67 Reasons – Why You Need Deep CDR

Tuesday, October 15th wasn’t patch 2’s-day for Adobe, it was patch 67-day for Acrobat and Reader. The good news is that out of the 67 patched vulnerabilities, 23 of them were not critical—they were only important. There is a significant distinction between a critical vulnerability and an important vulnerability. A critical vulnerability allows malicious code to execute, if exploited. An important vulnerability compromises data security, if exploited. Are you feeling safer now? Yeah, me neither.

So, what does this have to do with Deep CDR? Come to think of it, what is Deep CDR?

Deep CDR is one of the six key technologies that make up MetaDefender Core. CDR stands for content disarm and reconstruct. This means that files are dissected, anything that has the potential to be dangerous (except typos) is removed, and then the file is reassembled. Has the potential to be dangerous does not mean detection: it means that if the content can be active, it is removed. It doesn’t matter if the content pops up a dialog box that says, Good morning, you are amazing! or if the content plants a keystroke logger. If it can execute it is removed.

Deep CDR enhances the security effectiveness of CDR by diving deep into nested layers of compression and embedded objects, such an Excel chart inside of a Word document that is embedded in a PDF that was delivered to your inbox zipped up all nice and pretty.


This is only a brief description of Deep CDR, but then you’re here for a blog, not CPE credits. So we’ll keep it brief.

Here is why Deep CDR matters. Vulnerabilities in Acrobat and Reader can allow a specially crafted PDF to run malicious code that anti-malware products will not detect. At least not initially. Between the beginning of 2017 and the end of 2018 there were 93 CVEs rated 9.3 or higher for Adobe Acrobat.

Deep CDR removes the malicious content without detection. It’s kind of like taking a gun and removing anything in the chambers. It doesn’t matter if it is a bullet, a blank, a speck of dust, whatever. What matters is that if a bad guy picks up the gun it can’t cause harm. We have a lot more information about Deep CDR and the other technologies used to protect critical infrastructure in the OPSWAT Academy.

So why dig deeper into the files? According to the 2018 Verizon Data Breach Investigations Report (DBIR), many PDFs are simply vehicles for delivering macro-enabled Office documents that are embedded within the PDFs. According to the Symantec Internet Security Threat Report (February 2019), in 2019, 48% of malicious attachments are Office files. That’s up from 5% in 2017. Deep CDR dissects a PDF, removes the document, dissects the document, removes any potentially harmful active content, and then reconstructs every object in every nested layer before Acrobat, Word, or any of the dozens of other supported applications can even touch the files.

You have all heard of zero-day attacks. I call them zero minus X-day attacks, where X equals the number of days between when the vulnerability could have been exploited and when it became publicly known. If any of the Reader and Acrobat vulnerabilities were already known to malicious actors two years ago but were only publicly known to exist two years later, then they are zero-minus-730-day vulnerabilities. Many of the vulnerabilities patched on October 15th were for Acrobat Reader 2017. In 2017 Deep CDR was already capable of neutralizing malicious PDFs that may have been used to exploit these vulnerabilities, even though they were not known to be in existence. That is why I say zero minus X-day vulnerabilities.

Deep CDR protects you from threats in supported filetypes that are currently known, and it protects you for all zero-minus X number of days that the vulnerability has existed.

Sign up for Blog updates
Get information and insight from the leaders in advanced threat prevention.