save interception is cleanest but blocks the user on scan latency. Post-save async avoids the block at the cost of a scan-pending window.

### State Machine

A scanned file should live in one of:

- `Scan_Pending` — uploaded, not yet scanned.
- `Scan_Clean` — passed; fully available.
- `Scan_Infected` — failed; quarantined.
- `Scan_Error` — scanner unreachable; policy decides (block or allow-with-warning).

Sharing, preview, and download must honor the state. `Scan_Pending` files should typically not be previewable or shareable externally.

### Quarantine Without Deletion

Deleting infected files destroys audit trail. Preferred: retain the ContentVersion record with restricted sharing, strip the preview, redact the blob (or move to a dedicated quarantine library), and mark the state.

### Large-File And Timeout Handling

Most scanning services cap at ~100 MB or ~10 minutes. For larger files use chunked scanning or a side-channel scanner that reads from the file storage directly (signed URL + external scanner + result webhook).

---

## Common Patterns

### Pattern 1: Post-Save Queueable With State Field

ContentVersion insert fires a trigger that enqueues a Queueable. The Queueable hashes or streams to the scanner and updates `ScanStatus__c`. Consumers read the state field.

### Pattern 2: Signed URL + External Scanner + Webhook

Salesforce hands the scanner a signed URL (via Content Distribution or a public ShareType), scanner reads directly, posts verdict to a webhook endpoint. Best for large files.

### Pattern 3: Middleware-Pre-Scan

Uploads route through MuleSoft or a front-proxy that scans before handing bytes to Salesforce. Clean separation but requires that all upload paths funnel through middleware.

### Pattern 4: Allow-With-Warning For Trusted Surfaces

Internal uploads get `Scan_Pending → Clean` fast path. Experience Cloud uploads block sharing until `Clean`. Differentiates risk by surface.

### Pattern 5: Scheduled Rescan

All files rescanned on a cadence against updated signature databases. Critical for files uploaded before a new malware signature existed.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Internal-only org, moderate sensitivity | Post-save async (Pattern 1) | Best UX with adequate coverage |
| Customer portal / Experience Cloud | Pre-save or middleware (Pattern 3) | Untrusted source |
| Files > 50 MB | Signed URL + webhook (Pattern 2) | Avoid callout timeouts |
| Highly regulated industry | Pre-save block + scheduled rescan (Pattern 5) | Defense in depth |
| Public-facing file downloads | Always `Clean`-gated | Do not serve unscanned bytes |

## Review Checklist

- [ ] Every upload surface intercepts or the policy justifies skipping.
- [ ] State machine implemented on ContentVersion (or Attachment).
- [ ] Sharing and preview honor `Scan_Pending` / `Scan_Infected`.
- [ ] Infected files retained for audit; blob redacted or moved.
- [ ] Large-file handling (> 50 MB) uses out-of-band scanning.
- [ ] Scheduled rescan cadence defined.
- [ ] Monitoring on scan failures / queue depth.

## Recommended Workflow

1. Inventory upload surfaces and classify by trust level.
2. Choose scanning service; confirm SLA, throughput, file-size cap.
3. Design state machine on ContentVersion; add `ScanStatus__c`.
4. Implement pre-save or post-save interception appropriate to the surface.
5. Gate sharing, preview, and external download on `Clean` state.
6. Add monitoring and a scheduled rescan job.

---

## Salesforce-Specific Gotchas

1. ContentDocument is shared broadly by default; sharing honors Content Delivery settings, not your `ScanStatus__c`.
2. Email-to-Case attachments create ContentVersions out-of-band; the trigger fires, but the user may never see the quarantine.
3. Preview generation happens async — infected files can have a preview created before your scan completes.
4. `ContentVersion` is insert-only for the file blob; you cannot "clean" a file, only quarantine metadata and redact downstream.
5. Scanner timeouts produce `Scan_Error`; policy must specify fail-open vs fail-closed.

## Proactive Triggers

- ContentVersion trigger writes `Clean` without invoking a scanner → Flag Critical.
- Sharing rule not gated on `ScanStatus__c` → Flag High.
- Experience Cloud upload surface with no interception → Flag Critical.
- No scheduled rescan → Flag Medium.
- Quarantine that deletes the record → Flag High. Audit trail lost.

## Output Artifacts

| Artifact | Description |
|---|---|
| Upload surface inventory | Each surface, trust level, interception plan |
| State machine | States, transitions, and who can read each |
| Quarantine runbook | Steps to quarantine without losing audit |

## Related Skills

- `security/experience-cloud-security` — customer-facing surface hardening.
- `security/data-classification-labels` — classifying files by sensitivity.
- `integration/webhook-inbound-patterns` — scan-result webhooks.
- `security/platform-encryption` — encryption of stored files.

Related Skills

file-upload-patterns

8
from PranavNagrecha/AwesomeSalesforceSkills

Upload files in LWC: lightning-file-upload, manual multipart, large-file chunked upload, and ContentDocument associations. NOT for ContentDocument query patterns.

file-and-document-integration

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when uploading, downloading, managing, or integrating files and documents with Salesforce — covering ContentVersion/ContentDocument, REST multipart uploads, base64 inserts, Files Connect for external storage reads, and virus scanning callout patterns. Triggers: 'upload file to Salesforce', 'ContentVersion REST API', 'Files Connect external storage', 'multipart file upload', 'document integration pattern', 'virus scan uploaded file'. NOT for Bulk API data loads, Chatter feed post content, email attachment handling via EmailMessage, or CRM Content classic libraries.

salesforce-files-architecture

8
from PranavNagrecha/AwesomeSalesforceSkills

Working with Salesforce Files at the data layer — `ContentVersion` (the binary content + version metadata), `ContentDocument` (the parent / shareable handle), `ContentDocumentLink` (the sharing / parent-record join), the 2 GB single-file size limit and the 10 MB feed-attached limit, the deprecated `Attachment` object, the `Document` object (Classic-only), and Files Connect for external file sources. Covers SOQL patterns to enumerate files attached to a record, Apex insert / link patterns, sharing implications of `ShareType` and `Visibility`, and the migration path from the legacy Attachment object. NOT for LWC file upload UI components (see lwc/lwc-file-upload-patterns), NOT for static-resource bundling (see lwc/static-resources).

attachment-to-files-migration

8
from PranavNagrecha/AwesomeSalesforceSkills

Migrating Classic Notes & Attachments to Salesforce Files (ContentDocument / ContentVersion / ContentDocumentLink): bulk extraction, owner and parent preservation, sharing translation, idempotent re-runs, and post-migration cleanup. Triggers: 'attachments to files', 'notes and attachments migration', 'ContentDocument from Attachment', 'enable Files for Salesforce'. NOT for general file storage strategy (use data/file-and-document-integration) or for ContentVersion API patterns in new code (use integration/file-and-document-integration).

permission-sets-vs-profiles

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when designing or auditing Salesforce access control — deciding between Profiles, Permission Sets, and Permission Set Groups. Triggers: 'user can't see field', 'too many profiles', 'permission model', 'least privilege', 'profile migration'. NOT for sharing rules or record-level access — use security/fls-crud for that.

xss-and-injection-prevention

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).

visualforce-security-and-modernization

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).

transaction-security-policies

8
from PranavNagrecha/AwesomeSalesforceSkills

Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.

sso-saml-troubleshooting

8
from PranavNagrecha/AwesomeSalesforceSkills

Diagnosing broken SAML SSO into Salesforce — IdP-initiated vs SP-initiated flows, signing-certificate validity / expiry, NameID format mismatches, RelayState handling, audience / entityId / issuer mismatches, clock skew, the SAML Assertion Validator in Setup, the Login History debug log, and the My Domain prerequisite for SSO. Covers the standard diagnostic loop: read the SAML response, identify which check failed, fix at the IdP or SP. NOT for OAuth / OpenID Connect SSO (see security/oauth-openid-troubleshooting), NOT for setting up SSO from scratch (see security/sso-saml-setup).

shield-kms-byok-setup

8
from PranavNagrecha/AwesomeSalesforceSkills

Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.

shield-event-log-retention-strategy

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).

session-management-and-timeout

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring session timeout values, concurrent session limits, session IP locking, or logout behavior in Salesforce. Covers org-wide session settings, profile-level overrides, Connected App session policies, and Metadata API SecuritySettings deployment. NOT for OAuth token refresh flows, login IP ranges, or MFA/identity-provider configuration.