File Handling Beyond Antivirus: Content Disarm and Reconstruction
Introduction
According to Ponemon Institute’s study in 2020 (https://engage.morphisec.com/2020-endpoint-security-risk-study), 80% of successful breaches were due to new or unknown “zero-day attacks” that either involved the exploitation of undisclosed vulnerabilities or the use of new/polymorphic malware variants that signature-based detection solutions do not recognize.
While antivirus software has been effective at detecting and removing threats, it is no longer enough to prevent cyberattacks. While the days of hackers sending unsolicited emails with malicious attachments or links are not gone entirely, today’s sophisticated attackers are using social engineering techniques to trick users into opening malicious files that may not be detected by traditional anti-virus programs.
Modern applications typically contain file upload functionality that is of particular interest to attackers — serving as an entry point for delivering malicious files to the target organization.
As a result, security focused organizations have turned to content disarm and reconstruction (CDR) solutions as part of their security strategy.
What is Content Disarm and Reconstruction?
Content Disarm and Reconstruction (CDR) is a security feature that disassembles malicious code in order to understand the behavior of embedded payloads. It can be used to analyze malware, phishing campaigns and ransomware.
CDR can also be used to analyze file uploads from endpoints, which has become an important feature in cloud computing environments where users access resources from many different systems. It can also be applied at the application layer to common functions such as file upload, whether for document sharing with financial institutions or for seemingly harmless profile pictures in social media apps.
File upload controls are hard enough to implement on your own and require specialized knowledge to implement and test appropriately. The OWASP Application Security Verification Standard (ASVS) covers 15 individual controls under V12 Files and Resources alone, and that merely serves as a reference point for secure file upload techniques, as shown below.
How does it work?
The following is transcribed directly from security researchers from FPT University of Vietnam, Hà Nội. Their excellent paper has been referenced at the end of this article. I encourage you to give it a read to observe a team attempting to build a CDR solution.
All active content is assumed to be insecure, and all exploitive content will fail to comply with the file format specification, according to Content Disarm and Reconstruct (CDR). Any active or non-compliant data in the content is found and deleted, with the remaining content being corrected to be legitimate.
The CDR technology is implemented in the following steps:
- To ensure file type and integrity, files are evaluated and tested when they reach the sanitization method. File extensions are checked to ensure that apparently complicated files don’t masquerade as simpler files, and malicious material is flagged, alerting organizations when they’re under assault.
- Malicious elements are deleted or sanitized after file elements are divided into distinct components.
- The process of rebuilding files is fast and safe. Both metadata and file characteristics are reconstructed.
- New files are recompiled, renamed, and delivered while maintaining file structure integrity, allowing users to securely use the file without losing functionality.
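As an added example (my own sketch, not code from this article or from the FPT researchers' paper), the following Python walks a macro-enabled Word document through those four steps: the claimed extension is checked against the ZIP magic bytes, the container is split into its parts, the VBA storage and every reference to it are dropped, and what remains is rebuilt into a fresh archive. The sample document, the part-name patterns and the helper names are constructed for the demonstration and cover only VBA; a production CDR engine would also handle OLE objects, fields and the many other forms of active content.

```python
import io
import re
import zipfile

# Step 1: the claimed extension must match the real signature; OOXML files are ZIP containers.
MAGIC = {".docx": b"PK\x03\x04", ".docm": b"PK\x03\x04"}
# Steps 2-3: parts holding VBA storage are dropped, and any XML element referencing them is cut.
ACTIVE_PARTS = re.compile(r"(^|/)vba\w*\.bin(\.rels)?$")
ACTIVE_REFS = re.compile(rb"<(?:Default|Override|Relationship)\b[^>]*vbaProject[^>]*/>")

def check_signature(filename: str, data: bytes) -> bool:
    """True when the bytes start with the signature expected for the claimed extension."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    magic = MAGIC.get(ext)
    return magic is not None and data.startswith(magic)

def parts(data: bytes) -> dict[str, bytes]:
    """Split an OOXML container into its component parts (name -> bytes)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {info.filename: z.read(info) for info in z.infolist()}

def disarm(filename: str, data: bytes) -> tuple[bytes, list[str]]:
    """Return a rebuilt copy with active content removed, plus the names of removed parts."""
    if not check_signature(filename, data):
        raise ValueError(f"{filename}: signature does not match the claimed file type")
    removed, out = [], io.BytesIO()
    # Step 4: rebuild into a fresh archive; only surviving part bodies carry over, not ZIP metadata.
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, body in parts(data).items():
            if ACTIVE_PARTS.search(name):
                removed.append(name)
                continue
            if name.endswith((".xml", ".rels")):
                body = ACTIVE_REFS.sub(b"", body)
            dst.writestr(name, body)
    return out.getvalue(), removed

def build_sample() -> bytes:
    """Constructed macro-enabled document with the parts a real .docm would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Default Extension="bin" ContentType="application/'
                   'vnd.ms-office.vbaProject"/><Override PartName="/word/document.xml" ContentType="application/xml"/></Types>')
        z.writestr("word/document.xml", "<w:document><w:body><w:p>hello</w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels", '<Relationships><Relationship Id="rId1" Type="http://'
                   'schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder, not real VBA")
    return buf.getvalue()
```

Running `disarm("report.docm", build_sample())` removes only `word/vbaProject.bin` and the content-type and relationship entries that point at it, while the document body and its own Override survive; a mismatched signature (for example an executable renamed to `.docx`) is rejected before any parsing happens.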
What’s wrong with existing antivirus solutions?
Existing antivirus solutions are definitely a great control to have, but should be seen as a single layer of defense. The threat landscape is continuously evolving, so security controls should stay as far ahead of the curve as possible.
We will not be diving into the numerous antivirus evasion techniques that are already well documented.
The following table has also been transcribed from the security researchers referenced earlier.
Why should you use it?
When you consider that CDR can integrate with your existing security infrastructure and work with popular cloud services, it’s clear how content disarm and reconstruction can provide additional security assurance to your organization.
- Detects new and unknown threats: Content disarm and reconstruction allows you to detect malicious content before it reaches your network or endpoints. It also detects malicious file uploads so that you can stop attacks before they happen.
- Detects malicious active content: This includes any active code in an application or document, including JavaScript, macros and scripts in Office files (like Word documents), embedded objects in web pages (like Flash animations), dynamic URLs (URLs that change every time someone visits them) and malware executable files such as .exe or .dll files associated with viruses, trojans, worms, rootkits, etc.
Ultimately, this type of security control can help your organization stay further ahead of the evolving threat landscape to prevent malicious content from reaching your network, protect your business from data loss such as advanced ransomware, reduce the risk of security breaches, and reduce the risk of downtime due to malware outbreaks.
Where to use it?
- When you expect static, flat file content from untrusted sources like end users. Examples may be during document upload for identity verification, healthcare documents, financial statements, manufacturing schematics, profile pictures, insurance documents, customer support ticket attachments, etc.
- Additional assurance for file analysis for enterprise email attachments — beyond basic antivirus scanning
Open Source Software Solutions
Here are a few open source software solutions that can help the small to medium-sized business that is concerned about this risk. What you will notice about these resources is that they are not well maintained or updated, which does not provide the strongest sense of reliability. However, a solution like this is still a great defense-in-depth mechanism to have in place instead of nothing at all.
This is clearly complicated software to develop and maintain. The commercial CDR market is growing rapidly, and according to some analysts, the market is expected to reach $553.8m by 2027, with a market growth of 15.6% CAGR (https://www.prnewswire.com/news-releases/the-worldwide-content-disarm-and-reconstruction-industry-is-expected-to-reach-533-8-million-by-2027--301589266.html). I won’t be providing a vendor analysis here — each organization’s needs will be different.
Conclusion
With so many new threats to contend with, it’s important that businesses have access to the latest tools to protect themselves. Sensitive document transfers are a prime low-effort entry point for untrusted users to deliver potentially malicious files to internal employees. Content disarm and reconstruction should be considered in your overall security strategy.
Further Reading
Originally published at https://www.linkedin.com.