Content disarm and reconstruction (CDR), which Check Point markets as Threat Extraction, proactively protects against known and unknown threats carried in documents by removing their active (executable) content: macros, embedded objects, scripts and similar elements.

The approach differs from most security controls in that it does not depend on detection. Any active content in a document is stripped whether or not it has been flagged as a threat, so CDR can neutralise document-borne zero-day exploits while still delivering files to users quickly. The corresponding caveat is that CDR only addresses threats that ride on the removed content; a phishing link in the visible text, for example, is left untouched.

Malware Infection Often Starts with a Document

The vast majority of malware infections start with a phishing email. Of these, a significant portion use a malicious document as the delivery mechanism. In 2020, more than 70% of malicious email attachments or links and about 30% of malicious web downloads were delivered through documents such as PDF, Microsoft Office Word, Excel and PowerPoint.

However, a weaponized document is not malicious through and through. Modern Microsoft Office files (.docx, .docm, .xlsx, .xlsm and so on) are ZIP packages holding a tree of XML parts plus a few binary parts; a VBA macro lives in one such part (vbaProject.bin) alongside the parts that hold the text, styles, images and relationships. (The legacy binary .doc and .xls formats use the OLE2 compound-file container rather than ZIP, but are likewise a collection of separate streams.) The malicious script is therefore only one file among the many that make up the document.

PDFs are similar in that they are also built from a collection of pieces. A PDF is a set of numbered objects (pages, fonts, images, content streams and dictionaries) that together produce what the recipient sees. In a malicious PDF only one or a few of those objects carry the active content: JavaScript referenced from /JS or /JavaScript entries, automatic actions such as /OpenAction or /AA, a /Launch action, or an embedded file.

Introducing Content Disarm and Reconstruction

Forwarding a potentially malicious Microsoft Office or PDF file to the intended recipient is very risky: there is always the chance that the recipient will open the file, enable macros, and infect their computer with malware. Forwarding only the files that were not flagged also relies entirely on the malicious content being detected. Deleting the file outright, on the other hand, risks the recipient missing important information that the weaponized document contained. Content disarm and reconstruction offers a safe alternative to either choice.

In a weaponized Microsoft Office or PDF file, only a small fraction of the parts or objects that make up the document are potentially malicious, namely the executable content embedded in it. CDR excises those elements and then reconstructs the document from the remaining pieces. In practice this means rebuilding the structures that Microsoft Office or a PDF reader uses to locate content so that no reference to the excised material remains: for an Office package, the content-type manifest and the relationship files; for a PDF, the object dictionary and cross-reference table.
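The excise-and-rebuild step above, for the Office case, as an added example (this is not Check Point's code and not how Threat Extraction is implemented): a toy CDR pass over an OOXML package. It identifies the parts that carry executable content by their OPC content type, drops them, removes every relationship and content-type entry that referenced them, and downgrades the macro-enabled main part so the result opens as a plain .docx. The content-type lists are a deliberately short illustration, and the sample .docm it builds in memory is constructed for the example with placeholder bytes rather than a real VBA project or OLE object.

```python
# Toy CDR for OOXML packages (.docm/.xlsm/.pptm): drop parts carrying executable content, remove every
# relationship and content-type entry pointing at them, and downgrade the macro-enabled main part.
import io, posixpath, zipfile, xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML = "application/vnd.openxmlformats-officedocument."
# Parts with these content types carry executable content (VBA, ActiveX, OLE). Illustrative, not exhaustive.
ACTIVE_CONTENT_TYPES = {"application/vnd.ms-office.vbaProject", "application/vnd.ms-office.activeX",
                        "application/vnd.ms-office.activeX+xml", OOXML + "oleObject"}
# Macro-enabled main parts and their macro-free equivalents.
MAIN_PART_DOWNGRADE = {
    "application/vnd.ms-word.document.macroEnabled.main+xml": OOXML + "wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml": OOXML + "spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml": OOXML + "presentationml.presentation.main+xml",
}

def _content_types(types_xml):
    """Parse [Content_Types].xml into (root, defaults by extension, overrides by part name)."""
    root = ET.fromstring(types_xml)
    defaults = {e.get("Extension").lower(): e.get("ContentType") for e in root.findall(f"{{{CT_NS}}}Default")}
    overrides = {e.get("PartName"): e.get("ContentType") for e in root.findall(f"{{{CT_NS}}}Override")}
    return root, defaults, overrides

def _content_type(name, defaults, overrides):
    """Resolve a part's type the way OPC does: Override first, then Default by extension."""
    return overrides.get("/" + name) or defaults.get(name.rsplit(".", 1)[-1].lower(), "")

def _rebuild_content_types(root, removed):
    """Drop entries for removed parts and active types; downgrade macro-enabled main parts."""
    for el in list(root):
        ctype = el.get("ContentType")
        if ctype in ACTIVE_CONTENT_TYPES or el.get("PartName", "").lstrip("/") in removed:
            root.remove(el)
        elif ctype in MAIN_PART_DOWNGRADE:
            el.set("ContentType", MAIN_PART_DOWNGRADE[ctype])
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")

def _rebuild_rels(rels_name, payload, removed):
    """Drop relationships targeting a removed part; relative targets resolve against the source part's dir."""
    base = rels_name.split("_rels/")[0]          # word/_rels/document.xml.rels -> "word/", _rels/.rels -> ""
    root = ET.fromstring(payload)
    for rel in list(root):
        target = rel.get("Target", "")
        resolved = target.lstrip("/") if target.startswith("/") else posixpath.normpath(posixpath.join(base, target))
        if rel.get("TargetMode") != "External" and resolved in removed:
            root.remove(rel)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")

def disarm_ooxml(data):
    """Return (reconstructed package bytes, sorted names of the parts that were removed)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = [n for n in src.namelist() if not n.endswith("/")]
    root, defaults, overrides = _content_types(src.read("[Content_Types].xml"))
    removed = {n for n in names if _content_type(n, defaults, overrides) in ACTIVE_CONTENT_TYPES}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in (n for n in names if n not in removed):
            payload = src.read(name)
            if name == "[Content_Types].xml":
                payload = _rebuild_content_types(root, removed)
            elif name.endswith(".rels"):
                payload = _rebuild_rels(name, payload, removed)
            out.writestr(name, payload)
    return buf.getvalue(), sorted(removed)

def describe(data):
    """Inspect a package: ({part: resolved content type}, {rels part: [targets]})."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    _, defaults, overrides = _content_types(zf.read("[Content_Types].xml"))
    names = [n for n in zf.namelist() if not n.endswith("/")]
    return ({n: _content_type(n, defaults, overrides) for n in names},
            {n: [r.get("Target") for r in ET.fromstring(zf.read(n))] for n in names if n.endswith(".rels")})

def build_sample_docm():
    """Constructed sample .docm: a VBA part and an embedded OLE object. Binary parts are placeholders."""
    od = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            f'<Override PartName="/word/embeddings/oleObject1.bin" ContentType="{OOXML}oleObject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{od}officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Invoice Q3: figures attached.</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{od}oleObject" Target="embeddings/oleObject1.bin"/></Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1PLACEHOLDER-VBA",
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1PLACEHOLDER-OLE",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Calling `disarm_ooxml(build_sample_docm())` returns a package in which only the four structural parts remain, the content type of word/document.xml is the macro-free one, the relationship file of the main part is empty, and the package-level relationship to word/document.xml survives; running the pass a second time removes nothing. A production engine goes well beyond this: it also strips the elements inside document.xml that reference a removed relationship id (an OLE object anchor, for instance), handles DDE fields, external links and the legacy OLE2 container, and typically re-renders the surviving content rather than trusting the remaining XML as-is.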

Benefits of CDR

Check Point SandBlast’s Threat Extraction technology offers an industry-leading Content Disarm and Reconstruction (CDR) solution. SandBlast Threat Extraction provides a number of benefits for organizational cybersecurity and employee productivity, including:

  • Minimal Recipient Impact: Active content such as macros and embedded scripts is normally not part of what the recipient sees, so removing it leaves the text, layout and images of the file intact; only documents whose legitimate workflow depends on that content notice the difference.
  • Safe Delivery: By removing the executable content from the document, the file becomes safe for the recipient, making it possible to send it on to them without risking malware delivery.
  • Zero Day Protection: CDR removes executable content whether or not it is detected as malicious. This enables it to protect against zero-day threats.
  • Rapid Delivery: CDR eliminates delays associated with traditional sandboxes and enables real-world deployment for zero-day protection in prevent mode, while delivering cleaned files to users quickly.
  • Original File Access: Some benign files do need their active content (a spreadsheet's macros, for example). With Check Point SandBlast the original file can be released to the user once sandbox inspection has confirmed that it is benign.

Check Point Harmony Offers CDR Security Options Across the Board

While phishing emails are the most common and most well-known method of delivering malicious documents and malware to a recipient, they are far from the only option. Malicious content can be delivered over corporate collaboration platforms (like Slack and Microsoft Teams), via text messaging, over social media and other mobile apps, and via downloads from malicious or compromised websites.

For this reason, CDR must be deployed to protect all of these potential infection vectors in order to be effective. Check Point’s Harmony technology is available for all platforms with Harmony Endpoint (endpoint security), Harmony Mobile (mobile security), and Harmony Browse and Harmony Email (Avanan). 

By deploying Check Point's Harmony technology, an organization can protect its users against the most common method of malware delivery while minimizing impacts on employee productivity. Staged delivery of files that contain executable code, with the disarmed copy delivered immediately and the original released only after inspection, means employees receive files quickly but only access executable content once it has been verified to be benign.