May 17, 2026

Why antivirus on its own won’t catch a harmful document

Antivirus software does a genuinely good job at most of what it’s designed to catch. Run it, keep it updated, and you’ve blocked a huge chunk of the malware floating around the internet. The problem is the bit it wasn’t built for, and that bit happens to be how a lot of businesses get infected now.

Most successful attacks on small businesses don’t arrive as obviously dodgy executables. They arrive as documents. A PDF that looks like an invoice, a Word file claiming to be a delivery note, a spreadsheet sent by someone pretending to be a supplier. Files you’d open without thinking, and antivirus often won’t bat an eye when you do.

What’s actually inside a document

Office documents and PDFs aren’t simple containers for text and pictures. Underneath, they can carry macros (small programs that run automatically when the file opens), embedded scripts, links that trigger downloads in the background, and objects that execute code when clicked or even just viewed.

This functionality exists for good reasons. Excel macros save people genuine hours of work, embedded objects make complex documents possible, scripted PDFs power things like fillable forms. The same plumbing that makes documents useful is what’s turned them into the most popular delivery vehicle for malware.

When a malicious document arrives, the attack doesn’t announce itself. There’s no flashing warning, no pop-up. The file opens, you see whatever it was designed to show you, and behind the scenes a script runs, a connection opens to a server somewhere, and something gets installed. By the time anything feels off, you’re already compromised.

Roughly 87% of ransomware now arrives this way, through documents rather than executables. Attackers haven’t stopped writing malicious .exe files. They just don’t bother as much, because hardly anyone opens an unfamiliar .exe these days. PDFs and Word docs get opened all day long without a second thought, so that’s where the attacks went.

Why antivirus has a structural problem here

Antivirus works by recognising things it has already seen. It keeps a database of malware signatures (patterns of code lifted from previous attacks) and scans files looking for matches. When something matches, it blocks or quarantines the file. This is genuinely good at handling the bulk of common malware, which is why antivirus is still worth having.

The problem is the bit it can’t do. Every piece of malware starts out as something nobody has seen before. On day one, it has no signature. Antivirus scanning a brand new malicious document on day one will usually find nothing wrong with it, because there’s nothing in the database to compare it against. These are called zero-day attacks, and they’re built specifically to slip past signature-based scanning.

It gets worse. Sophisticated attackers build documents that behave themselves during automated scanning and only do something nasty under specific conditions: a certain amount of time has passed, a particular user opens the file, or the document detects that nothing is watching it. Sandboxing (opening the file in an isolated environment to see what it does) helps with some of this, but attackers have learned to spot sandboxes too. They sit politely until the scan ends, then activate.

None of this means antivirus is useless. It catches huge amounts of malware and you should keep running it. But there’s a real structural limitation when it comes to document-based threats that weren’t in its database the moment you double-clicked.

A different approach: strip the threat instead of looking for it

Content Disarm and Reconstruction, usually shortened to CDR, takes a different angle on the problem. Rather than trying to work out whether a document is dangerous, it assumes every document might be, and removes anything that could be used to run code regardless of whether it looks suspicious.

The process runs in four stages. First, the file’s actual format is checked against what it claims to be, which catches files disguised as something they aren’t. Second, the document is pulled apart and everything with executable potential is stripped out: macros, scripts, embedded objects, active links, anything outside what a safe document genuinely needs to carry. Third, a clean version of the document is rebuilt from what’s left. Fourth, the clean version is delivered to you. It looks and reads exactly like the original, just without the bits that could have done you harm.
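To make the four stages concrete, here is a small Python example of the pipeline applied to a macro-enabled Word document, which is a zip container of XML parts. It is an added illustration written for this article, not Red Eagle Tech's CDR API or any product's code, and it deliberately handles only one file type; the part names, relationship types and the sample document are constructed for the example. It also includes a signature check of the kind described in the antivirus section, with a one-entry "database", to show the structural point: the constructed macro part matches no known pattern, yet the disarm step removes it anyway because it removes every part with executable potential rather than looking for one it recognises.

```python
"""Toy Content Disarm and Reconstruction (CDR) pipeline for OOXML documents.

Added example, not Red Eagle Tech's code. Handles a constructed .docm sample only;
real CDR engines cover PDFs, legacy OLE files, images and many more part types.
"""
import io
import re
import zipfile

# Stage 1: what the file claims to be (extension) vs what its leading bytes say it is.
MAGIC = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),  # OOXML documents are zip containers
    "docm": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0",),  # legacy OLE2 compound file
}


def format_matches_claim(data: bytes, claimed_ext: str) -> bool:
    """Stage 1: reject files whose bytes do not match the extension they claim."""
    expected = MAGIC.get(claimed_ext.lower().lstrip("."))
    if expected is None:
        return False  # unknown type: fail closed rather than guess
    return any(data.startswith(m) for m in expected)


# Stage 2: zip parts that carry executable or active content (constructed list).
ACTIVE_PART = re.compile(r"(vbaProject\.bin$|/activeX/|/embeddings/|\.bin$)", re.I)
# Relationship types that point at active content or reach out to the network.
ACTIVE_REL_TYPE = re.compile(r"/(vbaProject|oleObject|hyperlink|attachedTemplate)$", re.I)


def read_parts(data: bytes) -> dict:
    """Unpack a zip-based document into {part name: bytes}."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def strip_active_parts(parts: dict):
    """Stage 2: drop every part with executable potential and all references to it."""
    removed = [name for name in parts if ACTIVE_PART.search(name)]
    clean = {}
    for name, body in parts.items():
        if name in removed:
            continue
        if name.endswith(".rels"):
            # Drop <Relationship/> elements with an active Type or a removed Target.
            def keep(m):
                rel = m.group(0)
                type_m = re.search(r'Type="([^"]+)"', rel)
                target_m = re.search(r'Target="([^"]+)"', rel)
                if type_m and ACTIVE_REL_TYPE.search(type_m.group(1)):
                    return ""
                if target_m and any(r.endswith(target_m.group(1).lstrip("/")) for r in removed):
                    return ""
                return rel
            body = re.sub(r"<Relationship\b[^>]*/>", keep, body.decode()).encode()
        elif name == "[Content_Types].xml":
            # Drop content-type overrides for parts that no longer exist.
            body = re.sub(r"<Override\b[^>]*/>",
                          lambda m: "" if any(r in m.group(0) for r in removed) else m.group(0),
                          body.decode()).encode()
        clean[name] = body
    return clean, removed


def rebuild(parts: dict) -> bytes:
    """Stage 3: write a fresh container from the surviving parts, never edit the original in place."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return out.getvalue()


def disarm(data: bytes, claimed_ext: str):
    """Stages 1 to 4 end to end: returns (clean document bytes, names of removed parts)."""
    if not format_matches_claim(data, claimed_ext):
        raise ValueError("file content does not match its claimed format")
    clean, removed = strip_active_parts(read_parts(data))
    return rebuild(clean), removed  # stage 4: hand back the rebuilt document


# Signature-style scanning for comparison: a constructed one-entry "database".
KNOWN_SIGNATURES = [b"CONSTRUCTED-KNOWN-MACRO-v1"]


def signature_scan(data: bytes) -> bool:
    """True only if a previously catalogued byte pattern appears inside the document."""
    return any(sig in body for body in read_parts(data).values() for sig in KNOWN_SIGNATURES)


def build_sample_docm() -> bytes:
    """Constructed sample: a minimal macro-enabled document whose macro part matches no signature."""
    parts = {
        "[Content_Types].xml": (
            b'<Types><Override PartName="/word/document.xml" ContentType="application/xml"/>'
            b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            b'</Types>'),
        "word/_rels/document.xml.rels": (
            b'<Relationships><Relationship Id="rId1" '
            b'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            b'<Relationship Id="rId2" '
            b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            b'Target="http://example.invalid/" TargetMode="External"/></Relationships>'),
        "word/document.xml": b"<w:document><w:body><w:p><w:r><w:t>Invoice 1042, due in 30 days</w:t></w:r></w:p></w:body></w:document>",
        "word/vbaProject.bin": b"CONSTRUCTED-NOVEL-MACRO-v2 (nothing in the signature database matches this)",
    }
    return rebuild(parts)


if __name__ == "__main__":
    sample = build_sample_docm()
    print("signature scan flags it:", signature_scan(sample))  # False: nothing catalogued
    clean, removed = disarm(sample, "docm")
    print("CDR removed:", removed, "| clean parts:", sorted(read_parts(clean)))
```

Two design points carry over to real deployments: the format check fails closed on anything it does not recognise, and the clean file is built from scratch rather than patched, so nothing the stripper did not explicitly copy can survive. The regex handling of the XML is fine for the constructed sample but a production implementation would use a proper XML parser and a full list of part and relationship types.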

What makes CDR genuinely different is that it doesn’t need to know what the threat looks like. No signature database, no pattern matching. A zero-day buried inside a Word file gets stripped out the same way a known piece of malware would, because both rely on the same delivery mechanism: executable content inside a document. Take that out of every document and the attack vector goes with it.

This is why CDR sits well alongside antivirus rather than replacing it. Antivirus handles the wide world of known threats. CDR handles the specific problem of document-based attacks, including the ones nobody has seen yet. Red Eagle Tech’s CDR API runs files through exactly this pipeline and returns a clean, fully working document on the other side.

Who’s most exposed

The honest answer is anyone who opens documents that came from somewhere outside their own machine, which is everyone with a computer. But some situations carry more risk than others.

Small businesses are particularly exposed. They handle a steady flow of documents from customers, suppliers, and contractors, and they generally have fewer security layers than larger organisations. An accountancy practice opening client paperwork, a letting agent receiving applications, a medical practice processing referrals, a recruiter going through CVs. All of these involve opening documents from sources that can’t all be fully trusted, and most of them rely on antivirus alone.

Home users get hit too. Phishing campaigns lean heavily on document attachments precisely because they slip past standard defences. A PDF dressed up as a delivery notification, a Word doc made to look like a bank statement, a spreadsheet pretending to be a quote from a tradesperson. These arrive constantly and a meaningful chunk of them are carrying something nasty.

File upload portals are the area people forget about. If your website lets users upload documents, every single upload is a potential entry point. Without CDR on the receiving end, you’re trusting that everyone uploading files has a clean machine and good intentions. That’s not a reasonable bet to be making.

What sensible document security looks like

The goal isn’t to stop opening documents. That’s not realistic and it would grind your business to a halt. What you want is for any document you open to only be able to show you its content, not run code on your machine.

Antivirus belongs in everyone’s setup and handles the known stuff. Keeping it updated genuinely matters; a signature database from three months ago is much less useful than one that updated this morning. Email filtering at the gateway catches a lot of malicious attachments before they reach an inbox. Staying sceptical about unexpected attachments sounds basic but works, and the human in front of the screen is still the best malware filter most of the time.

CDR fills the gap the rest can’t reach: the document that looks completely clean because the threat in it isn’t catalogued anywhere yet. For businesses handling a steady flow of external documents, or anyone who’d rather not end up phoning an IT specialist after opening the wrong PDF, it’s worth knowing what’s available. There’s a broader walk-through of what actually moves the needle on small business security in our cybersecurity essentials guide, which covers the full picture rather than just the document-attack piece of it.

The documents in your inbox right now are almost certainly fine. The thing worth knowing is whether you’d notice if one of them wasn’t, and whether your current setup would catch it before it caused you a problem. For most people the honest answer is that antivirus gives you partial coverage, and the gap it leaves is exactly where the more sophisticated attacks aim.

About the author 

Kyrie Mattos

