Questions to Ask When Selecting a CDR Vendor

Content Disarm and Reconstruction (CDR) is an advanced threat prevention technology increasingly used by organizations as part of their zero-trust security approach to protect against both known and unknown threats.

As malware evolves and attack techniques become more complex, traditional preventative controls such as anti-malware engines and sandboxes are no longer enough to stop threats in time, because they were built to detect an anomaly in a file or in a file's behavior, and detection alone can come too late.

With the mindset that every file presents a potential threat and focusing on prevention rather than just detection, organizations can improve their security posture. OPSWAT’s Deep CDR technology was built to address zero-day cyber threats that are not detected by next-generation anti-malware and dynamic analysis solutions. It also assumes all files are malicious, ingesting and then regenerating them in a manner in which the regenerated file is both usable and harmless.

Introduced in 2012, OPSWAT’s MetaDefender Deep CDR is widely deployed globally, particularly by customers in industries deemed “critical infrastructure” by the United States Department of Homeland Security (DHS).

Common attack vectors neutralized by MetaDefender Deep CDR include:

1. Complex file formats: Attackers often exploit complex functionality such as embedded objects, automation macros, hyperlinks, scripting or other features to trigger the execution of malicious content. Examples of complex file formats include Microsoft Office documents (e.g., Word, Excel and PowerPoint), Adobe PDF files and AutoDesk CAD files, among many others.

2. Application vulnerabilities: By exploiting existing vulnerabilities in commonly used productivity applications, regardless of whether the file format is complex or simple, an attacker can overwrite the memory of an application through a buffer overflow, or probe for which type of malicious code will run on the target operating system. Commonly exploited applications include Adobe Reader and Microsoft Office. According to the National Vulnerability Database, 18,376 vulnerabilities had been recorded as of December 8, 2021, surpassing the 2020 record of 18,351.

Figure: bar graph, “5 Year document trends” (infections in document file types), showing that PDF is the most common document type used to host malware.

Over the last nine years, we have witnessed a significant increase in the number of OPSWAT’s Deep CDR module deployments, which makes me proud of what our engineering team has accomplished. Over the same period, a growing number of security vendors have entered the CDR market with claims that can be both confusing and disingenuous.

Listed below are some guideline questions that will help you determine which CDR solution is best for your organization.

Baseline Questions

1. What types of archive formats does the CDR support? Archives have become increasingly prevalent over the past couple of years as a way to bundle and store multiple file types in a single volume. Ask to review the list of archive formats the CDR supports, and check that you can control related features such as the level of recursion (i.e., if a PDF is embedded within a PowerPoint file, can the technology analyze and reconstruct both files?).

2. How many file types are supported? As there are more than 5,000 known file types, you should ask how many file types a CDR vendor supports, review evidence per file type, and compare the list to the file types your organization actually uses. You can find related information here and some examples of sanitization reports here.

3. Is usability preserved? When you deal with files such as PowerPoint that include animation builds or Excel where you would like to preserve existing macro functions, you need to ensure the rebuilt file will retain these capabilities. One way to test this is by processing a sample file as part of your evaluation process.

4. Does the CDR offer enough configuration options to fit your use case? Can it remove hyperlinks for a specific file type? Does it retain or remove embedded macros?

5. Does the CDR create an audit trail? For instance, does the CDR record and log which objects were removed, and which objects were sanitized? How can you verify the integrity of an archive?

6. Can you deploy different CDR policies for separate data channels? For instance, will the CDR allow you to retain an Excel macro for internal emails while removing it for external emails?

7. Which operating systems does the CDR support? Which file types are supported on each operating system? If your organization runs both Windows and Linux, can the vendor support both?

8. What is the CDR’s performance per file type? Performance varies by file type. Deploy the CDR technology and run some sample files to verify that the vendor’s performance meets your organization’s requirements.
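The archive-recursion, macro/hyperlink policy and audit-trail questions above can be turned into a small evaluation harness. The following Python sketch is an added example, not OPSWAT code and not how Deep CDR works internally: it regenerates a constructed, zip-based Office-style document under a per-channel policy, recurses into an embedded archive, records which objects were removed or sanitized, and independently re-scans the rebuilt file. The part names, policy keys and sample content are assumptions made for the example.

```python
import io, re, zipfile

EXTERNAL_REL = re.compile(rb'<Relationship [^>]*TargetMode="External"[^>]*/>')  # OOXML external hyperlink relationship

def build_sample():
    """Constructed input: a .docm with an external hyperlink and an embedded .xlsm that carries a VBA macro."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("xl/vbaProject.bin", b"constructed-macro-bytes")
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("word/document.xml", b"<w:document>hello</w:document>")
        z.writestr("word/embeddings/sheet.xlsm", inner.getvalue())
        z.writestr("word/_rels/document.xml.rels", b'<Relationships><Relationship Id="rId1" Target="http://x.invalid" '
                   b'TargetMode="External"/><Relationship Id="rId2" Target="media/a.png"/></Relationships>')
    return doc.getvalue()

def disarm(data, policy, path=""):
    """Regenerate a zip-based document under `policy`, recursing into embedded archives; returns (bytes, audit)."""
    audit, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            full, body = (f"{path}/{name}" if path else name), src.read(name)
            if zipfile.is_zipfile(io.BytesIO(body)):             # embedded object is itself an archive
                body, nested = disarm(body, policy, full)
                audit += nested
            elif name.endswith("vbaProject.bin") and not policy["keep_macros"]:
                audit.append({"object": full, "action": "removed"})
                continue                                           # macro part is dropped, not regenerated
            elif name.endswith(".rels") and policy["strip_hyperlinks"]:
                body, n = EXTERNAL_REL.subn(b"", body)
                if n:
                    audit.append({"object": full, "action": "sanitized", "hyperlinks_removed": n})
            dst.writestr(name, body)                               # everything else is written back unchanged
    return out.getvalue(), audit

def residual_active_content(data, path=""):  # independent re-scan: macro or external-link objects still present
    left = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            full, body = (f"{path}/{name}" if path else name), z.read(name)
            if zipfile.is_zipfile(io.BytesIO(body)):
                left += residual_active_content(body, full)
            elif name.endswith("vbaProject.bin") or (name.endswith(".rels") and EXTERNAL_REL.search(body)):
                left.append(full)
    return left

if __name__ == "__main__":
    rebuilt, trail = disarm(build_sample(), {"keep_macros": False, "strip_hyperlinks": True})
    print(trail, "residual:", residual_active_content(rebuilt))
```

Running the same input under a second policy (`keep_macros` true, as for an internal channel) yields an empty audit trail and a re-scan that still lists the macro, which is exactly the per-channel difference question 6 asks about.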

Detailed R&D questions

9. How secure is the design? Are secure design patterns applied? How is the CDR engine itself protected? Is there a Secure SDLC (Software Development Lifecycle) process in place? Ask to review the CDR design architecture and challenge the design.

10. Is it sustainable? How many engineers are building this technology, and what is their background? Ask to see an org chart. What is the engineering process? How do they perform QA? Ask to review their engineering QA procedures. Is the build process secure? Is there any control to prevent malware from being introduced into the build chain? What security certifications does the vendor hold?

11. How is it tested? Is there third-party validation (for example, testing conducted by government bodies, or outsourced penetration tests)? Ask to see the results. How big is the test data set? Ask to see real malware samples and zero-day attack samples. How can you be sure usability is preserved across a massive data set? Ask to manually verify test data sets. Do they test with recent threats? Request a data set.

12. How easily does it integrate with your current products? Is there a REST API? Ask to review the documentation.

13. Is the product actively improving? What is the release frequency? Ask to see the past few months’ worth of releases.

14. How quickly can they support a new file type? Challenge them with something that you use in your organization.

15. What does their product roadmap look like? There are more than 5,000 file formats. Do you believe the team can address many of them, or at least those most important to your organization?

Legal perspective

16. If the technology leverages third-party libraries, are they legally licensed? Ask to see the EULAs for the list of libraries or other supporting documents.

Selecting a CDR technology is not a simple check-off-the-boxes exercise — we have some additional training available in our free Academy module.

If you want to learn more, download this guide which provides an overview of Content Disarm and Reconstruction (CDR) technology and how you can select the best CDR solution to protect your business and infrastructure from emerging cybersecurity threats.

For more information, please contact one of our cybersecurity experts.
