Content disarm and reconstruction (CDR), also known as Threat Extraction, proactively protects against known and unknown threats contained in documents by removing executable content.
The solution is unique because it doesn’t rely on detection like most security solutions. Any executable content within a document is removed, whether or not it is detected as a potential threat to the user. This enables CDR to offer true zero-day prevention, while delivering files to users quickly.
The vast majority of malware infections start with a phishing email. Of these, a significant portion use a malicious document as the delivery mechanism. In 2020, more than 70% of malicious email attachments or links and about 30% of malicious web downloads were delivered through documents such as PDF, Microsoft Office Word, Excel and PowerPoint.
However, while a document may be weaponized, this doesn’t mean that it is completely malicious. Microsoft Office documents are structured as ZIP files, containing folders with a number of different files. This means that the malicious script within an Office file is only one of several files that it contains.
PDFs are similar in that they are also built from a collection of different pieces. A malicious PDF file contains a number of objects that combine to create the file that the recipient sees. However, only one or a few of these objects contain the malicious script code hidden within the document.
Forwarding a potentially malicious Microsoft Office or PDF file on to the intended recipient is very risky. There is always the chance that the recipient will open the file, enable macros, and infect their computer with malware. Additionally, this approach relies upon detection of the malicious content. On the other hand, deleting the file entirely runs the risk that the recipient will miss important information that was included in the weaponized document. Content disarm and reconstruction offers a safe alternative to simply blocking malicious files.
In a weaponized Microsoft Office or PDF file, only a small fraction of the files or objects that make up the document are potentially malicious. These are any executable content embedded within the document. With CDR, these executable elements are excised from the document, and then the document is reconstructed using the remaining pieces. This often just requires rebuilding the files used by Microsoft Office or a PDF reader to remove references to the excised content.
Check Point SandBlast’s Threat Extraction technology offers an industry-leading Content Disarm and Reconstruction (CDR) solution. SandBlast Threat Extraction provides a number of benefits for organizational cybersecurity and employee productivity, including:
While phishing emails are the most common and most well-known method of delivering malicious documents and malware to a recipient, they are far from the only option. Malicious content can be delivered over corporate collaboration platforms (like Slack and Microsoft Teams), via text messaging, over social media and other mobile apps, and via downloads from malicious or compromised websites.
For this reason, CDR must be deployed to protect all of these potential infection vectors in order to be effective. Check Point’s SandBlast technology is available for all platforms with SandBlast Agent (endpoint security), SandBlast Mobile (mobile security), and SandBlast Web (browser security).
By deploying Check Point’s SandBlast technology, an organization can protect its users against the most common method of malware delivery while minimizing impacts on employee productivity. The multi-stage delivery of potentially malicious files (i.e. ones containing executable code) ensures that employees can receive files quickly but only access executable content once it has been verified to be benign.
To learn more about Check Point’s SandBlast solutions, check out this video. To see how SandBlast technology can help to provide comprehensive protection to your organization against weaponized documents, request a free trial of SandBlast Agent, SandBlast Agent Cloud, SandBlast Mobile, and SandBlast Web.