How do security gateways neutralize payloads?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You open an email from a client, download their Word doc, and your security gateway silently rewrites it before it ever reaches your desktop. You get a clean file. No macros. No hidden scripts. Did you lose data? Maybe. Here's what's actually happening.
Most email security gateways neutralize dangerous content through a process called Content Disarm and Reconstruction (CDR). The idea is simple: instead of just scanning a file for known threats and either blocking or passing it, CDR takes the file apart, removes anything that could execute code, and rebuilds it from scratch. What lands in your inbox is a reconstructed version of the original.
The reconstruction process typically strips out a few specific things. Macros in Office documents are the big one. Macros are small programs embedded in Word or Excel files, and they're a favorite delivery mechanism for malware. CDR removes them entirely. It also strips embedded scripts, active content like form fields that trigger server calls, and any objects that can run code when the file opens.
The thing most people don't realize is that this does break some legitimate functionality. If your finance team sends over an Excel sheet with custom macros to automate reporting, and CDR strips those macros, the file still opens and the data is still there. But the automation won't work. The text, numbers, tables, and formatting survive. The executable logic doesn't. (That's the trade-off, and it's worth knowing about before someone complains that the file is "broken.")
And some gateways go a step further with format conversion. Rather than reconstructing the original file type, they flatten it into a safer format entirely. A Word document gets converted to a PDF. A PDF gets re-rendered as a new PDF without its interactive layers. You lose native formatting control, but you eliminate the entire attack surface of the original file type.
The risk CDR is designed to stop is straightforward. An attacker sends a Word doc. The document looks normal. But it contains a macro that, when enabled, silently downloads malware from a remote server. A traditional antivirus scan might miss it if the macro is obfuscated or brand new. CDR doesn't care whether the macro is malicious or not. It removes all macros. That's its strength and its limitation in one.
Not every file type can be cleanly reconstructed. Complex formats with lots of nested objects, or unusual file types the gateway doesn't fully understand, may get blocked outright rather than disarmed. And some gateways offer a "sanitized copy plus original on request" workflow, where you receive the CDR version immediately but can retrieve the original after manual review if you genuinely need the macro functionality.
If you're diagnosing why a legitimate attachment arrived stripped or modified, our free Email Header Analyzer can help you trace what happened in transit. Or if something's broken right now, the SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.