Content Disarm and Reconstruction (CDR) settings
- Pavel Novák
In the Content Disarm and Reconstruction (CDR) engine settings dialog, it is possible to adjust the engine settings for converting content to a safe format. The engine allows for the conversion of certain file types (typically Office documents) to PDF format without active content. Unlike the original file, which could theoretically contain malicious code (e.g., in the form of macros, embedded files, etc.), this converted file is safe as it contains no active content or attachments.
The following parameters can be set:
Maximum file size limit
Specifies the maximum file size for which processing (conversion) is conducted. The operation primarily uses memory, and it is recommended not to set this value higher than about 10% of the server's memory.
(default: 100 MiB)
Treat oversize as clean
If this is enabled and the conversion is skipped because the file is too big, the file is considered “clean”. If this is disabled, then such file is considered “unclean” and the whole package or file will be quarantined.
(default: enabled)
Allowed file types (extensions)
List of file extensions (separated by line breaks) to be sent for the conversion to a safe format. Types not listed will not be sent for conversion to a safe format and will remain only in their original form.
(default: bib, bmp, csv, dbf, dif, doc, doc6, doc95, docbook, docx, docx7, emf, eps, fodg, fodp, fods, fodt, gif, html, jpg, latex, mediawiki, met, odd, odg, odp, ods, odt, ooxml, otg, otp, ots, ott, pbm, pct, pdb, pdf, pgm, png, pot, potm, ppm, pps, ppt, pptx, psw, pwp, pxl, ras, rtf, sda, sdc, sdc3, sdc4, sdd, sdd3, sdd4, sdw, sdw3, sdw4, slk, stc, std, sti, stw, svg, svm, swf, sxc, sxd, sxd3, sxd5, sxi, sxw, text, tiff, txt, uop, uos, uot, vor, vor3, vor4, vor5, wmf, wps, xhtml, xls, xls5, xls95, xlsx, xlt, xlt5, xlt95, xpm)
In case of conversion failure, quarantine the file
If this option is enabled, successful conversion (of files sent to be converted) is mandatory. Only files of the specified types (extensions) are sent for conversion. If the conversion fails, the original file (or package) is quarantined.
If the option is disabled, then the failure of a file conversion causes no action. The original file remains in the package, accessible to users, and no safe conversion is created.
(default: disabled)
Place files of other (not allowed) types (extensions) in quarantine
If this option is enabled, files that are not of the listed types (extensions) are quarantined. This means the files, for which conversion to a safe format is not attempted at all.
If the option is disabled, files not undergoing conversion to a safe format are left in the package.
(default: disabled)
Delete the original file
If enabled and the file conversion to a safe format is successful, the original file will be deleted (only the safe conversion remains). If disabled, the original file stays in the package along with the safe conversion.
(default: disabled)
Forbidden MIME file types
List of MIME file types for which conversion is not performed, regardless of the extension. This prevents spoofing of file extensions, such as renaming an EXE to DOCX, which would cause conversion failure, generate nonsensical output, or otherwise disrupt functionality.
(default: executable, exe, zip, application/x-msdownload)
Quarantine files of unallowed MIME types
If this option is enabled, files that are forbidden MIME types (see above) are moved to quarantine. This serves as protection against file extension spoofing. For example, an exe file might be renamed to docx.
(default: disabled)
Configuration example
