Frequently Asked Questions (FAQ)

This page collects the frequently asked questions about the Malwation CDR.

How does Content Disarm and Reconstruction (CDR) protect against zero-day attacks?

Content Disarm and Reconstruction (CDR) protects against zero-day attacks by sanitizing files rather than trying to detect malicious content from known threat signatures. CDR removes or neutralizes the elements of a document that are commonly used to deliver malware, such as macros, embedded objects and scripts, and then rebuilds the file so that it contains only content the sanitizer recognizes as safe. Because the process does not depend on prior knowledge of a threat, it also mitigates zero-day attacks that exploit previously unknown vulnerabilities: any element that could be weaponized is disarmed whether or not it is novel or already detected. CDR complements detection rather than replacing it; it addresses active content carried inside files, not, for example, the persuasive text of a phishing message that contains no active element.
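As an added illustration of the disarm-and-reconstruct step described above (example code written for this page, not Malwation's implementation), the script below takes a macro-enabled Word package (a .docm is a ZIP of XML parts), drops the VBA project parts, removes the package relationship and content-type entries that point to them, changes the main part's content type to the plain .docx one, and writes every surviving part into a fresh ZIP. The sample input is a constructed minimal package, not a real Word document; the part names and content types are the standard OOXML ones, and the function names are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and identifiers involved in a Word macro project.
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")
# Parts that exist only to carry the macro project; dropped wholesale.
MACRO_PARTS = {"word/vbaProject.bin", "word/vbaData.xml",
               "word/_rels/vbaProject.bin.rels"}


def _rewrite_content_types(xml_bytes: bytes) -> bytes:
    """Drop the vbaProject entries and downgrade the main part from .docm to .docx."""
    root = ET.fromstring(xml_bytes)
    for entry in list(root):  # <Default> and <Override> children
        if entry.get("ContentType") == VBA_CONTENT_TYPE:
            root.remove(entry)
        elif entry.get("ContentType") == MACRO_MAIN_CT:
            entry.set("ContentType", PLAIN_MAIN_CT)
    ET.register_namespace("", CT_NS)  # serialize with the default (unprefixed) namespace
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def _rewrite_document_rels(xml_bytes: bytes) -> bytes:
    """Remove the relationship from document.xml to the VBA project."""
    root = ET.fromstring(xml_bytes)
    for rel in list(root):
        if rel.get("Type") == VBA_REL_TYPE:
            root.remove(rel)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def disarm_docm(docm: bytes) -> bytes:
    """Rebuild the package without its macro project and return .docx bytes.

    Every surviving part is re-added under a fresh ZipInfo, so unusual zip
    metadata (extra fields, comments, odd flags) is not carried over either.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docm)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in MACRO_PARTS or name.endswith("/"):
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = _rewrite_content_types(data)
            elif name == "word/_rels/document.xml.rels":
                data = _rewrite_document_rels(data)
            dst.writestr(name, data)
    return out.getvalue()


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled package (not a real Word document)."""
    content_types = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="{CT_NS}">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>
  <Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>
</Types>'''
    document_rels = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>
</Relationships>'''
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    document = (f'<w:document xmlns:w="{w_ns}"><w:body><w:p><w:r>'
                '<w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/styles.xml", f'<w:styles xmlns:w="{w_ns}"/>')
        # Placeholder bytes standing in for an OLE-packaged VBA project.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"AutoOpen placeholder")
    return buf.getvalue()


def inspect_package(pkg: bytes) -> dict:
    """Summarize a package's parts and the two rewritten XML files, for checking results."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as z:
        return {
            "parts": sorted(z.namelist()),
            "content_types": z.read("[Content_Types].xml").decode("utf-8"),
            "document_rels": z.read("word/_rels/document.xml.rels").decode("utf-8"),
        }


if __name__ == "__main__":
    print("before:", inspect_package(build_sample_docm())["parts"])
    print("after: ", inspect_package(disarm_docm(build_sample_docm()))["parts"])
```

The output should be saved with a .docx extension, since Word refuses a .docm whose main part no longer declares the macro-enabled content type. Note that removing the macro part alone is not enough: a dangling relationship or content-type override leaves a package that Word reports as corrupt, which is why the reconstruction step touches all three places.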

What are the deployment options for your CDR technology, including Cloud and On-premise?

Our Content Disarm and Reconstruction (CDR) technology can be deployed either in the cloud or on-premise. Cloud deployment offers flexibility, scalability and lower maintenance and infrastructure cost, since the CDR service is hosted and managed remotely. On-premise deployment gives the organization full control over the data and the system, simplifies compliance, and allows operation inside a closed network where files never leave the organization's boundary. Either model can be chosen to fit the organization's security requirements, IT infrastructure and operational policies.

What file formats does your CDR technology support for malicious code removal?

Our Content Disarm and Reconstruction (CDR) technology supports a wide range of file formats for the removal of malicious code. These include document formats such as DOC, DOCM, DOCX, DOTM, PPT, PPTM, PPTX, XLS, XLSM, XLSX, PDF, ODC, ODT, OTT, ODP, OTP, ODS, OTS, RTF, and XML. Image formats supported include TIFF, JPEG, PNG, BMP, WEBP, JPX, and SVG. Additionally, the technology can clean files in ZIP archives, as well as HTML, LNK, and ICS formats. This extensive support ensures that various common and widely used file types are secured against potential cyber threats, providing comprehensive protection across different data and media types.

Is configuration possible in your CDR technology?

Yes. The sanitization process in our Content Disarm and Reconstruction (CDR) technology is configurable: users can enable or disable individual cleaning features to meet their security and operational needs. The configuration structure looks like this:

log_backup_count: Number of backup log files kept on rollover (the log file rotates weekly, so 4 keeps roughly a month)
include_object: Include details of each sanitized object in the result
skip_errors: Default false. When true, an error in any part of the sanitization stops processing of that file and the result is returned as failed
hyperlink_allowlist: List of regular expressions, or the path of a file containing one regex pattern per line
pdf_conf:
    hyperlink: Sanitize hyperlinks in the file
    annotations: Remove PDF annotations other than URI (link) annotations
    embedded_file: Remove embedded files from the document
    metadata: Sanitize file metadata
    macro: Macro code removal
    decrypt_force: When true, a PDF that is encrypted but opens without a password (empty user password) is decrypted and sanitized; the sanitized file is saved without encryption
    image: Sanitize images in the file
html_conf:
    script: JavaScript code removal
    hyperlink: Sanitize hyperlinks in the file
word_conf:
    hyperlink: Sanitize hyperlinks in the file
    metadata: Sanitize file metadata
    image: Sanitize images in the file
    macro: Macro code removal
    ole_object: OLE object removal
    activex_object: ActiveX object removal
    dde: DDE payload removal
    embedded_file: Sanitize embedded files in the document
excel_conf:
    hyperlink: Sanitize hyperlinks in the file
    metadata: Sanitize file metadata
    comment: Sanitize cell comment records
    image: Sanitize images in the file
    macro: Macro code removal
    ole_object: OLE object removal
    activex_object: ActiveX object removal
    dde: DDE payload removal
    embedded_file: Sanitize embedded files in the document
ppt_conf:
    hyperlink: Sanitize hyperlinks in the file
    metadata: Sanitize file metadata
    image: Sanitize images in the file
    macro: Macro code removal
    ole_object: OLE object removal
    activex_object: ActiveX object removal
    dde: DDE payload removal
    embedded_file: Sanitize embedded files in the document
opendocument_conf:
    hidden_text: Remove OpenDocument hidden text
    hyperlink: Sanitize hyperlinks in the file
    macro: Remove OpenDocument scripting-framework macros
    ole_object: OLE object removal
    image: Sanitize images in the file
xml_conf:
    macro: Remove macro objects
    script: Remove script objects
    cdata: Sanitize character data (CDATA) sections
archive_conf:
    zip_compress_all: Compress every file in the rebuilt archive, including files that were not sanitized
image_conf:
    lsb_image: Overwrite the least significant bit of each channel in RGB, RGBA, L (grayscale) and P (indexed colour) images to destroy LSB steganography payloads

This flexible configuration allows organizations to define what elements should be neutralized or retained based on their security policies, thereby optimizing the effectiveness of the CDR process while maintaining document usability.

Does your CDR technology support sanitization of encrypted archives?

Yes, our Content Disarm and Reconstruction (CDR) technology can sanitize encrypted archives, specifically ZIP files. An encrypted ZIP is processed and sanitized as long as the decryption password is supplied. The password can be provided in two ways:

  1. Threat.Zone UI: Users can manually enter the password when uploading the encrypted archive for sanitization via our user interface.

  2. Manual Usage: During manual operations, the password can also be specified as an argument directly to the CDR process.

Automated (unattended) sanitization of encrypted archives is not supported, because there is no mechanism for the system to receive and handle passwords securely without a user. Passwords therefore never travel through automated channels, while manual input remains available when it is needed.
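An added example (not the product's code) of the archive flow described above: a function that walks a ZIP, hands each member to a per-format sanitizer, recurses into nested .zip members, and rebuilds the archive, passing the password through to zipfile for encrypted members as in the manual usage above. The nesting limit, inflation-ratio limit and path-traversal check are my additions, chosen as the checks a practitioner would want; the page does not document the product's own limits. Because Python's standard zipfile cannot write encrypted archives, the rebuilt archive is written unencrypted, which is an assumption about output handling the page does not state. The compress_all flag follows the zip_compress_all description (untouched members otherwise keep their original compression method, also an assumption). demo_sanitizer is a placeholder for the real per-format sanitizers, and the sample archive is constructed inline.

```python
import io
import re
import zipfile
from typing import Callable, Dict, Optional, Tuple

# Assumed limits for this example; the product's own limits are not documented on the page.
MAX_NESTING = 3          # archives nested deeper than this are dropped rather than unpacked
MAX_INFLATE_RATIO = 100  # a member that inflates more than 100x is treated as a decompression bomb

# A per-format sanitizer returns cleaned bytes, or None to drop the member entirely.
Sanitizer = Callable[[str, bytes], Optional[bytes]]


def member_name_is_safe(name: str) -> bool:
    """Reject names that would escape the extraction directory (absolute, drive-rooted, or '..')."""
    parts = name.replace("\\", "/").split("/")
    return not name.startswith("/") and ":" not in parts[0] and ".." not in parts


def demo_sanitizer(name: str, data: bytes) -> Optional[bytes]:
    """Placeholder for the real sanitizers: strips <script> blocks from HTML, leaves the rest as-is."""
    if name.lower().endswith((".html", ".htm")):
        return re.sub(rb"<script\b.*?</script>", b"", data, flags=re.I | re.S)
    return data


def sanitize_zip(archive: bytes, sanitize: Sanitizer, password: Optional[bytes] = None,
                 compress_all: bool = False, depth: int = 0) -> bytes:
    """Rebuild a ZIP from sanitized members.

    `password` is consulted by zipfile only for encrypted members; an encrypted
    member with no password makes zipfile raise RuntimeError, left to the caller.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.is_dir() or not member_name_is_safe(info.filename):
                continue
            # Header sizes are attacker-controlled, but a declared ratio this high is
            # reason enough to drop the member before inflating a single byte.
            if info.compress_size and info.file_size / info.compress_size > MAX_INFLATE_RATIO:
                continue
            body = src.read(info, pwd=password)
            if info.filename.lower().endswith(".zip"):
                # Nested plain archives recurse. OOXML/ODF documents are also zips but are
                # documents, so they are routed to the document sanitizer instead.
                if depth + 1 > MAX_NESTING:
                    continue
                cleaned = sanitize_zip(body, sanitize, password, compress_all, depth + 1)
            else:
                cleaned = sanitize(info.filename, body)
            if cleaned is None:
                continue
            changed = cleaned != body
            method = zipfile.ZIP_DEFLATED if (compress_all or changed) else info.compress_type
            dst.writestr(info.filename, cleaned, compress_type=method)
    return out.getvalue()


def build_sample_archive() -> bytes:
    """Constructed input: a plain file, HTML with a script, a zip-slip name, a
    decompression bomb, and a nested archive that itself contains a zip-slip name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("nested.html", b"<b>x</b><script>alert(1)</script>")
        z.writestr("../../escape.txt", b"zip-slip")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notes.txt", b"plain text", compress_type=zipfile.ZIP_STORED)
        z.writestr("page.html", b"<p>ok</p><script src=x></script>", compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("../evil.txt", b"zip-slip", compress_type=zipfile.ZIP_STORED)
        z.writestr("bomb.bin", b"\0" * 1_000_000, compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("inner.zip", inner.getvalue(), compress_type=zipfile.ZIP_STORED)
    return outer.getvalue()


def list_members(archive: bytes) -> Dict[str, Tuple[int, int]]:
    """name -> (uncompressed size, compression method), for inspecting results."""
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return {i.filename: (i.file_size, i.compress_type) for i in z.infolist()}


def read_member(archive: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return z.read(name)


if __name__ == "__main__":
    cleaned = sanitize_zip(build_sample_archive(), demo_sanitizer, password=None)
    print(list_members(cleaned))
```

For an encrypted input, pass the user-supplied password as bytes (`password=b"..."`); the standard library handles ZipCrypto only, so AES-encrypted ZIPs need a third-party reader.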

What are the whitelisting options available in your CDR technology?

In our Content Disarm and Reconstruction (CDR) technology, whitelisting is primarily focused on resource-based criteria rather than file-based. This means that specific elements within files can be selectively preserved based on their type and perceived safety, rather than excluding entire files from sanitization based on their name or source. Our CDR configurations provide the flexibility to mark particular components of a document to remain intact during the sanitization process. Examples include:

  • Resource-Based Whitelisting: Users can configure the CDR to avoid removing certain types of content like macros, hyperlinks, or embedded scripts, depending on their security policies and the trustworthiness of the content source.

  • Metadata-Based Whitelisting: Metadata within files can also be preserved if deemed secure and necessary, allowing essential information about the file to remain unchanged.

  • Hyperlink Whitelisting: Hyperlinks are a common attack vector, so they are removed by default during the CDR process. Because some links are essential for business operations, administrators can allow specific hyperlinks through configurable regex patterns: only links that match one of the predefined patterns survive sanitization, which balances usability against security. A pattern should be written to match the whole link, with the scheme and host spelled out and dots escaped, so that lookalike hosts do not satisfy it.

    • Whitelist hyperlink supported file types: MS Office, HTML, PDF, Opendocument

There is no mechanism to whitelist entire files by attributes such as file name or origin. Every file therefore undergoes some level of scrutiny, and no file is trusted on the basis of properties that an attacker could manipulate.
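An added example (not the product's code) of how the hyperlink_allowlist option could be applied, with the two pattern sources the configuration section mentions: an inline regex list, or a file with one pattern per line. The scheme restriction, the comment syntax in the pattern file and the helper names are assumptions for this example, and the sample links are constructed. It shows why the pattern must be matched against the whole URL with escaped dots and a pinned scheme: a loose pattern such as https://corp.example.com.* lets lookalike hosts and the userinfo trick through, and substring matching would even accept an allowed URL embedded inside a hostile one.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple, Union
from urllib.parse import urlsplit

# Assumed for this example: only web links are eligible for the allowlist; anything else
# (javascript:, file:, data:, ...) is removed regardless of pattern.
ALLOWED_SCHEMES = {"http", "https"}


def load_allowlist(source: Union[str, Iterable[str]]) -> List[re.Pattern]:
    """Build the allowlist from an in-config list of regexes or (if given a str) the path
    of a file holding one regex per line. Blank lines and '#' comments are ignored."""
    if isinstance(source, str):
        lines = Path(source).read_text(encoding="utf-8").splitlines()
    else:
        lines = list(source)
    patterns = []
    for raw in lines:
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line))
    return patterns


def is_allowed(url: str, allowlist: List[re.Pattern], partial: bool = False) -> bool:
    """Keep a link only if its scheme is web and a pattern matches the WHOLE URL.

    partial=True switches to re.search, included only to show why substring
    matching is the wrong semantics for an allowlist.
    """
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:          # malformed URL (e.g. bad IPv6 literal): never allowed
        return False
    if scheme not in ALLOWED_SCHEMES:
        return False
    if partial:
        return any(p.search(url) for p in allowlist)
    return any(p.fullmatch(url) for p in allowlist)


def sanitize_links(urls: Iterable[str], allowlist: List[re.Pattern]) -> Tuple[List[str], List[str]]:
    """Split links into (kept, removed), the decision a CDR pass makes per hyperlink."""
    kept, removed = [], []
    for url in urls:
        (kept if is_allowed(url, allowlist) else removed).append(url)
    return kept, removed


# Constructed sample: legitimate corporate links mixed with lookalikes an attacker would try.
SAMPLE_LINKS = [
    "https://corp.example.com/reports/q1.pdf",
    "https://corp.example.com",
    "https://corp.example.com.evil.net/login",           # host-suffix trick
    "https://corp.example.com@evil.net/",                # userinfo trick: real host is evil.net
    "https://evil.net/?next=https://corp.example.com/",  # allowed string inside a hostile URL
    "javascript:alert(document.domain)",
]

# Too loose: unescaped '.' is a wildcard and the trailing '.*' lets anything follow the host.
LOOSE_ALLOWLIST = [r"https://corp.example.com.*"]
# Tight: escaped dots, pinned scheme, and the host must either end or be followed by '/'.
TIGHT_ALLOWLIST = [r"https://corp\.example\.com(/[^@\s]*)?"]

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_ALLOWLIST), ("tight", TIGHT_ALLOWLIST)):
        kept, removed = sanitize_links(SAMPLE_LINKS, load_allowlist(rules))
        print(f"{label}: kept {kept}")
```

With the tight allowlist only the two genuine corporate links survive; with the loose one, both lookalikes are kept as well. An empty allowlist removes every link, which is the default behaviour the section above describes.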

Where can the logs for CDR technology be viewed?

The logs generated by our Content Disarm and Reconstruction (CDR) technology are written to the host system on which the CDR service runs. When the CDR process runs inside a Docker container, a directory on the host server is mounted into the container for its log files, so the logs can be read directly from that directory on the host without connecting to the container. This gives customers a straightforward way to monitor and audit the activity and outcomes of the CDR process.
