Questions to Ask Before You Select a CDR (Content Disarm and Reconstruction) Technology to Protect Your Business from Cyber Security Attacks

At OPSWAT, we built our CDR technology to address zero-day cyber threats that are not detected by next-generation anti-malware and dynamic analysis solutions like sandboxes.

The reason next-gen anti-malware and dynamic analysis solutions like sandboxes miss threats is that they were built to detect an anomaly in a file or in a file’s behavior, so a zero-day threat that presents no recognizable anomaly is not flagged.

OPSWAT’s CDR technology assumes all files are malicious. It ingests files and then regenerates these files in a manner in which the regenerated file is both usable and harmless. Hence, CDR is a technology that provides protection without needing to know whether a suspected file is “good” or “bad”.

OPSWAT introduced MetaDefender Deep CDR in 2012, and our solution is widely deployed globally, particularly by customers in industries deemed “critical infrastructure” by the U.S. Department of Homeland Security (US DHS). We are the recognized industry leader in this space.

Common attack vectors neutralized by MetaDefender Deep CDR include:

  1. Complex file formats: Attackers will often exploit complex functionality such as embedded objects, automation macros, hyperlinks, scripting or other methods to trigger the execution of malicious content. Examples of complex file formats include Microsoft Office documents (e.g., Word, Excel and PowerPoint), Adobe PDF files and Autodesk CAD files, among many others.
  2. Application vulnerabilities: By exploiting existing vulnerabilities in commonly used productivity applications, regardless of whether the file format is complex or simple, an attacker can corrupt the application’s memory (for example via a buffer overflow) or probe which type of malicious code will run on the target operating system. Examples of commonly exploited applications include Adobe Reader and Microsoft Office. According to CVE Details, there were more than 18,216 reported file-based vulnerabilities in 2019.

Over the last eight years, we witnessed a significant increase in the number of OPSWAT’s Deep CDR module deployments, which makes me proud of what our engineering team has accomplished. Over the same period, a growing number of security vendors have entered the CDR market with claims that can be both confusing and disingenuous.

Listed below are some guideline questions that will help you determine which CDR solution is best for your organization.

Baseline Questions

  1. What types of archive formats does the CDR support? Archives have become increasingly prevalent over the past couple of years as a way to integrate and store multiple file types in a single volume. Ask to review the list of archives the CDR supports and check that you can control related features, such as the level of recursion (for example, if a PDF is embedded within a PowerPoint file, can the technology analyze and reconstruct both files?).
  2. How many file types are supported? As there are more than 5,000 known file types, you should ask how many file types a CDR vendor supports and review evidence per file type and compare the list of file types to the ones your organization uses. You can find related information here and some examples of sanitization reports here.
  3. Is usability preserved? When you deal with files such as PowerPoint that include animation builds or Excel where you would like to preserve existing macro functions, you need to ensure the rebuilt file will retain these capabilities. One way to test this is by processing a sample file as part of your evaluation process.
  4. Does the CDR support comprehensive configurations to fit in your use case? Does the CDR remove hyperlinks for a specific filetype? Does it retain or remove embedded macros?
  5. Does the CDR create an audit trail? For instance, does the CDR record and log which objects were removed and which objects were sanitized? How can you verify the integrity of an archive?
  6. Can you deploy different CDR policies for separate data channels? For instance, will the CDR allow you to retain an Excel macro for internal emails while removing it for external emails?
  7. Which operating systems does the CDR support? Which file types work on each operating system? If your organization supports both Windows and Linux, can the vendor support both?
  8. What is the CDR performance per file type? Performance differs by file type. Deploy the CDR technology and run some sample files to verify that the vendor’s performance meets your organization’s requirements.

Detailed R&D Questions

  1. How secure is the design?
    1. Is a secure design pattern applied? How is the CDR engine itself protected?
    2. Is a secure SDLC (Software Development Lifecycle) implemented? Ask to review static analysis and code review results.
    3. Are third-party libraries used?
    4. Ask to review the CDR design architecture and challenge the design with tough questions about what happens when a CDR component is compromised.
  2. Is it sustainable?
    1. How many engineers are building this technology, and what is their background? Ask to see an org chart.
    2. What is the engineering process? How do they perform QA? Ask to review their engineering QA procedures.
    3. Is the build process secure? Is there any control to prevent malware from being embedded in the build chain? What security certifications does the vendor hold?
  3. How is it tested?
    1. Is there third-party validation (some governments have conducted tests; outsourced penetration tests)? Ask to see the results.
    2. How big is the test data set? Ask to see true malware samples and zero-day attack samples.
    3. How can you be sure usability is preserved across a massive data set? Ask to manually verify test data sets.
    4. Do they test with recent threats? Request a data set.
  4. How easily does it integrate with your current product? Is there a REST API? Ask to review the documentation.
  5. Is the product actively improving? What is the release frequency? Ask to see the past few months’ worth of releases.
  6. How quickly can they support a new file type? Challenge them with something that you use in your organization.
  7. What does their product roadmap look like? There are 5,000 file formats; do you believe the team can address many of them, or at least the ones most important to your organization?
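To make the behaviours behind several of the questions above concrete (regeneration rather than copying, archive recursion with a depth limit, per-channel policy for macros and hyperlinks, and an audit trail of removed objects), here is a small Python illustration of a CDR pass over a ZIP-based, OOXML-style container. It is an added example for this post, not OPSWAT code and not a description of how MetaDefender Deep CDR works internally; the document it processes is constructed inline and only imitates the layout of a Word file, and the `Policy`, `Report` and `sanitize` names are this example's own.

```python
"""Toy CDR pass for ZIP-based (OOXML-style) containers: an added illustration,
not a product implementation. Every part is re-serialised from a parsed form,
nested archives are processed recursively up to a policy depth, macros and
external links are kept or dropped per channel, and each decision is logged."""
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MACRO_PART = "vbaProject.bin"   # OOXML stores VBA macros in this part
ZIP_MAGIC = b"PK\x03\x04"       # local-file-header signature of a nested ZIP


@dataclass
class Policy:
    channel: str
    keep_macros: bool
    keep_external_links: bool
    max_depth: int = 2          # outer file + one nested archive; deeper ones are dropped


@dataclass
class Report:
    entries: list = field(default_factory=list)   # (depth, path, action, reason)

    def log(self, depth, path, action, reason):
        self.entries.append((depth, path, action, reason))

    def removed(self):
        return [e[1] for e in self.entries if e[2] == "removed"]


def rebuild_xml(raw: bytes, keep_external: bool):
    """Parse and re-serialise an XML part. Comments, processing instructions and
    anything else the parser does not keep are not carried over; relationships
    with TargetMode="External" are dropped unless the policy allows them."""
    root = ET.fromstring(raw)
    dropped = []
    for child in list(root):
        if child.get("TargetMode") == "External" and not keep_external:
            root.remove(child)
            dropped.append(child.get("Target", "?"))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), dropped


def sanitize(data: bytes, policy: Policy, report: Report, depth: int = 0) -> bytes:
    """Regenerate a ZIP container part by part; unknown part types are removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if name.startswith("/") or ".." in name.split("/"):
                report.log(depth, name, "removed", "unsafe path")   # path traversal guard
                continue
            if info.is_dir():
                continue
            raw = src.read(name)
            if name.endswith(MACRO_PART):
                if policy.keep_macros:
                    dst.writestr(name, raw)
                    report.log(depth, name, "kept", f"macros allowed on {policy.channel}")
                else:
                    report.log(depth, name, "removed", f"macros not allowed on {policy.channel}")
            elif raw.startswith(ZIP_MAGIC):
                if depth + 1 >= policy.max_depth:
                    report.log(depth, name, "removed", "nested deeper than policy.max_depth")
                    continue
                dst.writestr(name, sanitize(raw, policy, report, depth + 1))
                report.log(depth, name, "rebuilt", "nested archive processed recursively")
            elif name.endswith((".xml", ".rels")):
                try:
                    clean, dropped = rebuild_xml(raw, policy.keep_external_links)
                except ET.ParseError as exc:
                    report.log(depth, name, "removed", f"malformed XML: {exc}")
                    continue
                dst.writestr(name, clean)
                for target in dropped:
                    report.log(depth, f"{name}#{target}", "removed", "external link")
                report.log(depth, name, "rebuilt", "XML re-serialised from parsed tree")
            else:   # a real CDR would re-encode images etc.; this toy simply drops them
                report.log(depth, name, "removed", "part type not on the allow-list")
    return out.getvalue()


def build_sample() -> bytes:
    """Constructed OOXML-like container (not a real Word file): a macro part, an
    external hyperlink, an unsafe path and a nested ZIP that also carries a macro."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("word/document.xml", "<doc>inner</doc>")
        z.writestr("word/vbaProject.bin", b"\x00inner-macro")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<doc><!-- hidden comment -->hello</doc>")
        z.writestr("word/vbaProject.bin", b"\x00outer-macro")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Target="styles.xml"/>'
                   '<Relationship Id="rId2" Target="http://example.invalid/x" '
                   'TargetMode="External"/></Relationships>')
        z.writestr("word/embeddings/oleObject1.bin", inner.getvalue())
        z.writestr("../evil.txt", b"x")
        z.writestr("word/media/blob.dat", b"\x00opaque")
    return outer.getvalue()


POLICIES = {   # per-channel policies, as question 6 of the baseline list asks for
    "internal": Policy("internal", keep_macros=True, keep_external_links=True),
    "external": Policy("external", keep_macros=False, keep_external_links=False),
}


def names_in(data: bytes):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def read_part(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


def run(channel: str):
    report = Report()
    return sanitize(build_sample(), POLICIES[channel], report), report


if __name__ == "__main__":
    for channel in POLICIES:
        clean, report = run(channel)
        print(f"[{channel}] kept parts: {names_in(clean)}")
        for depth, path, action, reason in report.entries:
            print(f"  {'  ' * depth}{action:8} {path}: {reason}")
```

Running it prints, for each channel, the parts that survived and the audit trail: on the external channel both macro parts (outer and nested) and the external hyperlink are removed while the internal channel keeps them, the entry with a `..` path and the opaque binary are dropped on both, and the hidden XML comment never reaches the rebuilt `document.xml`. That report is the kind of evidence question 5 (audit trail) asks a vendor to produce.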

Legal perspective:

  1. Is the IP protected (patented)?
  2. If the technology leverages third-party libraries, are they legally licensed? Ask to see the EULAs for the list of libraries or other supporting documents.

As you can see, selecting a CDR technology is not a simple check-the-boxes exercise; we have some additional training available in our free Academy module.

I appreciate your comments, which you can send to my social profiles: https://www.facebook.com/benny.czarny, https://www.linkedin.com/bennyczarny, https://twitter.com/bennyczarny

Stay Safe. Use Deep CDR.
