Deep CDR
What is CDR?
An increasingly popular and effective method of compromising computer security, especially as part of a targeted attack, involves sharing common document types or image files with victims. Even though the original versions of these files do not contain executable data, attackers have found ways to trigger these files to execute embedded malicious code. Popular techniques used to accomplish this include VBA macros, exploit payloads, and embedded Flash or JavaScript code. This type of attack has a high success rate because most users don’t expect common file types to contain infections. For high-risk files or scenarios, Content Disarm & Reconstruction (CDR) prevents any possibility of malicious content (including zero-day threats) from executing. High-risk files can be sanitized through several different methods:
- Removing hidden exploitable objects (e.g., scripts, macros, etc.)
- Converting the file format
Supported File Types (both Windows and Linux)
| # | Source File Type | Description | Target Sanitized Types |
|---|---|---|---|
| 1 | doc | Microsoft Word 97-2003 Document | doc, pdf |
| 2 | dot | Microsoft Word 97-2003 Template | dot |
| 3 | xls | Microsoft Excel 97-2003 Workbook | xls, pdf* |
| 4 | xlt | Microsoft Excel 97-2003 Template | xlt, pdf*, png* |
| 5 | ppt | Microsoft PowerPoint 97-2003 Presentation | ppt, pdf* |
| 6 | pot | Microsoft PowerPoint 97-2003 Template | pot, pdf*, png* |
| 7 | rtf | Microsoft Rich Text Format | rtf, pdf* |
| 8 | docx | Microsoft Word Document | docx, txt, html, pdf, ps*, jpg*, bmp*, png*, tiff*, svg* |
| 9 | docm | Microsoft Word Macro-Enabled Document | docm, docx*, txt*, html*, pdf*, ps*, jpg*, bmp*, png*, tiff*, svg* |
| 10 | dotx | Microsoft Word Template | dotx |
| 11 | dotm | Microsoft Word Macro-Enabled Template | dotm, dotx* |
| 12 | xlsx | Microsoft Excel Workbook | xlsx, csv, html, tiff*, pdf*, ps*, jpg*, bmp*, png*, svg* |
| 13 | xlsm | Microsoft Excel Macro-Enabled Workbook | xlsm, xlsx*, csv*, html*, tiff*, pdf*, ps*, jpg*, bmp*, png*, svg* |
| 14 | xlsb | Microsoft Excel Binary Workbook | xlsb |
| 15 | xltx | Microsoft Excel Template | xltx, pdf*, png* |
| 16 | xltm | Microsoft Excel Macro-Enabled Template | xltm, pdf*, png* |
| 17 | csv | Comma-separated values | csv |
| 18 | pptx | Microsoft PowerPoint Presentation | pptx, html*, pdf*, ps*, jpg*, bmp*, png*, tiff*, svg* |
| 19 | potx | Microsoft PowerPoint Template | potx, pdf*, png* |
| 20 | pptm | Microsoft PowerPoint Macro-Enabled Presentation | pptm, pptx*, html*, pdf*, ps*, jpg*, bmp*, png*, tiff*, svg* |
| 21 | potm | Microsoft PowerPoint Macro-Enabled Template | potm, pdf*, png* |
| 22 | pps | Microsoft PowerPoint 97-2003 Show | pps, pdf*, png* |
| 23 | ppsm | Microsoft PowerPoint Macro-Enabled Show | ppsm, pdf*, png* |
| 24 | ppsx | Microsoft PowerPoint Show | ppsx |
| 25 | vsdx | Microsoft Visio Drawing | vsdx*, pdf, xps, jpg, png, bmp, tiff, svg, emf, html, xaml, swf |
| 26 | vssx | Microsoft Visio Stencil | vssx*, pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 27 | vstx | Microsoft Visio Template | vstx*, pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 28 | vsdm | Microsoft Visio Macro-Enabled Drawing | vsdm, pdf, xps, jpg, png, bmp, tiff, svg, emf, html, xaml, swf |
| 29 | vssm | Microsoft Visio Macro-Enabled Stencil | vstx*, pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 30 | vstm | Microsoft Visio Macro-Enabled Template | vstx*, pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 31 | vsx | Microsoft Visio XML Stencil | pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 32 | vtx | Microsoft Visio XML Template | pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 33 | vdx | Microsoft Visio XML Drawing | pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 34 | odt | OpenDocument Text | odt |
| 35 | ott | OpenDocument Document Template | ott |
| 36 | htm/html | Hypertext Markup Language | html, pdf*, ps*, jpg*, bmp*, png*, svg* |
| 37 | mht | MIME HTML | pdf*, jpg*, bmp*, png*, tiff* |
| 38 |  | Adobe Portable Document Format | pdf, html*, svg*, jpg*, bmp, png*, tiff*, txt* |
| 39 | hwp | Hangul Word Processor | hwp |
| 40 | jtd | Ichitaro Document | jtd |
| 41 | jtdc | Ichitaro Compressed Document | jtdc |
| 42 | xml | Extensible Markup Language | xml |
| 43 | xml-doc | Microsoft Word 2003 XML Document |  |
| 44 | xml-docx | Microsoft Word XML Document |  |
| 45 | xml-xls | Microsoft XML Spreadsheet 2003 |  |
| 46 | vcs | vCalendar | vcs |
| 47 | ics | iCalendar | ics |
| 48 | jpg | JPEG Image | jpg, bmp, png, tiff, svg, gif, ps, eps, pdf* |
| 49 | bmp | Windows Bitmap Image | bmp, jpg, png, tiff, svg, gif, ps, eps, pdf* |
| 50 | png | Portable Network Graphics | png, jpg, bmp, tiff, svg, gif, ps, eps, pdf* |
| 51 | tiff | Tagged Image File Format | tiff, jpg, bmp, png, svg, gif, ps, eps |
| 52 | svg | Scalable Vector Graphics | svg, jpg*, bmp*, png*, tiff*, gif*, ps*, eps* |
| 53 | gif | Graphics Interchange Format | gif, jpg, bmp, png, tiff, svg, ps, eps, pdf* |
| 54 | wmf | Windows Metafile | wmf, jpg, bmp*, png*, tiff*, svg*, gif*, ps*, eps*, pdf* |
| 55 | emf | Windows Enhanced Metafile | emf |
| 56 | dwg | AutoCAD | dwg |
| 57 | dxf | Drawing Interchange Format | pdf*, jpg*, png*, bmp*, gif*, tiff* |
| 58 | dwf | Design Web Format | pdf*, jpg*, png*, bmp*, gif*, tiff* |
| 59 | 3ds | 3D Studio | 3ds*, dae*, stl*, fbx* |
| 60 | dae | Digital Asset Exchange | dea*, 3ds*, stl*, fbx* |
| 61 | u3d | Universal 3D | u3d*, 3ds*, dae*, stl*, pdf*, drc*, rvm*, fbx* |
| 62 | drc | Google Draco | drc*, 3ds*, dae*, pdf*, u3d*, rvm*, fbx* |
| 63 | rvm | AVEVA Plant Design Management System Model | rvm*, 3ds*, dae*, stl*, pdf*, u3d*, drc*, fbx* |
| 64 | wmv | Windows Media Video | wmv* |
| 65 | wav | Waveform Audio | wav* |
| 66 | mp3 | MPEG-1 Audio Layer-3 | mp3* |
| 67 | mp4 | MPEG-4 Part 14 | mp4* |
| 68 | eml | Electronic mail | eml |
| 69 | msg | Microsoft Outlook Message | msg |
| 70 | 7z | 7-zip Archive | 7z, zip, gz, xz, tar |
| 71 | gz | GNU Zipped Archive | gz, 7z, zip, xz, tar |
| 72 | rar | WinRAR Archive | zip, 7z, gz, xz, tar |
| 73 | xz | XZ Archive | xz, zip, 7z, gz, tar |
| 74 | zip | ZIP Archive | zip, 7z, gz, xz, tar |
| 75 | tar | Tape Archive | tar, zip, 7z, gz, xz |
| 76 | bz2 | BZ2 Archive | zip, 7z, gz, xz, tar |
| 77 | lzma | LZMA Archive | zip, 7z, gz, xz, tar |
| 78 | lzh | LZH Archive | zip, 7z, gz, xz, tar |
| 79 | arj | ARJ Archive | zip, 7z, gz, xz, tar |
| 80 | cab | Cabinet Archive | zip, 7z, gz, xz, tar |
* Only supported on Windows for now.
Sanitization is in BETA for these file types:
- XLT / XLTX / XLTM
- PPS / POT / PPSM / POTX / POTM
- VSDX / VSDM / VSSX / VSTX / VSTM / VSSM / VSX / VTX / VDX
- ODT / OTT
- SVG (to SVG) / WMF / EMF
- VCS / ICS
- DXF / DWF
- DAE / 3DS / U3D / DRC / RVM
- MP4 / WMV
- EML / MSG / MHT / JTDC / XML
- TAR / CAB / LZH / LZMA / BZ2 / ARJ
Enabling these file types for production use is not recommended. However, enabling them should not affect the sanitization of other file types. Please contact OPSWAT tech support if you have any samples that you would like to share with us for investigation.
XML sanitization is specific to XML vulnerabilities. It does not eliminate other threats, such as those carried in Microsoft Office XML formats. For example, Microsoft Office 2003 supports an XML document format (different from Microsoft Open XML, which is a stricter, zipped format). Please do not enable XML sanitization on a production server to sanitize XML-based documents. XML sanitization should be used only to reduce the risk of XML parser vulnerabilities.
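To apply the distinction above, a pre-filter can decide whether an `.xml` upload is generic XML or one of the Office XML types from rows 43-45 before a policy is chosen. This is an added example, not OPSWAT code: the namespace constants are the publicly documented Office ones, mapping "Microsoft Word XML Document" to the Flat OPC package format is an assumption, and the labels `xml-with-doctype`, `office-xml-other` and `not-xml` are hypothetical.

```python
import re
from xml.parsers import expat

# Well-known root namespaces of Office-flavoured XML.
WORDML_2003 = "http://schemas.microsoft.com/office/word/2003/wordml"
SPREADSHEETML_2003 = "urn:schemas-microsoft-com:office:spreadsheet"
FLAT_OPC = "http://schemas.microsoft.com/office/2006/xmlPackage"

# Constructed sample: the prolog and root of a Word 2003 XML document.
SAMPLE = (b'<?xml version="1.0"?><?mso-application progid="Word.Document"?>'
          b'<w:wordDocument xmlns:w="' + WORDML_2003.encode() + b'"/>')

class _Stop(Exception):
    """Raised from a handler to end parsing once the answer is known."""

def classify_xml(data: bytes) -> str:
    """Name the table type that XML content belongs to (labels partly assumed)."""
    seen = {"progid": None, "root": None, "doctype": False}

    def on_pi(target, text):
        match = re.search(r'progid\s*=\s*"([^"]+)"', text)
        if target == "mso-application" and match:
            seen["progid"] = match.group(1)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        seen["doctype"] = True
        raise _Stop  # stop before any entity declaration is processed

    def on_root(name, attrs):
        seen["root"] = name  # "namespace localname" thanks to the separator
        raise _Stop

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.ProcessingInstructionHandler = on_pi
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except expat.ExpatError:
        return "not-xml"
    if seen["doctype"]:
        return "xml-with-doctype"  # hypothetical label: generic XML carrying a DTD
    if seen["root"] == f"{WORDML_2003} wordDocument":
        return "xml-doc"
    if seen["root"] == f"{SPREADSHEETML_2003} Workbook":
        return "xml-xls"
    if seen["root"] == f"{FLAT_OPC} package":
        return "xml-docx" if seen["progid"] == "Word.Document" else "office-xml-other"
    return "xml"
```

The root element's namespace drives the decision rather than the file extension or the `mso-application` processing instruction alone, since both of those can be omitted or altered without changing the root element.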
HTML sanitization is designed for Email Security purposes and should not be used for sanitizing normal HTML traffic.
HWP: there are two versions of HWP, v3.0 and v5.0. v3.0 documents can be created only with the legacy Hangul Word Processor. For this reason, we do not support HWP v3, and such files result in "failed to sanitize". We recommend treating files in this old version as suspicious. If you need support for v3.0, please contact support.
Archive sanitization (7z, gz, rar, xz, zip) is for MetaDefender Core V4 only.
EML sanitization is available from MetaDefender Core 4.14.2 only.
Additional notes for Metadefender Core v3.x:
- The Metadefender service must be restarted after changes to the configuration. The ini file is located at <Metadefender Core v3.x install directory>\omsDSConfig.ini
Additional notes for Metadefender Core v4.x:
- To change the configuration, log into the Web Management Console, then go to Inventory → Technologies. Press the edit button on the Deep CDR row and enter the configuration in the Advanced Engine Configuration box.
- The modified configuration will be deployed within a few minutes.
- There is no need to restart the Metadefender service.
- Due to strict file type enforcement, not all the file types listed in this table are supported, depending on the file type analysis result. For example, if a specific file is not detected correctly as PDF, no PDF sanitization will be performed.
Single / Multiple Output File
If the target contains only one file, it is not zipped and is treated as a single output file. For example, if a PDF file has only one page, converting it to JPG produces a JPG file. If a PDF file has more than one page, there will be multiple JPG files, and the result will be a ZIP file. The following sanitizations potentially result in multiple files (a single ZIP file):
- PDF → HTML
- PDF → IMG
- DOCX → HTML, IMG
- XLSX → HTML, CSV, IMG
- PPTX → HTML, IMG
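A consumer of sanitized results has to accept both shapes. The following added example (not part of the product or its API) returns the output files for either case and validates bundle members before use. The function name, the size limits and the expansion of "IMG" to the image types in the table are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Targets the page lists as possibly producing several files in one ZIP
# ("IMG" expanded to the table's image types, which is an assumption).
MULTI_FILE_TARGETS = {"html", "csv", "jpg", "bmp", "png", "tiff", "svg"}
MAX_MEMBERS, MAX_TOTAL_BYTES = 500, 200 * 1024 * 1024  # assumed local limits

def collect_outputs(blob: bytes, target: str) -> dict[str, bytes]:
    """Return {name: content} for a sanitized result requested as `target`."""
    target = target.lower()
    # docx/xlsx/pptx are ZIP containers themselves, so magic bytes alone cannot
    # tell a bundle from a single file; the requested target type decides.
    if target not in MULTI_FILE_TARGETS or not zipfile.is_zipfile(io.BytesIO(blob)):
        return {f"output.{target}": blob}
    outputs, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(blob)) as bundle:
        infos = [i for i in bundle.infolist() if not i.is_dir()]
        if len(infos) > MAX_MEMBERS:
            raise ValueError("too many members in result bundle")
        for info in infos:
            path = PurePosixPath(info.filename)
            # Reject names that would escape the destination directory.
            if path.is_absolute() or ".." in path.parts:
                raise ValueError(f"unsafe member name: {info.filename!r}")
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise ValueError("result bundle expands beyond the size limit")
            outputs[str(path)] = bundle.read(info)
    return outputs
```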
Known Issues
- The Microsoft Office 95 document format is not supported
- Conversion from HTML to an image fails if the size of the HTML file is bigger than 90KB
- Supported AutoCAD file (.DWG) versions: 2004-2018. With versions 2007-2009, when a macro is removed from the original file (if it has one), opening the sanitized file displays the error message "Failed to load project from storage", but the file still works as usual