Deep CDR

What is CDR?

An increasingly popular and effective method of compromising computer security, especially as part of a targeted attack, involves sharing common document types or image files with victims. Even though the original versions of these files do not contain executable data, attackers have found ways to trigger these files to execute embedded malicious code. Popular techniques used to accomplish this include VBA macros, exploit payloads, and embedded Flash or JavaScript code. This type of attack has a high success rate because most users don’t expect common file types to contain infections. For high-risk files or scenarios, Content Disarm & Reconstruction (CDR) prevents any possibility of malicious content (including zero-day threats) from executing. High-risk files can be sanitized through several different methods:

  • Removing hidden exploitable objects (e.g., scripts, macros, etc.)

  • Converting the file format
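
A minimal illustration of the first method for one case: stripping the VBA macro parts from a .docm and rebuilding the package so that it is shaped like a .docx. This is an added example, not OPSWAT's implementation; `disarm_docm`, `build_sample_docm` and the sample bytes are constructed for this sketch.

```python
import io
import re
import zipfile

# Illustrative sketch (not a MetaDefender API): parts that hold VBA macros.
MACRO_PART = re.compile(r"(^|/)(vbaProject\.bin(\.rels)?|vbaData\.xml)$", re.I)
# <Override>/<Relationship> elements whose attribute points at such a part.
MACRO_REF = re.compile(
    r'<(?:Override|Relationship)\b[^>]*"[^">]*(?:vbaProject\.bin|vbaData\.xml)"[^>]*/>',
    re.I)
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = ("application/vnd.openxmlformats-officedocument"
              ".wordprocessingml.document.main+xml")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"


def disarm_docm(data):
    """Rebuild a .docm as a macro-free package; return (new_bytes, removed)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if MACRO_PART.search(info.filename):
                removed.append(info.filename)  # disarm: drop the active part
                continue
            body = src.read(info)
            if info.filename == "[Content_Types].xml" or info.filename.endswith(".rels"):
                text = MACRO_REF.sub("", body.decode("utf-8"))
                body = text.replace(MACRO_MAIN, PLAIN_MAIN).encode("utf-8")
            dst.writestr(info.filename, body)  # reconstruct: write a fresh entry
    return out.getvalue(), removed


def build_sample_docm():
    """Constructed sample: skeletal .docm with a placeholder macro part."""
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
             '<Override PartName="/word/vbaProject.bin" '
             'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{VBA_REL}" Target="vbaProject.bin"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder bytes, not real VBA")
    return buf.getvalue()
```

The sketch covers macro parts only; embedded OLE objects, ActiveX controls and external relationships need the same drop-and-rewrite treatment.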

Supported File Types (both Windows and Linux)

 

| # | Source File Type | Description | Target Sanitized Types |
|---|---|---|---|
| 1 | doc | Microsoft Word 97-2003 Document | doc, pdf |
| 2 | dot | Microsoft Word 97-2003 Template | dot |
| 3 | xls | Microsoft Excel 97-2003 Workbook | xls, pdf* |
| 4 | xlt | Microsoft Excel 97-2003 Template | xlt, pdf*, png* |
| 5 | ppt | Microsoft PowerPoint 97-2003 Presentation | ppt, pdf* |
| 6 | pot | Microsoft PowerPoint 97-2003 Template | pot, pdf*, png* |
| 7 | rtf | Microsoft Rich Text Format | rtf, pdf* |
| 8 | docx | Microsoft Word Document | docx, txt, html, pdf, ps*, jpg*, bmp*, png*, tiff*, svg* |
| 9 | docm | Microsoft Word Macro-Enabled Document | docm, docx*, txt*, html*, pdf*, ps*, jpg*, bmp*, png*, tiff*, svg* |
| 10 | dotx | Microsoft Word Template | dotx |
| 11 | dotm | Microsoft Word Macro-Enabled Template | dotm, dotx* |
| 12 | xlsx | Microsoft Excel Workbook | xlsx, csv, html, tiff*, pdf*, ps*, jpg*, bmp*, png*, svg* |
| 13 | xlsm | Microsoft Excel Macro-Enabled Workbook | xlsm, xlsx*, csv*, html*, tiff*, pdf*, ps*, jpg*, bmp*, png*, svg* |
| 14 | xlsb | Microsoft Excel Binary Workbook | xlsb |
| 15 | xltx | Microsoft Excel Template | xltx, pdf*, png* |
| 16 | xltm | Microsoft Excel Macro-Enabled Template | xltm, pdf*, png* |
| 17 | csv | Comma-separated values | csv |
| 18 | pptx | Microsoft PowerPoint Presentation | pptx, html*, pdf*, ps*, jpg*, bmp*, png*, tiff*, svg* |
| 19 | potx | Microsoft PowerPoint Template | potx, pdf*, png* |
| 20 | pptm | Microsoft PowerPoint Macro-Enabled Presentation | pptm, pptx*, html*, pdf*, ps*, jpg*, bmp*, png*, tiff*, svg* |
| 21 | potm | Microsoft PowerPoint Macro-Enabled Template | potm, pdf*, png* |
| 22 | pps | Microsoft PowerPoint 97-2003 Show | pps, pdf*, png* |
| 23 | ppsm | Microsoft PowerPoint Macro-Enabled Show | ppsm, pdf*, png* |
| 24 | ppsx | Microsoft PowerPoint Show | ppsx |
| 25 | vsdx | Microsoft Visio Drawing | vsdx, pdf, xps, jpg, png, bmp, tiff, svg, emf, html, xaml, swf |
| 26 | vssx | Microsoft Visio Stencil | vssx*, pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 27 | vstx | Microsoft Visio Template | vstx*, pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 28 | vsdm | Microsoft Visio Macro-Enabled Drawing | vsdm, pdf, xps, jpg, png, bmp, tiff, svg, emf, html, xaml, swf |
| 29 | vssm | Microsoft Visio Macro-Enabled Stencil | vstx*, pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 30 | vstm | Microsoft Visio Macro-Enabled Template | vstx*, pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 31 | vsx | Microsoft Visio XML Stencil | pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 32 | vtx | Microsoft Visio XML Template | pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 33 | vdx | Microsoft Visio XML Drawing | pdf*, xps*, jpg*, png*, bmp*, tiff*, svg*, emf*, html*, xaml*, swf* |
| 34 | odt | OpenDocument Text | odt |
| 35 | ott | OpenDocument Document Template | ott |
| 36 | htm/html | Hypertext Markup Language | html, pdf*, ps*, jpg*, bmp*, png*, svg* |
| 37 | mht | MIME HTML | pdf*, jpg*, bmp*, png*, tiff* |
| 38 | pdf | Adobe Portable Document Format | pdf, html*, svg*, jpg*, bmp, png*, tiff*, txt* |
| 39 | hwp | Hangul Word Processor | hwp |
| 40 | cell | Hancom Cell | cell |
| 41 | show | Hancom Show | show |
| 42 | jtd | Ichitaro Document | jtd |
| 43 | jtdc | Ichitaro Compressed Document | jtdc |
| 44 | xml | Extensible Markup Language | xml |
| 45 | xml-doc | Microsoft Word 2003 XML Document | pdf |
| 46 | xml-docx | Microsoft Word XML Document | pdf |
| 47 | xml-xls | Microsoft XML Spreadsheet 2003 | pdf |
| 48 | vcs | vCalendar | vcs |
| 49 | ics | iCalendar | ics |
| 50 | jpg | JPEG Image | jpg, bmp, png, tiff, svg, gif, ps, eps, pdf* |
| 51 | bmp | Windows Bitmap Image | bmp, jpg, png, tiff, svg, gif, ps, eps, pdf* |
| 52 | png | Portable Network Graphics | png, jpg, bmp, tiff, svg, gif, ps, eps, pdf* |
| 53 | tiff | Tagged Image File Format | tiff, jpg, bmp, png, svg, gif, ps, eps |
| 54 | svg | Scalable Vector Graphics | svg, jpg*, bmp*, png*, tiff*, gif*, ps*, eps* |
| 55 | gif | Graphics Interchange Format | gif, jpg, bmp, png, tiff, svg, ps, eps, pdf* |
| 56 | wmf | Windows Metafile | wmf, jpg, bmp*, png*, tiff*, svg*, gif*, ps*, eps*, pdf* |
| 57 | emf | Windows Enhanced Metafile | emf |
| 58 | ico | Icon | ico* |
| 59 | cur | Cursor | cur* |
| 60 | dwg | AutoCAD | dwg |
| 61 | dxf | Drawing Interchange Format | pdf*, jpg*, png*, bmp*, gif*, tiff* |
| 62 | dwf | Design Web Format | pdf*, jpg*, png*, bmp*, gif*, tiff* |
| 63 | 3ds | 3D Studio | 3ds*, dae*, stl*, fbx* |
| 64 | dae | Digital Asset Exchange | dea*, 3ds*, stl*, fbx* |
| 65 | u3d | Universal 3D | u3d*, 3ds*, dae*, stl*, pdf*, drc*, rvm*, fbx* |
| 66 | drc | Google Draco | drc*, 3ds*, dae*, pdf*, u3d*, rvm*, fbx* |
| 67 | rvm | AVEVA Plant Design Management System Model | rvm*, 3ds*, dae*, stl*, pdf*, u3d*, drc*, fbx* |
| 68 | wmv | Windows Media Video | wmv* |
| 69 | mpeg | Moving Picture Experts Group | mpeg* |
| 70 | wav | Waveform Audio | wav* |
| 71 | mp3 | MPEG-1 Audio Layer-3 | mp3* |
| 72 | mp4 | MPEG-4 Part 14 | mp4* |
| 73 | avi | Audio Video Interleave | avi* |
| 74 | eml | Electronic mail | eml |
| 75 | msg | Microsoft Outlook Message | msg |
| 76 | pst | Outlook Personal Folder | pst* |
| 77 | txt | Text | txt*, pdf* |
| 78 | 7z | 7-zip Archive | 7z, zip, gz, xz, tar |
| 79 | gz | GNU Zipped Archive | gz, 7z, zip, xz, tar |
| 80 | rar | WinRAR Archive | zip, 7z, gz, xz, tar |
| 81 | xz | XZ Archive | xz, zip, 7z, gz, tar |
| 82 | zip | ZIP Archive | zip, 7z, gz, xz, tar |
| 83 | tar | Tape Archive | tar, zip, 7z, gz, xz |
| 84 | bz2 | BZ2 Archive | zip, 7z, gz, xz, tar |
| 85 | lzma | LZMA Archive | zip, 7z, gz, xz, tar |
| 86 | lzh | LZH Archive | zip, 7z, gz, xz, tar |
| 87 | arj | ARJ Archive | zip, 7z, gz, xz, tar |
| 88 | cab | Cabinet Archive | zip, 7z, gz, xz, tar |

* Only supported on Windows for now.

Sanitization is in BETA for these file types:

  • XLT / XLTX / XLTM

  • PPS / POT / PPSM / POTX / POTM

  • VSDX / VSDM / VSSX / VSTX / VSTM / VSSM / VSX / VTX / VDX

  • ODT / OTT

  • SVG (to SVG) / WMF / EMF

  • ICO / CUR

  • DXF / DWF

  • DAE / 3DS / U3D / DRC / RVM

  • MP3 / MP4 / WMV / MPEG / AVI

  • EML / MSG / PST

  • MHT

  • JTDC

  • XML

  • TXT

  • TAR / CAB / LZH / LZMA / BZ2 / ARJ

  • CELL / SHOW

Enabling these file types for production usage is not recommended. However, enabling them should not affect other sanitization. Please contact OPSWAT tech support if you have any samples that you would like to share with us for investigation.

XML sanitization is specific to XML vulnerabilities. It does not eliminate other threats, such as those in Microsoft Office XML formats. For example, Microsoft Office 2003 supports an XML document format (different from Microsoft Open XML, which is a stricter, zipped format). Please do not enable XML sanitization on a production server to sanitize XML-based documents. XML sanitization should be used only to reduce the risk of XML parser vulnerabilities.

HTML sanitization is designed for email security purposes and should not be used for sanitizing normal HTML traffic.

HWP: there are two versions of HWP, v3.0 and v5.0. A v3.0 document can only be created with the legacy Hangul Word Processor. For this reason, we do not support HWP v3, and such files result in "failed to sanitize". We recommend treating files in this old version as suspicious. If you need support for v3.0, please contact support.

Archive sanitization (7z, gz, rar, xz, zip) is for MetaDefender Core V4 only.

EML sanitization is available from MetaDefender Core 4.14.2 only.

Additional notes for Metadefender Core v3.x:

  • The Metadefender service must be restarted after changes to the configuration. You can locate the ini file under <Metadefender Core v3.x install directory>\omsDSConfig.ini

Additional notes for Metadefender Core v4.x:

  • To change configuration, log into the Web Management Console then go to Inventory → Technologies. Press the edit button on the Deep CDR row and enter the configuration in the Advanced Engine Configuration box.

  • The modified configuration will be deployed within a few minutes.

  • There is no need to restart Metadefender service.

  • Due to strict file type enforcement, whether a file type listed in this table is sanitized depends on the file type analysis result. For example, if a specific file is not detected correctly as PDF, no PDF sanitization will be performed.

Single / Multiple Output File

If the target contains only one file, it is not zipped and is treated as a single output file. For example, if a PDF file has only one page, converting it to JPG produces a single JPG. If a PDF file has more than one page, the conversion produces multiple JPG files, which are returned as a ZIP file. The following sanitizations potentially result in multiple files (returned as a single ZIP file):

  • PDF→HTML

  • PDF→IMG

  • DOCX→HTML, IMG

  • XLSX→HTML, CSV, IMG

  • PPTX→HTML, IMG

Known Issues

  1. The Microsoft Office 95 document format is not supported.

  2. Conversion from HTML to an image fails if the HTML file is bigger than 90KB.

  3. Supported AutoCAD file (.DWG) versions: 2004-2018. With versions 2007-2009, when a macro is removed from the original file (if it has one), opening the sanitized file displays the error message "Failed to load project from storage", but the file still works as usual.

  4. Only MPEG2 is supported.

  5. TXT is supported in ASCII and UTF-8 only.

  6. When converting Excel files to TXT, only the first sheet is converted.