Fortinet Document Library

Version:


Table of Contents

Cookbook

6.2.0
Download PDF
Copy Link

Content disarm and reconstruction for antivirus

Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft documents and PDF (disarm) by removing active content such as hyperlinks, embedded media, javascript, macros, etc. from the office document files without affecting the integrity of it's textual content (reconstruction).

This feature allows network admins to protect their users from malicious office document files.

Files processed by CDR can have the original copy quarantined on the FortiGate, allowing admins to observe them. These original copies can also be obtained in the event of a false positive.

Support and limitations

  • CDR can only be performed on Microsoft Office Document and PDF files.
  • Local Disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
  • CDR is only supported on HTTP, SMTP, POP3, IMAP.
    • SMTP splice and client-comfort mode is not supported.
  • CDR does not work on flow based inspection modes.
  • CDR can only work on files in .ZIP type archives.

Network topology example

Configuring the feature

In order to configure antivirus to work with CDR, you must enable CDR on your antivirus profile, set the quarantine location, and then fine tune the CDR detection parameters.

To enable CDR on your antivirus profile:
  1. Go to Security Profiles > AntiVirus.
  2. Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.

To set a quarantine location:
  1. Go to Security Profiles > AntiVirus.
  2. Select a quarantine location from the available options, including Discard, File Quarantine, and FortiSandbox.

    Discard The default setting which discards the original document file.
    File Quarantine Saves the original document file to disk (if possible) or a connected FortiAnalyzer based on the FortiGate's log settings, visible through Config GlobalConfig Log FortiAnalyzer Setting.
    FortiSandbox Saves the original document file to a connected FortiSandbox.
To fine tune CDR detection parameters in the FortiGate CLI:
  • Select which active content to detect/process:
    • By default, all active office and PDF content types are enabled. To fine tune CDR to ignore certain content, you must disable that particular content parameter. The example below configures the CDR to ignore Microsoft Office macros.
      FGT_PROXY (vdom1) # config antivirus profile
      
      FGT_PROXY (profile) # edit av
      change table entry 'av'
      
      FGT_PROXY (av) # config content-disarm
      
      FGT_PROXY (content-disarm) # set ?
      original-file-destination    Destination to send original file if active content is removed.
      office-macro                 Enable/disable stripping of macros in Microsoft Office documents.
      office-hylink                Enable/disable stripping of hyperlinks in Microsoft Office documents.
      office-linked                Enable/disable stripping of linked objects in Microsoft Office documents.
      office-embed                 Enable/disable stripping of embedded objects in Microsoft Office documents.
      office-dde                   Enable/disable stripping of Dynamic Data Exchange events in Microsoft Office documents.
      office-action                Enable/disable stripping of PowerPoint action events in Microsoft Office documents.
      pdf-javacode                 Enable/disable stripping of JavaScript code in PDF documents.
      pdf-embedfile                Enable/disable stripping of embedded files in PDF documents.
      pdf-hyperlink                Enable/disable stripping of hyperlinks from PDF documents.
      pdf-act-gotor                Enable/disable stripping of PDF document actions that access other PDF documents.
      pdf-act-launch               Enable/disable stripping of PDF document actions that launch other applications.
      pdf-act-sound                Enable/disable stripping of PDF document actions that play a sound.
      pdf-act-movie                Enable/disable stripping of PDF document actions that play a movie.
      pdf-act-java                 Enable/disable stripping of PDF document actions that execute JavaScript code.
      pdf-act-form                 Enable/disable stripping of PDF document actions that submit data to other targets.
      cover-page                   Enable/disable inserting a cover page into the disarmed document.
      detect-only                  Enable/disable only detect disarmable files, do not alter content.
      
      FGT_PROXY (content-disarm) # set office-macro disable
      FGT_PROXY (content-disarm) #
  • Detect but do not modify active content:
    • By default, CDR will disarm any detected documents containing active content. To prevent CDR from disarming documents, you can set it to operate in detect-only mode. To do this, the option detect-only must be enabled.
      FGT_PROXY (vdom1) # config antivirus profile
      
      FGT_PROXY (profile) # edit av
      change table entry 'av'
      
      FGT_PROXY (av) # config content-disarm
      
      FGT_PROXY (content-disarm) # set detect-only ?
      disable    Disable this Content Disarm and Reconstruction feature.
      enable     Enable this Content Disarm and Reconstruction feature.
      
      FGT_PROXY (content-disarm) # set detect-only enable
      FGT_PROXY (content-disarm) #
  • Enabling/disabling the CDR cover page:
    • By default, a cover page will be attached to the file's content when the file has been processed by CDR. To disable the cover page, the paramater cover-page needs to be disabled.
      FGT_PROXY (vdom1) # config antivirus profile
      
      FGT_PROXY (profile) # edit av
      change table entry 'av'
      
      FGT_PROXY (av) # config content-disarm
      
      FGT_PROXY (content-disarm) # set cover-page
      disable    Disable this Content Disarm and Reconstruction feature.
      enable     Enable this Content Disarm and Reconstruction feature.
      
      FGT_PROXY (content-disarm) # set cover-page disable
      
      FGT_PROXY (content-disarm) #

Content disarm and reconstruction for antivirus

Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft documents and PDF (disarm) by removing active content such as hyperlinks, embedded media, javascript, macros, etc. from the office document files without affecting the integrity of it's textual content (reconstruction).

This feature allows network admins to protect their users from malicious office document files.

Files processed by CDR can have the original copy quarantined on the FortiGate, allowing admins to observe them. These original copies can also be obtained in the event of a false positive.

Support and limitations

  • CDR can only be performed on Microsoft Office Document and PDF files.
  • Local Disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
  • CDR is only supported on HTTP, SMTP, POP3, IMAP.
    • SMTP splice and client-comfort mode is not supported.
  • CDR does not work on flow based inspection modes.
  • CDR can only work on files in .ZIP type archives.

Network topology example

Configuring the feature

In order to configure antivirus to work with CDR, you must enable CDR on your antivirus profile, set the quarantine location, and then fine tune the CDR detection parameters.

To enable CDR on your antivirus profile:
  1. Go to Security Profiles > AntiVirus.
  2. Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.

To set a quarantine location:
  1. Go to Security Profiles > AntiVirus.
  2. Select a quarantine location from the available options, including Discard, File Quarantine, and FortiSandbox.

    Discard The default setting which discards the original document file.
    File Quarantine Saves the original document file to disk (if possible) or a connected FortiAnalyzer based on the FortiGate's log settings, visible through Config GlobalConfig Log FortiAnalyzer Setting.
    FortiSandbox Saves the original document file to a connected FortiSandbox.
To fine tune CDR detection parameters in the FortiGate CLI:
  • Select which active content to detect/process:
    • By default, all active office and PDF content types are enabled. To fine tune CDR to ignore certain content, you must disable that particular content parameter. The example below configures the CDR to ignore Microsoft Office macros.
      FGT_PROXY (vdom1) # config antivirus profile
      
      FGT_PROXY (profile) # edit av
      change table entry 'av'
      
      FGT_PROXY (av) # config content-disarm
      
      FGT_PROXY (content-disarm) # set ?
      original-file-destination    Destination to send original file if active content is removed.
      office-macro                 Enable/disable stripping of macros in Microsoft Office documents.
      office-hylink                Enable/disable stripping of hyperlinks in Microsoft Office documents.
      office-linked                Enable/disable stripping of linked objects in Microsoft Office documents.
      office-embed                 Enable/disable stripping of embedded objects in Microsoft Office documents.
      office-dde                   Enable/disable stripping of Dynamic Data Exchange events in Microsoft Office documents.
      office-action                Enable/disable stripping of PowerPoint action events in Microsoft Office documents.
      pdf-javacode                 Enable/disable stripping of JavaScript code in PDF documents.
      pdf-embedfile                Enable/disable stripping of embedded files in PDF documents.
      pdf-hyperlink                Enable/disable stripping of hyperlinks from PDF documents.
      pdf-act-gotor                Enable/disable stripping of PDF document actions that access other PDF documents.
      pdf-act-launch               Enable/disable stripping of PDF document actions that launch other applications.
      pdf-act-sound                Enable/disable stripping of PDF document actions that play a sound.
      pdf-act-movie                Enable/disable stripping of PDF document actions that play a movie.
      pdf-act-java                 Enable/disable stripping of PDF document actions that execute JavaScript code.
      pdf-act-form                 Enable/disable stripping of PDF document actions that submit data to other targets.
      cover-page                   Enable/disable inserting a cover page into the disarmed document.
      detect-only                  Enable/disable only detect disarmable files, do not alter content.
      
      FGT_PROXY (content-disarm) # set office-macro disable
      FGT_PROXY (content-disarm) #
  • Detect but do not modify active content:
    • By default, CDR will disarm any detected documents containing active content. To prevent CDR from disarming documents, you can set it to operate in detect-only mode. To do this, the option detect-only must be enabled.
      FGT_PROXY (vdom1) # config antivirus profile
      
      FGT_PROXY (profile) # edit av
      change table entry 'av'
      
      FGT_PROXY (av) # config content-disarm
      
      FGT_PROXY (content-disarm) # set detect-only ?
      disable    Disable this Content Disarm and Reconstruction feature.
      enable     Enable this Content Disarm and Reconstruction feature.
      
      FGT_PROXY (content-disarm) # set detect-only enable
      FGT_PROXY (content-disarm) #
  • Enabling/disabling the CDR cover page:
    • By default, a cover page will be attached to the file's content when the file has been processed by CDR. To disable the cover page, the paramater cover-page needs to be disabled.
      FGT_PROXY (vdom1) # config antivirus profile
      
      FGT_PROXY (profile) # edit av
      change table entry 'av'
      
      FGT_PROXY (av) # config content-disarm
      
      FGT_PROXY (content-disarm) # set cover-page
      disable    Disable this Content Disarm and Reconstruction feature.
      enable     Enable this Content Disarm and Reconstruction feature.
      
      FGT_PROXY (content-disarm) # set cover-page disable
      
      FGT_PROXY (content-disarm) #