Ramsdata

Antivirus detects threats it already knows. The problem is that attackers know this very well and regularly modify their tools to bypass signatures. Zero-day exploits, advanced obfuscation techniques, attacks embedded in Office document macros or the active content of PDF files – these are threats that traditional antivirus handles poorly or not at all. Deep CDR from OPSWAT approaches the problem from a completely different direction.

Key findings

  • Deep CDR (Content Disarm and Reconstruction) removes threats from files by deconstructing and reconstructing them
  • Does not rely on malware detection – removes all potentially dangerous active content
  • The result is a cleaned, fully usable file, free of known and unknown threats
  • Deep CDR supports more than 100 file formats, including Office, PDF, images and archives
  • It is particularly effective where traditional antiviruses fail – with zero-day and fileless attacks

Table of contents

  1. Why is traditional antivirus not enough?
  2. What is Deep CDR and how does it work?
  3. What items are removed during the CDR process?
  4. Supported file formats
  5. Deep CDR vs sandboxing – different approaches to the same problem
  6. Practical applications – when does Deep CDR make sense?
  7. Integration with MetaDefender
  8. FAQ
  9. Summary

Why is traditional antivirus not enough?

Traditional antivirus operates on the principle of signature matching – it compares a file or its hash with a database of known threats. This approach has a fundamental flaw: it only works if the threat is already known. There is a time lag between the moment a new piece of malware is first used in an attack and the moment its signature reaches the antivirus databases – and that window is the most dangerous period.

Moreover, even known threats can be masked by simple code modification, changing file headers or using obfuscation techniques. Studies show that even simultaneous scanning with dozens of antivirus engines does not guarantee detection of all threats.

What is Deep CDR and how does it work?

Deep CDR (Content Disarm and Reconstruction) is a technology that reverses the approach to protection. Instead of looking for threats, it assumes that any file could contain a threat and removes all items that could be malicious – regardless of whether they are currently listed in any malware databases.

The process works in three steps. The first is deconstruction – the file is decomposed into its component parts according to the format specification. The second is cleanup – all active elements (macros, scripts, embedded objects, active content) are removed. The third is reconstruction – the file is put back together in a cleaned form, preserving its useful content.

What items are removed during the CDR process?

Deep CDR removes a wide range of potentially dangerous elements from files. In Office documents, these include VBA macros (the most common attack vector), embedded OLE objects (which can contain executable files), active content (links to external resources, forms) and auto-updating fields.

In PDF files, JavaScript (commonly used in PDF exploits), ActionScript scripts, embedded executables and links to external resources are removed. In images, hidden data in metadata and steganographically embedded payloads are stripped. Archives are unpacked and processed recursively, file by file.
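As an added illustration of the three-step process and of the Office items listed above (example code written for this article, not OPSWAT's implementation): a minimal disarming routine for an OOXML package. It assumes a constructed .docm containing one VBA project and a simplified part layout; the part-name pattern and the content-type rewrite are this example's own choices.

```python
import io, posixpath, re, zipfile

# Constructed sample: a minimal macro-enabled Word document (.docm). Real files carry more parts.
SAMPLE_DOCM = {
    "[Content_Types].xml": (
        b'<Types><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>'),
    "word/_rels/document.xml.rels": (
        b'<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/></Relationships>'),
    "word/document.xml": b"<w:document><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>",
    "word/styles.xml": b"<w:styles/>",
    "word/vbaProject.bin": b"\x00CONSTRUCTED VBA BLOB\x00",
}
ACTIVE_PART = re.compile(r"vbaProject\.bin|vbaData\.xml|/embeddings/|/activeX/", re.I)  # active-content parts (assumed list)
MACRO_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def read_parts(blob):  # deconstruction: unpack the ZIP container into {part name: bytes}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return {i.filename: z.read(i) for i in z.infolist() if not i.is_dir()}

def build_zip(parts):  # reconstruction: a brand-new container, no original ZIP bytes are reused
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

def drop_refs(name, xml, removed):
    """Strip <Override>/<Relationship> elements that point at a removed part."""
    if name == "[Content_Types].xml":
        return re.sub(rb'<Override [^>]*PartName="/([^"]+)"[^>]*/>',
                      lambda m: b"" if m.group(1).decode() in removed else m.group(0), xml)
    base = posixpath.dirname(name.replace("_rels/", "")[:-len(".rels")])  # Targets are relative to the owner part
    def keep(m):
        return b"" if posixpath.normpath(posixpath.join(base, m.group(1).decode())) in removed else m.group(0)
    return re.sub(rb'<Relationship [^>]*Target="([^"]+)"[^>]*/>', keep, xml)

def disarm_ooxml(blob):
    """Deconstruct, remove active parts plus every reference to them, rebuild. Returns (clean_bytes, removed)."""
    parts = read_parts(blob)
    removed = sorted(n for n in parts if ACTIVE_PART.search(n))
    clean = {}
    for name, data in parts.items():
        if name in removed:
            continue
        if name.endswith(".rels") or name == "[Content_Types].xml":
            data = drop_refs(name, data, removed).replace(MACRO_MAIN, PLAIN_MAIN)  # .docm becomes .docx
        clean[name] = data
    return build_zip(clean), removed
```

Running `disarm_ooxml(build_zip(SAMPLE_DOCM))` yields a package without the VBA part, without the relationship and content-type entries that referenced it, and with the document text untouched.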

Supported file formats

OPSWAT’s Deep CDR technology supports more than 100 file formats, including all Microsoft Office formats (docx, xlsx, pptx and older binary versions), PDF, OpenDocument formats, images (JPEG, PNG, TIFF, BMP), HTML files, archives (ZIP, RAR, 7z) and many others.

This matters: a solution is only useful if it supports the formats actually used in the organization. Support for Office’s legacy binary formats is especially important in environments where older .doc and .xls files are still in circulation.

Deep CDR vs sandboxing – different approaches to the same problem

Sandboxing is an alternative approach to protecting against unknown threats: a file is run in an isolated environment and its behavior is observed. If it behaves maliciously, it is blocked.

Deep CDR and sandboxing solve the same problem with different methods and work best together. Sandboxing takes time – the file must be executed and observed, which can take minutes to tens of minutes. Deep CDR is fast – reconstructing a file takes seconds. Sandboxing may also miss threats that activate only after certain conditions are met (a delay, a specific date, a particular locale). Deep CDR removes the active content regardless of its activation conditions.

Practical applications – when does Deep CDR make sense?

Deep CDR makes sense wherever external files enter a protected environment: email gateways (cleaning attachments before delivery), web portals accepting files from external users, file transfers between networks with different levels of trust, and scanning of removable media on entry to a protected network.

It’s especially valuable in environments where response time matters – a mail gateway that cleans up files in seconds doesn’t delay the flow of communication.

Integration with MetaDefender

Deep CDR is one of the key technologies of the OPSWAT MetaDefender platform and works in conjunction with multiscanning and Proactive DLP. Multiscanning detects known threats, Deep CDR removes potentially unknown threats, and Proactive DLP protects against sensitive data leakage. Together, they form a multi-layered protection that addresses threats that cannot be effectively countered by a single method.

FAQ

Does Deep CDR damage the files? Can they be opened normally after cleaning? The cleaned file is fully usable – it contains the original content (text, graphics, tables), only without active elements. Formatting is retained.

What happens when a file is too corrupted for reconstruction? OPSWAT offers a configurable policy – a file can be blocked, quarantined or marked for manual review.

Does Deep CDR work in real time? Yes – it takes from a fraction of a second to a few seconds to reconstruct a typical document, allowing it to be used in email gateways without noticeable delays.

Is CDR a replacement for antivirus? No – CDR and antivirus are complementary. CDR removes threats that antivirus does not see. Antivirus detects threats that CDR does not need to remove. Together, they provide a higher level of protection.

Summary

Deep CDR from OPSWAT is a technology that changes the approach to protecting against file-borne threats – from reactive detection to preventive removal. By purging every file of potentially malicious active content, Deep CDR protects against zero-day exploits, macro viruses and advanced obfuscation techniques where traditional antivirus fails.

Deep CDR - what deep file disarming is and why it is more effective than antivirus
