Enhancing Threat Detection with Deep CDR & Adaptive Sandbox

This article applies to MetaDefender Core 5.12.1 (or higher) and Adaptive Sandbox 2.1.0 (or higher) releases deployed on Windows or Linux systems.

Integrating Deep CDR Analysis Mode with Adaptive Sandbox provides a layered approach to security, combining content disarmament (CDR) for immediate risk reduction with sandbox analysis for advanced zero-day detection.

  • Deep CDR acts as a pre-filter by stripping active content (e.g., macros, scripts) to mitigate risk but does not determine if the file was malicious.
  • Adaptive Sandbox is required for full threat analysis, identifying zero-day threats, hidden malware, and evasive techniques that CDR alone cannot detect.
  • Using CDR to trigger sandboxing ensures that high-risk files (those containing active content) are analyzed more deeply while reducing unnecessary sandbox scans for benign files.

Why This Matters

Stripping active content is a foundational step in securing a file. If a file was originally malicious, removing certain elements merely disarms the malicious content; its inherent untrustworthiness remains.

Sandbox analysis complements CDR to uncover the true threat and the potential scale of an attack, allowing deeper inspection of obfuscation and behavioral patterns and the identification of unknown malware.

Set up Deep CDR Analysis mode

If you prefer to retain your files without modifications while still leveraging the benefits of CDR integration, enable the CDR Analysis Mode. For more information, visit the Deep CDR analysis mode page.

Enable Deep CDR for archives

To submit archives for processing, ensure that Deep CDR Archive Processing is enabled in the Archive Compression Engine Workflow Settings. Additionally, activate the required archive types for your use case. For detailed instructions, refer to the Deep CDR advanced configuration page.

Set up the Adaptive Sandbox Deep CDR Active Content trigger

Under Workflow Management -> Workflows -> (Name of the workflow) -> Adaptive Sandbox -> Advanced configuration, there is an option "Enable for Active Content(s) found by Deep CDR".

By default, every supported Active Content type is selected, but the selection can be narrowed to best suit the current application.
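The following is an added illustration of the trigger logic described above, not MetaDefender Core's own code or API: a small model in which Deep CDR's reported active-content types are compared against the configured trigger set, recursing into extracted archive entries only when archive processing is enabled. The category labels ("macro", "script", "hyperlink", "ole_object") are constructed for the example and are not the product's real category names.

```python
from dataclasses import dataclass, field

# Constructed model of a scanned file as seen by the workflow (not the product's data format).
@dataclass
class ScannedFile:
    name: str
    active_content: set                  # active-content types Deep CDR reported for this file
    children: list = field(default_factory=list)  # extracted archive entries, if any


def should_sandbox(file: ScannedFile, trigger_types: set, archive_processing: bool) -> set:
    """Return the active-content types that justify an Adaptive Sandbox submission.

    An empty set means the CDR pre-filter found nothing in the configured trigger
    list, so the file is not sent to the sandbox. Archive members are only examined
    when Deep CDR Archive Processing is enabled; otherwise nested content is invisible
    to the trigger, which is why the page insists on enabling it.
    """
    hits = file.active_content & trigger_types
    if file.children and archive_processing:
        for child in file.children:
            hits |= should_sandbox(child, trigger_types, archive_processing)
    return hits


# Constructed sample inputs.
DEFAULT_TRIGGERS = {"macro", "script", "hyperlink", "ole_object"}  # "every supported type selected"
MACRO_DOC = ScannedFile("invoice.docm", {"macro"})
LINK_DOC = ScannedFile("newsletter.docx", {"hyperlink"})
CLEAN_PDF = ScannedFile("report.pdf", set())
ARCHIVE = ScannedFile("bundle.zip", set(), children=[CLEAN_PDF, MACRO_DOC])

if __name__ == "__main__":
    for sample, archives_on in ((MACRO_DOC, True), (CLEAN_PDF, True),
                                (ARCHIVE, True), (ARCHIVE, False)):
        hits = should_sandbox(sample, DEFAULT_TRIGGERS, archives_on)
        verdict = "submit to sandbox" if hits else "no sandbox scan"
        print(f"{sample.name:16} archive_processing={archives_on!s:5} -> {verdict} {sorted(hits)}")
```

Narrowing the trigger set (for example to macros and scripts only) is how the "best suit the current application" tuning from the text plays out: a document whose only active content is a hyperlink then no longer costs a sandbox run.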

Key Takeaway

Deep CDR removes risky elements but does not determine trustworthiness—it is not a replacement for threat detection. Adaptive Sandbox is required to detect malware and unknown threats, ensuring true zero-trust security.

If further assistance is required, please follow the instructions on How To Create a Support Package, then proceed to create a support case or chat with our support engineer.
