Using CDR to combat emerging threats

SMART Cybersecurity Handbook 2022 Information Security

CDR stands for content disarm and reconstruction. CDR, also known as data sanitisation, is an advanced threat prevention technology that does not rely on detection. It follows the zero-trust philosophy: it assumes every file is malicious, and sanitises and rebuilds each file, ensuring full usability with safe content. In practice, each file is dissected, anything with the potential to be dangerous is removed, and the file is then reassembled.

CDR technology is highly effective for preventing known and unknown threats, including zero-day targeted attacks and threats that are equipped with malware evasion technology, such as Fully Undetectable malware, VMware detection, obfuscation and many others.

OPSWAT CDR technology, called Deep CDR, assumes all files are malicious. It ingests files and then regenerates these files in a way that ensures the regenerated file is both usable and harmless. Hence, CDR technology provides protection without needing to know whether a suspected file is ‘good’ or ‘bad’.

CDR follows a three-step process

1. Identify and scan files

Files are evaluated and verified as they enter the sanitisation system to confirm their file type and consistency, with identification of over 4500 file types. Each file is scanned to identify all embedded active content, such as macros, hyperlinks and OLE objects. File extensions are checked against the actual file type so that seemingly complex files cannot pose as simpler ones; mismatches are red-flagged as potentially malicious content, alerting organisations when they are under attack. OPSWAT Deep CDR supports sanitisation for over 100 common file types, including PDF, Microsoft Office, HTML, many image file types, JTD and HWP.

2. Sanitise files

The files are rebuilt in a fast and secure process. File elements are separated into discrete components, malicious elements are removed and metadata and all file characteristics are reconstructed. The new files are recompiled, renamed and delivered, preserving file structure integrity so that users can safely use the file without loss of usability.

3. Use files

The newly regenerated files can now be used. Even complex files remain usable; for example, animations embedded in PowerPoint files remain intact after the CDR process is completed. Finally, the original files are quarantined for backup and further examination. By rendering fully usable files with safe content, the CDR engine protects organisations against the most sophisticated threats while maintaining user productivity.
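As an added illustration (not OPSWAT's Deep CDR or any code from the handbook), the sketch below applies the three steps to a zip-packaged Office document: it types the file by its leading bytes rather than its extension, rebuilds the package while dropping macro, ActiveX and OLE parts together with the relationships that point at them, recurses into nested archives up to a fixed depth, and returns a record of what it removed. The magic-byte table, the part-name markers and the sample archive are constructed assumptions.

```python
import io
import re
import zipfile
MAGIC = {b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole"}  # constructed, simplified
EXT_TO_KIND = {"docx": "zip", "docm": "zip", "xlsx": "zip", "zip": "zip", "pdf": "pdf", "doc": "ole"}
ACTIVE_PARTS = ("vbaProject.bin", "activeX", "oleObject")  # OOXML part names that carry active content
ACTIVE_REF = re.compile(rb'<(?:Relationship|Override)\b[^>]*(?:%s)[^>]*/>'
                        % b"|".join(re.escape(p.encode()) for p in ACTIVE_PARTS))

def identify(data: bytes, claimed_ext: str):
    """Step 1: type the file from its bytes, then check that the claimed extension agrees."""
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), "unknown")
    return kind, kind == EXT_TO_KIND.get(claimed_ext.lower(), "unknown")

def sanitise(data: bytes, depth: int = 0, max_depth: int = 3):
    """Step 2: rebuild the package part by part, dropping active content; returns (bytes, removed)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name, body = info.filename, src.read(info)
            if any(p in name for p in ACTIVE_PARTS):
                removed.append(name)              # stripped; recorded for the audit trail
                continue
            if name.endswith(".rels") or name == "[Content_Types].xml":
                body = ACTIVE_REF.sub(b"", body)  # leave no dangling references to stripped parts
            elif body.startswith(b"PK\x03\x04") and depth < max_depth:
                body, nested = sanitise(body, depth + 1, max_depth)  # nested archive: same treatment
                removed += [f"{name}/{n}" for n in nested]
            dst.writestr(name, body)
    return out.getvalue(), removed

def contents(data: bytes) -> dict:
    flat = {}  # flatten the archive, recursing into nested ones, to {path: bytes} for inspection
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            body = z.read(name)
            nested = contents(body) if body.startswith(b"PK\x03\x04") else {"": body}
            flat.update({f"{name}/{k}" if k else name: v for k, v in nested.items()})
    return flat

def build_sample() -> bytes:  # constructed input: a zip holding a macro-enabled document and a text note
    doc, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("word/document.xml", "<w:document>Quarterly report</w:document>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro blob")
        z.writestr("word/_rels/document.xml.rels", '<Relationships><Relationship Id="rId1" Target="vbaProject.bin"/></Relationships>')
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.docm", doc.getvalue())
        z.writestr("notes.txt", "plain text, nothing to strip")
    return outer.getvalue()
```

A production engine parses the content of every part instead of matching names, refuses to pass on archives it cannot parse, and quarantines the original rather than discarding it.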

Two common CDR use cases

Can CDR prevent threats based on software vulnerabilities? A software vulnerability is a weakness in an asset that can be exploited by cyber attackers. Both known and unknown vulnerabilities can be the root cause of security incidents, and many are exploited through crafted files that compromise the applications opening them.

For example, attackers can leverage the disclosed Adobe Acrobat and Adobe Reader vulnerability, CVE-2019-16451, to distribute backdoor malware capable of controlling an infected system, giving them the ability to install programs, to view, modify and erase data, and to create new accounts with full user rights.

OPSWAT Deep CDR is effective for addressing file-based vulnerabilities since rebuilding the file removes malicious commands and exploits hidden in images, videos and other innocent file formats.

Can CDR protect against the risk of increasingly complex file formats? File formats are allowing increasingly complex functions through embedded scripts, macros and programming designed to streamline workflows and boost productivity. For example, PDFs may contain elements including hyperlinks, media files, forms, Unicode characters and encrypted data.

This complexity allows users to be more productive, but also enables malicious actors to embed scripts and exploits that take advantage of the flaws in applications.

OPSWAT Deep CDR further enhances the security effectiveness of CDR by diving ‘deep’ into nested layers of compression and embedded objects, such as an Excel chart inside of a Word document that is embedded in a PDF that was delivered to your inbox zipped up into a single file.

How to select a CDR technology

There are many CDR solutions available on the market today. How do you know which solution is best for your organisation? Below are key questions to ask during the evaluation process for a Content Disarm and Reconstruction solution.

1. What type of archive formats are supported?

Archives have become increasingly prevalent over the past couple of years to integrate and store multiple file types in a single volume. Ask to review the list of archives the CDR supports and check that you can control related features, such as the level of recursion. For example, if a PDF is embedded within a PowerPoint file, can the technology analyse and reconstruct both files?

2. How many file types are supported?

There are more than 5000 known file types. Ask how many file types the CDR supports, review evidence per file type and compare the list of file types to the ones your organisation uses.

3. Is usability preserved?

When you deal with files such as PowerPoint that include animation builds, or Excel where you want to preserve macro functionality, you need to ensure the rebuilt file will retain these capabilities. One way to test this is by processing a sample file as part of your evaluation process.

4. Does the CDR support comprehensive configurations to fit your use case?

Check to see if you can configure the embedded objects that should be removed/sanitised for each file type. Check that you can fine tune the sanitisation process as well as image quality, hyperlink handling, etc.

5. Can you create an audit trail?

For example, make sure the CDR records and logs which objects were removed and which objects were sanitised. Also find out whether you can verify the integrity of an archive.

6. Can you deploy different policies for separate data channels?

For example, will the CDR allow you to retain an Excel macro for internal emails while removing it for external emails?

7. Which operating systems does the CDR support?

If your organisation supports both Windows and Linux, can the vendor support both?

8. What is the performance per file type?

Performance will differ by file type. Deploy the CDR technology and run some sample files, including large files and multi-level archives, to verify that the CDR performance meets your organisation’s requirements.

9. How secure is the design?

Is a secure design pattern applied? How is the CDR engine protected? Is a secure SDLC (software development lifecycle) implemented, and can you review the results of a static-analysis code review? Are third-party libraries used? Ask to review the CDR design architecture and challenge the design with questions about what happens when CDR components are compromised.

10. Is the technology sustainable?

How many engineers are actively working on the CDR technology? Ask to see an organisation chart to validate the number of resources and their backgrounds. Ask to review their engineering QA procedures. Is the build process safe? Do they have a solution to prevent malware embedded into the build chain? What security certification does the vendor have?

11. How is the CDR technology tested?

Is there any third-party validation by a government agency or other independent organisations? Ask to see their pen test results. How big is the test data set? Ask to see true malware samples and zero-day attack samples. Ask to manually verify test data sets. Do they test with recent threats? Request a data set.

12. How easily does the CDR integrate with your current products?

Ask to review the REST API documentation.

13. Is the technology continuously updated?

Ask to see the release history for the past two quarters. Ask to see the product roadmap.

14. How quickly can they support a new file type?

There are 5000 file formats; how many can they support? Ask about specific file types you use in your organisation, including regional file types such as HWP or JTD.

15. Is the IP properly protected?

If the technology leverages third-party libraries, are they properly licensed? Ask to see the EULAs for the list of libraries or other supporting documents. Ask about any technology patents.

Altron CEO, Mteto Nyati, says the country has some of the best policies to curb cyber crime, but the problem is implementation. “At Altron Arrow, we have various cybersecurity solutions from top international suppliers around the world, including OPSWAT’s CDR and other solutions, to assist in cyber crime prevention and recovery.”
