February 24, 2022

What are file-based threats?

The nature of modern digital communication means that organizations create and share files in their billions on a daily basis. As such, they have become one of the ‘go to’ attack vectors used by cybercriminals and nation-state adversaries to gain access to networks, distribute malware or initiate ransomware attacks.

The risks are well known, with cyber hygiene and security training focusing on the need for user vigilance. Yet, our collective reliance on documents and files is so embedded into working culture that mistakes are inevitable.

What’s more, bad actors have become increasingly skilled in delivering email attachments that appear entirely genuine. As a result, organizations fall victim to cyberattacks that no amount of training can hope to prevent.

These risks are amplified by the inherent limitations of reactive security technologies – such as antivirus and sandboxing solutions – where new malicious content can remain undetected for up to 18 days before they are updated.

In contrast, Glasswall delivers proactive protection against file-based threats, safeguarding organizations from malware that can fly under the radar of legacy protection tools.

Our Content Disarm and Reconstruction (CDR) technology instantly cleans and rebuilds files (PDF, Excel etc) to match their ‘known good’ manufacturer’s specification – automatically removing potential cyber threats. This simple approach ensures every document entering or leaving the organization is safe, without sacrificing productivity, meaning users can trust every file.

Glasswall CDR addresses the five core categories of risk faced by organizations in their daily use of files:

1. Structural Deviations

Structural deviations are differences in how a file is composed, compared to that file type’s ‘known good’ specification. They represent a significant risk as malicious code can be hidden within.

How Glasswall Addresses Structural Deviations

Glasswall regenerates files to the safe standard of ‘known good,’ enforcing the format’s structural specification. Here’s how:

  1. Glasswall validates each structure in a file against its specification. Any that fail validation are marked non-conforming.
  2. Glasswall performs remediation on these non-conforming structures, bringing them back into line.
  3. Glasswall rebuilds the files with its structure in the new compliant and standardized form.
  4. Any malware that is hidden or obfuscated in the file structure has been disarmed, destroyed or removed.

2.Active Content

Active content is extra functionality in a file that can perform actions on end users' machines, such as macros, JavaScript and embedded files. It is frequently exploited to trigger malicious activity.

In particular, high-risk active content is delivered in a number of formats, including:

  • Macros & JavaScript are forms of active code, which may be benign in nature, but all too often are used by bad actors to mount an attack against the user or receiving system when expressed in a business document.
  • Dynamic Data Exchange (DDE) within Microsoft documents is known to present risk as the protocol may be used to execute malicious code on the recipient's computer.
  • Embedded objects within files may present a risk if they provide a way for active code to be triggered, or to hide data within a document.
  • An 'Acrobat Form', in addition to looking like a form, it may also contain active code (e.g. JavaScript) which could be malicious. They can also be used to hide objects inside other objects.
  • An action within a PDF may be benign in nature but is designed to make the document dynamic in nature. An attacker may use the action to trigger active code (e.g. JavaScript) or to send data to a URL. The functionality can be misused to cause harm to the recipient.

How Glasswall Addresses Active Content

Remove active content from files by applying policies and restricting features to only users who need them for specific business reasons. This means that users would not be exposed to unnecessary risks from active content.


3. Legacy Office Formats

There are a larger number of known vulnerabilities for legacy office formats which are still being exploited today.

For instance, the first version of Word, released in 1983, was for the MS-DOS operating system. It initially implemented the .doc format, but Word 2007 deprecated this format in favor of Office Open XML (.docx .xlsx and .pptx).

Legacy binary .doc .xls or .ppt files are an unnecessary risk for any organization. There’s no reason to use these old file types when the far safer XML formats have been available for over a decade.

How Glasswall Addresses Legacy Office Formats

Glasswall regenerates binary Office files to the safe standard of ‘known good,’ enforcing the format’s structural specification and eradicating high-risk active content, mitigating the risk from legacy Office formats.

4. High-Risk File Types

File types are deemed high risk if there are malware examples within the Glasswall Threat Intelligence data set. Examples include .html & .exe file types. These are more likely to be used for malicious purposes by attackers than by authorized users for legitimate purposes.​

How Glasswall Addresses High-Risk File Types​

Glasswall provides visibility and tooling to control which file types can enter the organization. As a result, users only receive file types compliant with corporate policy.

5. Identified Malware

Malware is software that’s intentionally been created to cause harm. Glasswall’s Threat Intelligence confirms when files have been identified as malware.

File-based threats and zero-trust

As organizations act to address changing security vulnerabilities, cybercriminals shift tactics in an effort to stay ahead. As a result, there has been significant growth in the adoption of zero-trust security – an approach that sees the world differently from other approaches to cybersecurity. In this context, no one is trusted by default, regardless of whether they are inside or outside a network because, without it, attackers can have unrestricted access across a network once they are inside.

Adding a Content Disarm and Reconstruction (CDR) capability to the cybersecurity stack plays a vital role in a rounded zero trust cybersecurity strategy, particularly in the fight against malicious file uploads. As recently highlighted by Gartner, “Restrict the file types to the minimum required. For allowed file types, there are essentially four options to limit the risk of malware upload: CDR provides the highest security.  Done well, CDR removes all threats from uploaded files without adding significant latency. Since it does not depend on the detection of known threats, it can even protect against completely new attack types.”

Further information:

To read more about file-based vulnerabilities and Glasswall CDR, visit our website.

Book a demo

Talk to us about our industry-leading CDR solutions

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.