The Best Way to Stop Document-Borne Malware

Detecting Document Malware

Attackers often use email attachments as vehicles for malware. It is difficult to defend a network completely from such "document malware" without thoroughly breaking down, scanning, sanitizing, and reconstructing all email attachments.

How Do Documents Spread Malware?

Malicious email attachments often contain scripts or macros, or even hyperlinks to insecure sites. Usually these malicious attachments are common Microsoft Office files, such as Excel spreadsheets, Word documents, or PowerPoint presentations. PDFs can also be used to spread malware via embedded JavaScript.

One common attack vector is the use of malicious macros. Macros are a feature of many types of Microsoft Office files, and they are used especially in Word and Excel. Macro malware works either by writing malicious code into files on the device to infect it or by downloading malware from an online source.

Macro malware used to execute immediately when the malicious file was opened. Now, Office disables macros by default, and they have to be enabled by the user. However, attackers get around this roadblock through social engineering — a message pops up when these files are opened, prompting the user to enable macros (thus activating the embedded document malware).

Why Users Open Infected Documents

Ideally, all users would only open emails, and email attachments, that come from trusted sources. Realistically, that will never be the case — user error is bound to occur. If a user gets tricked or clicks mistakenly on something, the system is compromised.

Additionally, spear-phishing techniques are designed to fool even security-conscious users. Highly personalized emails that seem to come from a trusted source, like a bank or even an executive within their company, fool many users into following insecure links or opening infected attachments.

Making users aware of the threat of document-borne malware is the first step towards prevention.

But that alone won't eliminate the spread of email attachment viruses.

The Solution: Content Disarm and Reconstruction (Data Sanitization)

The best way to fight document malware is to remove the exploitable parts of files altogether.

Content Disarm and Reconstruction, also known as data sanitization, is the process of deconstructing files, expunging any exploitable content (such as macros) from those files, and reconstructing them with all their original usability. This renders any file secure and safe to open. OPSWAT's CDR engine is unique in that it retains even complex functionality, such as animations or Excel formulas, when it reconstructs files.
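The deconstruct, expunge, reconstruct cycle described above, reduced to its simplest case as an added example that is not OPSWAT's engine or any code from this page: a macro-enabled OOXML file (.docm, .xlsm) is a zip package, so a minimal sanitizer can list the VBA parts, rebuild the archive without them and without the relationship and content-type entries that point at them, and demote the main part's content type so Office opens the result as a plain document. All function names are hypothetical, the sample package is constructed inline, and only the VBA container is handled; a real CDR engine also has to deal with OLE objects, DDE fields, external links and the like.

```python
import io
import re
import zipfile
# OOXML content types: macro-enabled main part -> plain (non-macro) equivalent.
MACRO_TO_PLAIN = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}
VBA_PART = re.compile(r"^(word|xl|ppt)/vba(Project\.bin|Data\.xml)$")  # parts that hold VBA code
VBA_REF = r"vba(Project\.bin|Data\.xml)"  # how .rels targets and content-type overrides name them

def find_macro_parts(package: bytes) -> list:
    """Detection step: list the VBA container parts present in the OOXML zip."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return sorted(n for n in z.namelist() if VBA_PART.match(n))

def disarm_ooxml(package: bytes) -> bytes:
    """Deconstruct, drop the VBA parts plus every reference to them, rebuild. Covers only
    the VBA container; OLE objects, DDE fields and external links need their own handling."""
    src = zipfile.ZipFile(io.BytesIO(package))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as dst:
        for name in src.namelist():
            if VBA_PART.match(name):
                continue  # the macro code itself is never copied into the rebuilt file
            body = src.read(name)
            if name == "[Content_Types].xml":
                text = re.sub(r"<Override[^>]*" + VBA_REF + r"[^>]*/>", "", body.decode("utf-8"))
                for macro_ct, plain_ct in MACRO_TO_PLAIN.items():
                    text = text.replace(macro_ct, plain_ct)  # Office then treats it as plain .docx/.xlsx
                body = text.encode("utf-8")
            elif name.endswith(".rels"):
                body = re.sub(r"<Relationship[^>]*" + VBA_REF + r"[^>]*/>", "", body.decode("utf-8")).encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()

def build_sample_docm() -> bytes:  # constructed stand-in for a macro-enabled Word package, not a real document
    parts = {
        "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>',
        "word/document.xml": "<document>constructed body text</document>",
        "word/vbaProject.bin": b"constructed VBA blob",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Run `disarm_ooxml(build_sample_docm())` and the returned package no longer lists `word/vbaProject.bin`, while the document body part is carried over unchanged.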

Data Sanitization, or CDR

OPSWAT's CDR technology removes any potential threats, from removing Word macro viruses to stripping malicious scripts out of files. OPSWAT's CDR engine assumes any file may be infected and disarms and reconstructs every file that passes through it.

A number of OPSWAT MetaDefender implementations incorporate this technology precisely because of the threat of document-borne malware.

MetaDefender Cloud sanitizes all files that are uploaded to it. It's quick and easy to upload files at MetaDefender.com. Home users can leverage MetaDefender Cloud's free data sanitization, while corporate users can easily integrate the commercial solution.

MetaDefender Email Security adds an additional layer of protection by disarming and reconstructing all email attachments.

MetaDefender ICAP Server is an enterprise solution that protects from malicious downloads and uploads by filtering all data going to and from a network through a proxy server.

The best way to protect against document viruses and malware is to render all files safe and secure through data sanitization (Content Disarm and Reconstruction).
