What is Content Disarm and Reconstruction (CDR)?

Much of cybersecurity depends on detection—like the detection & response solutions we’ve written about recently. But there’s another, less common way to approach malware threats. Content Disarm and Reconstruction, or CDR, strips down a file’s active content and rebuilds the file with only known, safe elements. Sometimes called file sanitization, CDR delivers a clean, “sanitized” copy. It does this with every file, as a routine practice—so the need to detect and identify malicious files is bypassed. This is particularly helpful with zero-day attacks, which are difficult to find with standard detection methods. And considering that malware is the most common cyber threat, with over nine out of ten malware attacks delivered through email and hidden in common file types, CDR presents a viable alternative to signature-based detection methods.

What Does Content Disarm and Reconstruction Do?


There are a couple of different ways CDR can work. One method, the first CDR technology to emerge, is to flatten files into PDF format before releasing them to end users. This creates a file incapable of activating malicious code. The downside is that a PDF is not editable, which can hinder productivity in shared projects. A more fine-tuned CDR method involves stripping out active content such as embedded objects. This removes most of the threat, but it still leaves the file only semi-functional.

The most advanced form of CDR fully breaks down and rebuilds the file based on templates with only known, safe elements included. Since these clean templates include functional actions, there is no loss of functionality in the file. This can be done very quickly, providing sanitized, reconstructed files almost instantaneously.
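The strip-and-rebuild idea described above can be illustrated on a Word-style OOXML package, which is a ZIP of parts. This is an added sketch, not FileWall's algorithm or any vendor's code; the allow-list, the `word/` directory names and the sample package are assumptions made for the example.

```python
import io, posixpath, zipfile
import xml.etree.ElementTree as ET  # use a hardened parser for untrusted XML in production

SAFE_EXT = {".xml", ".rels", ".png", ".jpg", ".jpeg"}  # assumed allow-list of passive part types
ACTIVE_DIRS = ("word/embeddings/", "word/activeX/")    # assumed homes of embedded/active objects

def prune_refs(xml_bytes, base, kept):
    """Remove Override/Relationship elements that point at a part we did not keep."""
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        ref = el.get("PartName") or el.get("Target")
        if ref and el.get("TargetMode") != "External":
            if posixpath.normpath(posixpath.join(base, ref)).lstrip("/") not in kept:
                root.remove(el)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def reconstruct(data):
    """Rebuild the package from allow-listed parts; return (clean_bytes, dropped_names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = [n for n in src.namelist() if not n.endswith("/")]
    kept = {n for n in names if posixpath.splitext(n)[1].lower() in SAFE_EXT
            and not n.startswith(ACTIVE_DIRS)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in sorted(kept):
            body = src.read(name)
            if name == "[Content_Types].xml" or name.endswith(".rels"):
                base = posixpath.dirname(posixpath.dirname(name))  # X/_rels/Y.rels -> X
                body = prune_refs(body, base, kept)
            dst.writestr(name, body)
    return out.getvalue(), sorted(set(names) - kept)

def make_sample():
    """Constructed macro-enabled package, used only to exercise reconstruct()."""
    ns = "http://schemas.openxmlformats.org/package/2006/"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{ns}content-types"><Override '
            'PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{ns}relationships">'
            '<Relationship Id="rId1" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Target="media/image1.png"/></Relationships>',
        "word/document.xml": "<document/>", "word/media/image1.png": "constructed",
        "word/vbaProject.bin": "constructed", "word/embeddings/oleObject1.bin": "constructed",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

This sketch filters only at the package level. A production CDR engine would also rewrite body XML that references removed relationships and validate every kept part against its schema.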

Who Can Benefit from Content Disarm and Reconstruction?

Enterprises (both large and small) that involve a lot of file-sharing are particularly vulnerable to malware attacks. Whether files are shared among project teammates or with outside vendors and partners, more sharing means more opportunities for breaches. Many employees have a tendency to click on suspicious attachments, and exploits are sometimes waiting even in harmless-looking files. Industries that have made use of Content Disarm and Reconstruction include:

  • Banking, Financial Services & Insurance
  • Information Technology (IT)
  • Manufacturing
  • Wholesale Distribution
  • Construction
  • Non-profit Organizations
  • Food & Beverage
  • Retail
  • Hospitality
  • Government

Case Study: Clariter

One specific example of an organization that benefits from CDR is Clariter, an international company that upcycles plastic waste. Clariter uses state-of-the-art technology to transform used plastics into a number of solvents that then become ingredients in hundreds of new consumer products. As the company has grown over its nearly 20 years of existence, protection against malware has become more important. 

The solution they found was FileWall, the CDR offering from odix. FileWall was created as an add-on for Microsoft’s Exchange Online and is fully integrated with Azure Sentinel and Microsoft Graph Security API as well. It has a patented algorithm that breaks down files, eliminates any malware embedded in them, and then reconstructs clean versions of them. According to Clariter’s IT Manager Lance Soller, FileWall has provided unmatched protection and the company has seen a significant decrease in malware infiltration.

How to Deploy CDR

FileWall is a great option for CDR protection, especially if you work with Microsoft. Its native integration with Microsoft solutions allows for smooth delivery and added security. While FileWall is reconstructing files, suspicious and harmful events are still reported to Azure Sentinel simultaneously. Users can quickly access safe files while other security mechanisms continue to run in the background. And FileWall is designed to let administrators easily access a broad range of file and system controls to suit their needs best. If you’d like to deploy Content Disarm and Reconstruction, you can read more about FileWall and even sign up for a free plan here.
