Metadefender Core v3.13.0.pdf - OPSWAT Knowledge Center

© 2016 OPSWAT, Inc. All rights reserved. OPSWAT®, MetadefenderTM and the OPSWAT logo are trademarks of OPSWAT, Inc.All other trademarks, trade names, service marks, service names, and images mentioned and/or used herein belong to their respective owners.

Table of Contents

About This Guide 15

Key Features of Metadefender Core 16

1. Installing or Upgrading Metadefender Core 17

1.1. System Requirements 17Hardware requirements 17Software requirements 18Browser requirements for the Metadefender Core Management Console 18Additional installation of 3rd party framework/components 18Additional installation of Windows services by Metadefender Core 19Ports that must be available 20Driver installation by Metadefender Core 20Whitelisting requirements 20

1.2. Installing Metadefender Core 20Optional components 21Installing Metadefender Core Using the Command Line 21Installing Metadefender Core Using the Install Wizard 24

1.3. Activating Metadefender Core Licenses 27Activating and Managing Metadefender licenses 27Activation Mechanisms (online vs. offline activation) 28License System Validation 28Trial licenses 28License types 28License Manager Command Line Interface 29Offline License Activation By Management Console 32Online License Activation By Management Console 35

1.4. Upgrading Metadefender Core 38Exporting process history 40Exporting your current configuration using the command line 40Exporting Quarantined file and email history 40Installing the upgrade 41Restoring your previous configuration using the Management Console 41

Importing your previous configuration using the command line 42Importing Quarantined File and Email history 42Importing process history 43Upgrading from Metadefender Core 3.5 or earlier 43Upgrading from Metadefender Core 3.12.5 and using Mail Agent 43

1.5. Performance and Load Estimation 44What to know before reading the results: Some factors that affect performance 44How test results are calculated 45Test Report 45Performance Report - Multi-Scanning 45

2. Configuring Metadefender Core 49

Using Management Console to configure Metadefender 49

Using the Command Line Utility to configure Metadefender 49

Configuration options available through the omsConfig.ini file 50

2.1. Scan Configuration (global configuration options) 50

2.2. Engine Configuration 52Applying Offline Updates 53Configuring Scan Engines 54Online Update Configuration 55

2.3. Sources Configuration 58Metadefender Client Configuration 58Metadefender Email Configuration 60Metadefender Proxy Configuration 60

2.4. Workflow Profile Configuration 612.4.1. Creating a New Workflow Profile 612.4.2. Pre-defined Workflow Profiles 652.4.3. Archive Handling 672.4.4. File Type Detection And Filtration Overview 70

2.5. Metadefender Core Logs 72Debug logs 72Application Log 72Email Event Log 73Email History 73File Log 74

Logging Configuration 75Windows Event Log 78

2.6. Quarantine Management 79Accessing the Quarantine tab in the Metadefender Core Management Console 79Scheduling quarantine reports 80

2.7. Filter CLI - Whitelisting/Blacklisting 81omsFilter - about 83omsFilter - addtoblack 83omsFilter - addtowhite 83omsFilter - list 84omsFilter - remove 85

2.8. Advanced Configuration Options 85CORS Configuration 85Enabling HTTPS 86Engine Specific Configuration 98Import/Export from Command Line 101Post Action Script 102RAM Disk Configuration 105REST Server Configuration 107

2.9. Non-Workflow Configuration (Deprecated) 109Caching 109ScanEx Configuration 110

3. Data Sanitization (CDR) 114

What is Data Sanitization? 114

Supported File Types 114

Single Output File or Multiple Output File 115

Data Sanitization Performance (speed) 116System Info 116Resources 116Test result 116

Preventing Unknown Threats 117

4. Developer Guide 123

Building Custom Engines 123What you need to do 123Installation and configuration 124Example 125When uninstalling or upgrading Metadefender Core 125C# Custom Engine Template 125Custom Engine C Interface 134

COM Interface 146Important Return Type 153COM Connection Points 155Deprecated COM interface 171Methods 180Sample Code 200

Command Line Utility 202Exit code (for scan command) 202Process a File Command 202

Java Sample 204With the Eclipse IDE running: 204Running on the Command Line: 204

REST API (v2) 204API key-based authentication 205Getting Started 205Compatibility with Core v4 and Metadefender.com 205Advanced Usages 205Look Up Hash and Process (Scan / Sanitize) A File 222Response Description 233Creating Cpp library for REST API 247

5. Release Notes 253

New features 253

Other changes 253

General and Known Issues 253General 253Known issues 253

6. Important Concepts and Terminology 256

Usable AVs (antivirus) 256

Current AVs 256

Customer licensed engine 257

Synchronous/asynchronous scan 257

Valid file name 257

7. Metadefender / Client 258

About This Guide 258

Key Features of Metadefender Client 258

Available Metadefender Client Packages 259Metadefender Client 259Metadefender USB Client 259Metadefender Cloud Client 259

Metadefender Client Configuration in Metadefender Core 3.x 259

Release Notes 261Changes in 3.12.5 261

8. Metadefender / Email 263

Second Layer of Defense for Your Email Security Gateway 263

Key Features 263

Deployment Options 263Mail Proxy Deployment (Generic) 263Cloud Deployment 264Onsite Microsoft Exchange Deployment 264

Metadefender Email Does Not 265

1. Before Installation 265Increase Capacity and Resiliency 265System Requirements 266

2. Mail Proxy Deployment (Generic) 268

Configuring Incoming Threat Protection 268Configuring Outgoing Threat Protection 273Configuring Recipient Verification 277TLS support (Incoming/Outgoing emails) 279

3. Cloud Deployment 286Overview 286Steps 286Limitation 286Google Apps integration 287Microsoft Office 365 Integration 293

4. Onsite Microsoft Exchange Deployment 299How To Verify 300

5. Notification and Report 300Available Notification / Report 300Email Server For Notification 301Customizing Disclaimers 301Error Email Notification 302Infection Email Notification 304Quarantine Reports 305Sanitized Email Notifications 306

6. Additional Configuration 306Advanced Configuration 306Email Processing Workflow (Metadefender Core) 327Quarantine Email 328Skip Email Analysis 331

7. (Email) Release Notes 332New Features 332Other Changes 332(Email) General and Known Issues 332

9. Metadefender / ICAP Server 333

Web Proxy Integration 333

Reverse Proxy Integration 334

Web Proxy Servers Supported 334

1. ICAP server Configuration 335

Configuration via Metadefender Core Management Console 335Configuration via INI 335Enabling profiling logging 339TLS support 340

2. ICAP response headers 342

3. Web Proxy Integrations 344ICAP URL 346ARA network JAGUAR5000 346BlueCoat ProxySG 348F5 BIG IP 362McAfee Web Gateway 371Squid 375

4. Using ICAP server for Metadefender Core v4.x (BETA) 379For Windows 379For Linux (Ubuntu 16.04) 379Configuration via INI 380

10. Metadefender / Kiosk 385

Overview 385

Key Features 385

User authentication 386

Peripheral media 386

Encrypted USB devices 386

Media handling 387

Processing files 387

Scanning session results 388

Customizable interface 388

System hardening 388

1. Installing / Upgrading Metadefender Kiosk 3881.1. Kiosk System Requirements 3891.2. Installing Metadefender Kiosk Using the Install Wizard 3911.3. Installing Metadefender Kiosk from the Command Line 395

1.4. Managing License Information 3961.5. Upgrading Metadefender Kiosk 398

2. Kiosk Hardening 399User Access Control (UAC) 400Windows Update 401Setting the screen saver and power saving options 401Disabling mouse cursor pointer 401Disabling hotkeys 402Other system hardening configuration 402CORS Configuration 4022.1. Configuring the Web Server 4022.2. Disabling Windows Hot Keys 407

3. Management Console for Administration 409

4. Kiosk Authentication / User Workflow 4104.1. Workflow Profiles Page 4114.2. Properties & Membership 4144.3. Managing User Questions 4144.4. Allowed Media Types 4154.5. Selecting A Metadefender Core Workflow 4154.6. Selecting How to Handle Processed Files 4164.7. Custom Command Line Script 4194.8. Managing Printing Options 4224.9. Email Session Report 423

5. Configuring a Metadefender Core Server 423Detecting the Metadefender Core server URL 424Authenticating your configuration 424Associating workflows in Metadefender Kiosk to workflows in Metadefender Core 4275.1. Trusting an HTTPS Metadefender Core Server 427

6. Configuring with SFT 433Change on management console 433SFT account options for file uploads 4346.1. Arbit Data Diode configuration 434

7. Additional Kiosk Configuration 435Dashboard 435Configuration 4377.1. UI Localization / Customization 4387.2. Watchdog Behavior 440

7.3. Configuring User Settings 4417.4. Session Logs 4507.5 Alert Sound Customization 455

8. Launching Metadefender Kiosk 4568.1. Exiting the Kiosk User Interface 456

9.1. Logging In on the User Authentication Screen 457Answering User Questions 458

9.2. Inserting Digital Media 459

9.3. Unlocking Encrypted Devices 459

9.4. Processing Digital Media 460

9.5. Processing Encrypted Archives 461

9.6. Copying Files to Another Media 462

9.7. Viewing and Printing the Session Results 464Viewing details about copied files 464Viewing details about blocked files 465Viewing details about mismatched results 466Data Included in Metadefender Kiosk Log Files 466Example of a Scan Log File 473

10. Developer Guide 47610.1. Custom Authentication Module 476

11. Release Notes 490New features 490Other changes 49011.1. Archived Kiosk Release Notes 49011.2. Known Limitations of Metadefender Kiosk 502

11. Legal 504

Copyright 504DISCLAIMER OF WARRANTY 504COPYRIGHT NOTICE 504

Export Classification EAR99 504

12. Knowledge Base Articles 505

Are Metadefender Core upgrades free? 505

Avira engine not updating 506

Can I control access to the RAM disk? 506

Can I disable (and later re-enable) any of the antivirus engines in Metadefender Core? 507

Can I force an uninstall of Metadefender Core when the native uninstall does not work? 508

Can I install Metadefender Core v3 silently from a command line? 509

Can I run Metadefender Core without IIS? 509

Can I whitelist or blacklist a file so that Metadefender Core will always treat it as clean or dirty, respectively? 510

Can Metadefender Core scan attachments from within a PDF file? 511

Do any of the custom engines have updating limitations? 511

Does Metadefender Core offer real-time antivirus protection on the system where it is installed? 513

Does Metadefender Core v3.x require lots of memory for MongoDB usage? 513

Does the RAM Disk operate like other drives? 514

Does the RAM Disk size actually take space from the server-available hard disk space? 514

How are Metadefender Core remote clients licensed? 515

How can I purchase Metadefender licenses? 515

How can I see the number of files queued to be scanned? 515

How come the AnalyzeFileType API returns a failed result when scanning the System32 directory? 516

How do I change the directory Metadefender Core uses for archive extraction? 516

How do I change the location of Metadefender Core logs? 517

How do I configure Metadefender Core to only use one or several scan engines using the CLI? 518

How do I delete all scan logs from MongoDB and reset the database? 519

How do I disable real-time protection of my anti-malware software if it is not allowed by corporate policy? 520

How do I find my serial key / license key? 521

How do I install a RAM drive on an existing Metadefender Core installation? 521

How do I make Metadefender Core upload clean files to the FTP file server? 522

How do I modify the file size limit of the REST server in a remote Metadefender Core (formerly Metascan) configuration? 524

How do I set a password for the Metadefender Core Management Console? 525

How do I update my Metadefender Core Engines online? 525

How do I update the AhnLab engine? 526

How do I upgrade Metadefender Core while preserving configuration? 527

How do I upgrade to the latest release of Metadefender Core v3? 528

How fast can Metadefender Core process files? 529

How is MongoDB usage secured with Metadefender Core? 529

How long is the support life cycle for a specific version/release of Metadefender Core v3? 530

How would you recommend setting the RAM Disk size? 531

If I have an issue with Metadefender Core, what information does OPSWAT need in order to quickly troubleshoot my case? 532

Is it normal for Metadefender Core to consume 100% of my CPU? 533

Is it safe to use Metadefender Core COM APIs in Multi-threaded Apartment? 534

Is Metadefender Core available on 64-bit operating systems? 534

Is Metadefender Core compatible with .NET Framework 4.5.2? 534

Is there a .NET version of Metadefender Core? 535

Is there a virus test I could use to test Metadefender Core? 535

Metadefender Core shows a large number of files that failed to scan. What can I do? 535

My Customer Licensed Engine is not showing in Metadefender Core. What can I do? 536

Test cases for different scan results on Metadefender Core 536

Updated archive handling libraries 538

What are the maximum values for archive extraction settings? 538

What does "This key has reached the maximum usage" mean? 539

What do the 'skipped clean' and 'skipped dirty' scan results mean? 539

What file type conversions are supported in Metadefender Core 3.x? 540

What is a Customer Licensed Engine? 542

What is a Metadefender Client for licensing purposes? 543

What is a sanitized file? 543

What is Metadefender Core file type detection? 544

What is the difference between Scan, PutToScanQueue, and ScanEx? 545

What is the frequency of signature / definition updates? 545

What is the maximum file upload size limit when accessing Metadefender Core through the REST server? 546

What is the RAM Drive or Ram Disk and how is it used in Metadefender Core? 546

What is the support lifecycle for OPSWAT Appliances? 547

What operating system patches should I apply to the system hosting Metadefender Core? 547

What should you do if you have anti-malware on the same machine as Metadefender Core (formerly Metascan) ? 548

What URLs must be whitelisted to allow access to virus definition updates? 548

When I click Apply after I change the maximum total size of extracted files, I get an "Update failed" message. Why is that? 552

When will the updates for ThreatTrack and Agnitum no longer be available ? 552

Where are all of the Metascan knowledge base articles that I used to access? 552

Where can I submit false positives detected by Metadefender Core? 553

Where is Metadefender Core's temp directory located? 555

Which antivirus engines are designated by Metadefender Core as "customer licensed engines"? 556

Which antivirus products are compatible with Metadefender Core? 557

Why am I getting a COM UnauthorizedAccessException error: 80070005 when working with Metadefender Core from ASP? 557

Why did Metadefender Core stop working on Windows 10 ? 558

Why did the AVG engine disappear from the Metadefender Core Management Console? 559

Why does my Customer Licensed Engine (antivirus) always return "failed to scan"? 559

Why do I get a prompt to install OPSWAT by Christiaan Ghijselinck? 560

Why do MongoDB logs have a "You are running on a NUMA machine" warning? 561

Why is Bitdefender engine no longer working? 561

Why is engine heuristic scanning for some engines turned off by default in Metadefender Core? 561

Why is K7’s heuristic scanning turned off by default in Metadefender Core? 562 562

Why is Metadefender Core REST API returning different results than the Metadefender Management Console? 562

Why is Metadefender Core taking so long to start? 563

Why is my Avira engine no longer running? 563

Why is my Kaspersky engine no longer running? 564

Why isn't the Metadefender Email Agent processing my emails? 565

Why should I upgrade my Metadefender Core? 565

v3.13.0 15

About This Guide

Welcome to the Metadefender v3 guide. This guide is intended to provide the information you need to:

Install, configure, and manage Metadefender Core v3.

Integrate to other applications either through the Metadefender APIs or as a "Custom Engine".

Implement and use other Metadefender modules such as Email Agent, ICAP Server, Kiosk, Client, etc. (note that some of these modules require licenses that need to be purchased separately)

Learn about new features, updated features, and bug fixes on each Metadefender Release (i.e. each product version's release notes)

Learn about frequently asked questions and additional concepts through our library of knowledge base articles

While we offer the option to download this guide to a PDF file, it is optimized for online browser viewing. OPSWAT updates the online version of the guide regularly on an "as needed" basis. By viewing the document online, you are assured that you are always seeing the most recent and most comprehensive version of the guide.

v3.13.0 16

Key Features of Metadefender Core

File sanitization (aka Content Disarm and Reconstruction) using 90 data sanitization engines

Multi-scanning for malware with more than 30 leading anti-malware engines

Heuristic analysis to detect more unknown and targeted attacks

File Type Verification

Archive Extraction

Workflow Engine

Flexible APIs (REST, COM, Java, CLI)

High performance processing

https://www.opswat.com/products/metadefender/core/data-sanitization


https://www.opswat.com/products/metadefender/core/multi-scanning

https://www.opswat.com/heuristics

v3.13.0 17

1. Installing or Upgrading Metadefender Core

1.1. System Requirements

Hardware requirements

Metadefender v3 hardware requirements are dependent on your Metadefender Package Size (which is related to the number of AV engines). The table below lists the requirements that need to be dedicated to the Metadefender application the underlying Operating System. It assumes there are no other applications or services other than those related to Metadefender or the Operating System

Package Size Minimum System RAM*

Minimum Free Hard Drive Space Minimum CPU

Metadefender Core 1

4 GB 16 GB + 1.5 GB / one million scan data

4 core

Metadefender Core 4


4 core

Metadefender Core 8


4 core

Metadefender Core 12


4 core



4 core



4 core

Metadefender 20+ Consult with OPSWAT Technical Support.

* Minimum RAM requirement excludes additional RAM required if you plan to use the RAM Drive

v3.13.0 18

Software requirements

Operating System: Windows 7 / 8 / 8.1 / 10 / 2008 R2 / 2012 / 2012 R2

Bitness: 64-bit only

Windows Installer 4.5 or higher

Windows hotfix for Windows Server 2008 R2 or Windows 7

Beginning with version 3.11.2, Metadefender Core is only supported on Windows 64 bit operating systems.

Browser requirements for the Metadefender Core Management Console

Internet Explorer 10 or later

Safari 5.1 or later

Firefox 3.5 or later

Chrome

Additional installation of 3rd party framework/components

The following framework/component may be shared with other applications. Uninstalling may result in unexpected behavior of other applications.

Name Details Optional

IIS express IIS express 7.5 (Metadefender Core 3.11.0 or older)

(Metadefender Core 3.11.1 IIS express 8.0or newer)

REQUIRED

.NET framework 4 Client ProfileExtended

REQUIRED

http://support.microsoft.com/kb/2731284

http://www.iis.net/learn/extensions/introduction-to-iis-express/iis-75-express-readme#Installation

http://www.iis.net/learn/extensions/introduction-to-iis-express/iis-80-express-readme

v3.13.0 19


Microsoft Visual C++ redistributable

Microsoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2008 RedistributableMicrosoft Visual C++ 2008 Redistributable - x86Microsoft Visual C++ 2008 Redistributable - x64Microsoft Visual C++ 2010 Redistributable - x86Microsoft Visual C++ 2012 Redistributable - x86Microsoft Visual C++ 2013 Redistributable - x86

REQUIRED

VMware Virtual Disk Development Kit

version 5.1.1.1042608 REQUIRED

Additional installation of Windows services by Metadefender Core

Name Service Name Optional

Metadefender Generic Mail Agent mdfExgEmailAgent by default

Metascan Metascan by default

Metascan Helper Metascan Helper by default

Metascan ICAP omsICAP by default

Metascan Quarantine omsQuarantine by default

Metascan REST omsRest by default

https://www.vmware.com/support/developer/vddk/

v3.13.0 20

Ports that must be available

component/service port

mail agent service, quarantine service 8001

Quarantine REST 8000

Metascan REST 8008

mongodb 27018

Driver installation by Metadefender Core

RAM drive (if you choose to install OPSWAT RAM drive)

Whitelisting requirements

Any process running out of the Metadefender Core install directory should be whitelisted. It is best to exclude the folder from any real time protection

1.2. Installing Metadefender Core

OPSWAT recommends that you install the latest released version of Metadefender v3. You can get this version on our . Make sure that you are choosing the Portal in the Downloads tab"Metadefender Core v3" section within the page and the correct package size (Metadefender Core 1, Metadefender Core 4, Metadefender Core 8, etc.). Your purchased and/or trial license is specific to v3 and to a specific package size, so it is important that you

.download the corresponding installer

Note that OPSWAT offers the Metadefender Core v3 downloads as either an .exe file of an .iso file, except in the case of Metadefender Core 20, which only comes as an .iso file (it is too large to come as an .exe file). If you choose to download the .iso file, you will need to either (1) use software that can mount the .iso as a drive on your computer or (2) burn the .iso file to a CD, and then use a CD reader.

Once you have the installer, you can install Metadefender Core either by using the Install or through the .Wizard command line interface

https://portal.opswat.com/en/product-categories/metadefender-core

https://opswat.atlassian.net/wiki/display/MDM/Installing+Metadefender+Core+Using+the+Install+Wizard

https://opswat.atlassian.net/wiki/display/MDM/Installing+Metadefender+Core+Using+the+Install+Wizard

https://opswat.atlassian.net/wiki/display/MDM/Installing+Metadefender+Core+Using+the+Command+Line

v3.13.0 21

In addition to the standard Metadefender Core installation, there are optional components that can be installed, based on your requirements.

Optional components

RAM drive

RAM drive installation will appear in a separate pop-up window. Click to continue the Installinstallation of the RAM drive component. For more information on installing on Core servers that are already running without reinstalling Metadefender Core, click .here

Installing Metadefender Core Using the Command Line

Installing Metadefender Core from the command line requires Windows Installer 3.0 or Note:higher.

Command line options

Important: Command line options for Metadefender Core 3.7 and later are different than the command line options available for versions 3.6 or older. Older command line options will not work with versions 3.7 or later.

The following command line options are available with Metadefender Core. Note: All arguments are case sensitive. The Packages column indicates which Metadefender

Core package(s) each command line switch is available for: either 1, 4, 8, 12, 16, or ALL.

Command Line Option Description Example Packages

/install Install Metadefender Core

C:\Metadefender_Core.exe /install

ALL

/uninstall ALL

https://portal.opswat.com/en/knowledge-base/articles/208211773

v3.13.0 22


Uninstall Metadefender Core and delete all files installed by Metadefender Core

C:\Metadefender_Core.exe /uninstall

/log <log-file-name> Create installation log file

C:\Metadefender_Core.exe /log C:\omsinst.log

ALL

/silent Run Metadefender Core installation silently

C:\Metadefender_Core.exe /silent

ALL

INSTALLLOCATION=<install-path>

Sets the install location for Metadefender Core

c:\Metadefender_Core.exe /i c:\Metascan.msi INSTALLLOCATION="c:\Metascan"

ALL

ADDLOCAL=<comma-separated-feature-list>

Install selected features only. Please see table below for list of features.

c:\Metadefender_Core.exe ADDLOCAL="RamdrvSupport, EsetEng,CaEng"

ALL

REST=0 This will avoid IIS Express, the webserver and all features that rely on the webserver to work.

This includes all REST APIs, Web Management Console, Mail Agent, & Metascan Client.

C:\Metadefender_Core.exe REST=0

ALL

UPDATEOFF=0 C:\Metadefender_Core.exe UPDATEOFF=1

ALL

v3.13.0 23


This installs Metadefender Core with automatic engine updates turned off.

Not officially documented yet.

Note that command line options were changed with the release of Metadefender Core 3.7 (which was then branded as Metascan 3.7). Command line options from earlier versions are no longer applicable. For example, “Repair Metascan” is no longer supported

Feature options

The features below can be added by using the ADDLOCAL command line option, as described in the table above.

Entries in the Feature Name column are case-sensitive. T Note: he Packages column indicates which Metadefender Core package(s) each command line switch is available for: either 1, 4, 8, 12, 16, or ALL.

Feature Name Description Package

RamdrvSupport RAM Drive ALL

Docs Documentation ALL

MetascanClient Metascan Client ALL

ClamavEng ClamAV scan engine ALL

AhnlabEng Ahnlab scan engine 4, 8, 12, 16, 20

AviraEng Avira scan engine 4, 8, 12, 16, 20

EsetEng ESET scan engine 4, 8, 12, 16, 20

CaEng Total Defensescan engine 8, 12, 16, 20

v3.13.0 241.

Feature Name Description Package

ZillyaEng Zillya! scan engine 8, 12, 16, 20

QuickhealEng Quick Heal scan engine 8, 12, 16, 20

BitDefenderEng BitDefender scan engine 8, 12, 16, 20

IkarusEng Ikarus scan engine 12, 16, 20

IncaEng nProtect scan engine 12, 16, 20

K7Eng K7 scan engine 12, 16, 20

AVGEng AVG scan engine 12, 16, 20

VirusBlokAdaEng VirusBlokAda scan engine 16, 20

EmsisoftEng Emsisoft scan engine 16, 20

FriskEng F-Prot scan engine 16, 20

KasperskyEng Kaspersky scan engine 16, 20

McAfeeEng McAfee scan engine 20

NanoEng NanoAV scan engine 20

SophosEng Sophos scan engine 20

TGSoftEng Vir.IT eXplorer scan eigne 20

Installing Metadefender Core Using the Install Wizard

To install Metadefender Core using the Install Wizard, follow the steps below: If you have Note:a previously installed version of Metadefender Core already installed, you must uninstall it as instructed in .Upgrading Metadefender Core

v3.13.0 25

1.

2.

3.

4.

5.

Locate the Metadefender Core Installation File. If this was not provided to you by OPSWAT, it can be found by clicking and scrolling down to the Metadefender Core hereV3 section.

This file is named Metadefender_Core___.exe where is the Metadefender Core Note:package you are installing, is the version of Metadefender Core, and is the build number.

Double-click on the desired Metadefender Core installation file to launch the Metadefender Core installer. If this does not work, right-click on the file and select . Open

The Welcome window is displayed. Click .Start

The setup Wizard is displayed. Click .Next

Accept the agreement and click .Next

https://portal.opswat.com/en/product-categories/metascan

v3.13.0 26

5.

6.

7.

8.

9.

Select the components you would like to add or remove from the installation. A drop-down menu is available to select whether to install the component or make it unavailable. After making your selections, click .Next

Click . Install

Click to exit the Setup Wizard.Finish

Click . Close

v3.13.0 27

Optional components

RAM drive

If you choose RAM Drive in the custom setup screen (step 6 above), the installation will appear in a separate pop-up window. Click to continue the installation of the RAM drive Installcomponent. For more information on installing the RAM drive, click .here

1.3. Activating Metadefender Core Licenses

Metadefender is operational only after an active license has been applied. In addition to the core license, some of the components require component-specific licenses either to activate them or to increase volume thresholds beyond the default settings. You should apply a Metadefender license as the next step right after installation, before you attempt any other activity with the product. (The one exception to this guideline is if you are trialing one of the smaller Metadefender v3 packages that comes pre-set with a short lived trial license, in which case you can delay license application for up to two weeks).

Activating and Managing Metadefender licenses

All types of Metadefender Core are activated through the Metadefender Core licenses typesManagement Console or through the License Manager CLI:

You can use the Licenses tab on the Metadefender Core Management Console:Management Console to activate your license or . You can also use it to online offlinecheck your license status.


v3.13.0 28

1.

2.

License Manager Command Line Interface : You can use the License Manager CLI to apply, update, or activate a Metadefender Core license ( or ), or to check the online offlinelicense status of Metadefender Core or Remote Clients. For more on using this tool, see

Metadefender Core should be restarted . License Manager Command Line Interfacewhenever a new license has been applied via command line.

REST API for advanced users

Activation Mechanisms (online vs. offline activation)

OPSWAT provides both an online and offline mechanism to apply licenses:

:Online activation Metadefender Core licenses can be activated online if the Metadefender Core server is connected to the Internet.

:Offline activation If the Metadefender Core Server is not connected to the Internet, Metadefender Core licenses can be activated offline through the OPSWAT Activation Portal.

License System Validation

Metadefender Core licenses are strongly bound to the Volume ID, MAC address and NetBIOS name of the computer. Changing any of these attributes will disable Metadefender Core, even if you have not yet activated Metadefender Core with a license. If one of these values has changed, please to receive a new license. For information on purchasing contact support Metadefender Core licenses, contact our .Sales Team

Trial licenses

Metadefender Core 1, 4 and 8 packages are pre-set with a 15-day trial license. For Metadefender Core 12, 16, and 20 trial licenses, please contact our . Requests for Sales Teamtrial licenses for other components are evaluated on a case-by-case basis. Please contact our

if you feel that you need a component specific license.Sales Team

Once the trial period is completed, the trial license key will be inactive and Metadefender will stop operating properly. If you intend to continue using Metadefender beyond the trial period, you must apply an active license to Metadefender. Work with your OPSWAT sales representative to make sure you have this license. Note that once you activate a trial license, uninstalling and re-installing Metadefender Core will not extend the evaluation period.

License types

Metadefender Core utilizes the following types of licenses:

https://opswat.atlassian.net/wiki/display/MDM/Online+License+Activation

https://opswat.atlassian.net/wiki/display/MDM/Offline+License+Activation

https://my.opswat.com/hc/en-us/requests/new?ticket_form_id=30054

http://www.opswat.com/buy



v3.13.0 29

The main license, which must be activated in order to Metadefender Core (Required):use the product and for scanning. Other licenses (below) are not activated until the main license is activated.

This license increases the maximum number of Metadefender Clients (Optional):clients that can connect remotely to the server to perform scanning via REST APIs. With the main license only, you can use up to 1 customer-licensed engine.

This license increases the maximum number Customer-Licensed Engines :(Optional)of pre-installed anti-malware engines not embedded in Metadefender Core that can be used for scanning. With the main license only, you can use up to 1 customer licensed engine.

This license increases the maximum number of OPSWAT-Custom Engines :(Optional)provided custom engines that can be used simultaneously. With the main license only, you can use up to 1 custom engine.

License Manager Command Line Interface

You can use the License Manager CLI to apply, update, or activate a Metadefender Core license. You can also use it to check the license status of Metadefender Core or Remote Clients. This tool (omsLicMgrCLI.exe) is installed in the Metadefender Core installation directory.

To use this tool, open a command prompt by going to , and then enter start Start > Run > CMDomsLicMgrCLI.exe

Command Arguments Description

help Display each available command and its parameters.

checklicense [package]* Retrieve license status. *Optional.

Will pick a default based on directory that it is running in.

installcode Retrieve install code which is required for generating unlock keys in order to activate offline.

activateonline <serial key>

<email>

<company>

[package]

Activate license with a serial key through the Internet. The Metadefender Core Server where the license is being activated must have an Internet connection.

v3.13.0 30

activateoffline <serial key>

<company>

<unlock key>

<unlock key2>

<package>

Activate license on a Metadefender Core Server without a direct connection to the Internet. This command requires a serial key and 2 unlock keys.

Obtain the two unlock keys following the steps in Offline .License Activation By Management Console

finishactivation <unlock key>

<unlock key2>

[package]

Finish activation if the license status is “Activation Required”.

Argument values

Arguments Value Description

[package] 1

4

8

12

16

20

Metadefender Kiosk

Optional parameter, if not specified, package of the currently installed Metadefender Core service will be used.

1: Metadefender Core 1






Metadefender Kiosk

<serial key>

Serial number consisting of 6 blocks of 5 characters

The serial number is your proof of purchase. It is unique and will look like this:

dO8uc-G1iC9-jOGeA-BqgEX-U71lD-0V1VX

v3.13.0 31

Arguments Value Description

Although the serial key and unlock key have the same format, their properties are completely different. You must not mix them up and should keep them separate.

<email> Email address An email address of the contact who is responsible for Metadefender Core licenses.

e.g. [email protected]

<company> Name of company who owns the license

Used for the “company” property in Metadefender Core.

<unlock key>

<unlock key2>

Serial number consisting of 6 blocks of 5 characters

Keys tied to a unique machine and serial key. These are obtained from OPSWAT through phone, email, or the web activation portal for offline activation.

Common license activation errors

The following are common errors encountered during activation and their potential causes.

Error Possible Causes Notes

INVALID KEY

An unrecognized serial key was entered.

A serial key is specific to the type of Metadefender Core package. For example, a serial key for Metadefender Core 4 cannot be used for Metadefender Core 8 or 12.

invalid unlock keys

An unrecognized unlock key was entered.

Unlock keys are tied to a specific serial key and machine where the Install Code was generated. Using an unlock key on a different system, or with a different serial key will result in this error.

No internet connection

Metadefender Core is unable to connect to the Metadefender Core license server.

Check your Internet connection or follow the steps for offline activation.

v3.13.0 32

1.

Error Possible Causes Notes

Other In cases of other errors, an error code will be displayed along with this message.

Please contact OPSWAT support (support@opswat.) with the error code.com

Offline License Activation By Management Console

The following are required for offline activation:

A Metadefender Core Server

A serial key that matches the Metadefender Core package installed on that Metadefender Core Server. Metadefender Core licenses can only be used with the package for which they were created (1, 4, 8, 12, 16, 20 and Custom). For example, a serial key for Metadefender Core 4 will not work with Metadefender Core 8.

You can use the following methods for offline license activation:

The Metadefender Core Management Console included with the Metadefender Core installation

The License Manager Command Line Interface (CLI)

Offline activation of licenses using the Metadefender Core Management Console

The Metadefender Core Management Console is installed by default and can be launched from the Start menu or in any browser with network access to the Metadefender Core Server.

In the Metadefender Core Management Console, click the tab to check the Licensescurrent license information.

v3.13.0 33

1.

2.

3.

Select the option and copy or take note of the Install Code, which is Activate Offlineneeded to obtain the unlock keys.

To obtain the unlock keys, visit the Metadefender Core offline activation portal at .https://portal.opswat.com/activation

https://portal.opswat.com/activation

v3.13.0 34

3.

4.

5.

6.

7.

Enter your company name and other contact information.

Enter your serial key and the Install Code from step 2.

Click , which displays a page with two unlock keys. Copy or take Request Unlock Keynote of both of these.

Go back to the Metadefender Core Management Console. Enter the license key and unlock keys in the dialog box along with the company name.

v3.13.0 35

8.

1.

Click and confirm that the license expiration date has been updated and that it Activatematches the Metadefender Core contract.

Offline activation of licenses using the License Manager Command Line Interface (CLI)

See the "activateoffline" command in for more License Manager Command Line Interfaceinformation.

Online License Activation By Management Console

The Metadefender Core Server must be connected to the Internet for online activation.Note:

The following are required for online activation:

A Metadefender Core Server

A serial key that matches the Metadefender Core package installed on that Metadefender Core Server. Metadefender Core licenses can only be used with the package for which they were created (1, 4, 8, 12, 16, 20 and Custom). For example, a serial key for Metadefender Core 4 will not work with Metadefender Core 8.

You can use the following methods for online license activation:

The Metadefender Core Management Console included with the Metadefender Core installation

The License Manager Command Line Interface (CLI)

Online activation of licenses using the Metadefender Core Management Console

The Metadefender Core Management Console is installed by default and can be launched from the Start menu. You can also access the Metadefender Core Management Console directly from any machine with network access to the Metadefender Core Server at http://<metadefender core server>:8008/management.

v3.13.0 36

1.

2.

3.

4.

1.

In the Metadefender Core Management Console, navigate to the tab to check Licensesthe current license information.

Enter the Metadefender Core serial key, company name, and contact email address for the instance of Metadefender Core you wish to activate. For example,

Click to apply the license. Activate

Confirm that the license activation was successful and that the license expiration date matches the expiration date on your Metadefender Core contract.

Online activation of licenses using the License Manager CLI

Open a command prompt by going to .Start > Run > CMD

v3.13.0 37

1.

2.

3.

4.

Change the working directory to the Metadefender Core install directory by entering cd <Metadefender Core install dir> (e.g., cd “c:\Program Files (x86)\OPSWAT\Metadefender Core 4”).

Verify that your installation of Metadefender Core is NOT already activated by entering omsLicMgrCLI.exe checklicense [package] (e.g., omsLicMgrCLI.exe checklicense 4).

Activate the license by entering omsLicMgrCLI.exe activateonline <license key> “<email>” “<company>” [package]

v3.13.0 38

4.

5. After Metadefender Core activation completes successfully, the updated license status is displayed. Verify that the license status listed is “Activated” and that the expiration date matches the expiration date on your Metadefender Core contract.

Note: If online activation is not successful, check to ensure the Metadefender Core Server’s Internet connection is working. If online activation is still unsuccessful, follow the steps for

.offline activation

For more on using this tool, see .License Manager Command Line Interface

1.4. Upgrading Metadefender Core

To upgrade from one Metadefender Core version to another, you must uninstall the version you currently have and install the newer version. Before doing this, you should back up your current configuration so that you can restore the settings into your upgraded version. You can back up these settings either by using your Metadefender Core Management Console, or by exporting the settings using the command line.

Your Metadefender Core license is automatically retained as long as you are upgrading to same packages without additional add-ons.

Backup Using The Management Console

v3.13.0 39

1.

2.

3.

4.

5.

Backup using the management console does NOT contain process history and other application logs. If you want to backup process history, refer to "Exporting process history" section below.

If using Mail Agent see Mail Agent Upgrade

The preferred method of backing up your settings is by using the Metadefender Core Management Console. The following procedure downloads your current configuration settings in a file to a location of your choosing. The "Maximum File Size for files scanned through Note:the web interface" setting (found on the Configuration > Scan Configuration page of the Metadefender Core Management Console) is NOT backed up and must be manually reconfigured, if necessary, after upgrading Metadefender Core.

.Access the Metadefender Core Management Console

Click the tab. Backup/Restore

Optionally, you can select to create a Encrypt Backup with the following passwordpassword for your download.

Click . DOWNLOAD BACKUP

Save the download to the location where you want to store the backup.

v3.13.0 40

1.

2.

3.

1.

2.

3.

Exporting process history

Optionally, you can export your process history (scan results) and then import them after you have installed the upgrade.

Open the Windows command line as an administrator.

Navigate to <Metascan installation folder>\Mongo\64+ (e.g. C:\Program Files (x86)\OPSWAT\Metadefender Core 4\Mongo\64+).

Run the following command:

mongoexport.exe --host localhost --port 27018 --db metascan --collection files --out C:\output_files.json

"C:\output_files.json" is created, containing all scan records in Mongo DB.

Exporting your current configuration using the command line

Export the Metadefender Core configuration.

omsConfig.exe export <directory> [<option>]

The following command exports the Metadefender Core Properties (e.g., max archive size or temporary directory), database settings, REST server settings (e.g., API keys or REST port), SYSLOG settings, and MongoDB settings into a zip file.

[<option>] is optional, it should be in the format /pass=password

Exporting Quarantined file and email history

If you would like to export your quaratined file and email history for import after an update we recommend you use mongodump.exe.

Open a Windows command prompt as administrator



v3.13.0 41

1.

2.

3.

1.

2.

3.

4.

1.

2.

3.

mongodump.exe --host localhost --port 27018 --db MetadefenderQuarantine --out <path>

Replace <path> with a path to where you would like to save the exported database. See for more https://docs.mongodb.com/manual/reference/program/mongodump/#bin.mongodump

information about mongodump.exe.

Exporting/Importing the MetadefenderQuarantine database is a slow process and may take hours if your database is larger than a few GB.

Installing the upgrade

Uninstall Metadefender Core using your Windows Control Panel.

Double-click the Metadefender Core installer file for the version that you are upgrading to.

Follow the prompts to install the upgrade.

Note: If you are upgrading and your previously-set management console password stops working, perform the following steps:

Open the Windows Registry (regedit.exe).

Navigate to the Metadefender Core registry: hiveHKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OPSWAT\Metascan.

Double-click on the rest_stat_admin_apikey string item in the list and erase any value data.

Restart the Metadefender Core services (Metascan and Metascan REST).

Restoring your previous configuration using the Management Console

After installing your upgrade, you can restore your previous configuration. The preferred method of restoring your settings is by using the Metadefender Core Management Console.


Click the tab. Backup/Restore

https://docs.mongodb.com/manual/reference/program/mongodump/#bin.mongodump

v3.13.0 42

2.

3.

4.

1.

Click , scroll to the locations where you stored the backup, and select the Browsebackup.

Click . RESTORE FROM BACKUP

Importing your previous configuration using the command line

If you exported your configuration using the command line, you can import those settings into your upgrade.

omsConfig.exe import <file path> [<option>]

omsConfig.exe is installed in the Metadefender Core Installation directory (e.g., C:\Program Files (x86)\OPSWAT\Metadefender Core 4).

: All settings will take effect after a restart of Note Metadefender services

Importing Quarantined File and Email history

If you exported your MetadefenderQuarantine database you can import this information back after upgrading

v3.13.0 43

1.

2.

3.

1.

2.

3.

Open a Windows command prompt in administrator mode

Navigate to <Metascan installation folder>\Mongo\64+ (e.g. C:\Program Files (x86)\OPSWAT\Metadefender Core 4\Mongo\64+)


mongorestore.exe --host localhost --port 27018 --db MetadefenderQuarantine <path>

Replace <path> with the directory where you saved the MetadefenderQuarantine database export. See https://docs.mongodb.com/manual/reference/program

for more information about mongorestore.exe/mongorestore/#bin.mongorestore

Exporting/Importing the MetadefenderQuarantine database is a slow process and may take hours if your database is larger than a few GB.

Importing process history

If you exported your scan results history as described above, you can import the history after you have completed upgrading.

Open the Windows command line as an administrator.



mongoimport.exe --host localhost --port 27018 --db metascan --collection files --file C:\output_files.json

Upgrading from Metadefender Core 3.5 or earlier

Metadefender Core 3.5 and earlier versions used a different licensing mechanism that is not supported in the current release of Metadefender Core. To obtain a new license key that will work with the current version of Metadefender Core, please contact technical support.

Upgrading from Metadefender Core 3.12.5 and using Mail Agent

Disable API keys on REST API calls if enabled.

https://docs.mongodb.com/manual/reference/program/mongorestore/#bin.mongorestore

https://docs.mongodb.com/manual/reference/program/mongorestore/#bin.mongorestore

v3.13.0 44

Make a copy of Metadefender.Email.Engine.Service.exe.config and Metadefender.Email.Engine.Generic.Agent.dll.config.

The files are located in the Metadefender Core installation directory (e.g. C:\Program Files (x86)\OPSWAT\Metadefender Core 4\Metadefender Mail Agent)

Follow the steps for "Backup Using The Management Console"

For installing Mail Agent on the newer version refer to the Metadefender Email User Guide.

Follow the steps for "Restoring your previous configuration using the Management Console"

Re-enable the REST API keys if previously enabled.

Copy over the saved Metadefender.Email.Engine.Service.exe.config and Metadefender.Email.Engine.Generic.Agent.dll.config.

The installation directory changed on the newer version, now located at C:\Program Files (x86)\OPSWAT\Metadefender Mail Agent

Restart the .Metadefender services

1.5. Performance and Load Estimation

Disclaimer: These results should be viewed as guidelines and not performance guarantees, since there are many variables that affect performance (file set, network configurations, hardware characteristics, etc.). If throughput is important to your implementation, OPSWAT recommends site-specific benchmarking before implementing a production solution.

What to know before reading the results: Some factors that affect performance

Metadefender product version

Metadefender package and configuration

set of engines (which and how many)

product configuration (e.g., thread pool size)

system environment

server profile (CPU, RAM, hard disk)

client application location - remote or local

system caching and engine level caching

v3.13.0 45

dataset

encrypted or decrypted

file types

different file types (e.g., document, image, executable)

archive file or compound document format files

file size

bad or unknown (assume to be clean)

performance tool itself

How test results are calculated

Performance (mainly scanning speed) is measured by throughput rather than unit speed. For example, if it takes 10 seconds to process 1 file, and it also takes 10 seconds to process 10 files, then performance is quantified as 1 second per file, rather than 10 seconds.

total time / total number of files processed: 10 seconds / 10 files = 1 second / file.

Test Report

Performance Report - Multi-Scanning

Performance Report - Multi-Scanning

Disclaimer: These results should be viewed as guidelines and not performance guarantees, since there are many variables that affect performance (file set, network configurations, hardware characteristics, etc.). If throughput is important to your implementation, OPSWAT recommends site-specific benchmarking before implementing a production solution.

v3.13.0 46

Setup / Configuration

Metadefender version

v3.13.0

System environment

OS: Windows 2008 R2 64 bit

CPU: 2.10GHz 4 core vCPUs

RAM:

16 GB RAM (for Metadefender Core 12, Metadefender Core 20)

8 GB RAM (for Metadefender Core 8)

Hard disk: 100 GB HDD

Product configuration

No. of threads: 20

Archive library: disabled

Workflow: default

Dataset All decrypted

Mixed 4% infected

Method REST v2

Others System caching and engine-level caching is ignored

Auto update disabled

Caching disabled

Test results

Total size (MB)

Average file size (MB)

M8*(sec/file)

M12*(sec/file)

M20*(sec/file)

Documents(1227 files)

<500KB 84.8 0.173 0.077 0.146 0.169

500kb~1m 88.9 0.723 0.189 0.17 0.272

v3.13.0 47

Total size (MB)


M8*(sec/file)

M12*(sec/file)

M20*(sec/file)

1m~5m 930 2.467 0.912 0.593 0.585

5m~10m 1679.36 7.116 3.156 2.026 1.911

Executables(1249 files)

<500KB 59.8 0.120 0.136 0.192 0.327

500kb~1m 93.4 0.697 0.451 0.525 0.887

1m~5m 902 2.412 0.764 0.942 1.707

5m~10m 1699.84 7.053 1.38 1.763 2.524

Graphic Images(1250 files)

<500KB 85.1 0.170 0.068 0.073 0.076

500kb~1m 96.6 0.716 0.113 0.152 0.156

1m~5m 943 2.482 0.326 0.296 0.327

5m~10m 1597.44 6.798 1.134 1.027 0.868

Media(1249 files)

<500KB 88.3 0.177 0.072 0.079 0.092

500kb~1m 92.8 0.658 0.115 0.126 0.168

1m~5m 934 2.538 0.449 0.386 0.313

5m~10m 1689.6 7.011 1.44 1.176 0.934

Other Misc(1031 files)

<500KB 81.9 0.172 0.083 0.099 0.159

500kb~1m 89.9 0.719 0.118 0.18 0.255

1m~5m 603 2.319 0.255 0.391 0.482

5m~10m 1259.52 7.453 0.552 0.815 0.834

v3.13.0 48

Total size (MB)


M8*(sec/file)

M12*(sec/file)

M20*(sec/file)

PDF(1246 files)

<500KB 85.8 0.173 0.096 0.105 0.156

500kb~1m 100 0.730 0.192 0.242 0.358

1m~5m 929 2.477 0.365 0.473 0.611

5m~10m 1638.4 6.913 0.876 1.121 1.362

Text(1248 files)

<500KB 91.4 0.183 0.227 0.284 0.539

500kb~1m 94.3 0.704 0.25 0.497 0.675

1m~5m 905 2.394 0.366 0.603 0.775

5m~10m 1628.16 6.899 0.875 1.471 2.251

Average scan time (sec/file) 0.537 0.570 0.706

M8: Metadefender 8 (Ahnlab, Avira, BitDefender, ClamAV, ESET, Quick Heal, Total Defense, Zillya!)

M12: Metadefender 12 (M8 + AVG, nProtect, Ikarus, K7)

M20: Metadefender 20 (M12 + Kaspersky, Emsisoft, F-Prot, QuickHeal, McAfee, Sophos, Vir.IT eXplorer, NanoAV)

v3.13.0 49

1.

2. Configuring Metadefender Core

Metadefender Core is designed to support many different use cases and security requirements. As a Metadefender Core administrator, you can tailor the product to your organization's specific needs through a set of configuration options available to you. There are two ways to access these configuration options: (1) Through the Metadefender Core Management Console, which is a web-based user interface, or (2) through a command line utility, which you access through a command line interpreter. There are also a few less commonly adjust settings that are stored in a omsConfig.ini file.

Using Management Console to configure Metadefender

You can access the Metadefender Core Management Console through any browser that has access to the Metadefender Core system. A link to the Management Console (named "Metadefender Core Management Console") is added to the Start menu during installation.

The Management Console can also be accessed directly in any web browser by going to http://<Metadefender Core Server>:8008/management. <Metadefender Core Server> is the name or IP address of the system where Metadefender Core is installed.

Using the Command Line Utility to configure Metadefender

Metadefender Core also provides a command line utility that lets you run Metadefender Core operations, such as scanning a file or setting preferences/properties, etc.

The command line utility is omsCmdLineUtil.exe. You type this command line followed by a relevant parameter to set a specific configuration or perform a specific action. You can display the inventory of supported parameters by using the "config" parameter: "omsCmdLineUtil.exe config" (exclude the quotes). Note that the command line utility must be run from the directory where Metadefender Core is installed.

Go to , and then click .Start > Run > cmd OK

v3.13.0 50

1.

2.

3.

Change the directory to the directory where Metadefender Core is installed.

Run the config command with omsCmdLineUtil.exe to bring up a list of options to configure.

In the subsequent sections of this guide, the command line utility commands/parameters are provided for each configuration setting.

Configuration options available through the omsConfig.ini file

There are some options that are set in the omsConfig.ini file, located in the installation directory of Metadefender Core. These are typically options that are not commonly adjusted from the default settings that come with product. You must restart the Metadefender Core service after making any changes to this file.

2.1. Scan Configuration (global configuration options)

The Scan Configuration settings affect the global behavior of Metadefender Core when scanning files; i.e. these configurations apply to all files being scanned, regardless of which workflow is being used.

v3.13.0 51

As with most configuration options, these can be set through the Management Console or through the command line utility. If you plan to use the console, see the diagram below to see where to access these settings. If you plan to use the command line, see the table below the diagram to get the respective CLI parameter nomenclature.

The table below explains each configuration option found on this console page, specifies the default value (the value provided on a fresh install of the product), and provides the equivalent command line utility command:

Configuration Name

Description Default Value

CLI Command Parameter

Detect Scan Failures

Specifies the number of engines that can fail to scan a file before the overall result to be 'failed to scan'. For example, if set to 1, then a single engine failing will not result in the file being labeled 'failed to scan' but if two or more engines fail the overall result will be 'failed to scan.'

0 dsf=<0-n-1>, where n is the total number of current AV engines.

Primary Temp Directory

Directory used to copy files for scanning.

RAMDisk (if installed) or the system temporary directory

td=<directory|secondary directory>

v3.13.0 52

Configuration Name

Description Default Value

CLI Command Parameter

Secondary Temp Directory

Optional. Will be used only if the size of an extracted archive exceeds the space available in the primary directory.

Number of simultaneous scans

The number of scans that can run at the same time. It is recommended to set 4 times the number of cores or just 20, which ever one is higher, but also less than 100, which can happen for example on a machine that has 32 cores. For example, if your machine has 100 cores you may see improved performance with 200 threads.

20 tp=<0-400>

Terminate engine if scan exceeds

The amount of time that Metadefender Core will wait for an engine to complete scanning before it terminates the engine process.

5 minutes te=<time in seconds>

Maximum File Size for files scanned through the web interface

The largest allowable size for files scanned through the Metadefender Core web interface.

Do not calculate hashes for files larger than

The maximum size of files to compute the hash. Computing hashes for very large files can take a long time and can significantly affect Metadefender Core's performance.

100 MB tfi=<size>

2.2. Engine Configuration

v3.13.0 53

1.

2.

3.

Applying Offline Updates

If your Metadefender Core server is deployed in an offline environment without connectivity to the Internet, you can deploy engine definition updates through the Update by File Upload section of the Engines Configuration page.


To configure the Engines section and apply offline updates, click the tab Configuration and then click .Engines

Scroll down to the Update by File Upload section.

You can download these update packages from the OPSWAT Portal or with the Automatic Definition Update Download Utility. For more information on how to download these updates, please visit the OPSWAT Portal, click , and then click Downloads Download Offline

. Definition Updates

v3.13.0 54

1.

2.

Configuring Scan Engines

Using the Metadefender Core Management Console


To configure the Engines section and apply offline updates, click the tab Configuration and then click .Engines

All bundled engines as well as custom and customer licensed engines that can be used in Metadefender Core are listed on this page. Each engine can be activated or deactivated by selecting the checkbox and then clicking Apply at the bottom of the page.

If applicable, an engine’s heuristic scanning feature can be activated or deactivated as well. These changes take effect after the Metadefender Core service has been restarted.

Any customer-licensed engine will not be enabled by default for Metadefender Core 4, 8, 12, 16, and 20 packages. You must enable customer-licensed engines before they can be used by Metadefender Core to process scan requests.

Using the command line interface

If you would like to enable or disable engines from the command line interface, run the following commands from the Metadefender Core installation directory.

Retrieving the list of available engines

omsCmdLineUtil.exe getinfo

v3.13.0 55

1.

2.

Enabling an engine

omsCmdLineUtil.exe config in=<engine(s) to be included>e.g., omsCmdLineUtil.exe config in="eset scan engine|avira scan engine"

Disabling an engine

omsCmdLineUtil.exe config ex=<engine(s) to be excluded>e.g., omsCmdLineUtil.exe config ex="eset scan engine|avira scan engine"

If you are enabling or disabling multiple engines, separate the engine names with a ‘|’ character.

Supporting customer-licensed engines

omsCmdLineUtil.exe config sp={0|1}e.g., omsCmdLineUtil.exe config sp=1

This property determines whether Metadefender Core will attempt to use antivirus engines that are installed on the system outside of Metadefender Core. These engines will often have reduced performance compared to embedded engines and may also reduce overall Metadefender Core performance. By default, customer licensed engines will be enabled in Metadefender Core 1 and disabled in Metadefender Core 4, 8, 12, 16, and 20 packages.

Online Update Configuration


v3.13.0 56

2.

3.

4.

To configure the Online Updates section, click the Configuration tab and then click Engines .

Scroll down to Online Updates.

Select your settings based on the following tables, and then click . Apply

The following settings apply to Metadefender Core's automatic engine definition update functionality:

Property Description Default Value

CLI config

During Updates

Specifies scanning behavior when an engine is in the process of having its definitions updated.

Scans can configured to either be skipped or paused during updates.

Skip Scans

(Pause) wu=<0|1>

(Skip) su=<0|1>

v3.13.0 57


CLI config

Update Timeout

Specifies how long Metadefender Core should wait for an update to happen before timing out.

600 seconds

to=<time in milliseconds>

Update Interval

Specifies how often engines should be updated. 1440 minutes (1 day)

um=<time in minutes>

Proxy settings can also be defined in the omsConfig.ini configuration file (located in the Metadefender Core installation directory). Proxy settings defined in omsConfig.ini will only be used if the proxy configuration is not set in the Metadefender Core Management Console.


omsConfig.ini Property

Enable Updates Through Proxy

Specifies whether the Metadefender Core server will be retrieving engine updates through a proxy server.

disabled enable_proxy

Server Address

The proxy server to use. proxy_server

Port The proxy server port to use. proxy_port

Username If authentication is required, the username for the proxy server.

proxy_user

Password If authentication is required, the password for the proxy server.

proxy_password

v3.13.0 58

1.

2.

2.3. Sources Configuration

The Management Console's Sources tab contains the configuration settings for Metadefender modules such as Metadefender Client, Metadefender Proxy, and Metadefender Email. Navigate to this tab and follow the instructions in the subsections below if you plan to use any of these modules.

Metadefender Client Configuration

"Metadefender Client Download Configuration" lets you specify the settings for the Metadefender Client package that you generate and download from the bottom of the page. After a client has been generated, the Metadefender Client download page (<ip or dns address>:8008/#/client) can be shared with anyone who should be able to use Metadefender Client to scan files with this Metadefender Core server.

Access the Metadefender Core Management Console .

Click the Sources tab and then c lick Metadefender Client .

Note: The Windows Metadefender Client is supported to run only on endpoints running Windows 7 or later.

The following properties can be set for the Metadefender Client download package.


Metadefender Core

Local Metadefender Core

<IP Address>:8008/metascan_rest/

v3.13.0 59


This is the address that Metadefender Client will use to access the Metadefender Core server. This should be an address (IP address or machine name) that will be accessible from every machine where Metadefender Client will be run.

Scan Options

File Size Limit

The maximum size of files to be scanned by Metadefender Client. Files larger than this size will not be scanned. Maximum file size limit: 2GB

50 MB

Scan Type

Set a default behavior

Select option to be used as the default behavior:

Full Scan: scans system drives, physical drives, running memory processes, and removable drives

Process (Quick Scan): scan running memory processes

Custom: select which system components to scan

Process (Quick Scan)

Allow custom selection in the client

Allows a user of Metadefender Client to select to which system components to scan.Enabling components will show the components to be selected upon startup of the Client.

No components are selected

Local Log Directory

Save scan log

The directory where Metadefender Client will log all scanning activity

Enabled

Destination: %AppData%\Metadefender-Local

Enabled

v3.13.0 60


Allow App to Exit

Specifies whether the Metadefender Client can be exited from the system tray

After configuration changes have been made, you can generate a new Metadefender Client downloadable package by clicking . Update Client

Metadefender Email Configuration

From this release, Metadefender Email will not be installed along with Metadefender Core V3. Users should go to Metadefender Email download page to download Metadefender Email installer and manually install it.

For Metadefender Email configuration, refer to the Metadefender Email User Guide.

Metadefender Proxy Configuration

For Metadefender Proxy configuration, refer to the Metadefender Proxy User Guide.

v3.13.0 61

1.

2.

3.

4.

2.4. Workflow Profile Configuration

Workflow profiles let you differentiate how files gets processed based on the source or user submitting the file. The workflows are defined in the Management Console. They can be used within the process logic of the file REST API.

Metadefender Core allows the definition of as many different workflow profiles as are needed to meet security requirements. The Default profile is used to process requests that are not mapped to any other profiles. Section 2.4.2 lists the profiles that are included out-of-the-box by OPSWAT in the Metadefender Core installation.

2.4.1. Creating a New Workflow Profile


Click the Configuration tab and then click Workflows .

Click . CREATE NEW PROFILE

v3.13.0 62

4.

5.

6.

Enter a name and description of the new workflow profile, and specify which user agents should use this profile. (Type "|" between the agents.) These values can be changed for

Click .all profiles except for the Default profile. CONTINUE

If you enable archive handling, Metadefender Core extracts archives and scans the individual files within the archive. For more information about the archive handling options, refer to . After completing your selections, click 2.4.3. Archive Handling

CONTINUE .

v3.13.0 63

6.

7.

8.

The Profile File Type and Filtration screen is displayed. Select how you want file type mismatches to be scanned and file type filters to be applied. For additional information, refer to .2.4.4. File Type Detection And Filtration Overview

After selecting the the file types and filtration, click . Continue

The Scan page is displayed, which allows you to enable or disable scanning by the active Metadefender Core engines or specify files that will be skipped. By default, large video files are excluded from scanning for efficiency purposes. Select an option and click

v3.13.0 64

8.

9.

10.

. Continue

The Sanitization Rules page is displayed, allowing you to select if and how long files that have been sanitized by Metadefender Core workflows are available through the REST API. If sanitization is enabled, Metadefender Core automatically deletes the sanitized version of files after the specified time. This configuration determines how files are handled after processing is complete.Both allowed and blocked files can be configured to sanitize specific types of files and convert them to other formats. This can remove any threats embedded within the original file. If configured, the original file can be deleted after the sanitization.Select your options and click . APPLY

v3.13.0 65

10.

11.

Select whether to sanitize allowed and blocked files and then click . Continue

The File Handling screen is displayed, allowing you to select how files are handled after data sanitization is complete. File handling is configured separately for allowed and blocked files.You can configure blocked files to be removed, either by quarantining or deleting the blocked file. You can configure both blocked and allowed files to be copied to a specified directory path.Make your selections and click . FINISH

2.4.2. Pre-defined Workflow Profiles

Several profiles are included out-of-the box in every Metadefender Core installation:

Profile Name Description

Default Used to process requests that are not mapped to any other profiles

v3.13.0 66

Profile Name Description

Block EXE Blocks executable files

Client Used by the new Metadefender Client

Convert Docs Only allows documents and converts all documents to safe formats

Guest Used to process files by guests that do not have a defined account within an organization

High Security Recommended for usage in high security environments

Kiosk Used to process files with the Metadefender Kiosk

Mail Agent Used by the Metadefender Mail Agent

No EXE/Archives

Blocks all archives and executables

Only Docs Profile for users that only need to bring in office documents

Proxy Used by Metadefender Proxy

SFT Used by SFT

Web Scan Used to process requests made through the Web Scan page

v3.13.0 67

2.4.3. Archive Handling

The Archive Handling configuration determines how archives are handled within Metadefender Core. If archive handling is enabled, Metadefender Core extracts archives and scans the individual files within the archive.

Most common archive formats are supported, including Zip, PKLite, 7z, Jar, Jarc, rar, rar5, tar, taz, ISO, Gzip, CAB, ARC, ARJ, LZH, RPM, DEB, LZMA, WIM, SFX, XZ. Metadefender Core can also extract self-extracting archives created by both 7zip and WinRAR.

MS Office file (from 2007) by default are treated as archive files when scanning. This can be disabled in the Workflow editor in the Archive section. See screenshot below:

The following settings apply if archive handling is enabled:

v3.13.0 68


CLI config Additional info

Enable Archive Handling

Enables Metadefender Core’s archive library handling.

Enabled le=<0|1>

Max Recursion Level

The maximum depth that Metadefender Core will continue to extract archives for scanning. After this depth is reached, Metadefender Core does not extract further archives but scans those archives as entire files. If the setting is 0, archives are not extracted.

5 rl=<levels> Maximum value: 2147483646

Number of Files

The maximum number of files that can be in an archive that Metadefender Core is extracting. If the number of files in an archive exceeds this value, Metadefender Core returns the result as a potential threat.

50 an=<number> Maximum value: 2147483646

Total Size The maximum total size of files that can be in an archive that Metadefender Core is extracting. If the total size of files in an archive exceeds this value, Metadefender Core returns the result as a potential threat.

2 GB as=<size in MB>

Maximum value:

Half the current available free space of the Metadefender Core temporary directory.

v3.13.0 69



If two temporary directories are set from different drives, the highest available space will be used.

Simultaneous Specifies if multiple archive files undergo extraction concurrently. This will increase speed of archive file extraction performance while disk space usage on temporary directory and disk I/O will increase which may impact overall performance drop. In other words, enable only if disk I/O has high capacity and enough disk space to handle temporary files.

Disabled ec=<0|1>

Self-Extracting

Specifies whether self-extracting archives should be extracted and treated as archives.

Disabled sx=<0|1>

Scan Original Un-extracted File

In addition to scanning files inside of an archive after extraction, un-extracted archives are sent directly to engines for scanning.

Disabled soa=<0|1>

v3.13.0 70



If “extract_archive” for an Note: engine is enabled, this potentially exposes performance overhead because extraction happens twice, once by Metadefender Core and once by the engine.

Microsoft Office Documents

Specifies whether or not Microsoft Office Files will be treated as archive files or as a regular file.

Enabled eod=<0|1>

Note: Microsoft Office Documents (e.g., DOCX files) are detected as archive files by default. If you would like to scan the Office file itself, OPSWAT recommends that you either enable the option to scan the original un-extracted archive or disable the option to detect these files as archives. Please note that you WILL NOT get extracted file details if the option to treat Office documents as archives is disabled.

2.4.4. File Type Detection And Filtration Overview

File type detection

The file type analysis configuration allows the administrator to specify whether file type analysis should be performed, and how Metadefender Core should handle file type mismatches (where the detected type of the file differs from its extension).

Common uses of file type detection include:

Monitoring for discrepancies between a file extension and a detected file type.

Altering the workflow of files based on certain file types (e.g., blocking files of a certain file type from entering a file system).

You can configure this setting in the Workflow tab via the link on the left-side menu.File Type

v3.13.0 71

Metadefender file type detection is driven by an OPSWAT proprietary algorithm that combines the logic as well as logic. Right now, there are 5837 file types that can be "Magic Number" TrID detected and compared to the file extension; a complete listing can be found at the .TrID site

File type detection/analysis is not as accurate as other file metadata analysis. There will be cases where the Metadefender file identification engine will not be able to correctly analyze the file type. In these cases, you can submit a ticket with the file to OPSWAT Support for more investigation. However, we cannot guarantee that we will be able to fix the underlying issue and we cannot provide an expected turnaround time to provide an answer. Please do not open an express ticket for false file type detection.

Note that while file type detection functionality is based on the logic above, file scanning functionality is not limited to these file types.

File type detection is also referred to as 'file type analysis', 'file type mismatch', and 'file mismatch analysis'.

Detect file type mismatch

If this is enabled, detected file type extension will be used to validate file path. If any of file inside of an archive file is detected as mismatch, the archive file will be marked as mismatch and blocked.

http://en.wikipedia.org/wiki/File_format#Magic_number

http://mark0.net/soft-trid-deflist.html


v3.13.0 72

Filtration

The Filtration configuration allows a Metadefender Core administrator to specify that certain file types should be blocked, or that only certain file types should be allowed.

If File Type Detection is turned on, filtering will happen based on the type returned. However, only the following types will be checked for mismatches: D, P, A, E, G. (Documents, PDFs, Archives, Executable & Images)

If File Type Detection information is not available, filtering is only based on the file extension.

2.5. Metadefender Core Logs

Metadefender Core stores the results of file scans for a period of time determined by its Log settings.Retention

Debug logs

On each log page, you can generate debug information if needed for troubleshooting purposes. To generate the debug log packages, click , and then click one of the links to either Downloadexport a quick or verbose debug log.

Application Log

This section of the Metadefender Core logs contains internal Metadefender Core DB event logging.

To access the Application Log from the Logs tab, click . Application Log

http://sf-small-conf.us.opswat.com:8090/pages/viewpage.action?pageId=4436201

v3.13.0 73

Email Event Log

The Email Event Log contains email event logs. Information includes the severity of the event, the time the event was logged, and a description of the event.

To access the Email Event Log from the Logs tab, click . Email Event Log

Email History

The Email Scan History page allows you to view the history of processed emails.

v3.13.0 74

1.

2.

To access the Email Scan History from the Logs tab, click . Email History

Description of fields

Field name Description

SENDER The sender of the email.

RECIPIENT The recipient(s) of the email.

SUBJECT The subject of the email.

DATE/TIME The date and time when email was processed.

RESULT The result of processing the email.

File Log

To access Metadefender Core's file scan history, do the following:


Click the Logs tab and then the tab.File Log

v3.13.0 75

You can filter file results to display a specific time period. To view detailed scan results, select a file name from the list.

The following values display for each file in the file scan history:

Field Name Description

File Name The filename specified at the time of the scan request. This is determined by the following for the different Metadefender Core interfaces:

REST: The value specified in the 'filename' header in the scan request.

COM: The name of the file from where it is scanned on the Metadefender Core system.

ICAP: The value of the 'filename' header in the ICAP request. If this is not specified, then this will be the portion of the URL after the final forward slash (/).

Reason Provides detailed information why the file is blocked by Metadefender Core. For a complete list of possible block reasons, refer to Callback for Processing

.a File (COM)

Workflow Applied

Indicates which workflow profile is used for the specific file. Click the workflow name to go to the workflow profile detail page and view the profile's configurations.

Source The client IP address where the process initiated from.

Start Time The timestamp of when the scan started.

Logging Configuration

You can configure all events in the Event Log section to be sent to a Syslog server.

To access the Configuration section from the Logs tab, click Configuration .

v3.13.0 76

The following settings apply to Metadefender Core's Syslog logging functionality:


Enable syslog messages

Indicates whether the following settings will be used to send messages to a Syslog server.

Off

IP Address The IP address of the Syslog server.

Port The port that the Syslog server is listening on. 514

Facility Level The facility level can be configured for an additional level of filtering of messages on the Syslog server.

User-Level

Example of Metadefender Core event and dirty result log in syslog:

2014-06-19 15:05:15 User.Notice 10.0.3.101 Metascan: Changed property [thread_pool_size] = [20]

v3.13.0 77

2014-06-19 15:05:15 User.Notice 10.0.3.101 Metascan: Changed property [enable_cache_scan] = [1]

Note: Only infected files scanned through Metadefender Core's REST API result in syslog messages. Files scanned through any other interface do not produce syslog messages. Files scanned using Metadefender Core's workflows are not logged to syslog.

Log Retention

Logging can use a significant amount of disk space while the server is running. By default, Metadefender Core retains 30 days of logging for the File Log, Application Log, and Quarantine. You can change this default value in the Metadefender Core Management Console.

Log Type Default Minimum Maximum

File Logs 30 DAYS 5 minutes

Setting 0 removes all records when check is performed

10675199 days

Application Logs

30 DAYS 0 days (removes all records when check is performed)

10675199 days

Quarantine 30 DAYS 0 days (removes all records when check is performed)

10675199 days

0 days (removes all records when check is performed)

Changing the number of days Metadefender Core stores log files

You can change the number of days Metadefender Core stores the log files for File Logs, Application Logs, and Quarantine by going to in the Metadefender Core Logs > Configuration Management Console.

v3.13.0 78

To make changes to this page, move the slider to . After making changes to the default Onnumber of days for any of the logs, click . Apply

Windows Event Log

The Windows Event Log contains system application event logging of all Metadefender Core-related components.

To access the Windows Event Log from the Logs tab, click . Windows Event Log

v3.13.0 79

1.

2.

2.6. Quarantine Management

Email messages or files that have been quarantined by Metadefender Core are listed in the Quarantine tab. From this tab, an administrator can choose to delete, download, or release files and emails that have been quarantined. An administrator can also schedule and send quarantine reports.

Quarantine reports contain emails which have been quarantined by Metadefender Core. Quarantine reports include a summary of quarantined email information (subject, quarantine reason, and sending time). They also contain a link to detailed scan results in the Metadefender Core Management Console. Administrators can choose further action for the quarantined email (such as delete, release email, and download.).

Quarantine reports are the only way to be notified about quarantined emails, other than viewing the Quarantine tab. If activated, quarantined reports are sent daily by default.

Accessing the Quarantine tab in the Metadefender Core Management Console


Click the Quarantine tab .

v3.13.0 80

1.

2.

3.

4.

a.

b.

c.

Note: Port 8000 must be open on the Metadefender Core server for the Quarantine history to be displayed correctly.

Scheduling quarantine reports

To set up and schedule quarantine reports, do the following:

From the Metadefender Core Management Console, click the .Quarantine tab

Click . Configure Quarantine Reports

To update SMTP settings, click . Update

Enter the following SMTP server information in the SMTP Settings section:

Host: The SMTP server's IP address or hostname.

Port: The SMTP server's connection port.

v3.13.0 81

4.

c.

d.

5.

6.

7.

8.

Enable SSL: If the SMTP server enables SSL, select this checkbox to allow Metadefender Core to send the quarantine report email via SSL.

Username/Password: The username and password for the SMTP server.

Click . Save

Move the Scheduled Quarantine Reports On/Off slide to . On

Enter which files to include, the quarantine schedule, and email information in the section. Schedule Quarantine Reports

Note: Separate multiple email addresses in the field with a comma or a semi colon.To

Click . Save

2.7. Filter CLI - Whitelisting/Blacklisting

Title Description Syntax

omsFilter - remove remove specific file from the lists remove <sha256>

v3.13.0 82

Title Description Syntax

omsFilter - list retrieve whitelist and blacklist list <type>

omsFilter - addtowhite

add the file to the whitelist addtowhite <path> <type>

omsFilter - addtoblack

add the file to the blacklist addtoblack <path> <type> <threat>

omsFilter - about Shows the info of the current version

about

omsFilterCLI.exe

C:\Program Files (x86)\OPSWAT\Metadefender Core 4>omsFilterCLI.exe Metascan(R) Filter Command Line Utility 3.12.3.28579 (C) OPSWAT, Inc. 2002-2016 Command Description ------- ----------------------------------- addtoblack <path> <type> <threat> add the file to the blacklist addtowhite <path> <type> add the file to the whitelist remove <sha256> remove specific file from the lists list <type> retrieve whitelist and blacklist about shows the info of the current version Arguments Description ---------- ------------------------------------- <type> 0: all, 1: archive library, 2: engines <threat> Name of threat for reference <path> Absolute file path

v3.13.0 83

omsFilter - about

Syntax about

Description Shows the info of the current version

about

C:\Program Files (x86)\OPSWAT\Metadefender Core 4>omsFilterCLI.exe about Metascan(R) Filter Command Line Utility 3.12.2.28579 (C) OPSWAT, Inc. 2002-2016

omsFilter - addtoblack

Syntax addtoblack <path> <type> <threat>

Description add the file to the blacklist

addtoblack

C:\Program Files (x86)\OPSWAT\Metadefender Core 4>omsFilterCLI.exe addtoblack C:\Files\200\10.txt 0 sampleThreatNameFile 'C:\Files\200\10.txt' successfully added to blacklistRestarting Metascan is required for changes to take effect

omsFilter - addtowhite

Syntax addtowhite <path> <type>

Description add the file to the whitelist

addtowhite

C:\Program Files (x86)\OPSWAT\Metadefender Core 4>omsFilterCLI.exe addtowhite C:\Files\200\10001.txt 0

v3.13.0 84

File 'C:\Files\200\10001.txt' successfully added to whitelistRestarting Metascan is required for changes to take effect

omsFilter - list

Syntax list <type>

Description retrieve whitelist and blacklist

list

C:\Program Files (x86)\OPSWAT\Metadefender Core 4>omsFilterCLI.exe list 0 <list><black_list><object><sha256_hash>1C403526E3A858775C88D113DF46ECEA85269964</sha256_hash><filter_type>0</filter_type><threat_name>Archbomb.ZIP trojan</threat_name></object><object><sha256_hash>753690994A18CF58ED0FE3749D16448B763047B8</sha256_hash><filter_type>0</filter_type><threat_name>Archbomb.ZIP trojan</threat_name></object><object><sha256_hash>75F2667CCACCE7C7947C186DCA5029FFEE720C01</sha256_hash><filter_type>0</filter_type><threat_name>Archbomb.ZIP trojan</threat_name></object><object><sha256_hash>541DF8E3BD1A55BCF3DC9839A0A1BBB7E7737EB7</sha256_hash><filter_type>0</filter_type><threat_name>Archbomb.ZIP trojan</threat_name></object><object><sha256_hash>12CF28C37E9BC65D67F30ED24154D1DE4503D7BD</sha256_hash><filter_type>0</filter_type><threat_name>Archbomb.ZIP trojan</threat_name></object><object><sha256_hash>54E65A7B23E3E5C3771C041BFA3198E877015925</sha256_hash><filter_type>0</filter_type><threat_name>Archbomb.ZIP trojan</threat_name></object><object><sha256_hash>C2AAB6A66924B29828C52E27AF9E8A8038E54EE0</sha256_hash><filter_type>0</filter_type><threat_name>yoda</threat_name></object></black_lis

v3.13.0 85

t><white_list></white_list></list>

omsFilter - remove

Syntax remove <sha256>

Description remove specific file from the lists

Version supportedSupported in Core version 3.12.3+

removefromblack

C:\Program Files (x86)\OPSWAT\Metadefender Core 4>omsFilterCLI.exe remove D7B0FD22C8741846EC35E43B224DED709A9A5E558BA6536F9CAC0BA5BB608658 File with hash of 'D7B0FD22C8741846EC35E43B224DED709A9A5E558BA6536F9CAC0BA5BB608658' successfully removedRestarting Metascan is required for changes to take effect

2.8. Advanced Configuration Options

CORS Configuration

You can harden the Metadefender Core's cross-origin resource sharing (CORS) configuration to only allow access from a restricted list of systems.

The following edits can be made in C:\Program Files (x86)\OPSWAT\Metadefender Core X\REST\Web\web.config.

To restrict access to the local system, the line

<add name="Access-Control-Allow-Origin" value="*"/>

can be changed to

v3.13.0 86

1.

2.

3.

4.

<add name="Access-Control-Allow-Origin" value="http://localhost"/>

Then add a new rule to <system.webServer><rewrite><outboundRules>

<rule name="Allow CORS on specify ip/subnet" > <match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern=".+" /> <conditions> <add input="{REMOTE_ADDR}" pattern="^(192.168.200.*|192.168.201.102)$" /> </conditions> <action type="Rewrite" value="*" /></rule>

Enabling HTTPS

By default, communication with the RESTful web server is not encrypted. By setting up an HTTPS server, the server can enforce secure connections between client and server on an SSL channel. Steps to configure IIS Express to host an HTTPS server are outlined in the sections below.

Requirements

To enable HTTPS, you must install a trusted certificate issued by a certificate authority OR a self-signed certificate used for development testing. The procedures detailed below cover how to install self-signed server certificate.

To install a CA (Certificate Authority) signed server certificate, go to Microsoft's TechNet website. If you enable HTTPS and are using a self-signed Install a Server Certificate

certificate, you MUST install the self-signed certificate.

Overview

The following high-level steps are covered on this page.

Obtain a certificate (we will use self-signed certificate in this documentation).

Install the certificate.

Configure IIS with HTTPs.

Restart Metadefender REST service.

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a2f35fcd-d3b6-4f39-ba93-041a86f7e17f.mspx?mfr=true

v3.13.0 87

1.

2.

a.

1.

2.

3.

a.

b.

c.

1.

Generating a self-signed certificate

For Windows 8.1, Windows 2012 or newer

open Powershell as administrator

run New-SelfSignedCertificate -DnsName {DNS_NAME} -CertStoreLocation Cert:\LocalMachine\My\

replace {DNS_NAME} with the DNS name of your server

For Windows 7 or Windows 2008

Download Microsoft Windows SDK for Windows 7 and .NET Framework 4

You only need to install .NET Development → Tools

From an administrator command line navigate to the SDK install dir and run makecert.exe

cd "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\x64\makecert.exe"

makecert.exe -n "CN={DNS_NAME}" -a sha256 -sr LocalMachine -ss MY -r

replace {DNS_NAME} with the DNS name of your server

Installing the certificate

Install Certificate from a command prompt run certutil -store MY

v3.13.0 88

1.

2.

1.

2.

3.

4.

1.

2.

3.

Copy the Cert Hash from the certificate that has Issuer: CN={DNS_NAME}. Edit the hash so that it does not have spaces (e.g., ef8a0fc5620b621a54fb367f1e7ee45e1ba6d006).

Create a new GUID at (e.g., https://www.guidgenerator.com/online-guid-generator.aspx{CDA52389-5954-44C2-8CF0-38062D1572F8}).

Open a command prompt.


netsh http add sslcert ipport=0.0.0.0:443 appid={<guid retrieved from previous step>} certhash=<certificate thumbprint retrieved from previous step>

Confirm that the SSL Certificate is successfully added, as indicated by the example below.

Enabling HTTPS on IIS Express

The following procedure enables HTTPS on IIS Express.

Open the <Metadefender Core installation directory>\REST\Config folder (e.g., C:\Program Files (x86)\OPSWAT\Metadefender Core X\REST\Config).

Open the applicationhost.config file in a text editor.

https://www.guidgenerator.com/online-guid-generator.aspx

v3.13.0 89

3.

a.

4.

5.

6.

Go to the <sites> tag and change metascan_rest website binding to HTTPS as shown in the example below. This port cannot be in use by any other application.

Original New

<bindings>  <binding protocol="http" bindingInformation=":8008:"/></bindings>

<bindings>  <binding protocol="https" bindingInformation=":443:"/> </bindings>

If you are also going to install Metadefender SFT on the same machine and will also be configuring this for HTTPS as well ( ), please make sure 4.6. Enable HTTPSto include a domain in bindingInformation in Step 3 above. For example: bindingInformation=":443:localhost"

Save and close the ‘applicationhost.config’ file.

Restart the service 'Metascan REST'.

Test that the site works by going to . The following webpage should be https://localhostdisplayed:

https://localhost/

v3.13.0 90

7.

1.

2.

Click . Continue to this website

Enabling HTTPS for Quarantine

Perform these steps only if Metadfender Core has been configured to exclusively use HTTPS (Step 4 in section 'Enabling HTTPS on IIS Express').

Navigate to the Quarantine folder (by default, this is C:\Program Files (x86)\OPSWAT\Metadefender Core X\Metascan Quarantine).

Open Metadefender.Quarantine.Service.exe.config in a text editor and change the following section leaving the replace value with what is on the original. *DNS_or_IP*

Original New

<setting name="RestBaseUrl" serializeAs="String"> <value>http://*DNS_or_IP*:8000</value></setting><setting name="QuarantineBaseUrl" serializeAs="String"> <value>http://*DNS_or_IP*:8000</value></setting>

<setting name="RestBaseUrl" serializeAs="String"> <value>https://*DNS_or_IP*</value></setting><setting name="QuarantineBaseUrl" serializeAs="String"> <value>https://*DNS_or_IP*</value></setting>

v3.13.0 91

2.

3.

1.

2.

Original New

<setting name="QuarantineProtocol" serializeAs="String"> <value>REST</value></setting><setting name="MetascanUrl" serializeAs="String"> <value>http://*DNS_or_IP*:8008/metascan_rest/</value></setting><setting name="WebBaseUrl" serializeAs="String"> <value>http://*DNS_or_IP*:8008/management/#</value></setting>

<setting name="QuarantineProtocol" serializeAs="String"> <value>REST</value></setting><setting name="MetascanUrl" serializeAs="String"> <value>https://*DNS_or_IP*/metascan_rest/</value></setting><setting name="WebBaseUrl" serializeAs="String"> <value>https://*DNS_or_IP*/management/#</value></setting>

Restart the service 'Metadefender Quarantine'.

Enabling HTTPS for Mail Agents

Perform these steps only if:

Metadfender Core has been configured to exclusively use HTTPS (Step 4 in section 'Enabling HTTPS on IIS Express').

Mail Agent has been installed before switching to HTTPS. Any Mail Agent package downloaded from Metadefender Core after applying HTTPS will automatically have the correct configuration settings.

If you use a self-signed certificate and have deployed Mail Agent on other servers than the MD Core server, you must also complete steps 1-27 in the section 'Trusting local or remote self signed security certificate' on each Mail Agent server.

Navigate to the Metadefender Mail agent folder (by default, this is C:\Program Files (x86)\OPSWAT\Metadefender Mail Agent).

v3.13.0 92

2.

3.

4.

a.

b.

Open Metadefender.Email.Engine.Service.exe.config in a text editor and change the following section, replacing with your Mail Agent server's *DNS_or_IP_of_Mail_Agent*real DNS hostname or IP address and with your *DNS_or_IP_of_MD_Core*Metadefender Core server's real DNS hostname or IP address.

Original New

<setting name="RestBaseUrl" serializeAs="String"> <value>http://*DNS_or_IP_of_Mail_Agent*:8000</value></setting><setting name="QuarantineBaseUrl" serializeAs="String"> <value>http://*DNS_or_IP_of_MD_Core*:8000</value></setting><setting name="QuarantineProtocol" serializeAs="String"> <value>REST</value></setting><setting name="MetascanUrl" serializeAs="String"> <value>http://*DNS_or_IP_of_MD_Core*:8008/metascan_rest</value></setting>

<setting name="RestBaseUrl" serializeAs="String"> <value>https://*DNS_or_IP_of_Mail_Agent*</value></setting><setting name="QuarantineBaseUrl" serializeAs="String"> <value>https://*DNS_or_IP_of_MD_Core*</value></setting><setting name="QuarantineProtocol" serializeAs="String"> <value>REST</value></setting><setting name="MetascanUrl" serializeAs="String"> <value>https://*DNS_or_IP_of_MD_Core*/metascan_rest</value></setting>

Restart the service 'Metadefender Generic Mail Agent'.

If the Mail Agent is installed on an Exchange Server, complete the following steps:

Open Metadefender.Email.Engine.Exchange[version].dll.config in a text editor and change the 'RestBaseUrl' setting to the same as above (https://*DNS_or_IP_of_Mail_Agent*).Note: Modify the configuration file that corresponds to your Exchange Server version. For Exchange Server 2016, the 2013 file is used.

Restart the service 'Microsoft Exchange Transport'.

v3.13.0 93

1.

2.

3.

4.

Trusting local or remote self signed security certificate

If you use a self-signed certificate you must follow these steps for Metadfender to work as expected.

if you are using this guide on the local computer you should access and install the certificate from the DNS address (e.g. https://frosty7c/)

Open Internet Explorer and access the Metadefender Core dashboard (e.g. https://frosty7c/)

Click Continue to this website

Click certificate error

Click view certificates

v3.13.0 94

4.

5.

6.

7.

Click Install Certificate...

Select either Current User or Local Machine and click next

Select "Place all certificates in the following store" and click browse

v3.13.0 95

7.

8.

9.

10.

11.

12.

13.

Select "Trusted Root Certification Authorities" and Click OK

Select Next then select Finish

Restart your Internet Explorer and navigate to the same page again

You should now see a locked lock instead of certificate error

Run certmgr.msc

Select Trusted Root Certification Authority → Certificates

v3.13.0 96

13.

14.

15.

16.

17.

18.

19.

20.

Right click the DNS name → All Tasks → export

Click Next → Next →Browse

Choose anywhere to save the certificate and hit save

Click Next→finish

Run mmc

File → add/remove Snap-in

Select Certificates and click add

v3.13.0 97

20.

21.

22.

23.

24.

Select Computer account and hit next

Click finish then click ok

Select Trusted Root Certification Authority → Certificates

v3.13.0 98

24.

25.

26.

27.

Right click certificates → all tasks → Import

Click next

Select the file you created previously

Click next->next→finish

Engine Specific Configuration

Configuration specific to each built-in engine should be done via the configuration file: omsConfig.ini. This file is located in the directory where Metadefender Core is installed. The following table shows which configurations are available for each engine.

Important: The Metadefender Core service must be restarted to apply any changes.

Heuristic scan / extract archive

Some engines allow you to scan files using heuristics, which can detect viruses that are not yet in the engine’s virus definition database. Enabling heuristic scanning for engines increases detection of potential new viruses, but also increases the false positive rate.

v3.13.0 99

Note: Enabling heuristic scanning can also increase the engine's scan time.

Engine [CATEGORY] Configuration [ATTRIBUTE] Value

Ahnlab [ahnlab] Heuristic scan [heuristic_scan] 1: Enable

0: Disable

No entry: default levelArchive library [extract_archive]

AVG [avg] Heuristic scan [heuristic_scan]

Archive library [extract_archive]

Avira [avira] Heuristic scan [heuristic_scan]


Bitdefender [bitdefender] Archive library [extract_archive]

Clam AV [clamav] Heuristic scan [heuristic_scan]


Emsisoft [emsisoft] Heuristic scan [heuristic_scan]


v3.13.0 100

ESET [eset] Heuristic scan [heuristic_scan]


F-Prot [f-prot] Heuristic scan [heuristic_scan]


Ikarus [ikarus] Archive library [extract_archive]

K7 [k7] Heuristic scan [heuristic_scan]


Kaspersky [kaspersky] Heuristic scan [heuristic_scan]


McAfee [mcafee] Heuristic scan [heuristic_scan]


NANOAV [nanoav] Heuristic scan [heuristic_scan]


nProtect [nprotect] Heuristic scan [heuristic_scan]

Quick Heal [quickheal] Heuristic scan [heuristic_scan]


Sophos [sophos] Heuristic scan [heuristic_scan]


Vir.IT eXplorer [vir.itexplorer] Archive library [extract_archive]

v3.13.0 101

Engine [CATEGORY] Configuration [ATTRIBUTE] Value

Total Defense [totaldefense] Heuristic scan [heuristic_scan]


Zillya! [zillya!] Heuristic scan [heuristic_scan]


Import/Export from Command Line

Import/export configuration

You can import and export your Metadefender Core configuration using the omsConfig.exe command line utility. This can be useful for preserving configurations during an upgrade or when deploying multiple Metadefender Core installations with the same configuration.

Help

Syntax: help

This function prints the available command line options.

Import

Syntax: import <full file path> [<option>]

This command imports configurations from a file. All settings will take effect after a restart of the Metadefender Core services.

Export

Syntax: export <directory> [<option>]

This command exports current configurations to a file.

Options

The following argument can be used with the import and export commands.

v3.13.0 102

Option Description

/pass Password to encrypted & extract configuration.

Post Action Script

Using Post Action Script is not recommended. If you plan to use post action script, please contact OPSWAT Technical Support to see if there are different ways of achieving the same goal. For example, if you want to copy files after scan, use the Workflow - copy to directory feature instead.

Running scripts on clean/infected files

Creating a post action script provides the capability to handle simple or advanced application logic. Once a file is scanned by engines, the script will be executed on a file based on scan results.

XML format for post action script

<post_action> <scripts> <if type="[scan result]">[script]</if> … <if type="[scan result]">[script]</if> </scripts> <user_vars> <user_var name="[user variable]">[user variable string]</user_var> … <user_var name="[user variable]">[user variable string]</user_var> </user_vars></post_action>

Item Description Example

[script] Batch script supported by cmd.exe. For multiline scripts,use “&&”. (“&&” for xml)

DEL c:\eicar.com

http://eicar.com

v3.13.0 103

Item Description Example

[scan result]

Refer to asynchronous scan API in Software Developer Guide

for clean files,

0

[user variable]

Variables that you define data_folder

[user variable string]

Value for user variables C:\ data_folder_for_archiving

Pre-defined variables

Variables Description Note

%%%file_path%%% Absolute path to the file to be scanned.

This variable is supported only on local COM scans.

%%%threat_name%%%

Name of threats found by engines.

Applies only to infected(“1”) scan result.

%%%scan_finished%%%

The time when scan is finished.

Applying post action script

Property Name

post_action

Description XML-formatted scripts applied per scan result with support of pre-defined variables and user-defined variables.

CLI omsCmdLineUtil.exe config pa=<xml file path>

Management Console

On the Metadefender Core Management Console, use only the script in the text box, instead of the XML format for Post Action Script described in the above section.

v3.13.0 104

Property Name

post_action

Remark Any character that has special meaning to XML (e.g., &, <, >) must be escaped.

Example of post action script XML

Note: In the following examples, any variable surrounded with %%% that is not already defined in pre-defined variables, need to either be defined in your post action XML or replaced with the actual values you intend to use.

Moving clean file and infected files to different folder

<post_action> <scripts> <if type="0">move %%%file_path%%% c:\archive_data\clean</if> <if type="1">move %%%file_path%%% c:\archive_data\infected</if> </scripts></post_action>

Uploading infected file to ftp server

<post_action>

v3.13.0 105

1.

2.

<scripts> <if type="1">echo OPEN %%%server%%%> ftp.scr&&echo %%%username%%%>> ftp.scr&&echo %%%password%%%>> ftp.scr&&echo cd test_post_action>> ftp.scr&&echo put %%%file_path%%%>> ftp.scr&&echo CLOSE>> ftp.scr&&echo quit>> ftp.scr &&ftp -s:ftp.scr </if> </scripts> <user_vars> <user_var name="server">127.0.0.1</user_var> <user_var name="username">ftp_user</user_var> <user_var name="password">1234abcd</user_var> </user_vars> </post_action>

RAM Disk Configuration

Overview

You can configure the RAM Disk (or RAM Drive) from the Windows device property dialog box.

The RAM Disk turns a chunk of your system’s RAM into a disk drive. The RAM Disk is more secure than a fixed disk because the contents of the disk will be wiped clean on a system reboot. It provides speed optimization because the AV scanners being used do not have to fetch the data from a physical disk. The file is already stored in RAM.

Below are two use cases:

Temporary directory for extracting archive files before scanning

Set the temp_dir property of Metadefender Core to RAM Disk

As a temp directory for your application

You could use the RAM Disk if your application accepts files which are uploaded by your customers and you want to perform some temporary actions on that content before scanning.

RAM Disk as Temporary Directory

When you use the RAM Disk as a temporary directory, Metadefender Core uses this directory for the following purposes:

Extracting archive files (when “internal_archive_lib” is set to “1” (true))

v3.13.0 106

1.

2.

3.

Writing data to a file in this directory if using any of the Metadefender Core Buffer (stream) APIs

If the buffer is bigger than the available RAM Disk space, scan APIs will return Note:E_FAIL.

If the RAM Disk is used as the primary temp directory, the maximum extracted archive file size will be half the size of the RAM Disk for a single archive. If an archive exceeds that size, an error will be returned unless a secondary temp file is configured. If a secondary temp file is configured, then the archive will use it to extract the archive. The size of the secondary temp files is always half the available space on the drive.

Device Property

In order to change the RAM Disk properties, open the Device Manager using the following steps:

Go to and enter devmgmt.msc, and then press .Start > Run Return

Select the category.Ram Drive

Right-click on OPSWAT Secure RAM Disk and select .Properties

v3.13.0 107

1.

2.

REST Server Configuration

Enabling IIS Logging

By default, Internet Information Services (IIS) logging is disabled in the Metadefender Core REST server. In order to enable IIS logging, please follow these steps:

Go to the the REST\Config folder inside Metadefender Core's installation directory and open the applicationhost.config file. For example: C:\Program Files(x86)\OPSWAT\Metadefender Core X\REST\Config\applicationhost.config.

v3.13.0 108

2.

1.

2.

1.

2.

3.

Uncomment these 2 properties in the applicationhost.config file.

<! -- <add name="HttpLoggingModule" image="%IIS_BIN%\loghttp.dll" /> --><! -- <add name="HttpLoggingModule" lockItem="true" /> -->

Restart the Metadefender Core REST server using the following steps:

Using the Windows Control Panel:

Go to and click . (In Windows 10, open the Start > Administrative Tools ServicesControl Panel and click > and then double-System and Security Administrative Toolsclick .) Services

In the Services panel, right-click on Metascan REST Service and click . Start

Using the command line:


To stop the service, execute the ‘net stop omsrest’ command.

To restart the service, execute the ‘net start omsrest’ command.

Load Balancing With Multiple Instance

When multiple instances of Metadefender Core are serving multiple clients with higher load than one Metadefender Core can handle, clients should make progress (file\<data_id>) on a specific server. Setting this value results in initial file upload response to provide rest_ip information so that the client can make follow up requests to this specific server. You can configure this in the Metascan registry key (HKEY_LOCAL_MACHINE\SOFTWARE \OPSWAT\Metascan on x86, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OPSWAT\Metascan on x64).

String value Value Description

rest_ip integer <IP address or URL> that client uses

v3.13.0 109

Storing File on the REST server

The server can be configured so that any data requested for scanning can be stored. This should be configured on the Metascan registry key (HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\Metascan on x86, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OPSWAT\Metascan on x64). You must restart the Metadefender Core REST service after this key has been updated for the change to take effect.

String value Value Description

rest_filedb_type NONE or mongoDB

Set to mongoDB to enable storing files, the default is NONE. This key does not exist by default and must be created on the Metadefender Core system.

rest_store_file 0 or 1 Set to 1 to enable storing files, the default is 0.

Enabling storing files on the server side will consume disk space rapidly, depending on the load. Sufficient disk space must be apportioned according to the load. You can monitor disk space usage on the management console dashboard.

2.9. Non-Workflow Configuration (Deprecated)

Caching and ScanEx configurations are no longer recommended by OPSWAT, but may be used under certain circumstances. Please contact OPSWAT customer support (https://www.

) before using one of these methods.opswat.com/support#support-levels

There is no caching needed in the workflow API, because each process request is treated as new. There are a lot data processing in the workflow (e.g., file analyze, data sanitization, etc.). The workflow covers all ScanEx functions as well.

Caching

The caching configuration determines the size and behavior of the Metadefender Core scan result cache. The cache allows Metadefender Core to return results from a previous file scan with Metadefender Core if those scan results were cached and have not yet expired. Caching can only be configured through omsCmdLineUtil.exe.

The following settings apply if caching is enabled:

https://www.opswat.com/support#support-levels


v3.13.0 110

1.

2.

3.


CLI config

Enable Caching

This enables Metadefender Core's scan result caching. Disabled cs=<0|1>

Reset cache on engine update

Specifies whether the cache should be reset (and all cached results discarded) whenever there has been an engine definition update.

Disabled rc=<0|1>

Cache Expiration

Specifies how long (in hours) cached results remain available after a scan. After this time the cached results will be deleted.

72 hours kc=<time in seconds>

Maximum Cache Size

The maximum size of the cache in RAM. This is only the amount of space required to store the cached scan results, not the files themselves.

100 MB ms=<size in MB>

To manually reset the cache, do the following.

Stop the Metadefender Core service (net stop metascan).

Delete the cache database (<installation directory>\Data\omsCK_KN.db3).

Restart the Metadefender Core service (net start metascan).

ScanEx Configuration

This configuration is used when calling the Metadefender Core APIs that do not use the Metadefender Core workflows, and only scan files. This includes files scanned through Metadefender Core's ICAP interface, files scanned with Metascan Client, files scanned through the Java API, and the sample code provided on the OPSWAT Portal.

Archive handling

The archive handling configuration options determine how archives are handled.

If archive handling is enabled, Metadefender Core will extract archives and scan the individual files within the archive.

v3.13.0 111

Most common archive formats are supported, including 7z, XZ, BZIP2, GZIP, TAR, ZIP, WIM, ARJ, CAB, CHM, CPIO, CramFS, DEB, DMG, FAT, HFS, ISO, LZH, LZMA, MBR, MSI, NSIS, NTFS, RAR, RPM, SquashFS, UDF, VHD, WIM, XAR and Z. Metadefender Core can also extract self-extracting archives created by both 7zip and WinRAR.

The following settings apply if archive handling is enabled:



Enable Archive

This enables Metadefender Core's archive library handling.

Enabled le=<0|1>

Max Recursion Level

The maximum depth that Metadefender Core will continue to extract archives for scanning. Once this depth is reached, Metadefender Core will not extract further archives but will scan those archives as entire files. If this is set to 0, archives will not be extracted.

5 rl=<levels> Maximum value: 2147483646

Number of Files

The maximum number of files that can be in an archive that Metadefender Core is extracting. If the number of files in an archive exceeds this value, Metadefender Core will return the result as a potential threat.

50 an=<number> Maximum value: 2147483646

Total Size 2 GB

v3.13.0 112



The maximum total size of files that can be in an archive that Metadefender Core is extracting. If the total size of files in an archive exceeds this value, Metadefender Core will return the result as a potential threat.

as=<size in MB>

Maximum value:

Half the current available free space of the Metadefender Core temporary directory.

If two temporary directories are set from different drives, the highest available space will be used.

Simultaneous Specifies if multiple archive files undergo extraction concurrently. This may improve performance on a multi-core CPU, but means that the RAM-drive size should be increased (since more unpacked archives may reside on it at the same time).

Disabled ec=<0|1>

Self-Extracting

Specifies if self-extracting archives should be extracted and treated as archives

Disabled sx=<0|1>

Disabled soa=<0|1>

v3.13.0 113



Scan Original Un-extracted File

In addition to scanning files inside of an archive after extraction, un-extracted archives are sent directly to engines for scanning.

Note: If “extract_archive” for an engine is enabled, this potentially exposes performance overhead since extraction happens twice, once by Metadefender Core and once by the engine.

Note: DOCX and DOCM files can be detected as archive files. OPSWAT recommends that the option to scan the original un-extracted archive is enabled so that these files are properly scanned.

Post processing configuration

The Post Processing configuration allows an administrator to specify a script that should be executed for all allowed and/or blocked files. By clicking on ‘Run custom command line script’, a message can be put in place for both infected and clean files.

An administrator can also choose to delete or quarantine infected files.

v3.13.0 114

3. Data Sanitization (CDR)

What is Data Sanitization?

An increasingly popular and effective method of compromising computer security, especially as part of a targeted attack, involves sharing common document types or image files with victims. Even though the original versions of these files do not contain executable data, attackers have found ways to trigger these files to execute embedded malicious code. Popular techniques used to accomplish this include VBA macros, exploit payloads, and embedded Flash or JavaScript code. This type of attack has a high success rate because most users don’t expect common file types to contain infections. For high-risk files or scenarios, Data Sanitization, also known as Content Disarm & Reconstruction (CDR), prevents any possibility of malicious content (including zero-day threats) from executing. High-risk files can be sanitized through several different methods:

Removing hidden exploitable objects (scripts, macros, etc.)

Converting the file format

Supported File Types

Source File Type Target Sanitized Types

doc doc, pdf

xls xls, pdf

ppt ppt, pdf

rtf rtf

docx docx, txt, html, pdf, ps, jpg, bmp, png, tiff, svg

xlsx xlsx, csv, html, tiff, pdf, ps, jpg, bmp, png, svg

pptx pptx, pdf

htm/html html, pdf, ps, jpg, bmp, png, svg

v3.13.0 115

Source File Type Target Sanitized Types

pdf pdf, html, svg, jpg, bmp, png, tiff, txt

jpg jpg, bmp, png, tiff, svg, gif, ps, eps, pdf

bmp bmp, jpg, png, tiff, svg, gif, ps, eps, pdf

png png, jpg, bmp, tiff, svg, gif, ps, eps, pdf

tiff tiff, jpg, bmp, png, svg, gif, ps, eps

svg jpg, bmp, png, tiff, gif, ps, eps

gif jpg, bmp, png, tiff, svg, ps, eps, pdf

Single Output File or Multiple Output File

If target contains only one file, it will be not zipped and treat as single output file. For example, If a PDF file has only one page, converts to JPG will be JPG. If a PDF file has more than one page, there will be multiple JPG files and will result in a ZIP file. The following sanitization result in potentially multiple files (single ZIP file).

PDF->HTML

PDF->IMG

DOCX→HTML, IMG

XLSX->HTML, CSV, IMG

PPTX→HTML, IMG

Data Sanitization is only available on Windows OS.

v3.13.0 116

Data Sanitization Performance (speed)

Disclaimer: We do not guarantee same performance in your own environment. Performance can vary significantly depending on datasets and systems used when running the tests. The sole purpose of this section of the User Guide is to provide a high-level indicator of performance impact when enabling sanitization in your business logic.

System Info

RAM : 2GB

CPU: 2 core

OS: Windows Server 2008 x64

Harddisk: HDD

Resources

Dataset : 2000~5000 samples for each file type.

Metadefender Core version

v3.x: Metadefender Core v3.12.2.29144

v4.x: Metadefender Core v4.4.0.173-1

Configuration

Disabled multi-scanning

Test result

Sanitization Path AVG time (s) with Core v4.x AVG time (s) with Core v3.x

DOC->DOC 0.09 0.13

XLS->XLS 0.80 0.35

PPT->PPT 2.02 3.05

XLSX→XLSX 0.27 0.25

v3.13.0 117

Sanitization Path AVG time (s) with Core v4.x AVG time (s) with Core v3.x

DOCX→DOCX 0.11 0.22

PPTX→ PPTX 0.38 0.76

RTF->RTF 0.31 0.18

PDF->PDF 0.52 0.66

JPG->JPG 0.72 0.87

TIFF->TIFF 1.13 1.40

GIF->JPG 0.41 0.46

SVG->JPG 0.20 0.48

BMP->JPG 0.39 0.48

PNG->JPG 0.32 0.34

HTML->PDF 5.84 5.44

Preventing Unknown Threats

In this section, we describes the details how threats are being prevents with the details what hidden objects are being removed during sanitization. For same file type sanitization, this is customizable via configuration file which objects to be removed. For example, you can configure to remove macro while keeping hyperlinks. We have only documented subset of popular threats that sanitization can prevents.

file type

(supported) potential threats

configuration sample

doc OLE Objects

[X2X]remove_macro=1

embedded eicar

infected image

infected macro

https://www.metadefender.com/#!/results/file/ZTE2MTIxNFN5Wm81eElrRWdTa01vY2dVSjR4/document/analysis

https://www.metadefender.com/#!/results/file/ZTE2MTIxNUh5VTB1Y3RrRWxyeXYwZGNGeUVs/document/analysis

https://www.metadefender.com/#!/results/file/ZTE2MTIxNUJKSWcyVjVGSjR4SDF3ZzNWcXRKTng/document/analysis

v3.13.0 118

file type



Crafted Embedded Multimedia

Macros

Embedded Objects

Script enabled ActiveX Controls

Crafted Images

Hyperlink

Chart

remove_embedded_object=1remove_hyperlink=1process_image=1

remove_macro will remove javascript and document open action

remove_embedded_object will remove all embedded objects in file

include: attachments, embedded files, activeX, ole object ...

CVE-2013-1331 crafted image

CVE-2012-0158 ActiveX control

xls infected embedded object

infected macro

ppt infected embedded object

infected image

https://www.metadefender.com/#!/results/file/ZTE2MTIxOUhrQ3hwR05PQkVsSHl5WmFmVl9CVmc/document/analysis

https://www.metadefender.com/#!/results/file/ZTE2MTIxOUhrQ3hwR05PQkVsSHl5WmFmVl9CVmc/document/analysis

https://www.metadefender.com/#!/results/file/ZTE2MTIxOUJ5RnRuU3RITmdTa2NGbkhZck5s/document/analysis

https://www.metadefender.com/#!/results/file/ZTE2MTIxOUJ5RnRuU3RITmdTa2NGbkhZck5s/document/analysis

https://www.metadefender.com/#!/results/file/ZTE2MTIxNUhrQmZTYjZrRXhySklHQldweTR4/document/analysis



https://www.metadefender.com/#!/results/file/ZTE2MTIxNXIxN2xkVlp0MVZ4U2tObE80LXRKVng/document/analysis

https://www.metadefender.com/#!/results/file/ZTE2MTIxNXJ5WHB6TDlrNGVIa0U2ZlVxMVZl/document/analysis



https://www.metadefender.com/#!/results/file/ZTE2MTIxNVN5aDIyVTl5NGxIeWFoaFU1Sk5l/document/analysis

v3.13.0 119

file type



rtf Embedded object

Embedded html

No configuration embedded eicar

infected embedded html code

docx Macro

Embedded objects

OLE Objects

attachment

embedded binary file

script enabled ActiveX Controls

Chart (not support for xlsx)

Crafted Images

Hyperlink

Timing node (pptx only)

[X2X]remove_macro=1remove_embedded_object=1remove_hyperlink=1process_image=1


remove_embedded_object will remove all embedded objects in file included: attachments, embedded files, ...

infected macro

embedded eicar

infected active X control

infected image

xlsx embedded eicar

infected image

infected macro

pptx embedded_eicar

infected image

infected macro

https://www.metadefender.com/#!/results/file/ZDE2MTIxNEh5WGdGZk1MeVZ4cms0ZXRHZlVrTmU/document/analysis

https://www.metadefender.com/#!/results/file/ZDE2MTIxNEJrTlZnNzhKNHhISlNWZ21MeUV4/document/analysis



https://www.metadefender.com/#!/results/file/YTE2MTIxNVMxd0N6Q1VrVnhySk9BekE4eUVl/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNUhKZWxaX1RMSkVnckpiZVdPYUxrRWc/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNXJKU0JoQVV5RWxTa0xCbkNMSkVs/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNXJKU0JoQVV5RWxTa0xCbkNMSkVs/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNUIxcmVBYVVrNGVTSkllQWE4Sk5s/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNVNKd0k5czVKRWxyeWRJY2pxMUVs/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNVN5bWd5MWhjMVZsQjFFZ2t5aDlrVmc/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNUhKLWFoNG9rTnhIa3pUM1ZveVZl/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNVMxamJwbHYxVmxTeTJiNmVQMUVl/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNVMxZWxqeWd2Sk5scjFaZ3MxbHYxRXg/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNVN5c0EybjUxVmxTa24wbmg1Sk5n/document/analysis

v3.13.0 120

file type



infected timing node

htm/html

Scripts

Forms

Frames

Comments

Images

Embedded Objects

Embedded Java applets

Href

[html2html]remove_script=1remove_object=1remove_applet=1remove_form=1remove_comment=1remove_iframe=1process_tags=2

process_tags has value: 0|1|2;0: do nothing;1: Ex1: Please click <a href="<script>....</script>">here</a> => Please click here ;Ex2: Please click <a href="https://www.opswat.com">https://www.opswat.com</a> => Please click https://www.opswat.com ;Ex3: Please click <a href="https://www.opswat.com">here</a> => Please click here (https://www.opswat.com);2: remove "href" attribute

iframe

form

comment

PDF Hyperlink

Actions/Java Script

Annotation

[pdf2pdf]remove_macro=1remove_embedded_object=1

infected javascript

https://www.metadefender.com/#!/results/file/YTE2MTIxNVMxOC12QTUxTnhISndiRDBxMTRs/document/analysis

https://www.metadefender.com/#!/results/file/YTE2MTIxNVMxOC12QTUxTnhISndiRDBxMTRs/document/analysis

https://www.metadefender.com/#!/results/file/ZDE2MTIxNUIxTGpBbGgxRWVCa0RzQWcyMU54/document/analysis

https://www.metadefender.com/#!/results/file/ZDE2MTIxNUhrMkEtbG95NGdIa3BSLWxveVZs/document/analysis

https://www.metadefender.com/#!/results/file/ZDE2MTIxNUJKNm5FZ2kxVnhTMUFoTmVvSk5l/document/analysis

https://www.metadefender.com/#!/results/file/cDE2MTIwOEhrUEJlcjM4UWdCMXVCZ3IyODds/document/analysis

https://www.metadefender.com/#!/results/file/cDE2MTIwOEhrUEJlcjM4UWdCMXVCZ3IyODds/document/analysis

v3.13.0 121

file type



Attachments

Forms/Fields

Multimedia Objects

Images

Embedded font

process_image=1remove_embedded_font=0


remove_embedded_object will remove all embedded objects in pdf file included: attachments, embedded files, ...

remove_embedded_font will remove all embedded fonts in pdf file; if enable, it will break the Hebrew or Arabic (non-English) content

PDF.Exploit.CVE-2008-2992.A

CVE-2010-0188

eicar attachments

jpg Embedded malicious code

HTML

PHP

JAVA script

exploit codes

No configuration HTML code in JPG

PHP code in JPG2

Exploit in BMP

PHP code in PNG

CVE-2010-0188 in TIFF

HTML code in GIF

JAVA script in SVG

Buffer Overflow CVE-2004-0200

bmp

png

tiff

gif

svg

https://www.metadefender.com/#!/results/file/cDE2MTIxNUgxdjBrdWhrRXhCSk9Da19oMUVs/document/analysis



https://www.metadefender.com/#!/results/file/cDE2MTIyMnJrWWxRQW5PTmdCMXFnUUNuXzRn/document/analysis

https://www.metadefender.com/#!/results/file/cDE2MTIxNUJrYmtZd25KNGxCSkxsRF9xaHlOeA/document/analysis

https://www.metadefender.com/#!/results/file/cDE2MTIxNUJrYmtZd25KNGxCSkxsRF9xaHlOeA/document/analysis

https://www.metadefender.com/#!/results/file/ZzE2MTIxNXIxWnRjZml5VmxyeUdLcWZpSjRn/document/analysis

https://www.metadefender.com/#!/results/file/ZzE2MTIxNXIxWnRjZml5VmxyeUdLcWZpSjRn/document/analysis

https://www.metadefender.com/#!/results/file/ZzE2MTIxNVNKb1NXUW8xRXhIeTNyYlhva1Zl/document/analysis

https://www.metadefender.com/#!/results/file/ZzE2MTIxNVNKb1NXUW8xRXhIeTNyYlhva1Zl/document/analysis

https://www.metadefender.com/#!/results/file/ZzE2MTIxNUJKblBFbWpKRWxyeTZQTlFzMVZs/document/analysis

https://www.metadefender.com/#!/results/file/ZzE2MTIxNUJrWmJ3N3NrTnhCeXotUFhzMTRl/document/analysis

https://www.metadefender.com/#!/results/file/ZzE2MTIxNUJrWmJ3N3NrTnhCeXotUFhzMTRl/document/analysis

https://www.metadefender.com/#!/results/file/ZDE2MTIxNVN5Y2dZN2lrTmVTMW94WVFzMUVn/document/analysis

https://www.metadefender.com/#!/results/file/ZDE2MTIxNVN5Y2dZN2lrTmVTMW94WVFzMUVn/document/analysis

https://www.metadefender.com/#!/results/file/ZzE2MTIxNVNKSGZBN28xNGdya1VHMDdpMU5s/document/analysis

https://www.metadefender.com/#!/results/file/ZzE2MTIxNVNKSGZBN28xNGdya1VHMDdpMU5s/document/analysis

https://www.metadefender.com/#!/results/file/ZDE2MTIxNUhrdmpaRW95NGxTeXVzVzRqMUVl/document/analysis

https://www.metadefender.com/#!/results/file/ZDE2MTIxNUhrdmpaRW95NGxTeXVzVzRqMUVl/document/analysis

https://www.metadefender.com/#!/results/file/ZzE3MDExMEJKTFJ3ZUNmSWVySndDUHhDR0xn/document/analysis

https://www.metadefender.com/#!/results/file/ZzE3MDExMEJKTFJ3ZUNmSWVySndDUHhDR0xn/document/analysis

v3.13.0 122

file type



The configuration is only available with Metadefender Core v3.x at this moment. For configuration change, it requires of restarting Metadefender service. You can locate the ini file under <Metadefender Core v3.x install directory>\omsDSConfig.ini

v3.13.0 123

1.

2.

3.

4.

5.

6.

4. Developer Guide

OPSWAT is committed to making the Metadefender Core API backward compatible to any older version of Metadefender Core. With the growing capabilities and features of Metadefender Core, it is necessary to add new APIs, new COM Connection Points, and new return types. When you upgrade your integration to Metadefender Core to a newer version, please keep the following factors in mind:

COM API integration in C/C++: By the design of COM, all Connection Points are required to be implemented in your application. Please check Metascan.idl for newly added Connection Points.

Beginning with Metascan 3.8.1, OPSWAT supports only using the JSON-based (v2) REST API and XML-based (v1) REST API is deprecated.

Building Custom Engines

You can develop your own custom engine integration. We provide documentation on how to do this as well as sample code in C & C#.

What you need to do

Install Metadefender Core 3.8.0 or newer.

Download the custom engine template package . This download includes the herefollowing templates:• Template for C custom engine (vc10)• Template for C# custom engine (vc10)

Obtain Metadefender Core custom engine handler (omsCEHandler.exe). This file is included in the template package's bin folder.

Implement the custom engine interface.

Build the custom engine library (DLL).

Deploy the custom engine library (DLL) with the Metadefender Core custom engine handler (omsCEHandler.exe).

https://portal.opswat.com/en/content/metadefender-core-sample-code

v3.13.0 124

Installation and configuration

This section covers the configuration of Metadefender Core in order to load and use your custom engine. The following properties must be defined and configured in the omsConfig.ini, located in the Metadefender Core installation directory.

Section or attribute Value Description

[custom_engine_***] Replace *** with a unique identifier for your engine. (e.g., [custom_engine_myav] or [custom_engine_mycompany])

A unique section name to group the settings for your custom engine. This section must be unique and begin with “custom_engine”. If you do not name the section appropriately, Metadefender Core will not detect your custom engine.

custom_engine_dir Absolute path to the directory. Do not end this path with a trailing separator.

e.g., c:\my Custom Engine AV

The directory where your custom engine binaries reside. At a minimum, this includes omsCEHandler.exe and the C interface DLL.

custom_unique_id 4-10 characters starting with “ce” prefix

e.g., ce01

This is used for communication between Metadefender Core and the omsCEHandler processes. If you have multiple custom engines, this must be unique for each engine.

custom_dll_name Custom engine DLL name

e.g., sampleCustomEng.DLL

The sample custom engine project generates “sampleCustomEng.DLL” by default, but you can modify as you wish.

custom_engine_type Numerical value

0 – Indicates the engine is a scan engine

support_multithread Numerical Value.

v3.13.0 125

Section or attribute Value Description

0 – No

1 – YesYou must set this attribute to 0 if your custom engine is not thread-safe. If you are not sure, set to 0.

Example

The following is an example of the properties that need to be configured for the omsConfig.ini file.

custom_engine_myavcustom_engine_dir= c:\my Custom Engine AVcustom_dll_name=sampleCustomEng.dllcustom_engine_type=0support_multithread=0custom_unique_id=ce01

When uninstalling or upgrading Metadefender Core

Any configuration pertaining to the custom engines will not be preserved if you uninstall and reinstall Metadefender Core. You must backup and then restore the following changes after your installation or upgrade is complete:

omsConfig.ini (changes made pertaining to the custom engines)

Any custom engine directories located under the Metadefender Core installation folder

C# Custom Engine Template

Title/API Function

NReloadDatabase This method provides a way for Metadefender Core to explicitly reload the definition database of the engine, especially for a malware engine. During this call, any requests to scan should return ‘Not Scanned.’ If there is no specific step required for reloading the database, it should still return "0" to indicate that the engine is ready.

NGetDefinitionInfo This method is used to retrieve additional attributes about the definition files in use by the custom engine.

v3.13.0 126

1.

Title/API Function

NGetDefinitionTime This is used to retrieve the timestamp of the definition files currently in use by the custom engine. Memory is allocated by Metadefender Core.

NPerformUpdate This is called to initiate an update of the custom engine. This call should be a synchronous call and wait until the update completes.

NScan This is the main function of the custom engine. The scan result returned from this function call is used by Metadefender Core's scan-related API.

NGetProductName This method provides the name of the custom engine. Metadefender Core uses this for display purposes.

NDeinitCE This is called when Metadefender Core is shut down. Any resources acquired by your engine will be released and any unsaved data will be stored.

NInitCE This is the first method called. It allows you to initialize your engine. Metadefender Core will recognize your engine only if this method returns successfully (returns "0").

Additional steps for VB/C# custom engine

Place C wrapper DLL (Dynamic Link Library) with the custom engine DLLs.

If you compile the VB sample solution or C# solution, you get 2 DLLs, one for the cwrapper provided by OPSWAT and the other for your custom engine.

NDeinitCE

API NDeinitCE

Function This is called when Metadefender Core is shut down. Any resources acquired by your engine will be released and any unsaved data will be stored.

v3.13.0 127

Function prototype

int NDeinitCE()

Arguments

No arguments are required for this function.

NGetDefinitionInfo

API NGetDefinitionInfo

Function This method is used to retrieve additional attributes about the definition files in use by the custom engine.

Function prototype

int NGetDefinitionTime( ref string reserved, ref string defVer, ref string defSig, ref string engVer,)

Arguments

Argument Description

defVer Definition version you would like to report. Metadefender Core does not use this information for any logic. It is used only for display purposes.

defSig Definition signature count you would like to report. Metadefender Core does not use this information for any logic. It is used only for display purposes.

v3.13.0 128


engVer Engine version you would like to report. Metadefender does not use this information for any logic. It is used only for display purposes.

reserved Reserved for future use.

Return value

Value Description

0 Information successfully retrieved.

1 Information unavailable.

NGetDefinitionTime

API NGetDefinitionTime

Function This is used to retrieve the timestamp of the definition files currently in use by the custom engine. Memory is allocated by Metadefender Core.

Function prototype

int NGetDefinitionTime( ref int defYear, ref int defMon, ref int defDay, ref int defHour, ref int defMin, )

v3.13.0 129

Arguments


defYear Year portion of definition time.

defMon Month portion of definition time.

defDay Day portion of definition time.

defHour Hour portion of definition time.

defMin Minute portion of definition time.

Return value

Value Description



NGetProductName

API NGetProductName

Function This method provides the name of the custom engine. Metadefender Core uses this for display purposes.

Function prototype

int GetProductName(ref string productName)

Arguments

v3.13.0 130

Arguments


productName The name of the custom engine.

Return value

Value Description

0 To indicate that the product name is successfully returned.

Other value Not supported. Reserved for future usage.

NInitCE

API NInitCE

Function This is the first method called. It allows you to initialize your engine. Metadefender Core will recognize your engine only if this method returns successfully (returns "0").

Function prototype

public int NInitCE()

Arguments

No argument.

Return value

Value Description

0 To indicate that the engine initialized correctly.

v3.13.0 131

Value Description

1 To indicate initialization failed and the engine should not be used.

NPerformUpdate

API NPerformUpdate

Function This is called to initiate an update of the custom engine. This call should be a synchronous call and wait until the update completes.

Function prototype

int PerformUpdate()

Return value

Value Description

0 Update completed successfully.

1 Failed to start or finish updating.

2 Engine is already up to date.

3 Failed to update due to network problem.

4 Engine is already updating.

5 Failed downloading update.

6 Failed reloading database.

v3.13.0 132

NReloadDatabase

API NReloadDatabase

Function This method provides a way for Metadefender Core to explicitly reload the definition database of the engine, especially for a malware engine. During this call, any requests to scan should return ‘Not Scanned.’ If there is no specific step required for reloading the database, it should still return "0" to indicate that the engine is ready.

Function prototype

int ReloadDatabase(ref string srcDir,)

Arguments


srcDir If specified, path to the folder where new definition files are placed.

Return value

Value Description

0 Database is successfully reloaded or nothing needs to be done to reload database.

1 Fail to reload database (same result as fail to init).

v3.13.0 133

NScan

API NScan

Function This is the main function of the custom engine. The scan result returned from this function call is used by Metadefender Core's scan-related API.

Function prototype

int NScan( int reserved, string filepath, ref int scanResult, ref string threatName,)

Arguments


reserved Reserved for future.

filepath Path to the file needed to scan.

scanResult Scan result to be returned.

0: clean

2: suspicious

1: found threat

3: failed to scan

10: not scanned (during update)

threatName Threat name to be returned.

v3.13.0 134

Return value

Value Description

0 Scan completed successfully.

1 Failed to start or finish scanning.

Custom Engine C Interface

Interface

API Function

FreeString This is called to free allocated memory for wchar **. Metadefender Core calls this after Metadefender Core is finished with the values allocated by your functionality.

GetDefinitionInfo This method is used to retrieve additional attributes about the definition files in use by the custom engine.

GetDefinitionTime This is used to retrieve the timestamp of the definition files currently in use by the custom engine. Memory is allocated by Metadefender Core.

GetEngineProperty This method is used to get engine properties such as extract archive, heuristic.

GetExpirationDate This method is used to retrieve the expiration date of engine.

GetProductName This method provides the name of the custom engine. Metadefender Core uses this for display purposes.

InitCE This is the first method called. It allows you to initialize your engine. Metadefender Core recognizes your engine only if this method returns successfully (returns 0).

PerformUpdate

http://sf-small-conf.us.opswat.com:8090/display/MDC/GetEngineProperty

v3.13.0 135

API Function

This is called in order to initiate an update of the custom engine. The call is synchronous and waits until the update completes.

ReloadConfig This is used to reload any or all specific engine configurations. If there is no specific engine configuration that needs to be reloaded, this function returns "0" without any re-initialization of engines.

ReloadDatabase This method provides a way for Metadefender Core to explicitly reload the definition database of the engine, especially for a malware engine. During this call, any requests to scan return "Not Scanned." If there is no specific step required for reloading the database, it still returns "0" to indicate that the engine is ready.

Scan File This is the main function of the custom engine. The scan result returned from this function call is used by Metadefender Core’s scan-related API.

SetEngineProperty This method is used to set engine properties such as extract archive and heuristic.

DeinitCE

API DeinitCE

Function This is called when Metadefender Core is shut down. Any resources acquired by your engine are released and any unsaved data is stored.

Function prototype

int DeinitCE ()

Arguments


http://sf-small-conf.us.opswat.com:8090/display/MDC/SetEngineProperty

v3.13.0 136

Return value

Value Description

0 Indicates that the engine deinitialized correctly.

1 Indicates that deinitialization has failed.

FreeString

API FreeString

Function This is called to free allocated memory for wchar **. Metadefender Core calls this after Metadefender Core is finished with the values allocated by your functionality.

Function prototype

void FreeString ( wchar ** stringToFree)

Arguments

Argument Description Other

stringToFree Double pointer to wchar

Must be deallocated in the same way that memory is allocated.

v3.13.0 137

GetDefinitionInfo

API GetDefinitionInfo

Function This method is used to retrieve additional attributes about the definition files in use by the custom engine.

Function prototype

int GetDefinitionTime( wchar_t** reserved, wchar_t** defVer, wchar_t** defSig, wchar_t** engVer, void** reserved2)

Arguments


defVer Definition version you would like to report. Metadefender Core does not use this information for any logic. It is used only for display purposes.

Implementer must allocate the memory required.

defSig Definition signature count you would like to report. does not information for any Metadefender Core use this

logic. It is used only for display purposes.


engVer Engine version you would like to report. Metadefender Core does not information for any logic. It is used only for use this display purposes.


reserved,

reserved2

Reserved for future use.

v3.13.0 138

Important: defVer, defSig, engVer are double pointers to wchar_t or NULL. They must be allocated by the custom engine in a way that can be deallocated by the FreeString function unless NULL pointer is passed.

Return value

Value Description



GetDefinitionTime

API GetDefinitionTime

Function This is used to retrieve the timestamp of the definition files currently in use by the custom engine. Memory is allocated by Metadefender Core.

Function prototype

int GetDefinitionTime( int * defYear, int * defMon, int * defDay, int * defHour, int * defMin, void** reserved)

Arguments


defYear Year portion of definition time

defMon Month portion of definition time

v3.13.0 139


defDay Day portion of definition time

defHour Hour portion of definition time

defMin Minute portion of definition time

Return value

Value Description



GetExpirationDate

API GetExpirationDate

Function This method is used to retrieve the expiration date of engine.

Function prototype

int GetExpirationDate( int *licYear, int *licMon, int *licDay, void** reserved)

Arguments


licYear Year portion of license time.

v3.13.0 140


licMon Month portion of license time.

licDay Day portion of license time.


Return value

Value Description



GetProductName

API GetProductName

Function This method provides the name of the custom engine. Metadefender Core uses this for display purposes.

Function prototype

int GetProductName( wchar_t ** productName void ** reserved)

Arguments


productName The name of the custom engine


v3.13.0 141

reserved Reserved for future use

Return value

Value Description

0 To indicate that product name is successfully returned.

Other value Not supported. Reserved for future use.

InitCE

API InitCE

Function This is the first method called. It allows you to initialize your engine. Metadefender Core recognizes your engine only if this method returns successfully (returns 0).

Function prototype

int InitCE ( void **reserved)

Arguments


reserved Reserved for future usage

v3.13.0 142

Return value

Value Description

0 To indicate that the engine initialized correctly.

1 To indicate initialization failed and the engine should not be used.

PerformUpdate

API PerformUpdate

Function This is called in order to initiate an update of the custom engine. The call is synchronous and waits until the update completes.

Function prototype

int PerformUpdate( void ** reserved)

Arguments



Return value

Value Description

0 Update completed successfully.

1 Failed to start or finish updating.

v3.13.0 143

Value Description

2 Engine is already up to date.

3 Failed to update due to network problem.

4 Engine is already updating.

5 Failed downloading update.

6 Failed reloading database.

ReloadConfig

API ReloadConfig

Function This is used to reload any or all specific engine configurations. If there is no specific engine configuration that needs to be reloaded, this function returns "0" without any re-initialization of engines.

Function prototype

int ReloadConfig( const wchar_t * reservedI, void** reservedIO)

Arguments


reservedI, OreservedI Reserved for future use

v3.13.0 144

Return value

Value Description

0 Successfully reloaded configuration.

1 Failed to reload configuration.

ReloadDatabase

API ReloadDatabase

Function This method provides a way for Metadefender Core to explicitly reload the definition database of the engine, especially for a malware engine. During this call, any requests to scan return "Not Scanned." If there is no specific step required for reloading the database, it still returns "0" to indicate that the engine is ready.

Function prototype

int ReloadDatabase( const wchar_t * srcDir, void ** reserved)

Arguments


srcDir If specified, path to the folder where new definition files are placed.


Important: If srcDir is used, the folder and its contents must be consumed and deleted by engine.

v3.13.0 145

Return value

Value Description

0 Database is successfully reloaded or nothing needs to be done to reload the database.

1 Failed to reload database (same result as fail to init).

Scan File

API Scan

Function This is the main function of the custom engine. The scan result returned from this function call is used by Metadefender Core’s scan-related API.

Function prototype

int Scan( int dataType, const void * data, int * scanResult, wchar_t ** threatName, void ** reserved)

Arguments


dataType 0: if data is a file path string (wide characters)

Other dataType values are not supported with 3.2.5

data When dataType indicates a file path, you must cast to a const wchar_t pointer.

e.g.,

wstring filePathToScan = (const wchar_t *)data;

v3.13.0 146


scanResult Scan result to be returned:

0: clean

1: found threat

2: suspicious

3: failed to scan

10: not scanned (during update)

threatName Threat name to be returned.

reserved Reserved for future.

Important: threatName is a double pointer to wchar_t. It must be allocated by the custom engine in a way that can be deallocated by the FreeString function.

Return value

Value Description

0 Scan completed successfully.

1 Failed to start or finish scanning.

COM Interface

The Metadefender Core COM server externalizes COM (Microsoft’s Component Object Model) interfaces. The interfaces are all based on the IDispatch automation interface making integration possible from many scripting languages.

When the Metadefender Core Server starts (this happens when you log in or upon the first invocation of the server from a client), it starts updating all the supported antivirus engines on the system. The server repeats the update process at configurable intervals.

Before any method is called, a client instance must be initialized by calling Init or InitEx (deprecated). For APIs via callbacks, please refer to .COM Connection Points

v3.13.0 147

Title Note Method Description

Stop ongoing scan (COM)

StopScan This method purges all scan requests and ongoing scans. Method returns only when all requests are purged.

Sanitize a file (COM)

ConvertFileType This method converts the specified input file into a different format.

Analyze file type III (COM)

AnalyzeEx This method is an extensible file type analysis API that allows the user to set various analyze file type options that can be configured for each file type analysis request. It can be used as a wrapper of the other file type analysis APIs. It also supports specifying custom ticket ID and session ID to associate file type analysis and scan.

Analyze file type II (COM)

AnalyzeFileTypeEx2 This method analyzes a file (or buffer) and attempts to guess its type, detects files of which the file extensions may have been altered, and recursively analyzes contents of archive files.

Get an engine info (COM)

GetUpdateStatusEx This method returns information about the virus definition files of the requested product.

Set a property value (COM)

SetProperty Modify one of Metadefender Core's internal properties.

GetProperty

v3.13.0 148


Get a property value (COM)

Reads one of the internal properties.

Update an anti-malware engine (COM)

UpdateEngine This method is called to initiate an update of a specific anti-malware engine on the local machine.

Update anti-malware engines (COM)

UpdateAntiViruses This method is called to initiate an update of all anti-malware engines at the same time on the local machine. It is recommended to perform updates via automatic periodic update, which is performed at predetermined intervals as configured in “Update Interval” property.

Scan a file (COM)

ScanEx This method is an extensible scan API which allows the setting of various scan options that can be configured for each scan request.

Process a file (COM)

Process This method processes a file through a workflow based on the specified user agent.

Initialize (COM)

Init This method is called to initialize the connection to the Metadefender Core service. This method needs to be called before any other method can be called.

v3.13.0 149


Callback for Processing a File (COM)

Connection Points

OnProcess This callback is fired after each Process method when a pre-defined event is found.

Callback For Archive File Info (COM)

Connection Points

OnFileInArchiveInfoAvailable This callback method is invoked when Metadefender Core's archive library is enabled and a file from within an archive is analyzed (not a scan result). This callback can be used to obtain more discrete information of a file contained within an archive.

Callback For Scan Started Report (COM)

Connection Points

ScanStartReport This callback method is invoked when each engine begins the scan. It is used when a scan request begins. This callback is fired on if “report_on_scan_start” is set to “1” (true).

Callback For Update Completion (COM)

Connection Points

MyOnUpdateComplete This callback method is invoked when an update completes. It is fired to all Metadefender Core client objects that are registered to this connection point. However, if there is already an update request that has not completed, only the Metadefender Core client that requested the update will get a callback with the update result of “updateAlreadyRequested(2)”.

Connection Points

MyOnUpdateProgressReport

v3.13.0 150


Callback For Update Progress Report (COM)

This callback method is invoked when an update for each engine completes. It is fired to the Metadefender Core client object that initiates the update.

Callback For Additional Scan Progress Report (COM)

Connection Points

MyScanProgressReport This callback method is invoked when each engine completes the scan. The callback can be used for a scan progress report when more than one engine is used. If an engine is not used for any reason such as encrypted archive or scan request on a known file inside the folder, no progress report will be fired for the specific file.

Callback For Scan Progress Report (COM)

Connection Points

MyScanProgressReport This method is called to initialize the connection to the Metadefender Core service. This method needs to be called before any other method can be called.

Callback for Scan Completion (COM)

Connection Points

MyOnScanComplete This connection point is fired whenever a scan is completed. This event is not global, but is specific to the client that makes this scan request. In other words, when scanning is requested by a client, other client objects will not get a callback when the scanning is completed.

deprecated UnsubscribeGlobalEvents

v3.13.0 151


Unsubscribe from global events (deprecated)

This method is called to unsubscribe to specific or all events. If you subscribe to a specific type of event, you must unsubscribe to that type of event. For example, if you subscribe to scan event type and update event type, you must unsubscribe to both scan event type and update event type. Calling to unsubscribe to events to which you are not subscribed has no effect.

Subscribe to global events (deprecated)

deprecated SubscribeGlobalEvents If you want to receive global callbacks such as OnLogAvailable, you must subscribe to global events with an appropriate event type through this call. If you subscribe to a specific type of event, you must unsubscribe to that type of event. For example, if you subscribe to a scan event type and update event type, you must both unsubscribe to the scan event type and update the event type.

Analyze file type (deprecated)

deprecated AnalyzeFileType This method analyzes the contents of a file and attempts to guess its type.

Get updated virus definition files (deprecated)

deprecated GetUpdateStatus This method returns information about the virus definition files of the requested product.

v3.13.0 152


Put in scan-and-clean queue (deprecated)

deprecated PutToScanAndCleanQueue This method places a file to the scan-and-clean queue. In other words, the scan request will be processed asynchronously.

Put in scan queue (deprecated)

deprecated PutToScanQueue This method is called to place a file to the scan-queue. In other words, the scan request will be processed asynchronously.

Scan and clean file (deprecated)

deprecated ScanAndClean This method is called to scan and clean a file. This is done in a synchronous (blocking) fashion - the method returns only after the scan is complete.

Scan file (deprecated)

deprecated Scan This method is called to scan a file or a memory buffer. This is done in a synchronous (blocking) fashion - the method returns only after the scan is complete.

Initialize object (deprecated)

deprecated InitEx This method can still be used for the purpose of initializing an instance of a Metadefender Core object. However, with more flexible and extensive DB controller, the ability to have its own log writer per instance is disabled.

v3.13.0 153

Important Return Type

Scan outcome Return Type

Return value

Description Note

0 No threat found

No threat detection or the file is empty.

1 Infected/Known

Threat is found.

2 Suspicious Classified as possible threat but not identified as specific threat.

3 Failed To Scan

Scanning is not fully performed (For example, invalid file or no read permission). If no engine is included and scan is enabled, this will be the final result.

4 Cleaned Threat is found and file is cleaned (repaired or deleted).

5 Unknown Unknown scan result.

6 Quarantined File is quarantined.

7 Skipped Clean

Scan is skipped because this file type is in whitelist.

8 Skipped Dirty

Scan is skipped because this file type is in blacklist.

9 Exceeded Archive Depth

Threat is not found, but there are more archive levels that were not extracted. This is affected by the Metadefender Core property,‘internal_archive_recursive_level’.

10 Not Scanned

Scan is skipped by the engine, either due to update or other engine specific reason. If scan is disabled, this is the final result.

11 Aborted All ongoing scans are purged by StopScan API call.

v3.13.0 154

12 Encrypted File/buffer is not scanned because the file type is detected as encrypted (password-protected). If the Internal Archive Library is ON,

return type is going to be returned through encrypted notMetadefender Core scan progress callbacks because the engines do not perform any scan operations. If the Internal Archive Library is OFF, Metadefender Core passes the files to the engines encrypteddirectly, bypassing the detection.

13 Exceeded Archive Size

The extracted archive is larger than set in the maximum file size for archive. (For more details, refer to “archive_lib_max_size” properties in the topic.)Config

14 Exceeded Archive File Number

There are more files in the archive than set in the maximum number of files extracted. (For more details, refer to “archive_lib_max_num_files” properties in the Config topic.)

15 Password Protected Document

Only workflow has this result.

Others

Return Type Values API/Connection points which use this return type

ThreatList A threat list found on the scanned object, otherwise null (Threat name should NOT be used in a way that affects the application logic. For example, a threat name can be an empty string )

Scan

ScanEx

ScanAndClean

PutToScanQueue

PutToScanAndCleanQueue

FileTypeShort “E” – Executable (EXE, DLL, …)

http://sf-small-conf.us.opswat.com:8090/display/MDC/Config+CLI+command

http://sf-small-conf.us.opswat.com:8090/display/MDC/Config+CLI+command

v3.13.0 155

Return Type Values API/Connection points which use this return type

“D” – Document (MS Office word document, MS Office excel sheet)

“A” – Archive (Zip, Rar, Tar, …)

“G” – Graphical format (Jpeg, GIF, TIFF, BMP, …)

“F” – Folder

“Y” – Logical drive

“I” – Disk image

“T” – Text

“P” – PDF format

“M” – audio or video format

“Z” – mail messages (MSG, …)

“O” – Other (anything that is not recognized as one of the above)

Note: An ISO is treated as an archive file type (type “A”) and not as a disk image (type “I”).

COM Connection Points

The Metadefender Core server provides callback methods by allowing client objects to register connection points. In order to use Metadefender Core API in C/C++ development, all connection points must be implemented. For other languages such as C# or , only ASP.net desired methods can be implemented.

v3.13.0 156

Callback For Additional Scan Progress Report (COM)

Method MyScanProgressReport

Description This callback method is invoked when each engine completes the scan. The callback can be used for a scan progress report when more than one engine is used. If an engine is not used for any reason such as encrypted archive or scan request on a known file inside the folder, no progress report will be fired for the specific file.

Note Connection Points

Function prototype

void MyScanProgressReport( VARIANT ticket, VARIANT result, VARIANT threatList, VARIANT productName, VARIANT scanStartTime VARIANT scanEndTime VARIANT filePath)

Arguments

Argument Description Data Type

ticket The ticket which is generated when this scan has been requested.

UINT32

result A UINT32 value that specifies the scan outcome. UINT32

threatList An array of strings(String []). Each string element in the array is the name of the virus which has been detected.

Array of strings

v3.13.0 157


productName The description of the product. string

scanStartTime The time when the scan is started. date

scanEndTime The time when the scan is finished. date

filePath The path to the file which is scanned. string

Callback For Archive File Info (COM)

Method OnFileInArchiveInfoAvailable

Description This callback method is invoked when Metadefender Core's archive library is enabled and a file from within an archive is analyzed (not a scan result). This callback can be used to obtain more discrete information of a file contained within an archive.


Function prototype

void OnFileInArchiveInfoAvailable( VARIANT SessionID, VARIANT Ticket, VARIANT FileName, VARIANT MD5, VARIANT SHA1, VARIANT SHA256, VARIANT FileSize, VARIANT FileTypeDesc, VARIANT Reserved)

v3.13.0 158

Arguments


SessionID Reserved for future use.

Ticket The ticket that is generated when this scan has been requested. UINT 32

FileName The name of the file contained in the archive with the file path of the root archive preceding it.

string

MD5 MD5 signature of the file. string

SHA1 SHA1 signature of the file. string

SHA256 SHA256 signature of the file. string

FileSize Reserved for future use.

FileTypeDesc Reserved for future use.

Reserved Reserved for future use.

Callback for Processing a File (COM)

Method OnProcess

Description This callback is fired after each Process method when a pre-defined event is found.


v3.13.0 159

Function prototype

void OnProcess( [out] VARIANT *OutDetail, [out, retval] VARIANT *OutArgsArray)

Arguments


OutDetail The details from this event. The JSON schema depends on the callback type. See ‘‘callback types’’ for more details.

string

OutArgsArray 0: CallBackType: Since OnProcess is a general callback that is fired for different events, this specifies the event type. See the callback types for details of the type.

1: Ticket: The ticket returned from the Process API. For example 974989300.

2: The final result of processing the specified file through a workflow

1 = The file was allowed. JSON equivalent is "Allowed"

2 = The file was blocked. JSON equivalent is "Blocked"

3 = The file is currently being processed. JSON equivalent is "Processing"

Safearray of variants with the following order

0: UINT32

1: string

2: UINT32

Callback types

Callback Type

Description and example

2

v3.13.0 160

Callback Type


This callback method is invoked whenever each engine completes the scan. This callback can be used for a progress report of scanning when more than one engine is used. If engines are not used for any reason such as encrypted archive or scan request on a known file, no progress report is fired.

Example

{ "type": "ScanProgressReport", "ticket": 974989300, "scan_result": "1", "threat_list": [ "eicar", "eicar" ], "product_name": "Clamwin Scan Engine", "scan_start_time": "6/5/2014 2:32 PM", "scan_end_time": "6/5/2014 2:32 PM", "scan_time_(ms)": "1", "file_path": "C:\\some\\file.txt", "process_result": "Processing"}

4 This connection point is fired whenever a scan is completed. This event is not global but specific to the client that makes this scan request. In other words, when scanning is requested by a client, other client objects will not get a callback when the scanning is completed.

Example

{ "type": "OnScanComplete", "ticket": 974989300,

v3.13.0 161

Callback Type


"scan_result": "1", "threat_list": [ "eicar", "eicar" ], "scan_start_time": "6/5/2014 2:32 PM", "scan_end_time": "6/5/2014 2:32 PM", "scan_time_(ms)": "2", "file_path": "C:\\some\\file.txt", "process_result": "Processing"}

7 This callback method is invoked when Process' archive handling is enabled and an archive was successfully extracted.

This callback can be used to determine if a processed file is an archive.

Example

{ "type": "ArchiveFileInfo", "ticket": 783676241, "file_path": "2files_dirty.zip", "process_result": "Processing"}

8 This is fired after a file has been fully processed through each stage of a workflow.

If Data Sanitization (DS) is enabled and copy/move is disabled, the sanitized file will appear next to the original file.

If DS and copy/move are enabled, the sanitized filename will be reported in "post_processing.copy/move_destination"

v3.13.0 162

Callback Type


Collisions are handled by incrementing the file name: file_name.txt , file_name_1.txt , file_name_2.txt , ..

Possible Blocked ReasonsFailed to start the processing job: "Process Failed"

Mismatch detected: "Mismatch"

File type disallowed: "Filtered"

Scan Result: "Known | ("Dirty" or "Infected") | Suspicious |Failed | Cleaned | Unknown |("Skipped Dirty" or "Skipped Infected") | Not Scanned |Aborted | Password Protected Document"

Archive: "Encrypted Archive | Missing File During Extraction |Insufficient Space For Archive Extraction |Exceeded Archive Size | Exceeded Archive File Number |Archive Extraction Error | Exceeded Archive Depth |Archive Error"

Post Action: "Sanitization Failed"(Copy or Quarantine failure will not cause blocked result)

Possible Process Results"Allowed": the file is allowed

"Blocked": the file is blocked

"Processing": the file is currently being processed

Possible Action Ran ResultsSanitized

Copied

Moved

Quarantined

v3.13.0 163

Callback Type


Deleted

Ran Script

*Copied and Moved will never exist together*Quarantined and Deleted will never exist together*(Copied/Moved) and (Quarantined/Deleted) will never exist together

JSON Key Explanation Info

scan_all_result_i Final consolidated scan result

Normally, for single files, these values can be retrieved from the OnScanComplete type callback.However, for a final consolidated archive scan result (e.g. the scan result for each file in an archive is consolidated to represent the final archive scan result), these values can be useful.

scan_all_result_a String description of the final scan result

Example

{ "type": "ProcessComplete", "ticket": "974989300", "process_result": "Allowed", "file_path": "C:\\some\\file.txt", "user_agent": "metascan_rest", "profile": "Default", "file_type_skipped_scan": false, "blocked_reason": "", "scan_all_result_i": "0", "scan_all_result_a": "No Threat Detected"}

If Post Processing/File Handling is ran:

Example

v3.13.0 164

Callback Type


{ "type": "ProcessComplete", "ticket": "974989300", "process_result": "Allowed", "file_path": "C:\\some\\toConvert.docx", "user_agent": "metascan_rest", "profile": "Default", "file_type_skipped_scan": false, "blocked_reason": "", "scan_all_result_i": "0", "scan_all_result_a": "No Threat Detected", "post_processing": { "actions_ran": "Sanitized | Quarantined | Moved", "actions_failed": "Delete Failed", "converted_to": "pdf", "copy_destination": "C:\\toConvert.pdf" }}

9 This callback is fired for AnalyzeFileType. It will be fired for a single file as well as for individual files within an archive.

For a single file it will be a fully qualified path, such as: "C:\\level1\\file.txt"For a file inside an archive it will be prefixed with \\, such as: "\\level1\\file.txt"

Example

{ "type": "FileTypeAnalyze", "ticket": "974989300", "file_path": "C:\\some\\toConvert.docx", "file_size": 5134, "file_type_category" : "E", "file_type_description" : "Win64 Executable", "file_type_extension" : "EXE/DLL", "md5": "20A2DFB5...", "sha1": "6D5052F...", "sha256": "4A7C7...", "process_result": "Processing"}

v3.13.0 165

Callback for Scan Completion (COM)

Method MyOnScanComplete

Description This connection point is fired whenever a scan is completed. This event is not global, but is specific to the client that makes this scan request. In other words, when scanning is requested by a client, other client objects will not get a callback when the scanning is completed.


Function prototype

void MyOnScanComplete( VARIANT ticket, VARIANT * result, VARIANT * threatList, VARIANT * scanStartTime VARIANT * scanEndTime)

Arguments


ticket The ticket that is generated when this scan has been requested. UINT32


threatList An array of strings (String []). Each string element in the array is the name of the virus which has been detected.

Array of strings

scanStartTime The time when the scan is started. Date

v3.13.0 166


scanEndTime The time when the scan is finished. Date

Callback For Scan Progress Report (COM)

Method MyScanProgressReport

Description This method is called to initialize the connection to the Metadefender Core service. This method needs to be called before any other method can be called.


Function prototype

void MyScanProgressReport( VARIANT ticket, VARIANT result, VARIANT threatList, VARIANT productName, VARIANT productNum, VARIANT totalNumberOfProducts, VARIANT scanStartTime VARIANT scanEndTime)

Arguments


ticket The ticket that is generated when this scan has been requested.

UINT32


v3.13.0 167


threatList An array of strings(String []). Each string element in the array is the name of the virus which has been detected.

Array of strings


productNumber The order of scan completion among the usable AVs. UINT32

totalNumberOfProducts The number of products scan is requested for this ticket.

UINT32

scanStartTime The time when the scan is started. date

scanEndTime The time when the scan is finished. date

Callback For Scan Started Report (COM)

Method ScanStartReport

Description This callback method is invoked when each engine begins the scan. It is used when a scan request begins. This callback is fired on if “report_on_scan_start” is set to “1” (true).


Function prototype

void ScanStartReport( VARIANT ticket, VARIANT productName, VARIANT filePath)

v3.13.0 168

Arguments


ticket The ticket which is generated when this scan has been requested.

UINT32


filePath The path to the file which is scanned. string

Callback For Update Completion (COM)

Method MyOnUpdateComplete

Description This callback method is invoked when an update completes. It is fired to all Metadefender Core client objects that are registered to this connection point. However, if there is already an update request that has not completed, only the Metadefender Core client that requested the update will get a callback with the update result of “updateAlreadyRequested(2)”.


Function prototype

void MyOnUpdateComplete( VARIANT updateResult, VARIANT updateReport)

v3.13.0 169

Arguments


updateResult A UINT32 value which contains the update result:

0: updateFinished

1: updateFailed

2: updateAlreadyRequested

3: updateUnknown

UINT32

updateReport XML-formatted string consisting of engine names and engine update results. Engine update result is one of the following:

updateOk

updateUpToDate

updateFailed

updateUnknown

updateNetworkProblem

updateTimeOut

updateNotImplemented

updateNotSupported

updateAlreadyInProgress*

string

* updateAlreadyInProgress - If any update on the antivirus product is already running, no additional updates will be queued. This means that the update that has previously been started will return the UpdateResult through the connection point after completion.

v3.13.0 170

Callback For Update Progress Report (COM)

Method MyOnUpdateProgressReport

Description This callback method is invoked when an update for each engine completes. It is fired to the Metadefender Core client object that initiates the update.


Function prototype

void MyOnUpdateProgressReport( VARIANT productName, VARIANT updateState, VARIANT updateReport, VARIANT productNum, VARIANT totalNumberOfProducts, VARIANT startTime, VARIANT elapsedMiliSec, VARIANT reserved)

Arguments


productName The description of the product.

updateState The progress in percentage for update with the specified engine (0 indicates update started while 100 indicates update complete).

updateReport XML-formatted string consisting of engine names and engine update results. Engine update result is one of the following:

updateOk

string

v3.13.0 171


updateUpToDate

updateFailed

updateUnknown

updateNetworkProblem

updateTimeOut

updateNotImplemented

updateNotSupported

updateAlreadyInProgress*

* updateAlreadyInProgress - If any update on the antivirus product is already running, no additional updates will be queued. This means that the update that has previously been started will return the UpdateResult through the connection point after completion.

productNum The order of update among the current AVs.

totalNumberOfProducts The number of products scanned is requested for this ticket.

startTime Time when update for the engine is initiated.

elapsedMiliSec Time elapsed for update complete in milliseconds.

reserved Reserved

Deprecated COM interface

The following methods are no longer recommended by OPSWAT, but may be used under certain circumstances. Please contact OPSWAT customer support (https://www.opswat.com

) before using one of these methods./support#support-levels



v3.13.0 172

Analyze file type (deprecated)

Method AnalyzeFileType

Description This method analyzes the contents of a file and attempts to guess its type.

Note deprecated

Function prototype

HRESULT AnalyzeFileType( [in] VARIANT FileNameOrBuffer, [out] VARIANT * FileTypeLong, [out, retval] VARIANT * FilteTypeShort)

Arguments


FileNameOrBuffer If FileNameOrBuffer is of type string then it is treated as a file name to be analyzed. Otherwise, if it is a byte array (Byte []) it is treated as a memory buffer that should be analyzed.

File name: string

Buffer: byte array

FileTypeLong If the pointer that is passed to the method is not null, then the VARIANT will be filled with a string describing the file type in detail.

string

FileTypeShort A series of letters that summarize the file type. string

The string returned in FileTypeLong is a series of types that match the file. If the file matches more than one type (sometimes it’s impossible to tell the difference), the returned string will contain all the possible file types separated by ‘,’.

v3.13.0 173

The string returned in FileTypeShort is a string comprised of letters that give the rough classification of the file.

Get updated virus definition files (deprecated)

Method GetUpdateStatus

Description This method returns information about the virus definition files of the requested product.

Note deprecated

Function prototype

HRESULT GetUpdateStatus( [in] VARIANT ProductNamePart, [out] VARIANT * ProductDescription, [out] VARIANT * VirusDefinitionDate, [out] VARIANT * VirusDefinitionVersion)

Arguments


ProductNamePart A part of the product name of the desired package. Definition file information of the product containing this value is returned.

string

ProductDescription The description of the product that matched ProductNamePart.

string

VirusDefinitionDate The dates of virus definition files for the product. "0" is returned if the data file time is unavailable, for example when the product does not support the data file time.

Date

VirusDefinitionVersion The virus definition file version of the product. string

v3.13.0 174

Initialize object (deprecated)

Method InitEx

Description This method can still be used for the purpose of initializing an instance of a Metadefender Core object. However, with more flexible and extensive DB controller, the ability to have its own log writer per instance is disabled.

Note deprecated

Function prototype

HRESULT InitEx( [in] VARIANT * argsArray, [in] VARIANT argXML, [out, retval] VARIANT *UsableAntiViruses)

Arguments


argsArray empty

argXML This parameter is reserved for later use. Pass null as its value.

empty

UsableAntiViruses The list of AVs will be used for this instance of Metadefender Core client.

Array of strings

v3.13.0 175

Put in scan-and-clean queue (deprecated)

Method PutToScanAndCleanQueue

Description This method places a file to the scan-and-clean queue. In other words, the scan request will be processed asynchronously.

Note deprecated

Note: This is a deprecated method and we suggest using ScanEx instead.

Function prototype

HRESULT PutToScanAndCleanQueue( [in] VARIANT FileNameOrBuffer, [out, retval] VARIANT* Ticket)

Arguments


FileNameOrBuffer If FileNameOrBuffer is of type string then it is treated as a file or directory name to be scanned. Otherwise, if it is a byte array (Byte []), it is treated as a memory buffer that should be scanned.

File name: string

Buffer: byte array

Ticket A ticket for this scan job. This ticket is passed to the callback methods registered via the Callback for Scan Completion

connection point.(COM)

UINT32

Note: To get the result of this call, you must implement the Callback for Scan Completion connection point.(COM)


v3.13.0 176


Method PutToScanQueue

Description This method is called to place a file to the scan-queue. In other words, the scan request will be processed asynchronously.

Note deprecated


Function prototype

HRESULT PutToScanQueue( [in] VARIANT FileNameOrBuffer, [out, retval] VARIANT* Ticket)

Arguments


FileNameOrBuffer If FileNameOrBuffer is of type string then it is treated as a file / directory name to be scanned. Otherwise, if it is a byte array (Byte []) it is treated as a memory buffer that should be scanned.

File name: string

Buffer: byte array

Ticket A ticket for this scan job. This ticket will be passed to the callback methods registered via the Callback for Scan

connection point.Completion (COM)

UINT32

Note: To get the result of this call, you must implement the Callback for Scan Completion connection point.(COM)

v3.13.0 177

Scan and clean file (deprecated)

Method ScanAndClean

Description This method is called to scan and clean a file. This is done in a synchronous (blocking) fashion - the method returns only after the scan is complete.

Note deprecated


Function prototype

HRESULT ScanAndClean( [in] VARIANT FileName, [out] VARIANT* ThreatList, [out, retval] VARIANT* ScanOutcome)

Arguments


FileName If FileNameOrBuffer is of type string then it is treated as a file / directory name to scan. Otherwise, if it is a byte array (Byte []) it is treated as a memory buffer that should be scanned.

File name: string

Buffer: byte array

ThreatList A threat list found on the scanned object, otherwise null. Array of strings

ScanOutCome The scan result. UINT32

v3.13.0 178

Scan file (deprecated)

Method Scan

Description This method is called to scan a file or a memory buffer. This is done in a synchronous (blocking) fashion - the method returns only after the scan is complete.

Note deprecated


Function prototype

HRESULT Scan([in] VARIANT FileNameOrBuffer,[out] VARIANT* ThreatList,[out, retval] VARIANT* ScanOutcome)

Arguments


FileNameOrBuffer If FileNameOrBuffer is of type string, then it is treated as a file or directory name to scan. Otherwise, if it is a byte array (Byte []), it is treated as a memory buffer that should be scanned.

File name: string

Buffer: byte array

ThreatList A threat list found on the scanned object, otherwise null. array of strings

ScanOutCome The scan result. UINT32

v3.13.0 179

Subscribe to global events (deprecated)

Method SubscribeGlobalEvents

Description If you want to receive global callbacks such as OnLogAvailable, you must subscribe to global events with an appropriate event type through this call. If you subscribe to a specific type of event, you must unsubscribe to that type of event. For example, if you subscribe to a scan event type and update event type, you must both unsubscribe to the scan event type and update the event type.

Note deprecated

Function prototype

HRESULT SubscribeGlobalEvents( [in] VARIANT EventType [out, retval] VARIANT * Reserved)

Arguments


EventType Determines the type of events to subscribe.

0: All events

1: Update events

2: Log events

3: Scan events

UINT32

Reserved Reserved

v3.13.0 180

Unsubscribe from global events (deprecated)

Method UnsubscribeGlobalEvents

Description This method is called to unsubscribe to specific or all events. If you subscribe to a specific type of event, you must unsubscribe to that type of event. For example, if you subscribe to scan event type and update event type, you must unsubscribe to both scan event type and update event type. Calling to unsubscribe to events to which you are not subscribed has no effect.

Note deprecated

Function prototype

HRESULT UnsubscribeGlobalEvents( [in] VARIANT EventType [out, retval] VARIANT * Reserved)

Arguments


Reserved Reserved

Methods

This section lists all the methods available via Metadefender Core COM object. Before you can call any of the methods listed here, you need to create Metadefender Core COM object called ‘Metascanner’. When you install Metadefender Core, Metascanner is registered on the system as part of the type library .MetascanLib

Metascanner Program ID: Metascan.Metascanner.1

v3.13.0 181

Analyze file type I (COM)

Method AnalyzeFileTypeEx

Description This method analyzes a file (or buffer) and attempts to guess its type, detects files of which the file extensions may have been altered, and recursively analyzes contents of archive files.

Function prototype

HRESULT AnalyzeFileTypeEx( [in] VARIANT FileName, [out] VARIANT * SuggestedExtension, [out] VARIANT * FileTypeLong, [out, retval] VARIANT * FileTypeShort)

Arguments


FileName If FileNameOrBuffer is of type string then it is treated as a file name to be analyzed. Otherwise, if it is a byte array it is treated as a memory buffer that should be analyzed

String (file)

OR

Byte array(buffer)

FileTypeLong If the pointer that is passed to the method is not null then the VARIANT will be filled with a string describing the file type in detail.

string

SuggestedExtension If the pointer that is passed to the method is not null then the VARIANT will be filled with the suggested extension type of the file.

string

v3.13.0 182


FileTypeShort A series of letters that summarize the file type. More details are described in UOther Important Return Types.

string

The string returned in SuggestedExtension is the three letter extension of the filename. The AnalyzeFiletypeEx detection is based on the FileTypeLong returned from the AnalyzeFileType. The SuggestedExtension returns the actual extension of the file, even if it has been altered before scanning the file. If the file comprises of more than one extension, such as executable plus archive, the function returns only the first extension type detected.

Analyze file type II (COM)

Method AnalyzeFileTypeEx2

Description This method analyzes a file (or buffer) and attempts to guess its type, detects files of which the file extensions may have been altered, and recursively analyzes contents of archive files.

Function prototype

HRESULT AnalyzeFileTypeEx2{ [in] VARIANT FileNameOrBuffer, [out] VARIANT * InArgsArray, [out, retval] VARIANT * OutArgsArray}

Arguments


FileNameOrBuffer If FileNameOrBuffer is of type string then it is treated as a file name to be analyzed. Otherwise, if it is a byte array, it is treated as a memory buffer that should be analyzed.

String (file)

OR

Byte array (buffer)

v3.13.0 183


InArgsArray A list of input arguments in the following order:

[ ] Detect file extension mismatches. Result can be 0read from OutArgsArray. Set this to one of the following:

a. True - detect mismatches if the input file’s extension doesn’t match any of our suggested extensions

b. False - do not detect mismatches

[ ] If mismatch detection and recursive analysis is 1enabled, stop analyzing upon a mismatch and return immediately with results up until the file that contained the mismatch. Set this to one of the following:

a. True – stop analyzing on the first mismatch

b. False – analyze all the files within an archive

[ ] Analyze the full contents of archive files along 2with the archive file itself. Set this to one of the following:

a. True – recursively analyze archive files

b. False – only analyze the input file

*******************

Variant Array

[0] Boolean

[1] Boolean

[2] Boolean

*******************

OutArgsArray A list of output arguments in the following order:

[ ] If detection of file extension mismatch is enabled, 0this flag will indicate whether a mismatch was detected. This will be set to one of the following:

a. 0 – no mismatch is detected

b. 1 – a file extension mismatch was found while analyzing the input file or the contents of the archive

c. 2 –unknown because of no detection of file type and / or the input was a buffer

*******************

Variant Array

[0] UINT32 (mismatch flag)

[1] Variant Array (files)

----------------------

Variant Array (files)

[0][0] String (file name)

v3.13.0 184


[ ] Array containing the analyzed file(s) and file type 1information – consisting of the file name, file description, a short type, suggested extension, and extension mismatch flag

[0][1] Variant Array (file info)

[0][2] UINT32 (mismatch flag)

----------------------

Variant Array (file info)

[0][0] Long type

[0][1] Short type

[0][2] Suggested Extension

*******************

Comparison with AnalyzeFileTypeEx()

In addition to returning similar results as AnalyzeFileTypeEx, this method analyzes a file and the contents if it is an archive file. It also gives one or more suggestions for the file type information (description, category, and suggested extension) when available. Additionally, it can raise a flag if the extension of a file does not match any suggested extensions. The caller can specify to abort further analysis on the first mismatch. There are three levels of VARIANT arrays, the last two levels consisting of 2-dimensional SafeArrays.

Upon analysis with AnalyzeFileTypeEx(), if specific details of the file type could be not retrieved, the ‘FileTypeShort’ result will be set to the letter ‘O’, throwing it into the “others” category. In contrast, AnalyzeFileTypeEx2() will return an empty array, indicating that details could not be retrieved for the file

Analyze file type III (COM)

Method AnalyzeEx

Description This method is an extensible file type analysis API that allows the user to set various analyze file type options that can be configured for each file type analysis request. It can be used as a wrapper of the other file type analysis APIs. It also supports specifying custom ticket ID and session ID to associate file type analysis and scan.

v3.13.0 185

Function prototype

HRESULT AnalyzeEx{ [in] VARIANT ContentsToScan, [in] VARIANT * InArgsArray, [out, retval] VARIANT * OutArgsArray}

Arguments


ContentsToScan This argument may hold one of two types, a file path to be scanned or a memory buffer to be scanned based on the data type of this parameter and input argument (

) valueInArgsArray

A file path: if the type of this parameter is a string

Memory buffer: if the type of this parameter is a byte array(byte[])

File name: string

Buffer: byte array

InArgsArray A list of input arguments in the following order.

0. File Type Library choice

0: Use default

1: Magic File Type

2: TriD (Not supported for now)

1. Custom ticket #

(maximum 9 digits from 1-999999999) or (0 for not using custom ticket #)

2. Session ID

a. To associate multiple file scan as a group (e.g., multiple requests for single folder)

Array of variants with the following order:

1: UINT32

1: UINT32

2: String

OutArgsArray A list of outputs with the following order:

v3.13.0 186


0: Ticket number (if custom ticket # is specific in InargsArray, same ticket number is returned).

1: Suggested File Type Extension

2: File Type Long

3: File Type Short

Array of variants with the following order:

0: UINT32

1: String

2: String

3: String

Check license (COM)

Method Checklicense - COM

Description This method checks if the license installed on the machine is valid and when it expires. Metadefender Core processes, scans, and updates requests only if LicenseType is one of the“valid” types below.

Function prototype

HRESULT CheckLicense{ [out] VARIANT * LicenseType, [out] VARIANT * ExpiredDate, [out, retval] VARIANT * IsValid}

Arguments


LicenseType The type of license:

0: Expired (invalid)

1: Activated (valid)

UINT32

v3.13.0 187


2: Trial (valid)

3: Activate Required (invalid)

4: Activated but expires in 30 days (valid)

ExpiredDate The date when the license is expired in the following format:

MM/DD/YYYY (MM: month, DD: day, YYYY: year)

string

IsValid True: if the license is valid

False: if the license is invalid

bool

Get an engine info (COM)

Method GetUpdateStatusEx

Description This method returns information about the virus definition files of the requested product.

Function prototype

HRESULT GetUpdateStatusEx{ [in] VARIANT ProductNamePart, [out] VARIANT * ProductDescription, [out] VARIANT * VirusDefinitionDate, [out] VARIANT * VirusDefinitionVersion, [out] VARIANT * VirusDefinitionSignature, [out] VARIANT * ProductEngineVersion}

Arguments


ProductNamePart string

v3.13.0 188


A part of the product name of the desired package. Definition file information of the product containing this value will be returned.

ProductDescription The description of the product that matched ProductNamePart.

string

VirusDefinitionDate The dates of virus definition files for the product. 0 will be returned if the data file time is unavailable, for example when the product does not support the data file time.

date

VirusDefinitionVersion The virus definition file version of the product. string

VirusDefinitionSignature The virus definition file signature of the product. string

ProductEngineVersion The product (engine) version. string

Get a property value (COM)

Method GetProperty

Description Reads one of the internal properties.

Function prototype

HRESULT GetProperty( [in] VARIANT PropertyName, [out, retval] VARIANT* PropertyValue)

v3.13.0 189

Arguments


PropertyName The name of the requested property. For valid names, please refer to the Metadefender Core Configuration Guide.

string

PropertyValue The value of the property string

Initialize (COM)

Method Init

Description This method is called to initialize the connection to the Metadefender Core service. This method needs to be called before any other method can be called.

Function prototype

HRESULT Init( [out, retval] VARIANT *UsableAntiMalwares)

Arguments


UsableAntiMalwares The list of anti-malware engine names available to be used with this instance of Metadefender Core

array of strings (VT_BSTR)

v3.13.0 190

Process a file (COM)

Method Process

Description This method processes a file through a workflow based on the specified user agent.

Function p rototype

HRESULT Process( [in] VARIANT ContentsToBeProcessed, [in] VARIANT ContentsType, [in] VARIANT UserAgent, [in] VARIANT InArgsArray, [out] VARIANT *OutDetail, [out, retval] VARIANT *OutArgsArray)

Arguments


ContentsToBeProcessed Full path to the file to be processed string

ContentsType 0: holds a file path (Currently this is ignored since only 0 is supported)

UINT32

UserAgent A string to identify the user. Used for mapping to a specific workflow.

string

InArgsArray 0: Sync Flag - Reserved for future use.

1: Custom Ticket - Currently, only the integer range value is supported.

2: Password for Archives


v3.13.0 191


3: Additional Logging Parameter - This is passed to the user description argument in ScanEx if scanning is enabled on the workflow. Reserved for future use.

4: File Display Path - The full path of the file from the source machine to display to the user after processing.

5: Disable Logging - Disallows Metadefender Core to log any file type analysis and scan results.

6: Caching Option

0: disable to cache for the scan request

1: enable to cache for the scan request

2: disregard the existing cache

3: use the global setting

7: Customized data sanitization location

8: Workflow name - If you specify a workflow name, it overrides the mapping logic of the UserAgent parameter for workflow selection. If this string is not empty it MUST match a workflow name. Workflow names can be retrieved from the Metadefender Core Management Console (Configuration → Workflows)

0: boolean

1: string

2: string

3: string

4: string

5. boolean

6. uint32

7. string

8. string

OutDetail JSON result details string

Example JSON

{ "Ticket": "974989300" }

In case of error [e.g. "Server is too busy. Try again later." | "Invalid License" | "Daily scan limit reached" | "Failed to continue. unknown error" | "Invalid file path"] :

string

v3.13.0 192


{ "Error": "Invalid License" }

In case of too many simultaneous scans:

{ "Error": " Exceeded maximum thread count" }

OutArgsArray 0: Custom Ticket - to be used to associate callback results


0: string

When the Metadefender Core server is too busy, the HRESULT value returned will be Note:E_OUTOFMEMORY

Creating workflow profiles

Many configurations are supported via workflow profiles. To access the Workflow tab on the Metadefender Core Management Console, go here: http://localhost:8008/management/workflow.

Sanitize a file (COM)

Method ConvertFileType

Description This method converts the specified input file into a different format.

Function prototype

HRESULT ConvertFileType{ [in] VARIANT ContentsToConvert, [in] VARIANT ConvertTo, [in] VARIANT TargetFolderPath, [in] VARIANT * ReservedInArgsArray, [out] VARIANT * ReservedOutArgsArray,

http://localhost:8008/management/workflow

v3.13.0 193

[out, retval] VARIANT * ConvertedFilePath}

Arguments


ContentsToConvert UNC of the input file to convert. String

ConvertTo Identifier for targeted conversion.

Usually file extension (e.g., pdf, docx…)

String

TargetFolderPath UNC of the destination folder path. The converted file will be created in that folder.

String

ReservedInArgsArray Reserved

ReservedOutArgsArray Reserved

ConvertedFilePath Path to the converted file if conversion was successful. String

Scan a file (COM)

Method ScanEx

Description This method is an extensible scan API which allows the setting of various scan options that can be configured for each scan request.

Function prototype

HRESULT ScanEx( [in] VARIANT ContentsToScan, [in] VARIANT* InArgsArray, [out, retval] VARIANT* OutArgsArray)

Arguments

v3.13.0 194

1.

2.

3.

4.

5.

Arguments


ContentsToScan This argument may hold one of four types: a file path to be scanned, a file signature to be scanned, a boot sector to be scanned, or a memory buffer to be scanned, based on the data type of this parameter and input argument ( ) InArgsArrayvalue

File path: if the type of this parameter is a string and the fifth argument of is set to 0 or the size InArgsArrayof is 3InArgsArray

File signature: if the type of this parameter is a string and the fifth argument of is set to 1InArgsArray

Boot sector scan: if the type of this parameter is a string and the fifth argument of is set to 2InArgsArray

Memory buffer: if the type of this parameter is a byte array(byte[])

Virtual Machine image folder path

File name: string

Buffer: byte array

InArgsArray A list of input arguments in following order:

(boolean) Sync flag (true: synchronous scan , false or invalid value: asynchronous scan)

(boolean) Clean flag (true: Action on dirty file, false: keep)

(UINT32) Custom ticket #

- maximum 9 digits from 1-999999999 or 0 for not using custom ticket #

(UINT32) Analyze before scan

0: disable analyze file before scan

1: enable analyze file before scan

2: use global setting (“analyze_before_scan”)

(UINT32) Contents Type

Array of variants

v3.13.0 195

5.

6.

7.

8.

9.

10.


0: ContentToScan argument holds file path or memory buffer

1: ContentToScan argument holds SHA1-based signature.

2: ContentToScan argument holds driver letter for a boot sector scan

4: ContenToScan argument holds Virtual Machine image folder path (Virtual machine disk must contain a Windows based filesystem)

(UINT32) Clean Action Type

0: take no action

1: quarantine (ignore global setting, “clean_action”)

2: delete (ignore global setting, “clean action”)

3: follow global setting

(UINT32) Caching option

0: disable to cache for this scan request

1: enable to cache for this scan request

2:rescan (disregard existing cache and update with new scan result)

3: use global setting(“enable_cache_scan”)

(String) Password for encrypted archive.

- Use empty string to when no password is required.(“enable_cache_scan”)

(String) User agent

- This is used to associate scan history with the source of scan request. Empty string is allowed.

(String) User description

- This will be logged along with scan request for the caller’s purpose. Empty string is allowed.

v3.13.0 196

10.

11.

12.

1.

2.

3.


- Pass the following JSON formatted string to control the file name and file path to be logged:

{"file_info.original_file_path":"<original file path not including file name", "file_info.display_name":"<original file name>"}

(UINT32) Configure logging

0: disable logging this particular scan request

1: enable logging this particular scan request

2: use global setting (omsConfig.ini)

(UINT32) Archive File Handling

0: do not extract archive file for this particular request

1: extract archive file for this particular scan request

2: use global setting (“internal_archive_lib_enable”)

OutArgsArray A list of outputs with the following order:

(UINT32) Ticket number (if custom ticket # is specific in InargsArray, same ticket number is returned

(UINT32) Scan result as described in ScanOutCome Return Type

(Array of strings) List of threats(String) Scan detail per engine

<scan_details> <objects> <object name="[object name]"> <engine_result> <engine_name>[engine name]</name> <scan_result>[scan outcome for the engine]</scan_result> </engine_result> </object> </objects></scan_details>

v3.13.0 197

3.

4.


[object_name]: file name or signature depends on type of scan requested

[scan outcome for the engine]: Scan result per engine as described in ScanOutCome Return Type

(String) File type information

this is returned only if analyze_before_scan is enabled orthe third argument of is set to 1InArgsArray

<file_type> <objects size=""> <object> <sha1></sha1> <type_infos size=""> <type_info> <long></long> <short></short> <extension></extension> </type_info> </type_infos> </object> </objects></file_type>

Set a property value (COM)

Method SetProperty

Description Modify one of Metadefender Core's internal properties.

Function prototype

HRESULT SetProperty{ [in] VARIANT PropertyName,

v3.13.0 198

[in] VARIANT PropertyValue}

Arguments


PropertyName The name of the requested property. string

PropertyValue New value of the property string

Stop ongoing scan (COM)

Method StopScan

Description This method purges all scan requests and ongoing scans. Method returns only when all requests are purged.

Function prototype

HRESULT StopScan{ [in] VARIANT Reserved}

Arguments


Reserved Reserved

v3.13.0 199

Update an anti-malware engine (COM)

Method UpdateEngine

Description This method is called to initiate an update of a specific anti-malware engine on the local machine.

Function prototype

HRESULT UpdateEngine( [in] VARIANT EngineName, [in] VARIANT ReservedArg)

Arguments


EngineName The name of the anti-malware product that needs to be updated (case in-sensitive).

string

ReservedArg Reserved. Any type of Variant is allowed except NULL pointer.

Note: The result of this call is provided via the OnUpdateComplete connection point.

Update anti-malware engines (COM)

Method UpdateAntiViruses

Description This method is called to initiate an update of all anti-malware engines at the same time on the local machine. It is recommended to perform updates via automatic periodic update, which is performed at predetermined intervals as configured in “Update Interval” property.

v3.13.0 200

1.

2.

3.

a.

b.

c.

d.

4.

5.

6.

7.

8.

9.

Function prototype

HRESULT UpdateAntiViruses()

Note: The result of this call is provided via the OnUpdateCompleteconnection point.

Sample Code

You can download for COM interface from . Metadefender Core Sample Code OPSWAT portalThis document describes how to set up and use the sample code you have downloaded.

ASP Sample

Install IIS.

Install Web Development support for Visual Studio.

Enable web sharing on the sample dir.

Go to sample dir.

Right-click on . Properties

Click Web Sharing > . Share this folder

Give all permissions to folder (including ). Execute for scripts

Enable advanced file sharing options – Open an explorer window -> Tools -> Folder Options -> View -> uncheck “Use simple file sharing”.

Ensure the following ASP accounts have permissions on the project folder:• ASP.Net machine account• Internet guest account (IUSR)• Launch IIS Process account (IWAM)

To change the permissions, right-click the folder and select Properties > . Security

Add the accounts. For each account, add read and execute permissions.

Open Internet Explorer, and change security settings to custom. Reset them to Medium low, and change the “Download unsigned ActiveX controls” and “Initialize and script ActiveX controls not marked as safe” options to “prompt”.

Open the project. You may get the following message "The specified Web server is not running ASP.NET version 1.1 ..." If so. follow the steps in: http://support.microsoft.com/kb

./817267/en-us


https://portal.opswat.com

http://support.microsoft.com/kb/817267/en-us

http://support.microsoft.com/kb/817267/en-us

v3.13.0 201

10.

11.

1.

2.

3.

4.

5.

6.

a.

b.

c.

d.

e.

f.

g.

h.

i.

j.

7.

8.

9.

10.

11.

In the IIS, ensure access is allowed to the sample folder by setting the folder's "Directory Security".

Assign "Launch and Activation" permission on the Metascan to the account running ASP.Net in DCOM Configuration (DCOMCNFG).

PHP Sample Code for IIS 7

Install IIS 7 by adding a role to the server.

Add CGI/Fast CGI as an IIS feature (from cmd.exe):dism /online /enable-feature /featurename:IIS-CGI

Download the latest PHP 5 from .http://www.php.net/downloads.php

Install PHP as IIS FastCGI to “C:\PHP” (be sure to select script executable option to associate *.php with PHP).

Edit C:\PHP\php.ini.short_open_tag = Oncgi.force_redirect = 0

Configure IIS on the system.

Go to Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager .

Choose Sites > Default Web Site .

Double-click on in the right pane. Handler Mappings

Double-click on PHP_via_FastCGIModule .

Click .Request Restrictions

Select the tab. Verbs

Select radial button , enter “GET,POST,HEAD”. One of the following verbs

Select the tab. Access

Select the radio button. Script

Click all the way out and accept changes. OK

Place scan.php, userInput.html and uploads folder into C:\Inetpub\wwwroot folder.

Allow necessary security permission to both the files and the folder (for testing please allow to everyone).

Configure Metadefender Core COM settings to allow IIS_USRS and IUSR to launch, access, and configure Metadefender Core (local permissions only).

Restart Metadefender Core service.

http://www.php.net/downloads.php

v3.13.0 202

11.

12.

Go to .http://localhost/userInput.html

Upload the file to be scanned. HTML calls PHP script and prints the scan results on the web page.

Command Line Utility

Metadefender Core provides a command line utility (omsCmdLineUtil.exe) that enables a user to run Metadefender Core operations such as scanning files, getting or setting preferences/properties, etc.

For more information, run "help" command from the directory in which the command line utility is located.

Exit code (for scan command)

Metadefender Core provides a process exit code for each scan to the command console. After you scan a file from CLI, you can enter “echo %errorlevel%” from the command prompt to get the scan result code. For detailed scan result return value information, refer to .COM Interface

Note: If omsCmdLineUtil.exe is unable to establish a connection to the Metadefender Core service, it returns the message "Failed to initialize Metadefender Core".

Process a File Command

syntax process <file path> <user_agent>

This function allows a user to process a file on the command line with a specific user agent using all available AV products on the machine. This effectively allows the user to choose which workflow to use when processing their file.

COM API

Calls Metascan COM Process asynchronously.

Process parameters

input parameters

<file path> user entered file path

<user_agent> the User Agent corresponding to desired Workflow

http://localhost/userInput.html

v3.13.0 203

Example

c:\Program Files (x86)\OPSWAT\Metascan 4>omsCmdLineUtil.exe process C:\TestFiles\eicar.com default Ticket:[ 2772276979 ] Process Details--------------- File: [ C:\TestFiles\eicar.com ] MD5: [ 44D88612FEA8A8F36DE82E1278ABB02F ] SHA1: [ 3395856CE81F2B7382DEE72602F798B642F14140 ] SHA256: [ 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F ] File Size: [ 68 bytes ] File Type Category: [ T ] File Type: [ unknown ] File Type Description: [ ASCII text, with no line terminators ] [ Dirty ] Avira scan engine [ 1 ms ] | Eicar-Test-Signature[ Dirty ] ESET scan engine [ 2 ms ] | Eicar test file[ Dirty ] Ahnlab scan engine [ 3 ms ] | EICAR_Test_File[ Dirty ] ClamAV scan engine [ 14 ms ] | Eicar-Test-Signature Scan Completion--------------- [ Dirty ] Ticket: [ 2772276979 ] File path: C:\TestFiles\eicar.com Found threats: EICAR_Test_File Scan time: 14 ms [01/25/2016 16:01:44:835] Process Completion------------------ Ticket: [ 2772276979 ] User agent: default Profile: Default Result: [ Blocked ] Blocked reason: [ Dirty ] File processed: C:\TestFiles\eicar.com

v3.13.0 204

1.

2.

3.

1.

2.

Limitations

Does not support processing a folder.

Java Sample

Below are the steps to use for the Java sample with Eclipse IDE running or by running on the command line. Java sample is not installed with Metadefender Core. You must download this separately from the OPSWAT portal. Go to https://portal.opswat.com/en/content/metadefender-

, and click .core-sample-code Download

With the Eclipse IDE running:

Create a new Java project from existing source code. (Choose the Java sample code folder you have downloaded).

Add Metasscan_java_interface.jar to the build path of the project. By default, Metascan_java_interface.jar file is installed in the directory where Metadefender Core is installed under the JNI folder.

Set java argument of Native library path to “omsJInterfaceImple.dll”

Example: (in -Djava.library.path=C:/Program Files (x86)/OPSWAT/Metadefender Core 8/JNIvm arguments of “Run Configuration”)

Running on the Command Line:

Go to bin directory.

Run the following command:Java.exe -cp .;<absolute path to Metascan_java_interface.jar file> -Djava.library.path=<absolute path to omsJInterfaceImpl.dll> com.opswat.metascan.Sample

REST API (v2)

Beginning with Metascan 3.8.1, OPSWAT supports only using the JSON-based (v2) REST API and XML-based (v1) REST API is deprecated.



v3.13.0 205

API key-based authentication

Metadefender Core allows you to limit access to the REST API only to users that have a defined API key. If no such API keys are defined then the 'apikey' parameter should be excluded from the REST API calls. If one or more API keys are defined, the 'apikey' parameter is required. To define API keys configure them in the management console.

Getting Started

Look Up Hash and Process (Scan / Sanitize) A File

Compatibility with Core v4 and Metadefender.com

We have designed REST API in a way that most common functions on Core v3, Core v4, and Metadefender.com public/private API share same structures and mechanism.

If you are moving from Metadefender.com to Core or vise versa, the change you need to make on your application should be minimal unless there is specific function that is only available to either one. If you notice any incompatible API, please contact OPSWAT support for consulting.

Advanced Usages

v3.13.0 206

Advanced Usages

API Version

Description Returns API version

URL Path /apiversion

Method GET

Summary

Returns API version info of REST. Core v3 and Core v4 return different values in order for client applications to identify which Core is being integrated to.

This is useful if a client application utilizes specific features which are only available to Core v3 or Core v4.

Request URL

http://localhost:8008/metascan_rest/apiversion

Method: GET Response

Example of successful request v3 Core:

200

{"version":"3"}

Example of successful request v4 Core:

200

{"version":"4"}

Load handling

Maximum Number of Simultaneous Workflow Clients Through REST

v3.13.0 207

1.

a.

b.

c.

2.

a.

b.

c.

1.

a.

2.

a.

Overview

Configuring many systems to perform a full system scan using MClient.

Queuing Mechanism

We will have 2 queues in REST.

Pending: Pending scans

Scan not yet submitted to the COM service.

Maximum 20,000 files here before server returns 500 too busy.

Files go pass through here first, then if the ongoing scan queue has space they are moved there.

Ongoing: Scan in progress

Scan already submitted to the COM service.

Maximum 1000 files here.

If this queue is full the files stay in pending scan queue.

Disk Check

We have 2 types of disk checks based on how much free space is left.

If < 3.5 GB free disk space:

With every file upload we will do a disk space check.

If > 3.5 GB free disk space:

We used the cached value from our already periodic check.

The reason we need to checks is because there is a known issue about Mongo not being able to start if there is enough free space on the disk. (3379MB)

Mongo Error

2016-09-06T16:12:15.514-0700 [initandlisten] ERROR: Insufficient free space for journal files2016-09-06T16:12:15.514-0700 [initandlisten] Please make at least 3379MB available in C:\Program Files (x86)\OPSWAT\Metadefender Core 4\Mongo\data\journal or use --smallfiles

Recommend REST integration in multiple client environment

v3.13.0 208

1.

2.

3.

Recommend REST integration in multiple client environment

REST users should only submit ~20 files at a time and wait until processing is complete before uploading more.

/file/inqueue reports how many files are in the queues (adding both pending on ongoing)

If client gets 503 server too busy they should wait a bit and try again.

Number of pending jobs

Description Number of pending jobs

URL Path /file/inqueue

Method GET

Summary

Returns the number of pending jobs on the server

Request URL

http://localhost:8008/metascan_rest/file/inqueue

HTTP header parameters

apikey API key assigned by user OPTIONAL

Method: GET

URL path /file/inqueue REQUIRED

http://localhost:8008/metascan_rest/file/inqueue

v3.13.0 209

Response Code

200 OK Request is successful

400 Bad request Not supported HTTP method or invalid http request .

401 Invalid API key / Exceeded usage

Either missing API key or invalid api is passed.

500 Internal server error Server temporary unavailable. Try again later.

ResponseExample of when request is successful :

{ "in_queue" : "0"}

Descriptions of response:

in_queue Number of jobs inqueue.

Multiple Hashes Lookup

Description Retrieve scan report by multiple hashes.

URL Path /hash

Method POST

Summary

Get a list of available hashes for an API key.

Dues to business stuff, we need to remove scan result of Kaspersky in response json (MCL-3016) (Only applicable for Metascan Online)

v3.13.0 210


apikey API key assigned by user OPTIONAL

include_scan_details include scan details

Value: 0, 1

OPTIONAL

Default: 0

"scan_details" exists in response when = 0|1|2 in response and header "scan_result"=1"include_scan_details"

Method: POST

URL path /hash REQUIRED

Body content {"hash":["hash_value_1","hash_value_2","hash_value_3",..]}

Response Codes

200 OK Found or Not Found

400 Bad request Not supported HTTP method or invalid http request .

401 Invalid API key Either missing API key or invalid api is passed.

403 Signature lookup limit reached, try again later

User exceeds limit


Response

Example of when input body is empty :

{

v3.13.0 211

"err" : "hashes in body content is null or empty"}

Example of when input body is wrong format :

{ "err" : "Could not parse body content."}

Example of maximum hashes input.

{ "err" : "Exceeded maximum allowed. Allow maximum 1000 hashes"}

Example of when request is successful :

[ { "hash" : md5_1, "scan_result" : 0, "data_id" : data_id_1 }, { "hash" : md5_2, "scan_result" : 1, "data_id" : data_id_2 }, { "hash" : "abc", "scan_result" : 5, "data_id" : null } ]

Example of when request is successful and "include_scan_details"=1:

[ {

v3.13.0 212

"hash" : md5_1, "scan_result" : 0, "scan_details":{ "Agnitum":{ "scan_result_i":0, "threat_found":"", "def_time":"2014-08-07T07:00:00Z", "scan_time":78.0 }...{}}, "data_id" : data_id_1 }, { "hash" : md5_2, "scan_result" : 1, "scan_details":{ "Agnitum":{ "scan_result_i":0, "threat_found":"", "def_time":"2014-08-07T07:00:00Z", "scan_time":78.0 }...{}}, "data_id" : data_id_2 }, { "hash" : "abc", "scan_result" : 5, "data_id" : null } ]

Example of when the number of lookup hashes i s more than remaning lookup number:

e.g: user can only scan 2 hashes but posts 3 hashes.

[ { "hash" : md5_1, "scan_result" : 0, "data_id" : data_id_1 }, { "hash" : md5_2, "scan_result" : 1, "data_id" : data_id_2 }, { "hash" : md5_3,

v3.13.0 213

"scan_result" : 403, "data_id" : null } ]


scan_result the newest final scan result of hash

5: unknown scan result - may be hash does not exist in mongo

data_id the newest data_id of hash

scan_details Array of scan results for engines

For more details of response, refer to .Response Description

Retrieve profiles (ID and name)

Description Retrieve a list of all the workflow profile names

URL Path /file/rules

Method GET

Summary

Retrieves a list of all workflow profile names [i.e. "rule"] and associated IDs.


rule rule/profile name to search for OPTIONAL

Request Error

404 Not Found Could not find the rule specified with the rule header

500 Internal Error Unexpected error; check logs for details

v3.13.0 214

Response

Example of retrieving all rules:

200

[ { "name": "Block EXE", "id": "57c99fc376e0e0f1b9baab54" }, { "name": "Client", "id": "57c99fc376e0e0f1b9baab55" }, { "name": "Convert Docs", "id": "57c99fc376e0e0f1b9baab56" }, { "name": "Guest", "id": "57c99fc376e0e0f1b9baab57" }, { "name": "High Security", "id": "57c99fc376e0e0f1b9baab58" }, { "name": "Kiosk", "id": "57c99fc376e0e0f1b9baab59" }, { "name": "Mail Agent", "id": "57c99fc376e0e0f1b9baab5a" }, { "name": "No EXE/Archives", "id": "57c99fc376e0e0f1b9baab5b" }, { "name": "Only Docs", "id": "57c99fc376e0e0f1b9baab5c" }, { "name": "Default", "id": "57c99fc376e0e0f1b9baab5d" }, { "name": "Proxy",

v3.13.0 215

"id": "57c99fc376e0e0f1b9baab5e" }, { "name": "Web Scan", "id": "57c99fc376e0e0f1b9baab5f" }]

Example of searching for specific workflow with the rule header:

200

[ { "name": "Client", "id": "57f7e5621d9ac33a3788e031" }]


name the name of the workflow profile (i.e. rule)

id Unique identifier for a workflow. Changing workflow name does not affect id. Use "name" for description and "id" to specify a workflow.

Statistics

Check Server health

Description Server health

URL Path /stat/serverhealth

Method GET

v3.13.0 216

Summary

Retrieve server health including free disk space, RAM and CPU usage, disk queue length. These are average values based on sampling.

Request URL

http://localhost:8008/metascan_rest/stat/serverhealth

Use Cases (used by)

Management Console (to retrieve server statistics of memory, CPU usage, and average disk queue length to monitor server health).


Header Description Required

apikey API key assigned by OPSWAT or admin REQUIRED

Method: GET

/stat/serverhealth

Returns all entries in server health recorded.

/stat/serverhealth/{N}

n is hours. It will return entry between(inclusive) HH-n:00 and HH:00.

For example: call /stat/serverhealth/1 at 13:13, server will return entry between 12:00 and 13:00.

Response Codes

Code Status Description Notes

200 OK successful response

400 Bad request Not supported HTTP method or invalid http request.

401 Either missing API key or invalid API is passed.

http://localhost:8008/metascan_rest/stat/serverhealth

v3.13.0 217


Permission Denied for statistic


Response

Example of successful scan request:

[ { "usage_check_localtime": "2016-02-03T12:00:00-08:00", "avg_ram_usage": 84.92316500345866, "avg_cpu_usage": 13.39331203699112, "avg_disk_q_len": 0.2144404633436352, "avg_disk_free_space": 25.00000000000000 }, { "usage_check_localtime": "2016-02-03T13:00:00-08:00", "avg_ram_usage": 82.8503189086914, "avg_cpu_usage": 2.4295437335968018, "avg_disk_q_len": 0.0027925085742026567, "avg_disk_free_space": 25.0000000000000000 }]


Response Description

usage_check_localtime The local time when the information is queried.

avg_ram_usage Average of RAM usage of Metadefender Core server as a percentage of total RAM.

avg_cpu_usage Average of CPU usage of Metadefender Core server as a percentage of total CPU.

avg_disk_q_len Tracks the number of requests that are queued and waiting for a disk during the sample interval, as well as requests in service.

v3.13.0 218


avg_disk_free_space Average free disk space on Metadefender Core server as a percentage of total space.

Get enginedef stat

Description Get enginedef stat

URL Path /stat/enginedef

Method GET

Summary

Gets definition time of all current anti-malware engines. This is recommended API to check engine definition rather than using because it returns cached definition info Get engines statand relatively cheap API.

Request URL

http://localhost:8008/metascan_rest/stat/engines

Response Codes

200 OK

400 Bad request Not supported HTTP method or invalid http request.


Response

Notice that engine name will be shortened to single word.


{ "Lavasoft" : "2014-11-24T00:00:00", "TotalDefense" : "2013-02-12T00:00:00",

http://localhost:8008/metascan_rest/stat/enginedef

v3.13.0 219

"ESET" : "2014-11-25T00:00:00", "AVG" : "2013-08-12T00:00:00", "Avira" : "2014-10-01T00:00:00"}

Get engines stat

Description Get engines stat

URL Path /stat/engines

Method GET

Summary

Returns engine information for all usable anti-malware engines. This is relatively expensive API call on the server side. If you want to retreive definition info, use .Get enginedef stat

Request URL




Request Error

400 Bad request Not supported HTTP method or invalid HTTP request.


Response


[{ "eng_name" : "ClamWin scan engine", "eng_ver" : "0.97.8", "def_time" : "11/10/2013 12:00:00 AM",


v3.13.0 220

"eng_type" : "Bundled engine", "active" : true},{ "eng_name" : "ESET NOD32 Antivirus", "eng_ver" : "4.2.71.2", "def_time" : "11/11/2013 12:00:00 AM", "eng_type" : "Customer licensed engine", "active" : false},{ "eng_name" : "ESET scan engine", "eng_ver" : "1412 (20131023)", "def_time" : "6/1/2012 12:00:00 AM", "eng_type" : "Bundled engine", "active" : true},{ "eng_name" : "Norman scan engine", "eng_ver" : "7.2.6", "def_time" : "10/13/2013 12:00:00 AM", "eng_type" : "Bundled engine", "active" : true},{ "eng_name" : "Total Defense scan engine", "eng_ver" : "37.0.1.55", "def_time" : "11/8/2013 12:00:00 AM", "eng_type" : "Bundled engine", "active" : true}]


def_time The last time updated of engine.

active True: engine is used to scan file.

Summary of scan

Description Retrieve scan history

URL Path /stat/scanhistory/{n_hour}

Method GET

v3.13.0 221

Summary

Retrieve history of scanning in last n hours.



Response Codes

200 OK successful response

400 Bad request Not supported HTTP method or invalid http request

401 Permission Denied for statistic

Either missing API key or invalid api is passed


Response


200

[ { "total_scanned_files": 101, "total_infected": 0, "total_blocked": 1, "avg_scan_time": 19.712871287129, "localtime": "2013-11-11T11:00:00+07:00" }, { "total_scanned_files": 3, "total_infected": 0, "total_blocked": 2, "avg_scan_time": 113.66666666667, "localtime": "2013-11-11T10:00:00+07:00" }, { "total_scanned_files": 5, "total_infected": 1,

v3.13.0 222

1.

2.

3.

4.

5.

"total_blocked": 1, "avg_scan_time": 25.455566656565, "localtime": "2013-11-11T09:00:00+07:00" }]


avg_scan_time Average scanning time

total_infected all logs with scan_result_i of 1, 2, 4, 6, 8

total_blocked All logs that have process_info.result equal to "Blocked"

Look Up Hash and Process (Scan / Sanitize) A File

Recommended Flow Of API Usage

Calculate hash value of a file.

Hash Lookup to see if known instead of sending whole file to server for scan.

If unknown, callInitiate Process File

Retrieve process result Retrieve process result by data_id

if file is sanitized, .Download Sanitized File

User Provided Info

Certain data processing requires of accurate metadata for better process results. Refer to for more information.Initiate Process File

Download Sanitized File

Description Download a file which was converted by the /file workflow API

URL Path /file/converted/{data_id}

Method GET

v3.13.0 223

Summary

Downloading file scanned from database using data_id


apikey Only required if REST API keys have been defined OPTIONAL

Method: GET

URL path /file/converted/{data_id} REQUIRED

data_id Returned by Initiate Scan/Process a File REQUIRED

Example: http://localhost:8008/metascan_rest/file/converted/012e1a8945c041d181e79ab8d711555d

Request Codes

200 OK

400 Bad request Not supported HTTP method or invalid http request (e.g., empty body).

401 Invalid API key Either missing API key or invalid api is passed.

401 Exceeded usage

500 Internal server error

Server temporary unavailable. Try again later.

Response

Example of when request is not successful :

{ err: "DataID not found in the database"}

https://opswat.atlassian.net/wiki/pages/viewpage.action?pageId=3377091

http://localhost:8008/metascan_rest/process/converted/012e1a8945c041d181e79ab8d711555d?apikey=webscan

http://localhost:8008/metascan_rest/process/converted/012e1a8945c041d181e79ab8d711555d?apikey=webscan

v3.13.0 224

Example of when request is successful :

It will return the content of that file if using rest client tool.If using browser, a pop up save file will appear with the file name is the display_name in database. (This API sets the filename using the Content-Disposition)

Hash Lookup

Description Retrieving previous scan reports using hash value

URL Path /hash/{hash value}

Method GET

Metadefender provides multipe ways of looking up previously processed results using hashes or known data_id. If data_id is unknown, hash value (md5, sha1, or sha256) can be used to look up known scan results. While single hash lookup provides full scan results related to hash if found, will return condensed results with links (data_ids) to full scan Multiple Hashes Lookupresult.


apikey If API key is configured by the administrator OPTIONAL

Method: GET

URL path /hash/{hash value} REQUIRED

hash value: any of the followings.

SHA1

MD5

SHA256

v3.13.0 225

Response Codes

code status description note

200 OK either result is found or not found.

400 Bad request Not supported HTTP method or invalid http request

401 Invalid API key Either missing API key or invalid api is passed

404 Not found The scan result for the given data_id was not found.


Response

Only when server returns 200 OK, proper response is returned.

Example of when result is not found :

When scan results are not found, a 200 response status code appears.

Status: 200

{ "BED12FDA073BB386B54700138FB47EEA": "Not Found"}

Response

When result is not found (example) :

Status: 200 (Should be 404)

{ "4f84e3b096d54908963d037b5457bf27": "Not Found"}

When result is found :

v3.13.0 226


It will return process result. Refer to .Response Description

Initiate Process File

Description Initiate scan request

URL Path /file

Method POST

Summary

There are two ways of initiate processing file. One is to upload file and the other is passing the file path (local to the server).

There are several important parameters should be passed along the request so that administrators can track such histories on the server side without relying on additional application logic on client sides.


Parameter Value Required Description

apikey API key configured by administrator.

OPTIONAL

filename Name of files to preserve extension during scan and meta data.

RECOMMENDED filename should be encoded with URLencode and should not contains characters "<" and ">"

Otherwise, it will be removed from filename.

This will be sanitized and all invalid file_name characters will be removed.

If file type mismatch is enabled, needs filename to know original file

v3.13.0 227


extension. If not providing this header, it will cause mismatch.

filepath Path of files that are accessible to Core server

OPTIONAL filepath should be URLEncoded.

filepath should be accessible to core server.

When this head is set, no content need to be put in HTTP request body. Core server will try to process/scan using filepath directly

user_agent A string to identify the client application

OPTIONAL Administrator configures to map user agents to specific workflow.

rule A string to define which workflow to use (i.e. workflow name)

OPTIONAL This will supersede user_agent and both should not be used at the same time

Note: Workflow names can be retrieved from the Management Console Workflow list or REST API, Retrieve profiles (ID and

.name)

archivepwd password of encrypted file

OPTIONAL If submitted file is password protected archive.

original_file_path File path of file scanned on local to the Metascan

OPTIONAL original_file_path should not contains characters "<" and ">".

Otherwise, it will be removed from original_file_path.

v3.13.0 228


Note: This will be sanitized and all invalid path and file name characters will be removed.

source IP, hostname, or other client ID

RECOMMENDED Helps identify where the file is originated from. This should be end-user information to trace where the file came from.

X-File-Size Total size of the original file (before splitted to chunks)

OPTIONAL Used for chunk uploading.

Both MO and REST have already had these headers before. It still be used now.

Should expose, a big file can be uploaded as many parts.

Case insensitive.

This is data_id returned from 1st request and following request will return same data_id. Any further upload more than x-file-size will result in error (not affecting the scan). Checking progress until all file contents is uploaded will return "not found"

Limitation: returned data_id can after last chunk be changed

uploaded, see this case: database already had scan result for file A, customer uses chunk upload and posts this file again, for the first chunk we return data_id_1 (since don't know that

X-File-ID ID number is retrieved after uploading the 1st chunk

OPTIONAL

v3.13.0 229


file already exist in DB with only first chunk), when all chunks are uploaded, we calculated hash and found the result in DB, then we return old data_id (different with data_id_1) without scanning.

Method: POST

HTTP body Contents of the file for scan REQUIRED

Response Codes


200 OK File is uploaded to the server for initiation.

400 Bad Request Invalid request format or server is not configured correctly for Metascan.

401 Invalid API key Either missing API key or invalid API is passed.

403 scan limit reached, try again later

403 exceeded number of allowed clients

exceeded number of simultaneous clients

403 Invalid License

500 Not enough disk space Not enough free space in the temp directory to upload the file.

500 License expired

v3.13.0 230


500 Internal error

503 Failed to request scan. Try again later.

503 Server is too busy. Try again later.

Response


{ "data_id":"4f84e3b096d54908963d037b5457bf27" "rest_ip": "scan01.metascan-online.com/v2"}

Example of failed to upload:

{ "err": "Failed to upload - <error message>"}



data_id Data ID used for retrieving scan results. Since there are potentially multiple scans for same files when any engine has different definition time or when there is an additional engine, this is identifier for per scan other than per file.

rest_ip Requests for the scan progress using 'data_id' should be made to this address instead of the original address. Once a scan is finished, future requests for this 'data_id' can be made to the original address.

Retrieve process result by data_id

v3.13.0 231

Retrieve process result by data_id

Description Query process result

URL Path /file/{data_id}

Method GET

Summary

Query a previously submitted file's scanning result. Scan can be initiated the API below. Calling this API is required to retrieve scan results since the initiate API does not return results.

Initiate Process File

You can retrieve scan results using the Data ID. The scan is done asynchronously and each scan request is tracked by the ID. You need to use two separate API calls to initiate a file scan and retrieve the scan results. This request needs to be made multiple times until the scan is complete. You can trace the scan completion using the “scan_results.progress_percentage” value from the response.

Use the following URL to initiate the scan request: http://localhost:8008/metascan_rest/file

Use the following URL to retrieve scan results: http://localhost:8008/metascan_rest/file/{data_id*}

Method: GET

URL path /file/{data_id} REQUIRED

data_id Returned from Initiate Process File REQUIRED

https://api.metascan-online.com/v1/file

https://api.metascan-online.com/v1/file/%7bdata_id*%7d

https://api.metascan-online.com/v1/file/%7bdata_id*%7d

v3.13.0 232

Response Codes

200 OK Found the scan result for given data_id

400 Bad request Not supported HTTP method or invalid HTTP request.

401 Invalid API key Missing apikey header or invalid key passed

404 Not Found Unable to find a scan result for the given data_id. This is an error.

500 Internal Error Server temporary unavailable. Try again later.

Response

Example of when result is not found :

Status: 200 (Should be 404)

{ "4f84e3b096d54908963d037b5457bf27": "Not Found"}


It will return process result. Refer to .Response Description

v3.13.0 233

1.

2.

3.

4.


Top levels of Process Result

data_id Metadefender provides asynchronous API calls (stateless) and data_id is used for identifying a specific process job. It is obtained from initial data (e.g., file) upload and can be used any time as long as scan history is preserved on the server side. It is generated randomly from the server and guaranteed to be unique so it can be used without worrying about having duplicate data_id. Not applicable for hash look up.

scan_results scan result from each engines along with other metadata for scanning job.

file_info static file information and analyzed file type based on contents

process_info overall process status and information including applied workflow and action results such as sanitization.

extracted_files list of files inside of an archive file. If file is not an archive file or not extracted, this block will not be present.

Minimum Required Parsing Process Results ( process_info)

This only applies if you are using workflow-based process.

There should always process_info field for process JSON message.

Clients should use to know whether the process process_info.progress_percentagehas been finished or still in progress.

Clients should use to check whether the file processed is process_info.result allowedor blocked.

When file is allowed, is empty string If file is blocked, process_info.blocked_reason . clients should use the field to retrieve detailed block reasons

Clients should use to retrieve which profile is used when processing.process.profile

v3.13.0 234

1.

2.

3.

4.

Clients should use to know if the input file's detected process_info. file_type_skipped_scantype is configured to skip scanning

If post processing is configured and applied, there will be field in process.post_processingJSON result. Clients should always check whether this field exists or not to find out if post_processing has been applied or not.

If exists, clients could use process_info.post_processing process.post_processing.to check what actions have been applied and these actions are separated by action_ran

"|". See details in [Description of Response]

If exists, clients could use process_info.post_processing process.post_processing.to check which post_processing failed.action_failed

If "Move" is in "action_ran", clients should check process.post_processing.to retrieve information of the target file type. And clients should call /fileconverted_to

/converted/{data_id} to retrieve link to download converted files

if "Copied" or "Moved" is in "action_ran", clients should check process.post_processing. for the target directory infocopy_or_move_destination

v3.13.0 235

Response Details For process_info

process_info

Process node Only applied if user scanned with user_agent

progress_percentage Percentage of processing completed

Scale of 0-100

user_agent A string which identifies the user. This is used for mapping to a specific workflow.

profile The profile name. This is what the user_agent mapped to.

result The final result of processing the file

Possible values:

Possible Process Results (COM)

"Not processed": default value set in REST before the file is processed by Core

blocked_reason The reason for a file being blocked

Possible list values:

Failed to request a process: "Process Failed"

Possible Blocked Reasons (COM)

"null": default value set in REST before the file is processed by Core

file_type_skipped_scan Indicates if the input file's detected type was configured to skip scanning

JSON Boolean type

v3.13.0 236

post_processing Post processing node Exists only if post processing was configured

actions_ran List of post processing actions ran

Delimited by " | "

Possible list values: "Sanitized | Copied | Moved | Quarantined | Deleted | Ran Script"

*Copied and Moved will never exist together*Quarantined and Deleted will never exist together*(Copied/Moved) and (Quarantined/Deleted) will never exist together

actions_failed List of post processing actions that failed

Delimited by " | "

Possible list values: "Sanitization Failed | Copy Failed | Move Failed | Quarantine Failed | Delete Failed | Ran Script Failed"

*Copy Failed and Move Failed will never exist together*Quarantine Failed and Delete Failed will never exist together*(Copy/Move Failed) and (Quarantine/Delete Failed) will never exist together

converted_to Extension the file was converted to

If the string contains a file type, the converted file can be downloaded

copy_move_destination Destination to where the file was copied/moved

converted_destination Location where the converted file exists

https://opswat.atlassian.net/wiki/display/MLD/Download+Converted+Version+of+File

v3.13.0 237

Response Details For scan_results and others

file_id Populated only when files are configured to be stored. Not applicable for hash look up. This is unique per file so if same file is scanned twice, file_id would be identifical.

scan_result Global scan results, meta data, and scan reports from all engines.

file_info File metadata, hash value, analyzed file types

scan_details Array of scan results for engines

scan_result_i See table below for descriptions

threat_found Name of threat if detected by engine. Non ASCII characters removed.

def_time Definition time of engine at the time of scan

scan_time Elapsed scan time in mili-seconds per engine

rescan_available This value will be set to true

if engine definition has changed.

any engine is missing scan results such as "failed to scan", "not scanned"

scan_all_result_i See table below for descriptions

total_time Elapsed scan time in milli-seconds from when scan is initiated with the first engine until the last engine has completed.

total_avs Number of engines used for scanning

progress_percentage Indicator if scan is in progress

in_queue How many files are in queue before this scan request: 0 means it is being scanned or finished scanning.

v3.13.0 238

upload_timestamp First time file is uploaded to the server (even if file is rescanned this value will be preserved)

file_type_category High level categorization of file type see reference for descriptions

Additional Information For An Archive File

Note: Only applied when scanning an archive file

original_file Basic information and reference to the of the original file (actual data_id archive file, not the extracted contents)

Object Structure

"original_file": { "data_id": "96c7ce8170224bd29c427ec913e3d00b", "scan_result_i": 1, "progress_percentage": 100, "detected_by": 1}

extracted_files Basic information about the included files in the archive can be found in the property.files_in_archive

Files_in_archive only contains maximum 20000 results.

Entries with a non-zero scan_result_i always appear first.

More information about individual entries can be queried with the data_id

The under extracted_files is the reference to the engines data_id summaryor consolidated result for the archive

Object Structure

"extracted_files": { "data_id": "e511f16da3cc422eaa4127ed88ee9446", "scan_result_i": 0, "progress_percentage": 100, "detected_by": 0, "files_in_archive": [{

v3.13.0 239

"display_name": "\\U6367872802.exe", "data_id": "c421c7cfc5c34733ad037116cfe2b6f3", "scan_result_i": 0, "progress_percentage": 100, "file_size": -1, "file_type": "", "detected_by": 0 } ]}

parent_data_id When the scan result for a file within an archive is queried, this refer to the containing archive file.

Available Scan Results (scan_result_i, scan_all_result_i)

value short description

long description

0 No Threats Found

No threat detection or the file is empty

1 Infected/Known

Threat is found


3 Failed To Scan


4 Cleaned / Deleted

Threat is found and file is cleaned (repaired or deleted): repair is not supported yet

5 Unknown Unknown signature. NOTE: this is only used in multiple hash lookup. For single hash lookup, scan_result_* are not returned as response. see for more details.Retrieve scan report by hash (duplicate)

6 Quarantined File is quarantined

v3.13.0 240


long description

7 Skipped Clean

Scan is skipped because this file type is in white-list*

8 Skipped Infected

Scan is skipped because this file type is in black-list*


Threat is not found but there are more archive levels which were not extracted.

10 Not Scanned / No scan results

Scan is skipped by the engine either due to update or other engine specific reason. If scan is disabled, this will be the final result.

11 Aborted The current scan was stopped by the server

12 Encrypted File/buffer is not scanned because the file type is detected as encrypted (password-protected). If the Internal Archive Library is ON encrypted return type is not going to be returned through Metascan scan progress callbacks since the engines do not perform any scan operations. If the Internal Archive Library is OFF Metascan will pass the encrypted files to the engines directly, bypassing the detection.


The extracted archive is too large to scan


There are more files in the archive than configured on the server


Document that is protected by a password [e.g. Office documents or PDFs that require a password to view its contents]. If a file is password protected document, no sanitization will be applied.

17 Mismatch The file's extension does not match the detected file type. Only applicable when using workflows.

v3.13.0 241

Scan not startedThis means the file has not yet been sent to the engines for scanning. The progress_percentage value will be 0 and the in_queue value will be non zero.

scan_results.scan_all_result_i = -1

scan_results.scan_all_result_a = ""

Scan partially completedThis means some engines have returned results but there are still more remaining. This progress_percentage value will be greater then 0 and less than 100.

Accumulated result at the time scan result was queried.

Scan is disabled or skippedThis means the request is complete but scanning has been disabled or has been skipped for some other reason such as file type mismatch. The progress_percentage value will be 100.

scan_results.scan_all_result_i = 10

scan_results.scan_all_result_a = "Not Scanned"

This is same as other Metascan interface such as COM interface and Java interface.

Available File Type Categories (file_type_category)

Mark Note

"E" Executable (EXE, DLL, …)

"D" Document (MS Office word document, MS Office excel sheet)

"A" Archive (Zip, Rar, Tar, …)

"G" Graphical format (Jpeg, GIF, TIFF, BM P, …)

v3.13.0 242

Mark Note

"T" Text

"P" PDF format

"M" audio or video format

"Z" mail messages (MSG, …)

"I" Disk image

"O" Other (anything that is not recognize d as one of the above)

Response Example

Status: 200

{ "extracted_files": { "data_id": "b3a0949e833840128a346fdd7ec42477", "scan_result_i": 0, "detected_by": 8, "files_in_archive": [ { "display_name": "\\\\eicar.com", "data_id": "372d93b94be04ed89da2a7d938b72452", "file_type": "-", "scan_result_i": 1, "detected_by": 4, "progress_percentage": 100, "file_size": 68 }, { "display_name": "\\\\Printout.pdf", "data_id": "6acba97776694ac89b8e3c573439bfbe", "file_type": "PDF/AI", "scan_result_i": 0, "detected_by": 0, "progress_percentage": 100, "file_size": 246121 } ]

v3.13.0 243

}, "file_id": "", "scan_results": { "scan_details": { "Ahnlab": { "threat_found": "EICAR_Test_File", "scan_result_i": 1, "def_time": "2016-08-03T00:00:00Z", "scan_time": 1 }, "Avira": { "threat_found": "", "scan_result_i": 0, "def_time": "2016-08-03T00:00:00Z", "scan_time": 15 }, "ClamAV": { "threat_found": "Heuristics.PDF.ObfuscatedNameObject", "scan_result_i": 1, "def_time": "2015-07-03T00:00:00Z", "scan_time": 31 }, "ESET": { "threat_found": "", "scan_result_i": 0, "def_time": "2016-08-03T00:00:00Z", "scan_time": 1 } }, "rescan_available": false, "data_id": "c0983103f31f4e74889cc7188f6c0cdd", "scan_all_result_i": 1, "start_time": "2016-08-03T17:08:52.949Z", "total_time": 31, "total_avs": 4, "progress_percentage": 100, "in_queue": 0, "scan_all_result_a": "Infected" }, "file_info": { "file_size": 2073, "upload_timestamp": "2016-08-03T17:08:52.949Z", "md5": "4D6B72DDC54514F82DDCDDA2E9923AAF", "sha1": "7B7B5487948E4EDC1AF62539ABF0DD72B456D03E", "sha256": "1A90EA551EE596F357794DFF314F042D84A9AFC3D56ED2C995A4908395CBABBC", "file_type_category": "P", "file_type_description": "Adobe Portable Document Format", "file_type_extension": "pdf/ai", "display_name": "1470244133_dirty_315.pdf", "original_file_path": ""

v3.13.0 244

}, "process_info": { "post_processing": { "actions_ran": "Sanitized", "actions_failed": "", "converted_to": "pdf", "copy_move_destination": "", "converted_destination": "toConvert_[sanitized].pdf" }, "progress_percentage": 100, "user_agent": "cactus", "profile": "default", "result": "Blocked", "blocked_reason": "Dirty", "file_type_skipped_scan": false }, "data_id": "c0983103f31f4e74889cc7188f6c0cdd", "rescan_count": 0, "source": "10.0.50.37", "scanned_on": "10.0.50.52"}

Description of File Type Categories

Available File Type Categories (file_type_category)

Mark Note

"E" Executable (EXE, DLL, …)

"D" Document (MS Office word document, MS Office excel sheet)

"A" Archive (Zip, Rar, Tar, …)

"G" Graphical format (Jpeg, GIF, TIFF, BM P, …)

"T" Text

"P" PDF format

"M" audio or video format

"Z" mail messages (MSG, …)

v3.13.0 245

Mark Note

"I" Disk image

"O" Other (anything that is not recognize d as one of the above)

Description of Scan Results

Available Scan Results (scan_result_i, scan_all_result_i)


long description

0 No Threats Found

No threat detection or the file is empty

1 Infected/Known

Threat is found


3 Failed To Scan


4 Cleaned / Deleted

Threat is found and file is cleaned (repaired or deleted): repair is not supported yet

5 Unknown Unknown signature. NOTE: this is only used in multiple hash lookup. For single hash lookup, scan_result_* are not returned as response. see for more details.Retrieve scan report by hash (duplicate)

6 Quarantined File is quarantined

7 Skipped Clean

Scan is skipped because this file type is in white-list*

8 Scan is skipped because this file type is in black-list*

v3.13.0 246


long description

Skipped Infected


Threat is not found but there are more archive levels which were not extracted.

10 Not Scanned / No scan results

Scan is skipped by the engine either due to update or other engine specific reason. If scan is disabled, this will be the final result.

11 Aborted The current scan was stopped by the server

12 Encrypted File/buffer is not scanned because the file type is detected as encrypted (password-protected). If the Internal Archive Library is ON encrypted return type is not going to be returned through Metascan scan progress callbacks since the engines do not perform any scan operations. If the Internal Archive Library is OFF Metascan will pass the encrypted files to the engines directly, bypassing the detection.


The extracted archive is too large to scan


There are more files in the archive than configured on the server


Document that is protected by a password [e.g. Office documents or PDFs that require a password to view its contents]. If a file is password protected document, no sanitization will be applied.

17 Mismatch The file's extension does not match the detected file type. Only applicable when using workflows.

Scan not started

v3.13.0 247

This means the file has not yet been sent to the engines for scanning. The progress_percentage value will be 0 and the in_queue value will be non zero.

scan_results.scan_all_result_i = -1

scan_results.scan_all_result_a = ""

Scan partially completedThis means some engines have returned results but there are still more remaining. This progress_percentage value will be greater then 0 and less than 100.

Accumulated result at the time scan result was queried.

Scan is disabled or skippedThis means the request is complete but scanning has been disabled or has been skipped for some other reason such as file type mismatch. The progress_percentage value will be 100.

scan_results.scan_all_result_i = 10

scan_results.scan_all_result_a = "Not Scanned"

This is same as other Metascan interface such as COM interface and Java interface.

Creating Cpp library for REST API

This sample library is a C++ wrapper which interact with subset of REST API functions. These sample codes are written mainly for Metadefender Core v4.x but should be compatible with v3.x with minimum modification. It is a header only library, so there is no need for building it.

Sample Codes at Bitbucket

https://bitbucket.org/gergely_andras_nagy/mdrestclient

C API vs REST API

scanLocalFile: with filepath header for scanning a local file/file

scanFile: for sending a file for scan via POST/file

fetchScanResultById: for retrieving results via ID/file/{data_id}

https://bitbucket.org/gergely_andras_nagy/mdrestclient

v3.13.0 248

fetchScanResultByHash: for retrieving results via hash/hash/{md5|sha1|sha256 hash}

fetchSanitizedFileById: for retrieving a sanitized file via ID/file/converted/{data_id}

createSession: for creating a session/login

destroySession: for destroying a session/logout

getVersionInfo: for retrieving details about the product version/version

getLicenseInfo: for retrieving details about the licensing status of the /admin/licenseproduct

getEngineInfo: for retrieving information about the engines/stat/engines

Prerequisites for using the library

GCC 4.9+ or VS2013+

Prerequisites for building unit tests for the library

CMake 2.8+

GCC 4.9+ or VS2013+

Working internet connection for downloading Google's unit test framework

How to build unit tests

You should run CMake on TestOpswatMDRestLib/CMakeLists.txt found in the TestOpswatMDRestLib directory and use system dependent tools on the CMake output.

On Linux

Given you are standing in the root directory:

Making under Linux

$ mkdir build$ cd build$ cmake ../TestOpswatMDRestLib$ make

The executable test will be available under build/TestOpswatMDRestLib/test-mdrestclient

On Windows

After running CMake a Visual Studio solution file and projects will be generated. You can build the library using Visual Studio tools.

v3.13.0 249

How to use

The REST related functions can be accessed via the class, so you should create one MDRestfirst. In order to create MDRest you should provide type via template parameter.session

Session type

You can find two types of HTTP sessions: and MDPersistentHttpSession. MDPersistentHttpSession creates a persistent connection towards the MDSimpleHttpSession

REST server and re-uses it for every request, while MDSimpleHttpSession creates a new connection for every request. We recommend using MDPersistentHttpSession if you want to make consecutive requests. You should provide what type of you would like to use for the clientsession via template parameter.

Client type

This should be a class implementing . The client is used for sending requests to IMDHttpClientand receiving responses from the REST server. See for example.MDCurlHttpClient

Curl client

When using the curl client you should call or Opswat::MDCurlHttpClient::curlHttpClientInit() in your program. For more information Opswat::MDCurlHttpClient::curlHttpClientInitAll()

about initializing please refer to .curl_global_init documentation

Linking to libcurl and having libcurl headers are necessary if you want to use the MDCurlHttpClient in your application.

Using results of requests

Most of the functions found in MDRest return as a result. By calling MDResponse getJSON()on the response you can get the plain JSON answer received from the REST server in a string without any JSON parsing overhead. By calling a struct will be created and populated parse()by parsing the JSON. The struct's type depends on which function was called.

Using API keys

If you need to call functions which require API keys on REST side (like receiving license informations) you should get an API key first. After you have received an API key (for example after creating one with ) you should call with your key. By createSession() useSession()invoking useSession the provided API key will be included in every requests in the future.

https://curl.haxx.se/libcurl/c/curl_global_init.html

v3.13.0 250

Example

Example code

#include <iostream>#include <string>#include <chrono>#include <thread> #include "md_rest.h"#include "md_curl_http_client.h"#include "md_http_session.h" using SessionType = Opswat::MDPersistentHttpSession<Opswat::MDCurlHttpClient>; int main(int argc, char* argv[]){ Opswat::MDCurlHttpClient::curlHttpClientInitAll(); try { // Create an MDRest object using persistent connection with curl client Opswat::MDRest<SessionType> rest(std::make_unique<SessionType>("127.0.0.1", 8008)); // Create session auto parsedLogin = rest.createSession("admin", "admin")->parse(); std::cout << "Session ID after login: " << parsedLogin->session_id << std::endl; rest.useSession(parsedLogin->session_id); // Initate scan for a local file by giving the path for the file and a display name std::unique_ptr<Opswat::MDResponse<Opswat::MDFileScanId>> response = rest.scanLocalFile("C:\\test.txt", "test"); std::unique_ptr<Opswat::MDFileScanId> parsedResponse = response->parse(); std::cout << "Data ID: " << parsedResponse->dataId << std::endl; // Give some time for scanning const int waitTime = 10; std::this_thread::sleep_for(std::chrono::milliseconds(waitTime));

v3.13.0 251

// Check periodically if the scan is still processing by using the raw JSON so we don't make a lot of parsing auto scanResult = rest.fetchScanResultById(parsedResponse->dataId); while (scanResult->getJSON().find("\"result\":\"Processing\"") != std::string::npos) { std::this_thread::sleep_for(std::chrono::milliseconds(waitTime)); scanResult = rest.fetchScanResultById(parsedResponse->dataId); } // Print the display name of the file and the overall scan result auto parsedScanResult = scanResult->parse(); std::cout << "Result for " << parsedScanResult->fileInfo->displayName << " is: " << parsedScanResult->scanResult->scanAllResultDesc << std::endl; // Get engine infos and print the engine name and type for all of them auto parsedEngines = rest.getEngineInfo()->parse(); for (auto &engine : parsedEngines->engines) { std::cout << "Engine name and type: " << engine->engineName << " -> " << engine->engineTypeDescription << std::endl; } // Use the previously created session ID for functions which require api key auto parsedVersion = rest.getVersionInfo()->parse(); std::cout << "Metadefender version: " << parsedVersion->version << "\nProduct ID: " << parsedVersion->productId << std::endl; // Destroy session when it is not needed anymore auto logout = rest.destroySession(parsedLogin->session_id); } catch (Opswat::MDException& e) { std::cout << e.what() << std::endl; } return 0;}

Notes

v3.13.0 252

Notes

Please note that the initialization function for curl is . Please check it's not thread safedocumentation

Persistent session with the curl client is . The same MDRest object not thread safeshouldn't be used from different threads.

Please use MDRest in a block. When facing an error the library throws try-catchdifferent types of exceptions. For example for connection MDConnectionExceptionerrors or when the parsing was unsuccessful.MDParsingException

Please find the licenses for third party libraries under licenses folder.

https://curl.haxx.se/libcurl/c/curl_global_init.html

v3.13.0 253

5. Release Notes

New features

Many Metadefender Core components have been upgraded to 64-bit, including the REST server, allowing the scanning of very large archives simultaneously.

Support McAfee Web Gateway

Other changes

The Metadefender Mail Agent is no longer installed with Metadefender core. The Metadefender Mail Agent installer now needs to be generated from Metadefender Core's Management Console and then installed manually.

Scan results on the quarantine page are now linked to the scan results on the Logs page. If scan results are deleted from the Logs page they will also be removed from the quarantine page.

If the RAM drive is installed as part of Metadefender Core it will not be removed when Metadefender Core is uninstalled.

When the Metadefender Core license is expired the Management Console is now still accessible for configuration purposes

General and Known Issues

General

Metadefender Core 1, 4, and 8 come with a trial license good for 15 days after fresh installation (reinstalling does not reset trial).

Metadefender Core 12, 16, and 20 do not come with a trial license. To obtain a trial license, please contact OPSWAT sales ([email protected]).

Metadefender Core should be restarted whenever a new license has been applied via command line.

Metadefender Core was previously called Metascan.

Metadefender Core categorizes files as 'blocked' or 'allowed' based on the process results. Please refer to Callback for Processing a File (COM) for details.

Known issues

http://opswat.com/

https://opswat.atlassian.net/wiki/pages/viewpage.action?pageId=18383800

v3.13.0 254

Known issues

Metadefender Core embedded engines should not be installed on a system which has an alternate product provided by the same vendor, for example, installation of the Norman Scan Engine with Norman Security Suite. This configuration is not supported by Metadefender Core.

Metadefender Core license allows up to 10 Remote Desktop (RDP) sessions to a server running Metadefender Core . Please contact if you need more than OPSWAT supportten connections via RDP.

Scanning boot sector is only supported by the Total Defense/Quick Heal scan engine. Other engines will fail to scan for boot sector scan request.

REST Web Service installation may fail to install if UAC (User Access Control) is enabled. Turn off UAC and run the installation with Administrator privileges.

If logging all scan history is enabled, the Metadefender Core Management console dashboard may cause high load on mongoDB.

ICAP server does not block traffic if server is overloaded by default.

Metadefender Core does not support installation to directory paths that include non-ASCII characters.

Metadefender Core must have archive handling enabled in order to correctly scan GZIP content through the ICAP interface.

When Metadefender Core is configured to use a local instance of MongoDB (the default configuration) the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OPSWAT\Metascan\db_instance (or HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\Metascan\db_instance for 32 bit systems) key must be set to 'localhost' or '127.0.0.1'. The local system cannot be referred to by IP address.

Metadefender Core does not support installation on systems where the TEMP environment variable contains more than one path.

In Metadefender Core 20 packages, the Sophos scan engine must have its definitions updated before scans can successfully complete.

Archives scanned through the COM interface do not have their scan results logged.

The setting "Maximum File Size for files scanned through the web interface" found on the Configuration->Scan Configuration page in the Metadefender Core Management Console cannot currently be imported or exported through the Backup/Restore feature.

Disabling the 'support_custom_engine' property will disable all engines in Metadefender Core.


v3.13.0 255

Threats found within archives will not be removed even if Metadefender Core is configured to delete or quarantine files that contain threats.

Verbose debug logs larger than 1GB cannot be downloaded from Metadefender Core management console, call omsDebugTool.exe from the command line instead.

Files scanned through the Process COM API only have partial logging. This includes files scanned through the ICAP interface.

File size must be less than 2GB when scanning single file via REST or Metadefender Client.

v3.13.0 256

6. Important Concepts and Terminology

Usable AVs (antivirus)

Usable AVs are the anti-malware engines that Metadefender Core uses to process scan requests. All embedded engines are usable anti-malware engines. For anti-malware applications that are installed by you, please check the list of products that Metascan supports.

This list can be retrieved from:

Init API

Any command line utility (omsCmdUtil.exe) command

Metadefender Core Management Console Configuration Page

Current AVs

Current AVs are anti-malware engines that Metadefender Core automatically uses for scans and updates. This list is affected by licenses and properties such as included antiviruses, excluded antiviruses, and supported pre-installed antiviruses.

For example, if you installed Metadefender Core 8 and you have McAfee VirusScan installed on your machine, but you exclude the ESET scanning engine and disable customer-licensed products, your usable AVs and current AVs will be designated as below:

Usable AVs (Usable AMs) Current AVs

Avira scan engine

ESET scan engine

ClamAV scan engine

AhnLab scan engine

ThreatTrack scan engine

Bitdefender scan engine

Total Defense scan engine

Quick Heal scan engine

McAfee VirusScan

Avira scan engine

ClamAV scan engine

AhnLab scan engine

ThreatTrack scan engine

Bitdefender scan engine

Total Defense scan engine

Quick Heal scan engine

v3.13.0 257

Customer licensed engine

Customer licensed engine is the term used to describe an antivirus application that is already installed on your server (for example, an antivirus application that is installed on all computers in your corporate environment) which can then be incorporated as another engine to be used by Metadefender Core. You can view a list of antivirus applications that can be used as a customer licensed engine . A compatible antivirus application that is installed on the server herewill be automatically detected and made visible as an engine in the Metadefender Core Management Console (MMC). You can then use the MMC to enable the engine for Metadefender Core.

Metadefender Core's embedded engines are configured for optimal performance, Note: whereas a customer licensed engine is not. Thus, the performance of Metadefender Core can be adversely affected by a customer licensed engine.

Synchronous/asynchronous scan

Metadefender Core can be delegated to queue scan requests and return the results of queued scans via callbacks with extensive scan details. Even if your application is single threaded, you can process many scan requests without blocking. In other words, as soon as you have data to be scanned and you call the asynchronous scan API of Metadefender Core (for example, PutToScanQueue), you can continue to request scans without waiting for the results of the scan.

On the other hand, a synchronous scan is more suitable if your application creates scan requests in many threads. Refer to the ScanEx section on how to retrieve scan details when scanning synchronously.

Valid file name

A valid file name as a parameter for any API related to scanning files should meet the following requirements:

Absolute path to file, folder, and drive (e.g., c:, C:\Windows, C:\boot.ini)

File path should be limited to the local machine (e.g., “\\remote_machine\testfile.txt” would be recognized as an invalid path)

https://onlinehelp.opswat.com/corev3/Which_antivirus_engines_are_designated_by_Metadefender_Core_as__customer_licensed_engines__.html

v3.13.0 258

7. Metadefender / Client

About This Guide

Welcome to the Metadefender Client user guide. This guide is intended to provide the information you need to:

Install, configure, and manage Metadefender Client.

Learn about new features, updated features, and bug fixes on each Metadefender Client Release (i.e. each product version's release notes)

Learn about frequently asked questions and additional concepts through our library of knowledge base articles

While we offer the option to download this guide to a PDF file, it is optimized for online browser viewing. OPSWAT updates the online version of the guide regularly on an "as needed" basis. By viewing the document online, you are assured that you are always seeing the most recent and most comprehensive version of the guide.

Key Features of Metadefender Client

File scanning and processing with Metadefender Core workflows, including:

File sanitization (aka Content Disarm and Reconstruction) using 90 data sanitization engines

Multi-scanning for malware with more than 30 leading anti-malware engines

Heuristic analysis to detect more unknown and targeted attacks

Vulnerability Engines

File Type Verification

Archive Extraction

Enumeration and scanning of running processes and loaded libraries

Blocking of USB devices until they have been scanned by Metadefender and found clean





v3.13.0 259

1.

2.

Available Metadefender Client Packages

Metadefender Client

Metadefender Client can be run as a single executable for scanning files on demand without the need for installation.

Metadefender USB Client

The Metadefender USB Client can be installed on endpoints and run in the background, monitoring for any USB storage devices that are inserted into the system. When a USB storage device is detected Metadefender Client will block access to that device and prompt the user to initiate a scan. The user can select two options for scanning the USB storage device.

Browse mode - Allows users to specify specific files, which if found clean will be copied to the "Metadefender" folder on the desktop. If the file is suspicious, it will indicate this in the "Suspicious files" tab and not copy the file. After each scan, the drive will be ejected, the user can restart the process by removing and re-plugging-in the USB.

Full Scan mode - Scans the entire drive, if the drive is found clean then it unlocks the drive. Once unlocked, the drive should work as normal, it is fully accessible from Windows Explorer. It should be noted that if the user wants to copy files from the file system to the USB they will need to use this mode to unlock the drive first. If the drive is found dirty, it will be ejected from the system after scanning

Metadefender Cloud Client

The Metadefender Cloud Client scans files with the engines available in Metadefender Cloud (Metadefender.com).

Metadefender Client Configuration in Metadefender Core 3.x

"Metadefender Client Download Configuration" lets you specify the settings for the Metadefender Client package that you generate and download from the bottom of the page. After a client has been generated, the Metadefender Client download page (<ip or dns address>:8008/#/client) can be shared with anyone who should be able to use Metadefender Client to scan files with this Metadefender Core server.


v3.13.0 260

2. Click the Sources tab and then c lick Metadefender Client .

Note: The Windows Metadefender Client is supported to run only on endpoints running Windows 7 or later.

The following properties can be set for the Metadefender Client download package.


Metadefender Core

Local Metadefender Core

This is the address that Metadefender Client will use to access the Metadefender Core server. This should be an address (IP address or machine name) that will be accessible from every machine where Metadefender Client will be run.

<IP Address>:8008/metascan_rest/

Scan Options

File Size Limit

The maximum size of files to be scanned by Metadefender Client. Files larger than this size will not be scanned. Maximum file size limit: 2GB

50 MB

Scan Type

Set a default behavior

Select option to be used as the default behavior:

Full Scan: scans system drives, physical drives, running memory processes, and removable drives

Process (Quick Scan)

v3.13.0 261


Process (Quick Scan): scan running memory processes

Custom: select which system components to scan

Allow custom selection in the client

Allows a user of Metadefender Client to select to which system components to scan.Enabling components will show the components to be selected upon startup of the Client.

No components are selected

Local Log Directory

Save scan log

The directory where Metadefender Client will log all scanning activity

Enabled

Destination: %AppData%\Metadefender-Local

Allow App to Exit

Specifies whether the Metadefender Client can be exited from the system tray

Enabled

After configuration changes have been made, you can generate a new Metadefender Client downloadable package by clicking . Update Client

Release Notes

Changes in 3.12.5

Better handling of Malformed URLs that are inputted in the Metadefender Core Server URL dialog

Resolved an issue where the splash screen did not close under older operating systems (e.g. Windows 7 64bit)

Removed files from the Metadefender Client package which caused the package to be detected as encrypted archive

Improved performance by adding a hash lookup for existing scan results before uploading a file for scanning

Added support for network mapped drives

v3.13.0 262

Improved the reporting of processes with infected DLLs in the exported report

Added support for files that have been whitelisted or blacklisted on the Metadefender Core Server

v3.13.0 263

8. Metadefender / Email

Second Layer of Defense for Your Email Security Gateway

Email security gateways, although offering tremendous protection, are not perfect. Metadefender Email Security enhances existing email security gateways by offering additional protection with more than 30 anti-malware engines (leveraging both heuristics and signature-based detection) and data sanitization to combat increasingly popular document-based or image-based attacks.

Key Features

Prevent with email sanitization using 90 data sanitization engines

Detect and prevent more threats by scanning with more than 30 leading anti-malware engines

Leverage analysis to detect more unknown and targeted attacksheuristic

Decrease detection time of outbreaks

Easily integrate with existing email security layer

RealTime Monitoring threats

RealTime Alert / Monitoring

Schedule Report

High performance

Quarantine detected/sanitized Email

Deployment Options

Mail Proxy Deployment (Generic)

Email Proxy between Mail Gateway (anti-spam) and Mail Server





v3.13.0 264

Cloud Deployment

For hosted solution such as Office 365 and G Suite (formerly Google Apps for Work) Gmail

Onsite Microsoft Exchange Deployment

v3.13.0 265

Metadefender Email Does Not

Replace Email Gateway Spam Filtering

Replace Mail Server

1. Before Installation

Metadefender Email provides multiple deployment options as described in this documentation. If you need additional information in selecting the optimal deployment option, OPSWAT Technical Support is available to assist. Metadefender Email's performance and capacity vary depending on the specifications of the system hosting Metadefender Email. Increasing the resources available to the Metadefender Email system will likely increase the performance of the Metadefender Email system, however this is not guaranteed.

Increase Capacity and Resiliency

Single Server Capacity

System Profile Email Consists of Throughput CPU usage

4 Core Processor

16 GB RAM

64 bit OS


30% of emails with no attachment

40% of emails with single attachment (sanitization is not enabled)

12.5% of emails has PDF* attachment (sanitization is enabled)

12.5% of emails has DOCX* attachment (sanitization is enabled)

5% of emails has JPG* attachment (sanitization is enabled)

300 emails / minute

50-100%

*Files that we used for testing have the following sizes. The result may vary depending on data set you select. We strongly recommend to conduct testing based on your organization email statistics. If you need assistance on the tools for testing, contact OPSWAT support.

DOCX: 220 KB

PDF: 8 KB

JPG: 650 KB

v3.13.0 266

Load Balancing Metadefender Email

For Mail Proxy and Hosted deployment, this is desired configuration to increase the resilience and performance.

In order to achieve the following options should be considered.

Using load balancer (e.g., elastic load balancer, barracuda load balancer)

Using SMTP failover mechanism on your email gateway (configuration varies depending on the email gateway solution).

Load Balancing (remote) Metadefender Core

This is mainly for onsite exchange deployment scenario. See Multiple Metadefender Core for further instructions.Instances Configuration

System Requirements

The following does not include the system requirement for Metadefender Core if installed on the same system.


System RAM: 2 GB

Free Hard Drive Space: 16GB

CPU: 4 core


Operating System: Windows 7 / 8 / 8.1 / 10 / 2008 R2 / 2012 / 2012 R2

Bitness: 64-bit only

(Optional) 32-bit OpenSSL if using TLS encryption

Additional installation of 3rd party framework/components


.NET framework 4 Client ProfileExtended

REQUIRED

v3.13.0 267

Additional installation of Windows services

Name Service Name Optional

Metadefender Generic Mail Agent mdfExgEmailAgent by default

Ports that must be available

in/out component/service

port note

inbound Mail Agent Service

10025 this is customizable so adjust accordingly if modified

outbound Metadefender Core

8008 only if Metadefender Core is installed on a remote system.

outbound Metadefender Quarantine

8000 only if Quarantine (contained in Metadefender Core) is installed on a remote system.

Exchange Mail Agent Supportability Matrix

Overview

This page describes the supported operating systems and Microsoft Exchange version for installing Metadefender Mail Agent for .4. Onsite Microsoft Exchange Deployment

The matrix is built considering the Metadefender Core System Requirments and Microsoft Exchange Server Supportability Matrix.

Supported Environments

The following table identifies supported environments for installing Mail Agent on an operating system running Microsoft Exchange Server. Supported environments are marked with .

v3.13.0 268

Exchange Server Version

Windows Server 2008

Windows Server 2008 R2 Service Pack 1

Windows Server 2012

Windows Server 2012 R2

Exchange 2007 Service Pack 3

Exchange 2010 Service Pack 3

Exchange 2013 Cumulative Update 13

Exchange 2016 Cumulative Update 2

2. Mail Proxy Deployment (Generic)

Email Proxy between Mail Gateway (anti-spam) and Mail Server

Configuring Incoming Threat Protection

In order to install and configure Metadefender Email incoming threat protection, you must first install Metadefender Email and then configure the routing of the incoming threat protection, verify the routing settings, and then connect to your e-mail gateway.

Installation

v3.13.0 269

1.

2.

3.

Installation

Generate Metadefender Email installer package from Metadefender Core Management console. "Source">"Metadefender Email" > "Setup" page, choose "Generic / Cloud Agent". Download the Metadefender Email installer, copy it to where you want to install it, and follow the installation wizard to finish installation.

If you get Metadefender Email installer from OPSWAT portal or another source other than the Metadefender Core server you want it to process with, run the installation by opening a command prompt and type the following command:

MetadefenderEmailAgent.exe METASCANAPIKEY=<Mail Agent installer ID> METASCANURL=http://<Metadefender Core IP address>:8008/metascan_rest [ENTER]

Notes:

Replace with the ID shown on Metadefender Core <Mail Agent installer ID>management console source page under Email setup sectionNote:

Replace with the IP address or hostname of the <Metadefender Core IP address> machine where you have installed Metadefender Core.

Metadefender Email will automatically detect if Exchange Server is installed or not and install the appropriate edition (Proxy/Exchange)

Configure Routing & Connect to E-mail gateway

In this section, you will connect Metadefender Email to your mail server.

Open the Metadefender Core Management Console.

Select .Sources > Metadefender Email > Setup

Click on the newly installed Metadefender Email instance.Setup

v3.13.0 270

3.

4.

a.

b.

5.

Connect Metadefender Email to Mail Server.

In the Email Relay Out Server field, specify the of your mail IP address (or name)server and the SMTP protocol port that the mail server is listening on (usually port 25).

In the Email Direction field, select . Incoming

Connect E-mail Gateway to Metadefender Email

v3.13.0 271

5.

a.

6.

1.

2.

3.

Configure you're 3rd party e-mail gateway to forward all e-mails to the server:port specified in the dialog.

By default, Metadefender Email listens on SMTP port 10025 Make sure that Note: . your firewall allows traffic on the port used by the Mail Agent. You might need to open port 10025 in Windows Firewall

Click to save your changes.Apply

Verify Settings

In this section, you will verify your configuration settings and confirm that Metadefender Email works as expected.



Click on the newly configured Metadefender Email instance.Verify

v3.13.0 272

3.

4.

5.

6.

7.

Select as verification type and specify an Incoming external e-mail address as senderand .a local mailbox as recipient

Click to perform the test. If the test is successful, Metadefender Email is Applyconfigured correctly.

Optionally, manually send an e-mail from an external source to a local mailbox to verify that email routing from the gateway to Metadefender Email is configured correctly.

Go to the Metadefender Core Management Console Dashboard and verify that the e-mail has been scanned.

v3.13.0 273

1.

Configuring Outgoing Threat Protection

In order to install and configure Metadefender Email outgoing threat protection, you must first install Metadefender Email and then configure the routing of the outgoing threat protection, verify the routing settings, and then connect your mail server to Metadefender Email.

Installation

Generate Metadefender Email installer package from Metadefender Core Management console. "Source">"Metadefender Email" > "Setup" page, choose "Generic / Cloud Agent". Download the Metadefender Email installer, copy it to where you want to install it, and follow the installation wizard to finish installation.



Notes:

Replace with the ID shown on Metadefender Core <Mail Agent installer ID>management console source page under Email setup sectionNote:



Configure Routing & Connect to E-mail gateway

In this section, you will connect Metadefender Email to your mail server.


v3.13.0 274

2.

3.

4.

a.

b.

5.


Click 'Setup' on the newly installed Metadefender Email instance.

Connect Metadefender Email to Mail Server.

In the Email Relay Out Server field, specify the of your IP address (or name)outbound gateway and the SMTP protocol port that the outbound gateway is listening on.

In the Email Direction field, select . Outgoing

Connect your Mail Server to Metadefender Email

v3.13.0 275

5.

a.

6.

7.

8.

1.

2.

3.

Configure you're 3rd party e-mail gateway to forward all e-mails to the server:port specified in the dialog.

By default, Metadefender Email listens on SMTP port 10025 Make sure that Note: . your firewall allows traffic on the port used by the Mail Agent. You might need to open port 10025 in Windows Firewall

Click to save your changes.Apply

Send an e-mail from a local mailbox to an external source and verify that the e-mail is being delivered as expected.


Verify Settings

In this section, you will verify your configuration settings and confirm that Metadefender Email works as expected.




v3.13.0 276

3.

4.

5.

6.

7.

Select as verification type and specify an and Outgoing local mailbox as sender an .external e-mail address as recipient

Click to perform the test. If the test is successful, Metadefender Email is Applyconfigured correctly.

Optionally, manually send an e-mail from a local mailbox to an external source to verify that email routing from the Mail Server to Metadefender Email is configured correctly.


v3.13.0 277

1.

2.

3.

4.

1.

2.

3.

Configuring Recipient Verification

The Generic Mail Agent is capable of performing basic recipient verification on the incoming emails in order to ensure that emails not bound for a specific domain or containing illegal characters do not enter the system. By default, recipient verification is enabled but no domains are configured so every domain will be considered an accepted domain. If recipient verification fails the email will not enter the system.

Reject emails not bound for local domain(s)

In order to discard emails that are not addressed to recipients in your domain(s) you need to configure Mail Agent by specifying a list of local domains that are accepted.

Go to the installation folder (by default C:\Program Files (x86)\OPSWAT\Metadefender Core <engine count>\Metadefender Mail Agent)

Open as administrator the file Metadefender.Email.Engine.Generic.Agent.dll.config for editing

Add a comma (,) separated list of local domains as value for the setting called EmailRelayInLocalDomains

<setting name="EmailRelayInLocalDomains" serializeAs="String"> <value>opswat.com,metadefender.com</value></setting>

Note: by default the value is (*) which means all domains are accepted.Note: Multiple domains are separated with a comma (,) character. It is possible to prefix the domain name with an * to accept sub domains. For example: * will accept opswat.comboth & .opswat.com subdomain.opswat.com

Save the file.

Verify Settings

In this section, you will verify your recipient verification settings work as expected.




http://opswat.com

http://opswat.com

http://subdomain.opswat.com

v3.13.0 278

3.

4.

5.

6.

Select as verification type and specify an Recipient Verification an external e-mail and address as sender, a local mailbox as valid recipient e-mail address an invalid

.(unwanted) e-mail address as Invalid recipient address.

Click to perform the test. If the test is successful, recipient verification is Applyconfigured correctly.

Optionally, manually send an e-mail from an external source to a local mailbox to verify that recipient verification is working as expected.

v3.13.0 279

1.

2.

3.

4.

TLS support (Incoming/Outgoing emails)

Metadefender Email can both receive and send emails using TLS encryption for increased security. Refer to the sections below to enable TLS for incoming and/or outgoing emails.

Prerequisite

OpenSSL 32-bit

Incoming TLS support

Follow the instrutions below if you want to enable TLS encryption for incoming emails.

I have a pcks#12 certificate:

For these steps you will need a pcks#12 certificate file (.pfx).

If you don't have a certificate .pfx file, refer to for instructions how Export a certificateto export a certificate to a .pfx file.

Ensure that OpenSSL is installed. If you do not have OpenSSL installed, it can be downloaded from here: https://slproweb.com/products/Win32OpenSSL.html (unofficial distribution)

Open an administrator command prompt and navigate to the Mail Agent folder (default: C:\Program Files (x86)\OPSWAT\Metadefender Mail Agent)

Type the following command:

enableTls.exe -i -b "<path to .pfx>" -j "<certificate password>"

(Replace <path to .pfx> with the path to your .pfx certificate file. -j parameter can be omitted if the certificate is not password protected)

The certificate is imported and TLS settings automatically updated:

C:\Program Files (x86)\OPSWAT\Metadefender Mail Agent>enableTls.exe -i -b "<path to .pfx>" -j "<certificate password>"Reading Mail Agent settings...Updating settings...Mail Agent settings updated successfully

https://slproweb.com/products/Win32OpenSSL.html


v3.13.0 280

4.

1.

2.

3.

4.

1.

2.

3.

Metadefender Email will now accept TLS encryption when receiving emails.

I have a pcks#8 certificate:

For these steps you will need a certificate file and a private key file (pcks#8).




enableTls.exe -i -y "<path to certificate file>" -z "<path to private key file>"

(Replace <path to certificate file> with the path to your certificate file and <path to private key file> with with the path to your private key file)

The certificate and private key and imported and TLS settings automatically updated:

C:\Program Files (x86)\OPSWAT\Metadefender Mail Agent>enableTls.exe -i -y "<path to certificate file>" -z "<path to private key file>"Reading Mail Agent settings...Updating settings...Mail Agent settings updated successfully


I want to use a self-signed certificate:

Follow these steps if you wish to use a self-signed certificate.








v3.13.0 281

3.

4.

1.

2.

3.

enableTls.exe -i -e -d 365 -c US -s "California" -l "San Francisco" -o "Company"

Replace any of the following parameters with desired values:-d = Number of days the certificate is valid-c = Country code (2 letter ISO) -s = State/District-l = City-o = Company name

A new certificate is generated and TLS settings automatically updated:

C:\Program Files (x86)\OPSWAT\Metadefender Mail Agent>enableTls.exe -i -e -d 365 -c US -s "California" -l "San Francisco" -o "Company"Reading Mail Agent settings...Generating a 4096 bit RSA private key............++..............................................................................++ writing new private key to 'tls_key.pem'-----Updating settings...Mail Agent settings updated successfully


Outgoing TLS support

To enable outgoing TLS encryption, do the following:




enableTls.exe -g -r "<mail_server> -m 587 -q "<username>" -w "<password>"



v3.13.0 282

3.

4.

1.

2.

a.

b.

c.

d.

e.

Replace any of the following parameters with desired values:-r = Email relay out SMTP server name-m = Email relay out SMTP server port-q = Email relay out SMTP authentication user name. (Omit if no authentication is used)-w = Email relay out SMTP authentication password. (Omit if no authentication is used)

TLS settings are automatically updated:

C:\Program Files (x86)\OPSWAT\Metadefender Mail Agent>enableTls.exe -gReading Mail Agent settings...Updating settings...Mail Agent settings updated successfully

Metadefender Email will now use TLS when forwarding emails to your mailserver/gateway.

To enable both incoming and outgoing TLS, the parameters should be combined, for example:

enableTls.exe -i -b "<path to .pfx>" -j "<certificate password>" -g -r "<mail_server> -m 587 -q "<username>" -w "<password>"

For a complete list of available command line parameters, type: enableTls.exe -h

Export a certificate

If you have an existing certificate in your certificte store that you want to use with Metadefender Email to enable incoming TLS it will first have to be exported into a .pfx file. Follow the instructions below to export the certificate.

Run Microsoft Management Console (mmc.exe).

Add the Certificates Snap-In:

Select File > Add/Remove Snap in...

Select 'Certificates' and click 'Add >'.

Select the account for whom the certificate is installed (usually this is 'Computer account'), then click 'Next >'.

Select 'Local Computer' if the certificate is installed this computer, then click 'Finish'.

Click 'OK' to close the 'Add or Remove Snap-ins' dialog.

v3.13.0 283

2.

e.

f.

g.

h.

Navigate to the certificate you wish to export, then right-click and select 'All Tasks > Export...'.

Click 'Next >' in the 'Certificate Export Wizard' welcome step.

v3.13.0 284

2.

h.

i.

j.

Select 'Yes, export the private key' and click 'Next >'.

Note: The certificate must include the private key, so If this option is unavailable the certificate cannot be used with Metadefender Email.

Select 'Personal Information Exchange - PKCS #12 (.PFX) and click 'Next >'.

Specify a certificate password and click 'Next >'.

v3.13.0 285

2.

j.

k.

l.

m.

Specify a file name for the exported certificate and click 'Next >'.

Click 'Finish' to complete the export.

v3.13.0 286

2.

m.

1.

2.

3.

A dialog will display that export was successful.

Once the export is complete, refer to for instructions TLS support (Incoming/Outgoing emails)how to install the certificate in Metadefender Email.

3. Cloud Deployment

Overview

For hosted solution such as Office 365 and G Suite (formerly Google Apps for Work) Gmail

Steps

Configure the hosted email server to accept email from Metadefender Email server.

Configure Metadefender Email to relay out to hosted email server and use port 25.

Update MX record to point to Metadefender Email server.

Limitation

SPF enforcement will be skipped on the hosted email server

v3.13.0 287

1.

2.

3.

Google Apps integration

Overview


Configure Metadefender Email to relay out to hosted email server.


Detailed Steps

Step 1.1

Go to and login to your Google Apps subscription.https://admin.google.com

Step 1.2

Click 'MORE CONTROLS'.

Step 1.3

Click 'Apps'.

https://admin.google.com

v3.13.0 288

Step 1.4

Click 'Google Apps'.

Step 1.5

Click 'Gmail'.

v3.13.0 289

Step 1.6

Click 'Advanced settings'.

v3.13.0 290

Step 1.7

Scroll down to the 'Inbound gateway' section and click 'CONFIGURE'.

Step 1.8

Specify a gateway name (Metadefender Email Relay) and the IP address of the Metadefender Email server. Check 'Automatically detect external IP (recommended)', 'Reject all mail not from gateway IPs' and 'Require TLS connection from the email gateways listed above'.

v3.13.0 291

Step 1.9

Click 'SAVE' at the bottom right of the screen to save the changes.

Step 2.1

Connect to the Mail agent server and run the following REST POST request (using ,for example, POSTMAN) to http://localhost:8000/MailAgent/Settings

{"EmailRelayInDirection": 0,"EmailRelayInLocalDomains": [],"EmailRelayInPort": 25,"EmailRelayOutPassword": null,"EmailRelayOutPort": 25,"EmailRelayOutServer": "alt1.aspmx.l.google.com","EmailRelayOutUseTls": true,"EmailRelayOutUsername": null}

http://localhost:8000/MailAgent/Settings

v3.13.0 292

Step 2.2

Verify routing settings by sending an email to a Google Apps recipient directly to the Metadefender Email server and verify that it arrives correctly in the recipient inbox.

Step 3.1

Refer to your Internet domain registrar for details how to change MX record to point to Metadefender Email IP address. Verify email routing by sending an email to a Google Apps recipient.

Make sure that your MX record changes have propagated before verifying email routing.

Additional notes

Quarantine: Google Apps always does a malware check on all incoming emails, so releasing an infected item from quarantine will be rejected by Google Apps. As a workaround for this, configure quarantine to deliver emails to an alternative SMTP server that can accept infected emails

v3.13.0 293

1.

2.

3.

1.

2.

3.

4.

Microsoft Office 365 Integration

Overview




Detailed Steps

Configure the hosted email server to accept email from Metadefender Email server

Goto https://portal.office.com and login with your Office365 credentials.

Go to Office 365 Portal > Admin > Admin Centers > Exchange. Once the Exchange Admin has opened, go to mail flow > connectors and click + to add a new connector.

Select From: Partner organization and To: Office 365, then click Next

Specify a name for the connector (in this case Metadefender Email) and ensure that the option 'Turn it on' is checked. Then click Next.

https://portal.office.com/

v3.13.0 294

4.

5.

6.

Select 'Use the sender's domain' and click Next.

Click on the +.

v3.13.0 295

6.

7.

8.

Enter * as domain and click OK. Then c lick Next.

v3.13.0 296

8.

9.

Select 'Reject email messages if they aren't sent over TLS' and 'Reject email messages if they aren't sent from within this IP address range', then click +

Specify your public IP address (in this case ( 213.149.186.214) and click OK. Then click Next.

v3.13.0 297

9.

10. Verify connector properties and click Save to save the connector.


v3.13.0 298

1.

2.

3.


Obtain your MX record address by going to > Admin > Settings > https://portal.office.comDomain and click on your domain. Copy the MX Record value to the clipboard.

Connect to the Mail agent server and run the following REST POST request (using ,for example, POSTMAN) to . Specify the MX record http://localhost:8000/MailAgent/Settingsaddress obtained in the previous step and enter it in the EmailRelayOutServer value:

{"EmailRelayInDirection": 0,"EmailRelayInLocalDomains": [],"EmailRelayInPort": 25,"EmailRelayOutPassword": null,"EmailRelayOutPort": 25,"EmailRelayOutServer": "<MX record address>","EmailRelayOutUseTls": true,"EmailRelayOutUsername": null}

Verify routing settings by sending an email to a Office365 recipient directly to the Metadefender Email server and verify that it arrives correctly in the recipient inbox.


Refer to your Internet domain registrar for the details how to change MX record to point to Metadefender Email IP address. Verify email routing by sending an email to a Office365 recipient.

Make sure that your MX record changes have propagated before verifying email routing.

https://portal.office.com/

http://localhost:8000/MailAgent/Settings

v3.13.0 299

4. Onsite Microsoft Exchange Deployment

Metadefender Email can only be installed on Hub or Edge role Exchange Servers (2007, 2010, 2013 or 2016).

Metadefender Core must be installed on separate machine than the Exchange Server.

Installation

Generate Metadefender Email installer package from Metadefender Core Management console. Go to "Source">"Metadefender Email" > "Setup" page, choose "Exchange Agent". Download the Metadefender Email installer, copy it to the Exchange server, and follow the installation wizard to finish installation.


v3.13.0 300


Notes:

Replace with the ID shown on Metadefender Core <Mail Agent installer ID>management console source page under Email setup section



How To Verify

To verify that the Exchange Transport Agent has been installed successfully, open the Exchange Management Shell and type 'Get-TransportAgent' [ENTER]

Ensure that 'OPSWAT Metadefender' is listed and its enabled state is 'True'

[PS] C:\Windows\system32>Get-TransportAgent Identity Enabled Priority-------- ------- --------Transport Rule Agent True 1DLP Policy Agent True 2Malware Agent False 3Text Messaging Routing Agent True 4Text Messaging Delivery Agent True 5System Probe Drop Smtp Agent True 6System Probe Drop Routing Agent True 7OPSWAT Metadefender True 8

5. Notification and Report

Available Notification / Report

Infection Email Notification

Sanitized Email Notifications

Quarantine Reports

v3.13.0 301

1.

2.

a.

b.

c.

d.

Email Server For Notification

In the Metadefender Core Management Console, go to Sources > Metadefender Email > Settings

If you have already configured the SMTP settings and the Status is connected, skip to step 3.

Click .Update

In the Host field, specify the IP address or name of your mail server. You may also use an alternative mail server to deliver reports and Note:

notifications. To do this, replace the Host value with your alternative mail server address and specify Port, SSL, Username and Password settings as required for the alternative mail server.

Click .Save

SMTP connection will be validated and the status is updated to if Connectedconnection is established successfully.

Customizing Disclaimers

v3.13.0 302

Customizing Disclaimers

Currently customizing disclaimers are only supported using script or tools. Please contact OPSWAT support to obtain the instructions and tools.

Error Email Notification

Description

Metadefender Email can send a notification to the Administrator if unexpected events occur, such as loss of connection to Metadefender Core, Mail Sever/Gateway or queue build ups.

For a complete list of notifications please see .Mail Agent Alerts

Location

The tool is called and is shipped with the installer.configNotification.exe

The default location will be C:\Program Files (x86)\OPSWAT\Metadefender Core <x>\Metascan Quarantine

Run

If you run you will be able to see the help info:configNotification.exe -h

configNotification.exe -hUsage: configNotification.exe [OPTIONS]Example: configNotification.exe -t All -s [email protected] -r [email protected] --orgRecipients --debug Options: -t, --type=NOTIFICATION TYPE [REQUIRED] the NOTIFICATION TYPE you wish to change Possible values: All -> Enables all notifications (errors, blocked, sanitized, quarantined) QuarantinedEmail -> Enables the notification which is triggered when an email is sent to Quarantine QuarantinedFile -> Enables the notification which is triggered when a file is sent to Quarantine Blocked -> Enables the notification which is triggered when an email is blocked by Mail Agent Sanitized -> Enables the notification which is triggered when an email is sanitized by Mail Agent OnlyErrors -> Enables the error notifications NonErrors -> Enables the non-error notifications

http://sf-small-conf.us.opswat.com:8090/display/MDC/Mail+Agent+Alerts

v3.13.0 303

(blocked, sanitized, quarantined) -s, --sender=SENDER EMAIL [REQUIRED] the SENDER EMAIL from where the notification(s) will be sent -r, --recipients=RECIPIENT EMAIL(S) [REQUIRED] if notification type is All/OnlyErrors otherwise [OPTIONAL] The RECIPIENT EMAIL(S) where to send the notification(s) For non-errors email notifications, when this parameter is not set, the notification will be sent to both original sender and recipient(s) Note: multiple email addresses can be separated by comma --orgSender [OPTIONAL] applicable only to non-errors notifications If this option is set the notification will be sent to the original sender of the email that triggered the notification --orgRecipients [OPTIONAL] applicable only to non-errors notifications If this option is set the notification will be sent to the original recipient(s) of the email that triggered the notification -u, --url=ENDPOINT [OPTIONAL] the url ENDPOINT where Quarantine is located if it is not on the same machine --https [OPTIONAL] use https --disable [OPTIONAL] disable the specified notification(s) --debug [OPTIONAL] show debug info -h, --help [OPTIONAL] show help

If you run the tool on the machine where Mail Agent is installed and HTTPS is not enabled

configNotification.exe -t OnlyErrors -s [email protected] -r [email protected]

If you run the tool on the machine where Mail Agent is installed and HTTPS is

v3.13.0 304

If you run the tool on the machine where Mail Agent is installed and HTTPS is enabled

configNotification.exe -t OnlyErrors -s [email protected] -r [email protected] -https

If you don't run the tool on the machine where Mail Agent is installed

configNotification.exe --t OnlyErrors -s [email protected] -r [email protected] -u http://<mail_agent_ip>:8000/Quarantine/EmailAlerts

Troubleshooting

If you encounter any problems running the tool, please run with " " option so you can get -ddebugging information:

configNotification.exe -t OnlyErrors -s [email protected] -r [email protected] -d

Example, if the problem is an invalid email address:

configNotification.exe -s this.isnot.valid -d There was a problem updating email alerts: Invalid email address. You need to specify a valid email.System.Exception: Invalid email address. You need to specify a valid email.

This information will help us further investigate the problem.

Infection Email Notification

To send email notifications when an infected email is detected, move the On/Off slider to on, and specify a Sender email address, and modify subject and body as desired.

Notification email will be sent to the sender or recipient of the email with contents you configure on the following setting.

v3.13.0 305

1.

2.

a.

a.

b.

c.

Quarantine Reports

You can configure Metadefender Core so that it notifies administrator(s) of any e-mails that have been quarantined or sanitized during scanning.

In the Metadefender Core Management Console, go to Quarantine and click Configure .Quarantine Reports

Configure the SMTP settings and set the status to Connected. If you have already done this step, go to step 3.

In the SMTP Configuration Settings section, click .Update

In the Host field, specify the IP address or name of your mail server. You may also use an alternative mail server to deliver reports and Note:

notifications. To do this, replace the Host value with your alternative mail server address and specify Port, SSL, Username and Password settings as required for the alternative mail server.

Click .Save

Metadefender Core will verify that the SMTP connection can be established with your mail server and if so, the Status field is updated to Connected.

v3.13.0 306

3.

4.

5.

Enable Quarantine Reports by moving the On/Off slider to . On

Specify the scheduling interval for report generation, along with the sender, recipient and optional subject and message body.

Click to save the quarantine report settings.Save

Sanitized Email Notifications

To send email notifications when an email is sanitized, move the On/Off slider to on. Specify a sender email address, and modify subject and body as desired. Notification email will be sent to the sender or recipient of the email with contents you configure on the following setting.

6. Additional Configuration

Advanced Configuration

v3.13.0 307

Configuration From Config File

The Metadefender Mail Agent includes a set of configuration files that can be used to customize the application behavior and not most of the configurations are not available on management console.

Metadefender.Common.dll.config

Change will be applied within 30 seconds without restarting mail agent service.

Name Description Default Value

InstallationFolder Installation folder Run-time location of Metascan.Common.dll file

LogsFolder Logs folder [Installation folder]\Logs

LogMaxSize Possible values are, for example 100MB, or 4DAYS.

7DAYS

LogFormat Possible values are Text or Xml Text

LogLevel Possible values are Debug, Info, Warn, Error, Fatal

Debug

RestClientTimeoutMs Default timeout in milliseconds until a REST call times out

60000

Metadefender.Email.Engine.Exchange[2007/2010/2013].Agent.dll.config

Any change on this config file requires restarting Mail agent service.


LogName Log name Metascan.Email.Engine.Exchange[2003/2007/2010/2013].Agent

v3.13.0 308


LogFilename Log file name Metascan.Email.Engine.Exchange[2003/2007/2010/2013].Agent.log

PickupPath Exchange Server Replay Path Added at install time

AgentGuid Agent Guid. Should be unique. Added at install time

AgentStatusCheckInterval Durations between agent status checks

00:00:20

Protocol Protocol to use when sending process requests. Possible values are: REST

REST

RestBaseUrl REST base url http://localhost:8000/

UseQueueFile Use a temp queue file when submitting email instead of streaming content via protocol

True

Metadefender.Email.Engine.Generic.Agent.dll.config


Name Description

WorkExtension File extension to use when processing an email

BadExtension File extension to use for a file that cannot be parsed or processed

AgentGuid Agent Guid. Should be unique.

AgentStatusCheckInterval Durations between agent status checks

v3.13.0 309

Name Description

Protocol Protocol to use when sending process requests. Possible values are REST

StartRestServer Start the REST server

RestoreWorkItemsOnStartup Rename any items with a work extension (.work) to .eml on service startup

EmailProcessedHeaderNameMIME Header name for emails processed by Mail Agent in order to avoid duplicates

EmailRelayInProcessName Process name for emailrelay.exe application

EmailRelayOutProcessName Process name for emailrelayout.exe application

EmailRelayInStart Start Email relay process on service startup. (To monitor for incoming SMTP traffic)

EmailRelayInPort Port to monitor by email relay

EmailRelayInParameters Parameters that are passed to email relay application

EmailRelayOutStart Start Email relay process on service startup. (To monitor outgoing email and forward via SMTP)

EmailRelayOutHosts List of Name (or IP adress) and port of server(s) to forward all email to. Multiple servers are separated with a comma (,)For exampe: server1:25,server2:25

Note: Ensure that when the setting is updated the config file doesn't contain settings called 'EmailRelayOutServer' or 'EmailRelayOutPort' (delete them if they exist).

EmailRelayOutParameters Parameters that are passed to email relay application

v3.13.0 310

Name Description

EmailRelayInDirection Determine the direction of emails. Possible values :

0 = Incoming1 = Outgoing2 = Determine email direction using the local domain list in parameter EmailRelayInLocalDomains

(If sender's email domain exists in parameter direction is EmailRelayInLocalDomainsoutgoing, or else incoming)

EmailRelayInLocalDomains List of local domains. Separate multiple domains with a semi colon (;). For example opswat.com;mycompany.com.

Used to perform recipient verification (any recipient with a domain different than the specified domain(s) will be rejected at the SMTP protocol level).

Also used when is set to 2 in order to determine direction.EmailRelayInDirection

EmailRelayInQueueThreshold Maximum inbound email queue size (exceeding this value will generate an email alert)

EmailRelayOutQueueThreshold Maximum outbound email queue size (exceeding this value will generate an email alert)

EmailRelayOutRetryStart Start the retry monitor thread (for emails that failed submission)

EmailRelayOutRetryInterval Duration between submit retries (increasing with retry count) See Mail Agent Retry functionality

EmailRelayOutRetryMaxInterval Maximum duration between retries.See Mail Agent Retry functionality

EmailRelayOutRetryCount Maximum number of submit retries before email is moved to permanent failure

v3.13.0 311

Name Description

EmailRelayOutQueueBadThreshold

Maximum number of .bad files in email queue (exceeding this value cause email alert to be generated)

EmailRelayOutPermanentFailureThreshold

Maximum number of items in permanent failure (exceeding this value cause email alert to be generated)

EmailRelayOutMaxConnections Maximum number of simultaneous SMTP connections when forwarding emails to remote server.

EmailRelayInRetryStart Start the retry monitor thread (for emails that failed processing)

EmailRelayInRetryInterval Minimum duration between process retries

EmailRelayInRetryCount Maximum number of process retries before email is moved to process failure

MaxMonitorProcessThreads Maximum number of emails processed simultaneously

FastNoAttachmentProcessingEnabled

Avoid sending emails without attachments for processing (improved performance)

LowPriorityMinSize Minimum size (in MB) for emails that will be processed on the low priority threads

HighPriorityMaxSize Maximum size (in MB) for emails that will be processed on the high priority threads

UseAdjustingThreads Specifies if monitoring threads for incoming emails should adjust thread count dynamically or have fixed count

AddressValidation Specifies if Mail Agent should perform address validation on the incoming emails to detect invalid address (e.g. root@smth, ..@stop, inv'/alid)

EmailRelayInUseTls Enable TLS for incoming SMTP connections

EmailRelayInForceTls Force all incoming SMTP connections to use TLS (only used when EmailRelayInUseTls is true)

v3.13.0 312

Name Description

EmailRelayInTlsCertificate TLS certificate for incoming SMTP connections (only used when EmailRelayInUseTls is true) Example:-----BEGIN CERTIFICATE-----MIIFYDCCA0igAwIBAgIJALmTgUaaiHNjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV

....-----END CERTIFICATE-----

EmailRelayInTlsKey TLS certificate private key for incoming SMTP connections (only used when EmailRelayInUseTls is true) Example:

-----BEGIN PRIVATE KEY-----

MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDjAkwDuWFOHKUw

....-----END PRIVATE KEY-----

EmailRelayOutClientCertificate Client certificate for outoing SMTP connections (used when a server requests a client certificate) Example:-----BEGIN CERTIFICATE-----

MIIFYDCCA0igAwIBAgIJALmTgUaaiHNjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV

....-----END CERTIFICATE-----

Metadefender.Quarantine.Mail.dll.config


StartRestServer Start the REST server (SmtpConfiguration)

True

SubmitCommandTimeout Timeout for SMTP commands 00:01:00 (1 minute)

EmailSubmissionRequestExpireSpan

TTL (Time To Live) for an SMTP submit request. If email has not been submitted within this timespan the request is lost

01:00:00 (1 hour)

v3.13.0 313

Metadefender.Engine.History.dll.config



HistoryEntryExpireSpan Duration to keep history entries in the database

91:00:00 (91 days)

StartRestServer Start the REST server (History) True

Metadefender.Email.Engine.Processor.dll.config



StartRestServer Start the REST server (Processor)

True

ConvertTnefMessagesToSmtp Convert TNEF encoded emails to MIME format

False

MonitorMode Enables a monitoring mode of the Mail Agent. When set, no emails will be sanitized or quarantined (even when infected etc.)

False

AddXHeadersToOutgoingEmail Force Mail Agent to add x-headers (Custom Email Headers) to outgoing emails

False

EmailProcessedHeaderName

v3.13.0 314


MIME Header name for emails processed by Mail Agent in order to avoid duplicates

X-Metadefender-EmailSecurity-Id

EmailAddCustomXHeaders Add custom x-headers to each email processed by Mail Agent. See for Custom Email Headersmore information.

EmailBlockedQuarantineMode Option to move blocked emails to MD Core quarantine or submit them via SMTP for quarantine by other service.

Possible values are REST (MD Core Quarantine) or SMTP

REST

EmailSanitizedQuarantineMode Option to move original copy of sanitized emails to MD Core quarantine or submit them via SMTP for quarantine by other service.

Possible values are REST (MD Core Quarantine) or SMTP

REST

EmailQuarantineHeaderName The name of the X-Header that will be added to emails when

or EmailBlockedQuarantineMode EmailSanitizedQuarantineMode is set to SMTP.

Header value will always be 'True'

X-Metadefender-To-Quarantine

DoSpfCheck Enables SPF (Sender Policy Framework) lookups in Mail Agent. Result is placed in a header.

False

v3.13.0 315


SpfCheckHeaderName The name of the X-Header where to store the SPF lookup result

X-Metadefender-Spf-Result

SpfCheckReasonName The name of the X-Header where to store a reason for a failed/skipped SPF lookup

X-Metadefender-Spf-Reason

Metadefender.Scanner.dll.config



MetascanMode Possible values are COM, RESTv1 RESTv2and

RESTv2

MetascanScanTimeout Scanning timeout 00:05:00

MetascanScanQueueTimeout Metadefender Core In Queue timeout 00:05:00

MetascanScanProgressPauseMS Used in RESTv2 mode. Pause (in ms) between progress request calls

100

MaxMetadefenderCoreInQueueThreshold

If this limit is exceeded an alert will be sent saying that Metadefender Core is unresponsive and email delivery might be slower

250

MetadefenderUnavailableRetrySpan Minimum pause for retry after a Metadefender Core goes down (only applicable if multiple scanners are configured)

00:01:00

v3.13.0 316


MetadefenderAvergeScanTimeSpan Span for for scan times when calculating average scan time (when using multiple MD Cores)

00:01:00

UrlPrioritzationMethod Metadefender Core Url prioritization method. Possible vaules: RoundRobin, Circular, ScanTime

RoundRobin

LogAllRequests Increased logging. When set to true it will log all GET requests for getting scan settings and email disclaimers

false

Metadefender.Quarantine.dll.config



MaintenanceInterval Interval between checking folder actions & auto-deliver 00:00:30

RunAutoActionThread Start the thread checking folder actions & auto-deliver True

CompressionMode Quarantine item compression mode. Possible values are None, Zip

Zip

MonitoringFolderId Predefined Quarantined folder id

QuarantineReportId Predefined Quarantine Report id

StartRestServer Start the REST server (Quarantine) True

ReportUidExpireSpan Expiry time for entries used to record which quarantine items were inlucded in Quarantine Reports

1095:00:00

v3.13.0 317


MaxQuarantineItemSize Maximum buffer size when accepting quarantine items via REST

long max value

EmailAlertExpireSpan The minimum interval between unique email alerts (errors). This is used to prevent too many alerts being sent during continuous errors

01:00:00

Metadefender.Email.Engine.Service.exe.config



LogName Log name Metascan.Email.Engine.Service

LogFilename Log file name Metascan.Email.Engine.Service.log

ComponentList List of component loaded by service at startup

RestBaseUrl REST server base URL http://<computer_name>:8000

QuarantineBaseUrl Metadefender Core Quarantine server base URL

http://<computer_name>:8000

MetascanUrl Metadefender Core REST URL

http://<core_url>:8008/metascan_rest

MetascanApiKey Metascan API key (encrypted)

v3.13.0 318


StatusCheckInterval Interval between component status checks (for error alerts)

00:00:30

UsePerformanceCounters Creates a performance counter category (Metadefender Generic Mail Agent) for monitoring and recording processing data

False

ScanEmailBody Specifies if Mail Agent should scan the body of the email

True

MaxRetries Maximum number of retries before quit trying to connect to Metadefender Core

10000

TimeBetweenRetries Number of milliseconds before attempting to connect to Metadefender Core

6000

UpdateUrlsOnStartup Specifies if the service should attempt to update config URLs at startup.

Note: If MD Core load balancing is configured (multiple MetascanUrl's) no URL update will be performed for that setting, regardless of this value.

True

MetadefenderCoreIsLocal Specifies if Metadefender Core is installed locally

True when installed with Metadefender Core

False when installed remotely

ConnectionCheckOnStartup False

v3.13.0 319


Specifies if Mail Agent should do a connection + valid license test on service startup. If enabled Mail Agent will not intercept emails before MD Core is responding.

Metadefender.Quarantine.Service.exe.config



MongoDbUrl Mongo DB URL mongodb://localhost:27018

MongoDbUrlEncryptionMode MongoDb Url value encryption mode. Possible values are None, Encrypted

None

MongoDbName MongoDB database name

MetadefenderQuarantine

MongoDBStartupTimeout Timeout to wait for MongoDB to respond

00:00:30

LogName Log name Metascan.Email.Engine.Quarantine.Service

LogFilename Log file name Default is Metascan.Email.Engine.Quarantine.Service.log

ComponentList

mongodb://localhost:27018

v3.13.0 320


List of component loaded by service at startup

RestBaseUrl REST server base URL


QuarantineBaseUrl Metadefender Core Quarantine server base URL


MetascanUrl Metadefender Core REST URL

http://<core_url>:8008/metascan_rest

MetascanApiKey Metadefender API key (encrypted)

WebBaseUrl Metadefender Web Site base URL

http://<core_url>:8008//management/#

MongoDBStartupTimeout Time to wait for MongoDB database to start

00:00:30

UpdateUrlsOnStartup Specifies if the service should attempt to update config URLs at startup

True

MetadefenderCoreIsLocal Specifies if Metadefender Core is installed locally

True when installed with Metadefender Core

False when installed remotely

v3.13.0 321

Metadefender.Engine.Statistics.dll.config



StartRestServer Start the REST server (Statistics) True

StatisticsEntryExpireSpan Duration to keep statistics entries in the database 31:00:00

StatisticsEntryInterval Interval used when storing statistics. Possible values are Minute, TenMinute, Hour, Day

Minute

Metadefender.Engine.Events.dll.config



EventEntryExpireSpan Duration to keep system event entries in the database

91:00:00 (91 days)

StartRestServer Start the REST server (Events) True

XML schema for config file

Below is a sample configuration file.

File Format

<?xml version="1.0"?><configuration>

v3.13.0 322

<applicationSettings> <[namespace]> <setting name="[name]" serializeAs="String"> <value>[value]</value> </setting> </[namespace]> </applicationSettings></configuration>

Attribute Description

namespace For display reasons only. For example: Metadefender.Common

name Setting name. Example: InstallationFolder

value Setting value. Example: c:\MyInstallFolder

Custom Email Headers

The following custom email headers are added once processed by Metadefender Email. These can be used for custom rules on mail servers such as spam rules using X-Metadefender-Core-Result.

X-Metadefender-Core-Urls

The Metadefender Core REST API URL used in scanning operations for this email. If multiple MD Core scanners are configured and have been used for scans (this can happen when an email has multiple attachments) the list is comma separated.

Note: the field is empty if the email doesn't contain attachments.

Note: the URLwill contain the hostname of the machine. If hostname is not available it will contain the machine name. If machine name is not available it will contain "localhost".

X-Metadefender-Core-Result

When workflow is enabled (default), this header value will contain the Metadefender Core process result. For Blocked results, the reason is also displayed (separated by a / character).Example values:

Allowed (or Delivered - if email doesn't contain attachments)

Blocked/Dirty

Blocked/Filtered

v3.13.0 323

If workflow is disabled this value will be the Metadefender Core scan result for the email. Refer to for details.Description of Scan Results

X-Metadefender-To-Quarantine

See for more details.Quarantine Email On Another Mail Server

X-Metadefender-EmailSecurity-Sanitized

This header is added to all emails that have been sanitized by the Mail Agent (header value 'True')

X-Metadefender-EmailSecurity-OriginalCopy

This header is added to all original copies of sanitized emails (header value 'True')

Your Own Custom X-headers

In addition to the above headers, Mail Agent can also add custom x-headers to every email processed. These X-Headers are configured in Metadefender.Email.Engine.Processor.dll.config as follows:

Custom X-headers

...<setting name="EmailAddCustomXHeaders" serializeAs="String"> <value>X-MyHeader:MyHeaderValue,X-MyHeaderNoValue:</value></setting>...

The above will add the following 2 X-headers to the email:

X-myheader: myheadervalueX-myheadernovalue:

If header name is not prefixed by X- it will automatically be added to the header name. (myheadername → X-myheadername)

Header names should only contain 7-bit characters (ASCII 33-126 included) excluding colon (:) See for more details. Any https://tools.ietf.org/html/rfc2822header name that does not comply with these restrictions will be ignored (and not added)

If no text is added after : the header value will be empty

https://tools.ietf.org/html/rfc2822

v3.13.0 324

1.

2.

3.

If emails are not processed ( ), the customers headers will Skip Email Analysisnot be appended.

X-Headers are only added to emails when direction is configured as Incoming (Web MC > Sources > Metadefender Email > Setup). To force Mail Agent to also add X-Headers to outgoing emails, set AddXHeadersToOutgoingEmail in Metadefender.Email.Engine.Processor.dll.config (See Configuration From

)Config File

Enable Sender Policy Framework (SPF) Lookup

Sender Policy Framework ( ) is a mechanism defined by RFC 7208 which can help SPFdetermine if incoming mails are sent from a host authorized by the domain's administrators. Usually a domain administrator will publish a TXT record in the Domain Name System (DNS) in order to specify a list of authorized hosts that can send emails from that domain. Enabling SPF is an anti-spam technique that will instruct Mail Agent to perform SPF checks on the "FROM" address(es) and add a header to the email with the SPF result.

How to Enable SPF checks

Go to the installation directory (by default C:\Program Files (x86)\OPSWAT\Metadefender Core <engine count>\Metadefender Mail Agent) and open the file for editing.Metadefender.Email.Engine.Processor.dll.config

Find the setting called and modify the value to .DoSpfCheck true

(Optionally) Find the setting called and modify the value to the SpfCheckHeaderNamedesired value to be used for the header name that will be added to the email. This header value will contain the SPF result.

Possible SPF results

After the SPF check is performed a header will be added to the email (by default X-) and the value will be one of the following:Metadefender-Spf-Result

Pass

NoRecord

SoftFail

HardFail

Error

Neutral

Unknown

v3.13.0 325

1.

2.

UnknownMechanism

Please note that you will be required to add a rule on the target (destination) server to check for this header and take action based on the value (e.g delete the message, send to quarantine, etc).

An optional header (by default ) is added if the SPF check has X-Metadefender-Spf-Reasonfailed or is skipped.

Log collection (collectLogs.exe)

Metadefender Email provides a tool to collect logs into a single archive to aid troubleshooting issues.

Usage

To create a debug log archive, open a command prompt and navigate to the Metadefender Email folder and run the collectLogs.exe application:

C:\>cd "Program Files (x86)\OPSWAT\Metadefender Core X\Metadefender Mail Agent"C:\Program Files (x86)\OPSWAT\Metadefender Core X\Metadefender Mail Agent>collectLogs.exeCollecting data:....Logs collected and saved to file:C:\Program Files (x86)\OPSWAT\Metadefender Core X\Metadefender Mail Agent\md-email-logs-2016-11-17_02-59-00-PM.zip

The collected log file will be compressed as an archive file (e.g., md-email-logs-2016-11-17_02-59-00-PM.zip)

When Metadefender Email is installed on the same computer as Metadefender Core, additional information from Metadefender Quarantine will also be collected.

Advanced options

The collectLogs.exe application also options to, for example, password protect the archive or prevent certain information from being collected.

-o (–output)

v3.13.0 326

1.

2.

a.

3.

4.

-o (–output)

Override the default output archive name.

-p (–password)

Protect the output archive with a password.

Multiple Metadefender Core Instances Configuration

Overview

Single Mail Agent instance connecting to more than one Metadefender Core. Once it is configured, email will be processed depending on the number of ongoing jobs on each Metadefender Core instance.

How

Open file.Metadefender.Email.Engine.Service.exe.config

Modify settingMetascanUrl

Append the secondary MD instance IP, using semicolon (i.e. ) - as a separator.;

Save and Close the file

Restart the Metadefender Mail Agent service to make change effective

MetascanUrl Configuration

Metadefender.Email.Engine.Service.exe.config

... <applicationSettings> <OPSWAT.Metadefender.Email.Engine.Service.Properties.Settings> <setting name="MetascanUrl" serializeAs="String"> <value>http://server1:8008/metascan_rest;http://server2:8008/metascan_rest;http://server3:8008/metascan_rest</value> </setting>...

v3.13.0 327

1.

2.

Unavailable Metadefender Core

If a Metadefender Core server becomes unavailable, process requests will be skipped until it becomes available again. Once it becomes unavailable, the Mail Agent will try to attempt again periodically.

Email Processing Workflow (Metadefender Core)

Metadefender Mail Workflow

Metadefender Mail Workflow relies on Metadefender Core "Mail Agent" workflow. You can modify the workflow on

Sources > Metadefender Email > Workflows

Metadefender Core > configuration > Workflows

Modify Metadefender Core URL

Navigate to the Metadefender Mail agent folder (by default, this is C:\Program Files (x86)\OPSWAT\Metadefender Core X\Metadefender Mail Agent).

v3.13.0 328

2.

3.

Open Metadefender.Email.Engine.Service.exe.config in a text editor and change the following section, replacing with your server's real DNS hostname or IP *DNS_or_IP*address.

Original New

<setting name="RestBaseUrl" serializeAs="String"> <value>http://*DNS_or_IP*:8000</value></setting><setting name="QuarantineBaseUrl" serializeAs="String"> <value>http://*DNS_or_IP*:8000</value></setting><setting name="QuarantineProtocol" serializeAs="String"> <value>REST</value></setting><setting name="MetascanUrl" serializeAs="String"> <value>http://*DNS_or_IP*:8008/metascan_rest</value></setting>

<setting name="RestBaseUrl" serializeAs="String"> <value>https://*DNS_or_IP*</value></setting><setting name="QuarantineBaseUrl" serializeAs="String"> <value>https://*DNS_or_IP*</value></setting><setting name="QuarantineProtocol" serializeAs="String"> <value>REST</value></setting><setting name="MetascanUrl" serializeAs="String"> <value>https://*DNS_or_IP*/metascan_rest</value></setting>

Restart Metadefender Mail Agent service

Quarantine Email

Metadefender Email provides quarantine capability either when email (including attachments) are marked as threat (blocked) or are sanitized. When sanitized, original copy of the email will be quarantined while sanitized email will be delivered. Once quarantine is enabled, any emails that are blocked will be moved to quarantine. To enable quarantine, go to Metadefender Core

.Management Console > Sources > Metadefender Email > Settings

v3.13.0 329

1.

2.

3.

4.

If you want to quarantine email on 3rd party solution (e.g., hosted email solution), refer to .Quarantine Email On Another Mail Server

When emails are quarantined the following disclaimer is added to the email body (by default):This email was quarantined by Metadefender. For more information on Metadefender's Email Security technology please visit .www.opswat.com

Quarantine Email On Another Mail Server

Metadefender Email does NOT provide access to quarantined files for each email users other than access to administrator for all the quarantined emails. If your email server (either hosted or onsite mail server) has quarantine management capability for each user, it is recommended to quarantine email on your email server. By default, Metadefender Email will quarantine emails on Metadefender Quarantine but you can change this behavior.

Change Quarantine Mode For Blocked Email

Changing this setting will allow you to quarantine emails that are detected as blocked by Metadefender on a different email server by changing to EmailBlockedQuarantineModeSMTP. By doing this a header will be appended to the email for which you can configure a rule on your email server to quarantine emails that contain this header.

(Prerequisite): Quarantine should be enabled. Refer to for the Quarantine Emailinstructions.

Edit configuration file "C:\Program Files (x86)\OPSWAT\Metadefender Core 4\Metadefender Mail Agent\Metadefender.Email.Engine.Processor.dll.config"

Change the setting value to If you want to EmailBlockedQuarantineMode SMTP. restore the behavior, use instead REST .

Excerpt from the config file

<setting name="EmailBlockedQuarantineMode" serializeAs="String"> <value>SMTP</value></setting>

[Optionally] You can change the name of the header by modifying X-Metadefender-To- to something else.Quarantine


http://www.opswat.com

v3.13.0 330

4.

5.

1.

2.

3.

4.

<setting name="EmailQuarantineHeaderName" serializeAs="String"> <value>X-Metadefender-To-Quarantine</value></setting>

Restart the Generic Mail Agent service

net stop mdfExgEmailAgentnet start mdfExgEmailAgent

Change Quarantine Mode For Sanitized Email

Changing this setting will allow you to quarantine original copies of emails that have been sanitized by Metadefender on a different email server by changing

to SMTP. By doing this a header will be appended to the EmailSanitizedQuarantineModeemail for which you can configure a rule on your email server to quarantine emails that contain this header.

(Prerequisite): Quarantine should be enabled. Refer to for the Quarantine Emailinstructions.

Edit configuration file "C:\Program Files (x86)\OPSWAT\Metadefender Core 4\Metadefender Mail Agent\Metadefender.Email.Engine.Processor.dll.config"

Change the setting value to If you want to EmailSanitizedQuarantineMode SMTP. restore the behavior, use instead REST .


<setting name="EmailSanitizedQuarantineMode" serializeAs="String"> <value>SMTP</value></setting>

[Optionally] You can change the name of the header by modifying X-Metadefender-To- to something else.Quarantine


<setting name="EmailQuarantineHeaderName" serializeAs="String"> <value>X-Metadefender-To-Quarantine</value></setting>

v3.13.0 331

4.

5. Restart the Generic Mail Agent service

net stop mdfExgEmailAgentnet start mdfExgEmailAgent

How To Verify

If you open the message headers for an email that you will see should be quarantinedsomething similar to this:

Received: from ALING-PC ([192.168.16.16]) by alig-win8-dev.local with ESMTP ; Fri, 2 Sep 2016 16:45:18 +0300MIME-Version: 1.0From: [email protected]: [email protected]: 2 Sep 2016 16:45:18 +0300Subject: Checking new Quarantien modeContent-Type: multipart/mixed; boundary=--boundary_2_95887891-94da-4b66-8dc9-f2bceb4394d9X-Metadefender-EmailSecurity-Id: d9db058d-b568-4501-bbe7-d63378bbd56dX-Metadefender-Core-Urls: http://alig-win8-dev:8008/metascan_restX-Metadefender-Core-Result: Blocked/InfectedX-Metadefender-To-Quarantine: True

Notice the header is set to and this won't exist if email is X-Metadefender-To-Quarantine True NOT quarantined.

Skip Email Analysis

Emails without attachments can be skipped from being analyzed in order to increase throughput. If email body analysis is enabled this setting will not apply.

Configuration

To enable this functionality, make the following configuration file modification.

Metadefender.Email.Engine.Generic.Agent.dll.config

<setting name="FastNoAttachmentProcessingEnabled" serializeAs="String"> <value>true</value></setting>

v3.13.0 332

7. (Email) Release Notes

New Features

Support Microsoft Exchange servers

Support multiple relay-out mail servers for mail proxy deployment

Other Changes

Many bug fixes

(Email) General and Known Issues

Limitation

If target server requires of authentication, multiple target servers (relay out) is supported when same credential is configured.

A separate SMTP server is required for notification.

Exchange (malware agent configuration) may block release from quarantine.

Email sanitization to HTML may be blocked and attachment may be replaced with text "This attachment was removed because it contains data that could pose a security risk."

An attachment that has been sanitized may be larger than the original attachment. As a result, it may be necessary to increase the maximum attachment size setting on your mail server

Rich Text (RTF) body sanitization & disclaimers only available when Mail Agent is installed on Exchange server.

Embedded objects within sanitized Rich Text (RTF) may not retain its position in email body

Limitation for Onsite Microsoft Exchange Deployment

Mail agent will be installed on Metadefender Core server by default even if separate is required on exchange server.installation

Installing Metadefender Core on the exchange server is not supported.

v3.13.0 333

9. Metadefender / ICAP Server

By scanning all network traffic through an established proxy server, an organization can eliminate openings for advanced threats to enter an internal network. Scanning with a Metadefender ICAP Server also allows a record to be kept of when files entered a network, in case a threat needs to be investigated after it has been discovered within a secure network.

Any files scanned through the ICAP interface will be scanned with the same anti-malware engines and policies as files scanned through any other Metadefender Core interface. All files will be logged so that activity can be reviewed later if necessary. Especially important for a Metadefender ICAP Server, file scan results can be cached, which will significantly improve scanning throughout. Metadefender Core can be integrated with a Web Proxy Servers as well as a Reverse Proxy Servers.

Web Proxy Integration

Secure your web traffic and extend the protection of your organization against advanced threats by integrating Metadefender Core with your web proxy. Metadefender Core exposes an ICAP interface that allows system administrators to easily integrate the multi-scanning technology into an existing web proxy to enable anti-malware scanning of all HTTP downloads and uploads. System administrators can set up any proxy that implements ICAP, such as Blue

Coat® ProxySG or Squid, to automatically send HTTP requests to a Metadefender ICAP Server, where multiple anti-malware engines scan the requests for potential advanced threats.

https://www.opswat.com/products/metadefender/proxy/bluecoat-proxysg

https://www.opswat.com/products/metadefender/proxy/bluecoat-proxysg

v3.13.0 334

Reverse Proxy Integration

Secure your web or application servers against advanced threats by integrating Metadefender Core with your reverse proxy. The Metadefender ICAP Server interface allows system administrators to easily add Metadefender Core multi-scanning technology into an existing reverse proxy to enable anti-malware scanning of all file uploads. System administrators can set up any reverse proxy that implements ICAP, such as F5® BIG-IP® Load Traffic Manager™ (LTM®), to automatically forward any uploaded files to a Metadefender ICAP Server that will scan the files with multiple anti-malware engines for potential advanced threats.

Web Proxy Servers Supported

Squid

BlueCoat ProxySG

F5 BIG IP

McAfee Web Gateway

ARA network JAGUAR5000

v3.13.0 335

1.

2.

3.

4.

1. ICAP server Configuration

Configuration via Metadefender Core Management Console

To start the ICAP server from the Metadefender Core Management Console, follow the steps below and see the screenshot:

In your browser, go to http://localhost:8008/management

Click on the ' ' tab.Sources

Click on ' ' on the left side.Metadefender Proxy

Select ' '.Apply

Configuration via INI

Metadefender Core ICAP server can be configured using an ini configuration file which is installed under Metadefender Core install directory.

The ICAP server configuration is done in omsConfig.ini. Applying configuration changes requires to restart the ICAP server.

http://localhost:8008/management/dashboard

v3.13.0 336

Key Description

maxnum_sockets Range: 1~1000: 60Defaut

Number of worker threads to handle ICAP requests. Configures the number of threads that will be used by the Metadefender Core ICAP server for handling requests. For optimal performance, this should be set to a value higher than the number of processor cores available to the Metadefender Core system

maxnum_connections Default: 355

The maximum number of simultaneous connections that the ICAP server is able to support. Certain proxy servers will use this value to restrict the requests that are made of the Metadefender Core ICAP server and will not send more than this number of simultaneous requests to the Metadefender Core ICAP server.

By ICAP specs, the client (proxy) is not supposed to send more requests than what is advertised by the ICAP server.

If the client receives more than this number of connections, it is supposed to handle the overload itself (i.e. queuing, bypassing, rejecting...)

The ICAP server does not enforce that number, this means that if the client does not respect the rules and sends more than the advertised max number of connections, we will still process them.

port Range: 1 - 65535: 1344Default

Port the server is listening to. If you are installing with other product which have ICAP interface, you must change to different port.

block_on_max_capacity Range: 0 - 1: 0Default

v3.13.0 337

Key Description

Blocking (i.e. return 403 forbidden to HTTP clients) every request coming in when Metadefender Core is overloaded (i.e. "Metascan server too busy"). A "Metascan server is too busy. Please try again later." message will be displayed in clients browsers.

0: Allow files when overloaded

1: Block files when overloaded

path_to_custom_html Value: Absolute file path or file path relative to omsICAPServer.exe directory

: Default omsICAPdefault.htm

Path to custom HTML page to be displayed to the user when content is blocked, request rejected due to license, server too busy, etc.

Content is parsed by ICAP server.

Use the "%%%icap_block_message%%%" macro in the web page as a place holder for the ICAP message. ICAP server will replace that message by whatever message it has to say.

scan_health_checks Range: 0 - 1: 0Default

Scan client specific health checks.Disabling scanning health checks improves performance as it reduces the load on Metascan.

Only implemented for BlueCoat for now.

Easy to add support for different health checks

BlueCoat periodically sends requests to the ICAP server to make sure it's working fine.

Disabling scanning health checks improves performance.

dump_invalid_requests Range: 0 - 1: 0Default

v3.13.0 338

Key Description

Outputs the invalid buffer to a file ending in "_400_Bad_Request.txt" Slight performance impact when invalid requests are processed. Should only be enabled for investigation purpose.

0: Disables dumping invalid (ICAP 400 response) raw requests to a file.

1: Dumps invalid (ICAP 400 response) raw requests to a file.

log_file Value: Absolute file path or file path relative to omsICAPServer.exe directory

: Empty (Logs folder under install directory)Default

The path to the debug log file.

skip_too_big_file Range: 0 - Max Unsigned Long : 0Default

Allows the ICAP server to skip scanning a file if the file is too large. The value specifies in the threshold for skipping bytesfiles. A value of 0 means this feature is off, anything greater than 0 indicates this feature is on

use_persistent_connections Range: 0 - 1: 0Default

This should be used for improved performance. The ICAP server keeps the connections open, so they can be reused for several requests.

0 : ICAP server is not using persistent connections. Connections are closed after serving a request.

1 : ICAP server is using persistent connections. Connections are kept open after serving a request.

sanitization_postfix Value: Custom text postfix, that will be appended to Content-Disposition header's filename if the file is sanitized.

: No postfix will be appended.Default

v3.13.0 3391.

Key Description

This postfix can be used to indicate if a file is sanitized. If the key is not set or set to empty string, no postfix will be appended.

For example (PDF to PDF sanitization is enabled in Core workflow) and this configuration is done as follows. For the following HTTP header,

sanitization_postfix=[sanitized]

Content-Disposition: attachment; filename="report.pdf";

will be modified to

Content-Disposition: attachment; filename="report[sanitized].pdf";

Enabling profiling logging

Profiling logging can be used to identify issues with connections. It provides debug level details for each connections as well as the time each step took (e.g. parsing time, scan time, response time). It also tracks the number of active connections.

Warning

Profiling logging is not designed to be constantly enabled. It should only be used for investigating issues for short periods of time.

Keeping it enabled permanently may impact performances. If running for too long, the log file can become huge and significantly reduce the available disk space.

Step-by-step guide

In order to enable profiling logging.

v3.13.0 340

1.

2.

3.

4.

5.

1.

2.

3.

4.

5.

1.

Make sure ICAP is stopped (net stop omsICAP).

Open omsConfig.ini in a text editor.

Add the following in the "icap server" section.enable_debug_logging=1

Save and close.

Start ICAP server (net start omsICAP).

In order to disable profiling logging.

Make sure ICAP is stopped (net stop omsICAP).

Open omsConfig.ini in a text editor.

Set the following in the "icap server" section. (You can also completely delete the line)enable_debug_logging=0

Save and close.

Start ICAP server (net start omsICAP).

How to read the logs

<Metascan installation directory>\Log\icap_profiling.log.

TLS support

Metadefender ICAP does not support TLS natively but Using stunnel, you should be able to handle ICAP message to be encrypted between ICAP client and ICAP server.

Introduction

What is ?stunnel

Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. [ ]stunnel's website

By using stunnel one can receive ICAP requests via SSL connection which will be decrypted and send toward Metadefender ICAP Server locally.

Installation on Windows

https://www.stunnel.org/index.html

v3.13.0 341

1.

2.

3.

4.

1.

2.

3.

1.

2.

a.

b.

Installation on Windows

Download the Windows installer from stunnel's pagedownload

Start the installer and follow its steps (use default values if you are not sure)

During the installation you will be asked to generate a certificate file. Fill in the required fields with your information

Make sure that " " is at the end of the setupStart stunnel after installation not checked

Configuration

Locate and open the file. It should be under the directory in the stunnel.conf configstunnel installation directory. (e.g., "C:\Program Files (x86)\stunnel\config\stunnel.conf")

Add the following lines at the end of the file

ICAP service in stunnel

[icaps]accept = 11344connect = 1344cert = stunnel.pem

Save and close the configuration file

Explanation of configuration properties

accept: The port number where stunnel listens for TLS connections for the given service

connect: The port number where the decrypted connections are forwarded to. (This should be the port used by Metadefender ICAP Server)

cert: The TLS certification used by the service. You can set your own or use the one generated during stunnel setup (which is stunnel.pem next to stunnel.conf)

Starting stunnel

After setting the configuration you are ready to start and use stunnel.

There are two ways of doing this:

Starting it with GUI: Execute stunnel.exe under <stunnel installation directory>\bin\

Installing and starting it as a service:

Install as a service: execute stunnel.exe with option-install

https://www.stunnel.org/downloads.html

v3.13.0 342

2.

b. Start as a service: execute stunnel.exe with option or start it from Windows -startServices

For more information, FAQ and HOWTO please check the .official stunnel documentation

2. ICAP response headers

The following response headers are used by the ICAP server:

Header name

Description Example Note

X-Blocked-Reason

Metadefender specific custom header. Contains the blocking reason of the content.

X-Blocked-Reason: Infected

It is available only if the content was scanned and some violations were found.

X-ICAP-Profile

Contains the applied workflow's name.

X-ICAP-Profile: Proxy It is available only if the file was scanned.

X-Response-Info

Contains the one word description of the action the ICAP server applied on the request.

X-Response-Info: AllowedX-Response-Info: BlockedX-Response-Info: Options

This header is available in all responses sent by the ICAP server.

X-Response-Desc

Contains the blocking reason.

X-Response-Desc: InfectedX-Response-Desc: Encrypted Archive

The header is available in all "blocked" responses.

In case of the content was scanned and some violations were found, the returned string is equivalent to X-Blocked-Reason's value.

https://www.stunnel.org/docs.html

v3.13.0 343

Header name


X-Virus-ID Contains a short description of the threat that was found in the content. If multiple threats were found, only the first one is returned.

X-Virus-ID: EICAR Test StringX-Virus-ID: Encrypted Archive

The header is available only if the content was scanned and some violations were found.

X-Infection-Found

Contains the description of the threat that was found in the content. If multiple threats were found, only the first one is returned.

The value is a semicolon separated list with three parameters:

Type

0: Infection has been found

2: Container violation has been found

Resolution:

0: The suspicious content was not repaired

Threat: Threat name

X-Infection-Found: Type=0; Resolution=0; Threat=EICAR Test String;X-Infection-Found: Type=2; Resolution=0; Threat=Encrypted Archive;

The header is present only if the content was scanned and some violations were found.

X-Violations-Found

Contains the detailed description of the violations that were found. If the scanned content was an archive, the scan results for the contained files too are

X-Violations-Found: 2test.zipEICAR Test String00\eicar.txt

The header is present only if the content was scanned and some violations were found.

v3.13.0 344

Header name


listed. If multiple threats were found for a single file, only the first one is returned.

The structure of the header value is the following:

The first line contains the number of the reported violations. The following lines contain the details.

FilenameThreat nameProblemID (currently 0 returned for all threats)ResolutionID:

0: File was not repaired

1: File was repaired

2: Violating part was removed

EICAR Test String00

X-Include Contains the list of requested headers, that the ICAP clients should add to the requests, if the information is available.

X-Include: X-Client-IP The header is present only in Options responses.

3. Web Proxy Integrations

Metadefender Core's ICAP server functionality allows for integration with any proxy server that implements the ICAP interface. The Metadefender Core ICAP server can be configured and started from the Metadefender Proxy Configuration page. The Metadefender Core ICAP server is not started by default when Metadefender Core is installed.

v3.13.0 345

The following settings apply to Metadefender Core's ICAP server functionality:


ICAP Port The port the Metadefender ICAP server is operating on 1344

Maximum Sockets

Specifies how many concurrent threads will be used by the Metadefender ICAP server to handle requests.

60

After changes have been made click the ‘Apply’ button to save the changes. Click the ‘Restart ICAP Service’ or ‘Start ICAP Service’ button to restart or start the Metadefender Core ICAP server.

A custom ICAP block page can be uploaded to Metadefender Core to be displayed whenever a malicious file has been found. To upload a custom block page, browse to select the appropriate HTML file and then click to upload it.

v3.13.0 346

1.

2.

3.

4.

5.

6.

7.

8.

9.

ICAP URL

Mode URL Example

Request Modification Mode (REQMOD, OPTIONS)

icap://<IP address>:<port>/OMSScanReq-AV

e.g, icap://10.0.50.36:1344/OMSScanReq-AV

Response Modification Mode (REQMOD, OPTIONS)

icap://<IP address>:<port>/OMSScanResp-AV

e.g, icap://10.0.50.36:1344/OMSScanResp-AV

ARA network JAGUAR5000

Configuration via Web-based manager

In your browser log into Jaguar's Web Administration

Go to the pageConfiguration

From the menu on the left, click on under the groupOthers Protocol

From the top menu, select ICAP

Make sure that checkbox is checkedSend Client Address

Apply changes

Click on the button on the bottom of the pageICAP Profile

Add a new profile

v3.13.0 347

9.

10.

11.

1.

2.

3.

4.

5.

6.

7.

Type in "icap://<IP>:<PORT>/OMSScanReq-AV" to Vectoring Point 1

Type in "icap://<IP>:<PORT>/OMSScanResp-AV " to Vectoring Point 3

Apply changes

Scanning HTTPS Content

Go to the Configuration page

From the menu on the left, select SSL under the Protocol group

Check the Enable SSL checkbox

Check the Support SSL intercepting checkbox

Upload root certificate

Upload root key

Apply changes and restart the device

v3.13.0 348

7.

1.

2.

3.

BlueCoat ProxySG

Prerequisite

ICAP server Configuration

(recommended) - Blue Coat is reusing connections to the enable persistent connectionsICAP server, so it is highly recommended to enable persistent connections on the ICAP side or the Blue Coat might detect some ICAP connection drop errors under high load.

ProxySG Management Console

The ProxySG configuration should be done from the ProxySG Management Console interface. Below is the minimum configuration required for Metascan ICAP integration with ProxySG. Please refer to the ProxySG manual for advanced proxy configuration. Open a web browser and load the ProxySG Management Console. (Please refer to the ProxySG manual for details about how to open the .) The ProxySG configuration should be ProxySG Management Consoledone from the ProxySG Management Console interface. Below is the minimum configuration required for Metadefender Core ICAP integration with ProxySG. Please refer to the ProxySG manual for advanced proxy configuration. Open a web browser and load the ProxySG Management Console. (e.g. https://<ip address>:8082 Please refer to the ProxySG manual for details about how to open the ProxySG Management Console.)

Disable Automatic Cache Refresh

Click on the 'Configuration' tab, and navigate to 'Proxy Settings'->'HTTP Proxy'

Select the 'Freshness' tab and select the 'Disable refreshing' option

https://bto.bluecoat.com/sites/default/files/tech_briefs/Generic_ICAP_Integation.4.pdf

v3.13.0 349

3.

a.

b.

c.

d.

4.

1.

2.

3.

4.

5.

a.

i.

ii.

b.

i.

ii.

c.

i.

ii.

6.

7.

1.

2.

3.

Select the 'Acceleration Profile' tab and uncheck the following options

Pipeline embedded objects in client request

Pipeline redirects for client request

Pipeline embedded objects in prefetch request

Pipeline redirects for prefetch request

Click 'Apply' to save these settings

Adding REQMOD Service (Upload Mode)

Within the 'Configuration' tab, navigate to 'External Services'->'ICAP'

Click 'New'

Enter a service name for the Metascan service (in this example we use 'MetascanReqmod') and click 'OK'

In the services list, select 'MetascanReqmod' and click 'Edit'

Update the following values

In ICAP Service

Set Service URL to 'icap://<Metascan Server>/OMSScanReq-AV'

Select 'Use vendor's "virus found" page'

In ICAP Service Ports

Check 'This service supports plain ICAP connections

Set the 'Plain ICAP port' value to your Metascan's ICAP port (1344 by default)

In ICAP v1.0 Options

Check 'Request modification'

Check 'Send Client address'

Click 'OK'

Click 'Apply' to save the configuration

Adding RESPMOD Service (Download Mode)

Within the 'Configuration' tab, navigate to 'External Services'->'ICAP'

Click 'New'

Enter a service name for the Metascan service (in this example we use 'MetascanRespmod') and click 'OK'

v3.13.0 350

4.

5.

a.

i.

ii.

b.

i.

ii.

c.

i.

ii.

6.

7.

1.

2.

3.

4.

5.

6.

7.

a.

b.

8.

1.

2.

In the services list, select 'MetascanReqmod' and click 'Edit'

Update the following values

In ICAP Service

Set Service URL to 'icap://<Metascan Server>/OMSScanResp-AV'

Select 'Use vendor's "virus found" page'

In ICAP Service Ports

Check 'This service supports plain ICAP connections

Set the 'Plain ICAP port' value to your Metascan's ICAP port (1344 by default)

In ICAP v1.0 Options

Check 'Response modification'

Check 'Send Client address'

Click 'OK'

Click 'Apply' to save the configuration

Create Metadefender REQMOD Policy

Within the 'Configuration' tab, navigate to 'Policy'->'Visual Policy Manager'

Click the 'Launch' button

In the 'BlueCoat Visual Policy Manager' window, navigate to 'Policy'->'Add Web Content Layer'

Enter a layer name (in this example we use 'Metascan ICAP ReqMod') and click 'OK'

In the newly created 'Metascan ICAP ReqMod' tab, right click on 'Use Default Caching' and choose 'Set...'

In the 'Set Action Object' window, click 'New' and select 'Set ICAP Request Service...'

In the 'Add ICAP Request Service Object' window, set the following values

Set 'name' to 'Metascan ICAP Request Service'

In 'Available services', select 'MetascanReqMod' and click 'Add'

Click 'OK' to finish and 'Apply' to save

Create Metadefender RESPMOD Policy

Within the 'Configuration' tab, navigate to 'Policy'->'Visual Policy Manager'

Click the 'Launch' button

v3.13.0 351

3.

4.

5.

6.

7.

a.

b.

8.

1.

2.

3.

4.

5.

6.

7.

In the 'BlueCoat Visual Policy Manager' window, navigate to 'Policy'->'Add Web Content Layer'

Enter a layer name (in this example we use 'Metascan ICAP RespMod') and click 'OK'

In the newly created 'Metascan ICAP RespMod' tab, right click on 'Use Default Caching' and choose 'Set...'

In the 'Set Action Object' window, click 'New' and select 'Set ICAP Response Service...'

In the 'Add ICAP Response Service Object' window, set the following values

Set 'name' to 'Metascan ICAP Response Service'

In 'Available services', select 'MetascanRespMod' and click 'Add'

Click 'OK' to finish and 'Apply' to save

Configure Bluecoat SSL

refer to Configure Bluecoat SSL

Bypassing ICAP server Temporarily

This guide describes how to enable and disable ICAP server on BlueCoat proxy.

This documentation is assuming that Metadefender ICAP server is already configured and working properly.

Enable ICAP server

To enable ICAP server on BlueCoat:

Open the BlueCoat Management Console.

Go to "Configure" tab > "Advanced configuration" button.

In the left side menu, go to "Policy" > "Visual Policy Manager"

Click "Launch"

In the VPM window, right click on the service you want to enable tab (typically "ICAP Respmod" or "ICAP Reqmod")

Click "Enable layer".

The tab color should turn black.

Click "Install policy"

v3.13.0 352

1.

2.

3.

4.

5.

6.

7.

Disable ICAP server

To disable ICAP server on BlueCoat:


Go to "Configure" tab > "Advanced configuration" button.

In the left side menu, go to "Policy" > "Visual Policy Manager"

Click "Launch"

In the VPM window, right click on the service you want to disable tab (typically "ICAP Respmod" or "ICAP Reqmod")

Click "Disable layer".

The tab color should turn red.

Click "Install policy"

Configure Bluecoat SSL

Enabling Bluecoat To Intercept SSL traffic

By default SSL (HTTPS) connections are not intercepted by Bluecoat and therefore data in them are not scanned by the ICAP server. If you would like to scan files which were sent using secure connection, then you can optionally configure Bluecoat to decrypt SSL connections.

How To Configure

v3.13.0 353

1.

2.

3.

4.

How To Configure

Please refer to .bluecoat documentation

Limitations

If the ICAP server is not connected directly to Bluecoat or it is not in a private network, then the connection between Bluecoat and ICAP won't be secure anymore and the decrypted data could be in danger. (https://bto.bluecoat.com/sites/default/files/tech_pubs

"Securing access to an ICAP Server")/SGOS%20Administration%20Guide_1.pdf

Valid SSL certificates are needed for Bluecoat and user experience could be altered by certification notifications.

How to overcome certificate issues

When creating a keyring and certificate explained in the please Bluecoat documentationgive attention to that the Common name "must match the ProxySG name or IP address that the client expects"

After the keyring and the certificate is ready go to Statics → Advanced → SSL → in ProxySG Management Download a ProxySG Certificate as a CA certificate

Console

Select the previously created certificate and download/install it to the browser in use

This certificate should be set under and under the Proxy Settings → SSL Proxy which was created during configuring SSL interceptionSSLInterception

Data Trickling

Overview

Blue Coat ProxySG appliances implement Data Trickling to improve the user experience during ICAP scanning. Internet Content Adaptation Protocol (ICAP) is the protocol used by Blue Coat ProxySG and ProxyAV appliances, as well as some third party partner appliances, to perform scanning of objects to detect viruses, worms, spyware, and Trojans. Data Trickling is a mechanism implemented by Blue Coat ProxySG appliances performing ICAP scanning that slowly delivers, or trickles, data to the client as it is being scanned. By trickling data, users do not experience the timeouts sometimes associated with waiting for large objects to be scanned, or when scanning is delayed by high loads on content servers or upstream bandwidth limitations.

https://bto.bluecoat.com/webguides/proxysg/security_first_steps/index.htm#Solutions/SSL/ssl_solution.htm

https://bto.bluecoat.com/sites/default/files/tech_pubs/SGOS%20Administration%20Guide_1.pdf

https://bto.bluecoat.com/sites/default/files/tech_pubs/SGOS%20Administration%20Guide_1.pdf

https://bto.bluecoat.com/webguides/proxysg/security_first_steps/index.htm#Solutions/SSL/ssl_solution.htm

v3.13.0 354

1.

2.

3.

4.

How does Data Trickling work?

Data Trickling is designed to prevent the timeouts that can sometimes be associated with patience pages. To prevent such timeouts, Data Trickling trickles – or transmits at a very slow rate – bytes to the client at the beginning of the scan or near the very end. Because the ProxySG appliance begins serving content without waiting for the ICAP scan result, timeouts do not occur. However, to maintain security, the full object is not delivered until the results of the content scan are complete (and the object is determined to not be infected). Two types of Data Trickling are available on Blue Coat ProxySG appliances – trickle from start and trickle at end.

Trickle from start

In trickle from start mode, the ProxySG appliance buffers a small amount of the beginning of the response body. As the ICAP server continues to scan the response, the ProxySG appliance allows one byte per second to the client. After the ICAP server completes its scan, if the object is deemed to be clean (no response modification is required), the ProxySG appliance sends the rest of the object bytes to the client at the best speed allowed by the connection. If the object is deemed to be malicious, the ProxySG appliance terminates the connection and the remainder of the response object. Trickling from the start is the more secure Data Trickling option because the client receives only a small amount of data pending the outcome of the virus scan.

Trickle at end

In trickle at end mode, the ProxySG appliance sends the response to the client at the best speed allowed by the connection, except for the last 16KB of data. As the ICAP server performs the content scan, the ProxySG appliance allows one byte per second to the client. After the ICAP server completes its scan, if the object is deemed to be clean (no response modification is required), the ProxySG appliance sends the rest of the object bytes to the client at the best speed allowed by the connection. This method is more user-friendly than trickle at start. This is because users tend to be more patient when they notice that 99% of the object is downloaded versus 1%, and are less likely to perform a connection restart. However, network administrators might perceive this method as the less secure method, as a majority of the object is delivered before the results of the ICAP scan.

Step-by-step guide

To enable data trickling:


Go to "Configuration" tab > "Advanced configuration" button.

Enter credentials if prompted.

v3.13.0 355

4.

5.

6.

a.

b.

c.

7.

a.

b.

c.

In the Advanced configuration menu, go to "Configuration" tab > "External Services" > "ICAP".

Click the "ICAP Feedback" tab.

In the "ICAP Feedback for Interactive Traffic" section:

Check "Provide feedback after X seconds" checkbox

Set the number of seconds to the time you want to wait for ICAP to respond before starting trickling

8 seconds is a usually a good timing, long enough for average file sizes to be fully scanned by ICAP, short enough for browsers to not timeout before trickling starts.

Check the "Trickle object data from start" or "Trickle object data at end" depending on the trickling type you want (see "How does Data Trickling work" section).

"From start" is the most secure.

"At end" is the most user friendly.

In the "ICAP Feedback for Non-Interactive Traffic" section:

Check "Provide feedback after X seconds" checkbox

Set the number of seconds to the time you want to wait for ICAP to respond before starting trickling

5 seconds is a usually a good timing for non-interactive traffic

Check the "Trickle object data from start" or "Trickle object data at end" depending on the trickling type you want (see "How does Data Trickling work" section).

"From start" is the most secure.

"At end" is the most user friendly.

More info

https://www.bluecoat.com/sites/default/files/documents/files/ICAP_Data_Trickling.7.pdf

Disable BlueCoat caching

Step-by-step guide

To prevent the transmission of stale content or other issues caused by object caching, you can use either or in content policy language (CPL). For a cache(no) bypass_cache(yes)

comparison of and , see .cache(no) bypass_cache(yes) KB1772

https://www.bluecoat.com/sites/default/files/documents/files/ICAP_Data_Trickling.7.pdf

http://kb.bluecoat.com/index?page=content&id=KB1772

v3.13.0 356

1.

2.

3.

4.

5.

6.

7.

1.

2.

3.

This sample provides instructions for disabling object caching for specific URLs by adding a policy rule in the Web Access Layer.

In the Management Console, select > > , Configuration Policy Visual Policy Mangerand then click .Launch

From the Visual Policy Manager (VPM) dialog box, select Policy > Add Web Access . The Add New Layer dialog box appears.Layer

In the Add New Layer dialog box, name the layer to reflect the purpose of the layer, such as "Web Access Layer (bypass cache)," then click .OK

Right click the field and select from the drop-down list.Destination Set

In the Set Destination Object dialog box, click and enter the URL New > Request URL,you want to exclude from the cache. Click then .Add, OK

Right click on and select > Then, click .Action Set Bypass Cache. OK

Click to apply the new policy. Install policy

To use CPL code for the same policy rules, add the following CPL code in the local policy file or in a VPM CPL Policy Layer:

<Proxy>url.domain=< > bypass_cache(yes)url

In the example above, < > is the URL you want to exclude from caching.url

Source:

https://kb.bluecoat.com/index?page=content&id=KB5229

Related articles

Error rendering macro 'contentbylabel' : parameters should not be empty

Process Only Specific File Types

Step-by-step guide

Open the BlueCoat management console using a web browser (default URL: http://<bluecoat proxy IP>:8082/)

When prompted, enter your user name and password and click "Ok".

In the BlueCoat management console, click on the "Configure" tab)

https://kb.bluecoat.com/index?page=content&id=KB5229

v3.13.0 357

3.

4.

5.

On the "Configuration" page, click on the "Advanced configuration" button

In the management console menu, go to Policy -> Visual Policy Manager.

v3.13.0 358

5.

6.

7.

Click "Launch" to start the Visual Policy Manager.

In the Visual Policy Manager, click on the tab where you set the ICAP rule you plan to add file type filtering on.

In these instructions, the ICAP layer is named "Metascan ICAP RespMod". The tab name on your installation might be different.

The window you see should look similar to the screenshot below.

v3.13.0 359

7.

8.

9.

Right click the "Destination" cell of the ICAP rule (line where the "Action" is set to your ICAP service) and click "Set".

In the "Set Destination Object", select "New" and click "Apparent Data Type".

v3.13.0 360

9.

10. In the "Add Apparent Data Type Object" window, change the "Name" value to whatever you want (optional) and select the file types you want forwarded to the ICAP server.

v3.13.0 361

10.

11.

12.

Click "Ok" twice to get back to the Visual Policy Manager.

In the "Visual Policy Manager" window, click "Install policy" to apply the new configuration.

v3.13.0 362

12.

1.

F5 BIG IP

Prerequisite

ICAP server Configuration

Big-IP Management Console

The F5 Big-IP configuration should be done from the F5 Big-IP Management Console interface. Below is the minimum configuration required for Metascan ICAP integration with F5 Big-IP. Please refer to the F5 Big-IP manual for advanced configuration. Open a web browser and load the Big-IP Management Console. (Please refer to the Big-IP manual for details about how to open the Big-IP Management Console.) Metascan can be used to scan all files being uploaded to the F5 BIG IP server with all of the engines in Metascan to make sure that no malware is able to get to the web servers behind the Big IP server. This guide describes the basic steps to getting Metascan working with your F5 BIG IP server.

Configuring the F5 BIG IP Appliance

The following configuration steps should be done from the F5 BIG IP Management Console interface. The steps below describe the minimum configuration required for Metascan ICAP integration with F5 BIG IP. Please refer to the .F5 BIG IP manual for advanced configuration

Open a web browser and load the BIG IP Management Console. (Please refer to the BIG IP manual for details about how to open the BIG IP Management Console.)

Creating a custom client-side ICAP profile

You create this ICAP profile when you want to use an ICAP server to wrap an HTTP request in an ICAP message before the BIG-IP system sends the request to a pool of web servers. The profile specifies the HTTP request-header values that the ICAP server uses for the ICAP message.Important: You can use macro expansion for all ICAP header values. For example, if an ICAP header value contains ${SERVER_IP}, the BIG-IP system replaces the macro with the IP address of the ICAP server selected from the pool assigned to the internal virtual server. If an ICAP header value contains ${SERVER_PORT}, the BIG-IP system replaces the macro with

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/12.html

v3.13.0 363

1.

2.

3.

4.

5.

6.

7.

8.

the port of the ICAP server selected from the pool assigned to the internal virtual server. For example, you can set the URI value in an ICAP profile to icap://${SERVER_IP}:${SERVER_PORT}/OMSScanReq-AV.

On the Main tab, click Local Traffic > Profiles > Services > ICAP.

Click Create.

In the Name field, type a unique name for the profile.

For the Parent Profile setting, retain the default value, icap.

On the right side of the screen, select the Custom check box.

In the URI field, type a URI in this format: . For example, using icap://hostname:port/pathmacro expansion, you can set the URI value to:icap://${SERVER_IP}:${SERVER_PORT}/OMSScanReq-AV .

In the Preview Length field, type a length or retain the default value 0. This value defines the amount of the HTTP request or response that the BIG-IP system offers to the ICAP server when sending the request or response to the server for adaptation. This value should not exceed the length of the preview that the ICAP server has indicated it will accept.

Leave empty for "Header From", "Host", "Referer", "User Agent" fields.

icap://hostnameport

v3.13.0 364

8.

9.

1.

2.

3.

4.

5.

6.

7.

a.

b.

Click Finished.

After you create the ICAP profile, you can assign it to an internal virtual server so that the HTTP request that the BIG-IP system sends to an ICAP server is wrapped in an ICAP message, according to the settings you specified in the ICAP profile.

Creating a pool of ICAP servers

You perform this task to create a pool of ICAP servers that perform content adaptation on HTTP requests.

On the Main tab, click Local Traffic > Pools. The Pool List screen opens.

Click Create. The New Pool screen opens.

In the Name field, type a unique name for the pool.

For the Health Monitors setting, from the Available list, select the http monitor, and click << to move the monitor to the Active list.

From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin.

For the Priority Group Activation setting, specify how to handle priority groups:

Select Disabled to disable priority groups. This is the default option.

Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.

Using the New Members setting, add each resource that you want to include in the pool:

Either type an IP address in the Address field, or select a node address from the Node List.

v3.13.0 365

7.

b.

c.

d.

8.

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

1.

Type a port number in the Service Port field, or select a service name from the list.

To specify a priority group, type a priority number in the Priority field.

Click Add.

Click Finished.

The pool of ICAP load balancing servers appears in the Pools list.

Creating an internal virtual server for forwarding requests to an ICAP server

A virtual server of type internal provides a destination that a standard type of virtual server can use when forwarding HTTP requests slated for ICAP-based content adaptation.

On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

Click the Create button. The New Virtual Server screen opens.

In the Name field, type a unique name for the virtual server.

In the Description field, type a description of the virtual server. For example: This virtual server ensures HTTP request modification through the use of the service_name ICAP service..

From the Type list, select Internal.

For the State setting, verify that the value is set to Enabled.

From the Configuration list, select Advanced.

From the ICAP Profile list, select the ICAP profile that you previously created for handling HTTP requests.

From the Default Pool list, select the pool of ICAP servers that you previously created.

Click Finished.

After you perform this task, a standard type of virtual server can forward HTTP requests to an internal type of virtual server. The internal virtual server then sends the request to a pool of ICAP servers, before sending the request back to the standard virtual server for forwarding to the pool of web servers.

Creating a custom Request Adapt profile

You create a Request Adapt type of profile when you want a standard HTTP virtual server to forward HTTP requests to an internal virtual server that references a pool of ICAP servers. A Request Adapt type of profile instructs the HTTP virtual server to send an HTTP request to a named internal virtual server for possible request modification.

v3.13.0 366

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

1.

On the Main tab, click Local Traffic > Profiles > Services > Request Adapt.

Click Create.


For the Parent Profile setting, retain the default value, requestadapt.

On the right side of the screen, click the Custom check box.

For the Enabled setting, retain the default value, Enabled. When you set this value to Enabled, the BIG-IP system forwards HTTP requests to the specified internal virtual server for adaptation.

From the Internal Virtual Name list, select the name of the internal virtual server that you previously created for forwarding HTTP requests to the pool of iCAP servers.

In the Preview Size field, type a numeric value. This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP request header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to 0 disables buffering of the request and should only be done if the adaptation server always returns a modified HTTP request or the original HTTP request.

In the Timeout field, type a numeric value, in seconds. If the internal virtual server does not return a result within the specified time, a timeout error occurs. To disable the timeout, use the value 0.

From the Service Down Action list, select an action for the BIG-IP system to take if the internal virtual server returns an error:

Select Ignore to instruct the BIG-IP system to ignore the error and send the unmodified HTTP request to an HTTP server in the HTTP server pool.

Select Drop to instruct the BIG-IP system to drop the connection.

Select Reset to instruct the BIG-IP system to reset the connection.

Click Finished.

After you perform this task, the BIG-IP system contains a Request Adapt profile that a standard HTTP virtual server can use to forward an HTTP request to an internal virtual server for ICAP traffic.

Creating a custom HTTP profile

An HTTP profile defines the way that you want the BIG-IP system to manage HTTP traffic.®

Note: Other HTTP profile types (HTTP Compression and Web Acceleration) enable you to configure compression and cache settings, as required. Use of these profile types is optional.

v3.13.0 367

1.

2.

3.

4.

5.

6.

7.

1.

2.

3.

4.

5.

6.

7.

a.

b.

c.

d.

8.

On the Main tab, click Local Traffic > Profiles > Services > HTTP. The HTTP profile list screen opens.

Click Create. The New HTTP Profile screen opens.


From the Parent Profile list, select http.

Select the Custom check box.

Modify the settings, as required.

Click Finished.

The custom HTTP profile now appears in the HTTP profile list screen.

Creating a pool to process HTTP traffic

You can create a pool of web servers to process HTTP requests.

On the Main tab, click Local Traffic > Pools. The Pool List screen opens.

Click Create. The New Pool screen opens.

In the Name field, type a unique name for the pool.

For the Health Monitors setting, from the Available list, select the http monitor, and click << to move the monitor to the Active list.

From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin.

For the Priority Group Activation setting, specify how to handle priority groups:

Select Disabled to disable priority groups. This is the default option.

Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.

Using the New Members setting, add each resource that you want to include in the pool:

Type an IP address in the Address field, or select a node address from the Node List.

Type 80 in the Service Port field, or select HTTP from the list.

(Optional) Type a priority number in the Priority field.

Click Add.

Click Finished.

The new pool appears in the Pools list.

v3.13.0 368

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

1.

2.

a.

b.

c.

Creating an HTTP virtual server for enabling request adaptation

You perform this task to create a standard virtual server that can forward an HTTP request to an internal virtual server. The internal virtual server then sends the request to a pool of ICAP servers before the BIG-IP system sends the request to the web server.®

On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

Click the Create button. The New Virtual Server screen opens.

In the Name field, type a unique name for the virtual server.

For the Destination setting, in the Address field, type the IP address that you want to use as a destination for client traffic destined for a pool of HTTP web servers.The IP address you type must be available and not in the loopback network.

In the Service Port field, type 80, or select HTTP from the list.

From the Configuration list, select Advanced.

From the HTTP Profile list, select the name of the HTTP profile that you created previously.

From the Request Adapt Profile list, select the name of the Request Adapt profile that you previously created.

From the Source Address Translation list, select Auto Map.

From the Default Pool list, select the name of the HTTP server pool that you previously created.

Click Finished.

Configuring the REQMOD ( Request Modification) service

In order to configure F5 BIG-IP LTM to only forward HTTP requests to the Metadefender Core ICAP server, follow the steps described below. In the case you want to configure F5 BIG-IP LTM to forward both HTTP requests and responses, refer to the "Configuring REQMOD and RESPMOD Services" section.

Open a Web browser and follow the instructions from the page:https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/12.html

Update the REQMOD ICAP service profile.

Go to “Local Traffic” > “Profiles” > “Services” > “ICAP”.

In the list that appears select your ICAP Request mod service.



v3.13.0 369

2.

c.

d.

3.

a.

b.

c.

d.

1.

2.

a.

b.

c.

d.

3.

a.

b.

c.

d.

4.

a.

b.

c.

d.

5.

a.

Set “Preview Length” to 0 and make sure the checkbox next to it is checked.

Click “Update” to apply the changes.

Update the Request Adapt profile.

Go to “Local Traffic” > “Profiles” > “Services” > “Request Adapt”.

In the list that appears select your request adapt service.

Set “Preview Size” to 0 and make sure the checkbox next to it is checked.


Configuring REQMOD and RESPMOD Services

In order to configure F5 BIG-IP LTM to forward both HTTP requests and responses to the Metadefender Core ICAP server, follow the steps described below. In the case you want to configure F5 BIG-IP LTM to only forward HTTP responses, refer to the "Configuring REQMOD Service" section.

Open a Web browser and follow the instructions from the page:https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/13.html

Update your REQMOD ICAP service profile.

Go to “Local Traffic” > “Profiles” > “Services” > “ICAP”.

In the list that appears select your ICAP Request mod service.



Update your RESPMOD ICAP service profile.

Go back to “Local Traffic” > “Profiles” > “Services” > “ICAP”.

In the list that appears select your ICAP Response mod service.



Update your Request Adapt profile.

Go to “Local Traffic” > “Profiles” > “Services” > “Request Adapt”.

In the list that appears select your request adapt service.



Update Response Adapt service profile (only if RESPMOD is used)



v3.13.0 370

5.

a.

b.

c.

d.

1.

2.

3.

1.

2.

3.

4.

1.

Go to “Local Traffic” > “Profiles” > “Services” > “Response Adapt”.

In the list that appears select your response adapt service.



Configuring Service Down Actions

If you followed the steps described in "Configuring REQMOD Service" or "Configuring REQMOD and RESPMOD Services". Big-IP will be configured to drop all connections when the ICAP service is down.

F5 can be configured to forward HTTP data to the web server/web client in the case the ICAP server is unrechable. If you are using an ICAP server pool that contains more than one Metascan ICAP server, F5 can also be configured to forward the HTTP content to a different pool member.Bypass ICAP server on service down

Note that bypassing ICAP on service down may lower your organisation's security as content will be forwarded without being scanned.

Open the “Request adapt” profile (“Profiles” > “Services” > “Request Adapt”)

Set “Service Down Action” to “Ignore”.

Click the "Update" button to apply the changes.

Transfer content to different pool member

If you are using an ICAP server pool that contains more than one Metascan ICAP server, you can also configure Big-IP to send the HTTP content to a different ICAP pool member.

Open your ICAP services pool properties ("Pools" > "Pool List").

Set the "Configuration" list to "Advanced".

Set the “Action on Service Down” property to “Reselect”.

Click the "Update" button to apply the changes

Throughput limitation by license

If you experience slow download/upload through F5 then there is a chance that your throughput is limited by F5 license.

How to check the maximum throughput allowed by license:

SSH into F5: On Windows open PuTTY then type the IP of the F5 device, and click Open

v3.13.0 371

1.

2.

3.

4.

5.

Use the default login: admin/admin

Type tmsh and press enter

Type "show /sys license detail | grep perf" to see performance limitations by license

To exit from tmsh type "quit" and press enter, to quit from PuTTY type "exit" then press enter

F5 BIG IP SSL configuration

To be able to scan data transmitted using SSL connection you have to take similar steps as listed in .F5 BIG IP and Metascan Getting Started Guide

The only difference is that you should setup a HTTPS pool and virtual server instead of plain HTTP.

Please check the following links to be able to setup HTTPS connection handling:

Managing client-side HTTPS traffic using a self-signed certificate

Managing client and server HTTPS traffic using a self-signed certificate

Managing client-side HTTPS traffic using a CA-signed certificate

McAfee Web Gateway

The current documentation is based on McAfee Web Gateway version 7.7.

Prerequisites

McAfee Web Gateway is installed and license is activated

ICAP server is started and configured with " " option enabled. Use persistent connectionFor details please check 1. ICAP server Configuration

Configure McAfee Web Gateway to use Metadefender ICAP

https://opswat.atlassian.net/wiki/display/MLD/F5+BIG+IP+and+Metascan+Getting+Started+Guide

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/9.html#conceptid



v3.13.0 372

1.

2.

3.

4.

Configure McAfee Web Gateway to use Metadefender ICAP

In your browser navigate to the McAfee Web Gateway's user interface. By default it is accessible via http://<IP address>:4711 or https://<IP address>:4712. Default user/password combination is admin/webgateway

Choose Policy

Under the tab select Rule Sets Add → Rule Set from Library...

Select from the rule set list and click ICAP Client → ICAP Client OK

v3.13.0 373

4.

5.

6.

Select the newly created under and click on next to ICAP Client Rule Sets Edit...ReqMod server

v3.13.0 374

6.

7.

8.

1.

2.

3.

In the window under double-click on the first item. Edit List (ICAP Server) List contentIn the new window change the URI for the ICAP server. It should look Edit ICAP Serverlike . Click OK to close the Edit ICAP icap://<ICAP IP>:<ICAP port>/OMSScanReq-AVServer window and click OK again to close the ReqMod server editor window

Repeat steps 5-6 to set the . The URI for ICAP server should be RespMod servericap://<ICAP IP>:<ICAP port>/OMSScanResp-AV

After everything is configured click in the top-right corner. McAfee is now Save Changesconfigured to use Metadefender ICAP

Enabling SSL Scanner

If you want to inspect contents in HTTPS connections with Metadefender ICAP you should enable in Mcafee Web Gateway.SSL Scanner

In your browser navigate to the McAfee Web Gateway's user interface. By default it is accessible via http://<IP address>:4711 or https://<IP address>:4712. Default user/password combination is admin/webgateway

Choose Policy

Under select the rule which is disabled by defaultRule Sets SSL Scanner

v3.13.0 375

3.

4. Check option and click McAfee is now configured to decrypt Enable Save Changes.HTTPS traffic and send it to Metadefender ICAP unencrypted

Troubleshooting

To use the Mcafee Web Console, you need to enable java in your browser and add the Web Console's url to the trusted sites in Java Config.

If you see a McAfee Web Gateway malware detection page instead of a Metadefender ICAP block page then you should disable Anti-Malware scanning. This can be done under Policy → Rule Sets → Gateway Anti-Malware → Gateway Anti-Malware Settings

There are notifications or even non-working web pages after enabling SSL Scanner: you should download and install the SSL certificate used by Web Gateway to your browser. You can get the certificate under Policy → Settings → SSL Client Context with CA →

. Click next to and import the created file to Default CA Export... Certificate Authorityyour browser's trusted root certificates

If you see errors: Metadefender ICAP server should "16000 - NoIcapServerAvailable"be configured to use persistent connections. Please check 1. ICAP server Configuration

Squid

Basic Configuration

Squid configuration should be done by modifying “squid.conf” (e.g, /etc/squid3/squid.conf). Below is an example of a simplified version of configuration for Squid. For more detailed documentation, please refer to the Squid manual.

1. Enable acl localnet.

Search for “acl localnet” section, uncomment all “acl localnet” lines. Below is an example of how the configuration might look:

v3.13.0 376

acl localnet src 10.0.0.0/8acl localnet src 172.16.0.0/12 # RFC1918 possible internal networkacl localnet src 192.168.0.0/16 # RFC1918 possible internal networkacl localnet src fc00::/7 # RFC 4193 local private network rangeacl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443acl Safe_ports port 80 # httpacl Safe_ports port 21 # ftpacl Safe_ports port 443 # httpsacl Safe_ports port 70 # gopheracl Safe_ports port 210 # waisacl Safe_ports port 1025-65535 # unregistered portsacl Safe_ports port 280 # http-mgmtacl Safe_ports port 488 # gss-httpacl Safe_ports port 591 # filemakeracl Safe_ports port 777 # multiling httpacl CONNECT method CONNECT

2. Allow localnet and localhost access by adding the following lines. (under the "Recommended minimum Access Permission configuration" section)

http_port 3128http_access allow localnethttp_access allow localhosthttp_access deny all

3. Enable ICAP and set the Preview Size to 0. (these values don't exist, so you simply add them anywhere in the file)

icap_enable onicap_send_client_ip onicap_preview_enable onicap_preview_size 0icap_service_failure_limit -1

Enable ReqMod (upload mode)...again, these don't exist, so add them anywhere

v3.13.0 377

Enable ReqMod (upload mode)...again, these don't exist, so add them anywhere

icap_service metascan_req reqmod_precache bypass=0 icap://<Metascan>:1344/OMSScanReq-AVadaptation_access metascan_req allow all

Enable RespMod (download mode) again, these don't exist, so add them anywhere

icap_service metascan_resp respmod_precache bypass=0 icap://<Metascan>:1344/OMSScanResp-AVadaptation_access metascan_resp allow all

4. Persistent connections

By default, Squid is using persistent connections to the ICAP server, this feature can be controlled explicitly by the following directive:

icap_persistent_connections on/off

If persistent connections are enabled in Squid, the same setting should be applied to the ICAP side or Squid might report some ICAP errors. See: Configuration via INI

5. Restart Squid to apply the new configuration.

NOTE: If you are using Squid 3.1 there is a bug in Squid that drops the connection to the ICAP server. You will notice messages in Squid's cache.log file similar to the following:

"essential ICAP service is down after an options fetch failure: icap://<metascan IP>:1344 [down,!opt]"/OMSScanReq-AV

This may cause you to get Squid error messages when trying to access websites.

To fix this, either upgrade to Squid 3.2 or higher, or add "icap_persistent_connections off" to your squid.conf file.

icap://10.0.50.72:1344/OMSScanReq-AV

icap://10.0.50.72:1344/OMSScanReq-AV

v3.13.0 378

Scanning HTTPS content

Learn how to configure Squid to scan HTTPS content below. This allows Squid to send HTTPS content to the Metadefender Proxy server for scanning purposes.

Requirements

Version: ? Tried with 3.5.19

Squid has to be compiled with SSL support. For further information, please see: http://docs.diladele.com/

Configuration

Tell Squid to listen on the following ports:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<SQUIDFOLDER>\etc\ssl\myc.pem# intercepted traffichttps_port 3130 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<SQUIDFOLDER>\etc\ssl\myc.pem

In addition, the following lines have to be inserted:

sslcrtd_program <SQUIDFOLDER>\lib\squid\ssl_crtd.exe -s <SQUIDFOLDER>\var\cache\squid_ssldb -M 4MB ssl_bump stare allssl_bump bump all

Certification

Generate a new root certification for Squid by entering the following in the squid.conf file:

openssl.exe req -new -newkey rsa:1024 -days 1000 -nodes -x509 -keyout myc.pem -out myc.pem

After generating a new certification, the certification storage should be reinitialized by deleting the <SQUIDFOLDER>\var\cache\squid_ssldb folder and running:

http://docs.diladele.com/

v3.13.0 379

1.

2.

3.

a.

4.

a.

b.

c.

<SQUIDFOLDER>\lib\squid\ssl_crtd.exe -c -s <SQUIDFOLDER>\var\cache\squid_ssldb

The certification has to be added to the browser. Squid has to be restarted after the changes.

4. Using ICAP server for Metadefender Core v4.x (BETA)

For Windows

Prerequisites

Metadefender Core v4.x Windows is installed on the same machine.

Obtained a ICAP_for_v4_beta.zip package.

How To Install

Unpack ICAP_for_v4_beta.zip

Open icap_config.ini and set to the port used by Metadefender Core REST rest_port(default is 8008)

Start omsICAPServer.exe

For a better performance install omsICAPServer.exe as a Windows service

sc.exe create <new_service_name> binPath= "<path_to_the_service_executable>"

Using Metadefender Core v4 management enable local file scan:

Open Policies → Security rules → File scan

Check "Allow scan files on server"

Add the ICAP temp directory to the list of allowed directories. This is C:\Windows\Temp\ by default on Windows but can be overwritten by in temp_diricap_config.ini

For Linux (Ubuntu 16.04)

Prerequisites

Ubuntu 16.04 or newer

v3.13.0 380

1.

2.

3.

4.

a.

b.

c.

Metadefender Core V4 Linux is installed on the same machine

Obtained a ICAP_for_v4_beta.zip package.

How To Install

Unpack ICAP_for_v4_beta.zip into a directory

Open icap_config.ini and set to the port used by Metadefender Core REST rest_port(default is 8008)

Start md_icap

Using Metadefender Core v4 management enable local file scan:

Open Policies → Security rules → File scan

Check "Allow scan files on server"

Add the ICAP temp directory to the list of allowed directories. This is /tmp/ by default on Linux but can be overwritten by in icap_config.initemp_dir

Configuration via INI

The ICAP server configuration is done in omsConfig.ini. Applying configuration changes requires to restart the ICAP server.

Key Description

maxnum_sockets Range: 1~1000: 60Defaut

Number of worker threads to handle ICAP requests. Configures the number of threads that will be used by the Metadefender Core ICAP server for handling requests. For optimal performance, this should be set to a value higher than the number of processor cores available to the Metadefender Core system

maxnum_connections Default: 355

The maximum number of simultaneous connections that the ICAP server is able to support. Certain proxy servers will use this value to restrict the requests that are made of the Metadefender Core ICAP server and will not send more than this number of simultaneous requests to the Metadefender Core ICAP server.

v3.13.0 381

Key Description

By ICAP specs, the client (proxy) is not supposed to send more requests than what is advertised by the ICAP server.

If the client receives more than this number of connections, it is supposed to handle the overload itself (i.e. queuing, bypassing, rejecting...)

The ICAP server does not enforce that number, this means that if the client does not respect the rules and sends more than the advertised max number of connections, we will still process them.

port Range: 1 - 65535: 1344Default

Port the server is listening to. If you are installing with other product which have ICAP interface, you must change to different port.

block_on_max_capacity Range: 0 - 1: 0Default

Blocking (i.e. return 403 forbidden to HTTP clients) every request coming in when Metadefender Core is overloaded (i.e. "Metascan server too busy"). A "Metascan server is too busy. Please try again later." message will be displayed in clients browsers.

0: Allow files when overloaded

1: Block files when overloaded

path_to_custom_html Value: Absolute file path or file path relative to omsICAPServer.exe directory

: Default omsICAPdefault.htm

Path to custom HTML page to be displayed to the user when content is blocked, request rejected due to license, server too busy, etc.

Content is parsed by ICAP server.

v3.13.0 382

Key Description

Use the "%%%icap_block_message%%%" macro in the web page as a place holder for the ICAP message. ICAP server will replace that message by whatever message it has to say.

scan_health_checks Range: 0 - 1: 0Default

Scan client specific health checks.Disabling scanning health checks improves performance as it reduces the load on Metascan.

Only implemented for BlueCoat for now.

Easy to add support for different health checks

BlueCoat periodically sends requests to the ICAP server to make sure it's working fine.

Disabling scanning health checks improves performance.

dump_invalid_requests Range: 0 - 1: 0Default

Outputs the invalid buffer to a file ending in "_400_Bad_Request.txt" Slight performance impact when invalid requests are processed. Should only be enabled for investigation purpose.

0: Disables dumping invalid (ICAP 400 response) raw requests to a file.

1: Dumps invalid (ICAP 400 response) raw requests to a file.

log_dir Value: Absolute or relative path for the logging directory. All the generated log files are placed here.

: Empty (Log folder under install directory)Default

The path to the logging directory.

temp_dir

v3.13.0 383

Key Description

Value: Absolute or relative path for a directory that can be used by ICAP server for saving temporary files.

: Empty (C:\Windows\Temp\ on Windows and /tmp/ Defaulton Linux)

The path to the directory that can be used by the ICAP server to save temporary files.

skip_too_big_file Range: 0 - Max Unsigned Long : 0Default

Allows the ICAP server to skip scanning a file if the file is too large. The value specifies in the threshold for skipping bytesfiles. A value of 0 means this feature is off, anything greater than 0 indicates this feature is on

use_persistent_connections Range: 0 - 1: 0Default

This should be used for improved performance. The ICAP server keeps the connections open, so they can be reused for several requests.

0 : ICAP server is not using persistent connections. Connections are closed after serving a request.

1 : ICAP server is using persistent connections. Connections are kept open after serving a request.

rest_port Range: 1 - 65535: 8008Default

Port of the Metadefender V4 REST which can be used by the ICAP to initiate scanning.

sanitization_postfix Value: Custom text postfix, that will be appended to Content-Disposition header's filename if the file is sanitized.

: No postfix will be appended.Default

This postfix can be used to indicate if a file is sanitized. If the key is not set or set to empty string, no postfix will be appended.

v3.13.0 384

Key Description

For example (PDF to PDF sanitization is enabled in Core workflow) and this configuration is done as follows. For the following HTTP header,

sanitization_postfix=[sanitized]

Content-Disposition: attachment; filename="report.pdf";

will be modified to

Content-Disposition: attachment; filename="report[sanitized].pdf";

v3.13.0 385

10. Metadefender / Kiosk

Overview

Metadefender Kiosk helps protect your network by enabling control over the flow of data into and out of your organization. It can be used as a media scanning station on your own hardware or on OPSWAT's custom-made kiosks. Typically, media such as USB devices, DVDs, card readers, SD cards, flash drives, or floppy disks, are scanned by Metadefender Kiosk by inserting the media device into the appropriate drive. After the scan is complete, Kiosk generates a detailed report.

This user guide covers installing, configuring, upgrading, using, and troubleshooting Metadefender Kiosk.

Key Features

Protection against zero-day attacks (Metadefender Core integration).

Customized data security policies.

Control over data flow.

System restore.

Active Directory authentication.

Custom Authentication.

Portable Media including floppy disks, SD cards, CDs, DVDs, encrypted USB and disc, and more.

v3.13.0 386

UI localization/internalization (comes with English, Arabic, Hebrew, Japanese, Korean and the ability to manually add any other language).

Securely wipe USB drives.

Easier system hardening.

User authentication

Metadefender Kiosk has the following authentication features:

Active Directory authentication

Supports custom authentication

Peripheral media

Metadefender Kiosk automatically detects multiple peripheral media insertions for the following media types:

USB devices*

CDs/DVDs/Blu-ray

Card readers

SD cards

Floppy disks

* Not all USB devices are currently supported. If you have a specific device you need supported, please contact OPSWAT support.

Encrypted USB devices

Metadefender Kiosk can unlock encrypted USB devices with a given password. Metadefender Kiosk supports the following encrypted USB devices:

Biocryptodisk-ISPX

Buffalo RUF2-HSCT and RUF3-HSL

IronKey S200

IronKey D250

Kanguru Defender Elite 30

Kanguru 2000 and 3000

Kingston DataTraveler Vault Privacy

v3.13.0 387

SanDisk Cruzer Enterprise FIPS Edition

SanDisk Cruzer Contour

U3 based USBs

EncryptDisc CDs/DVDs

Microsoft BitLocker: Metadefender Kiosk supports BitLocker To Go using passwords. Metadefender Kiosk does not support BitLocker encryption using key files, smart cards, or VHD (Virtual Hard Drive) BitLocker encryptions.

McAfee Complete Data Protection when McAfee file and Removable Media Protection client is installed

Media handling

Metadefender Kiosk's media handling features include the following:

Can scan drives with multiple partitions

Can perform a full or partial media scan

Can wipe/format USB drives

Supports integration with Metadefender SFT ( Secure File Transfer) for accessing and downloading scanned files

USB device soft eject

CD/DVD eject

Processing files

Metadefender Kiosk uses Metadefender Core to process files. Metadefender Core has the following processing features:

Multi-engine scanning of files

Data sanitation

Heuristics for zero-day threats

Archive extraction

File type verification

Workflow engines

v3.13.0 388

Scanning session results

After scanning media, Metadefender Kiosk allows you to view detailed scan logs, and print scan results.

Customizable interface

The Metadefender Kiosk interface supports English, Arabic, Hebrew, Japanese, Korean, German, and Vietnamese languages.

System hardening

Metadefender Kiosk comes with a variety of system hardening features for maximum security.

Disabled autorun

Users can only exit by pressing ALT+F4 and, if Kiosk is configured to require a password to exit, entering the admin password

Blocks the ability to copy files to the system

Blocks the ability to execute files on the system

Runs automatically on system startup

Configurable file policy by file type

Select allowed/blocked and skipped files by file type and size

Select file extensions to be taken under consideration when a file type mismatch is performed

1. Installing / Upgrading Metadefender Kiosk

Before you begin the installation, you should ensure that are met. You system requirementscan install Metadefender Kiosk by either using the embedded Install Wizard or from the Windows command line.

Once you finish installing Kiosk and , you can Harden the kiosk deploy and launch the kiosk UI for usage.

This section does not cover installation of Metadefender SFT and Metadefender Core. Refer to the user guides for them.

v3.13.0 389

1.1. Kiosk System Requirements


When Metadefender Kiosk is installed on a separate machine than Metadefender Core, the machine Metadefender Kiosk is installed on must meet the following requirements:

Minimum system memory: 4 GB

Minimum available hard drive space: 10 GB

When Metadefender Kiosk is installed on the same machine as Metadefender Core, refer to Metadefender Core system requirements for additional requirement.


Metadefender Kiosk can only process files on devices with Windows file systems. It does not detect Linux or Macintosh file systems.

Operating System - Windows 7 / 8 / 8.1 / 10 / 2008 R2 / 2012 / 2012 R2 / 2016

Windows Installer - 4.5 or higher

Adobe Flash Player - 10.1 or newer

Internet Explorer - Install the latest official (non-beta) version of Internet Explorer from . If you are configuring Metadefender Kiosk on a tablet, you can Microsoft’s website

disable the touchscreen zoom functionality by creating a DWORD value ZoomDisabled with the value of 1 in the registry key (HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/Zoom).

OPSWAT Metadefender Core® - In order to scan files with Metadefender Core's multi-scanning capabilities, Metadefender Kiosk requires a Metadefender Core server. You can install the Metadefender Core server on the same machine as Metadefender Kiosk, or a separate machine. The requirements for Metadefender Core vary depending on which version you plan to use. Metadefender Kiosk version 3.2.0 and later require Metadefender Core version 3.10.1 or later. If Metadefender Kiosk is installed on the same system as Metadefender Core, Metadefender Core 3.11.0 or later is required. Refer to the for installation instructions for Metadefender Core Product DocumentationMetadefender Core.

Installed third party components

The following third party components are installed as part of the Metadefender Kiosk installation process. These components may be shared with other applications.

https://get.adobe.com/flashplayer

http://windows.microsoft.com/en-us/internet-explorer/download-ie

http://software.opswat.com/metascan/Documentation/Metascan/documentation/Metascan_Documentation.htm

v3.13.0 390

All of these are required by Metadefender Kiosk. Uninstalling them may result in unexpected behavior of other applications.

Component Details

IIS express IIS express 7.5 (Metadefender Kiosk 3.2.0 or older)

IIS express 8.0 (Metadefender Kiosk 3.3.0 or newer)

.NET framework 4 Client Profile

Extended

Microsoft Visual C++ redistributable

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86



Microsoft Visual C++ 2012 Redistributable (x86)

Microsoft Visual C++ 2013 Redistributable (x86)

MongoDB An open source database that uses a document-oriented data mode.

Installed Windows services

The following Windows services are installed as part of the Metadefender Kiosk installation process.

Metadefender Kiosk REST

Metadefender Kiosk

Ports that need to be available

The following ports need to be available for the machine Metadefender Kiosk is installed on.

Component/service Port

Metadefender REST 8009

http://www.iis.net/learn/extensions/introduction-to-iis-express/iis-75-express-readme#Installation

http://www.iis.net/learn/extensions/introduction-to-iis-express/iis-80-express-readme

v3.13.0 391

1.

Component/service Port

MongoDB 27019

Application directory and registry key

Installation location

You can choose the installation location for Metadefender Kiosk.

Application directory

The %PROGRAMDATA%\OPSWAT directory is used for storing Metadefender Core application data. It also stores the license file.

Registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OPSWAT is the registry key for all OPSWAT products.

Temporary directory used for processing files

When processing files, Metadefender Core uses the temporary directory (c:\windows\temp).

Antivirus whitelist requirements

You must whitelist any process running out of the Metadefender Kiosk installation directory. Best practice is to exclude the folder from any real-time antivirus protection

Programs not uninstalled during uninstallation process

If you uninstall Metadefender Kiosk, Microsoft Runtimes, .NET, and IIS Express are not removed.

1.2. Installing Metadefender Kiosk Using the Install Wizard

Go to and click http://portal.opswat.com/en/product-categories/metadefender-kiosk. Download

If you are not already logged in to the portal, you will be prompted to login.Note:

http://portal.opswat.com/en/product-categories/metadefender-kiosk

v3.13.0 392

1.

2.

3.

Open the downloaded executable and click . The Welcome window appears. Run

Click . The Setup Progress window appears, followed by the Setup Wizard StartWelcome window.

v3.13.0 393

3.

4.

5.

Click . Next The End User License Agreement window appears.

v3.13.0 394

5.

6.

7.

8.

Read the EULA, select the checkbox, I accept the terms in the License Agreementand then click . The Custom Setup window appears. Next

Change the default location of the Metadefender Kiosk components, if required, using the button. Click to view a window that displays the disk space Browse Disk Usage

requirements for Metadefender Kiosk, and the amount of available disk space for the selected location. Click to reset the location to the default.Reset

It is recommend to install Metadefender Kiosk in the default location.Note:

Click . The Ready to Install window appears. Next

v3.13.0 395

8.

9.

10.

1.

2.

3.

Click . A window appears which displays the status of the installation process, Installfollowed by the Completed window.

Click . The Setup Complete window appears. Finish

Click . Metadefender Kiosk is now installed. Close

1.3. Installing Metadefender Kiosk from the Command Line

Verifying windows installer

To install Metadefender Kiosk from the command line, you must have Windows Installer 3.0 or higher. To verify what version you have:

Open Windows Explorer and go to C:\Windows\System32.

Right-click MSI.DLL and select the menu. Properties

v3.13.0 396

3. Click the tab to check the version. Details

If 3.0 or higher is not installed, you can download it at .Microsoft.com

Command line options

The following command line options are available with Metadefender Kiosk. All arguments are case sensitive.

Command Line Option Description Example

/install Install Metadefender Kiosk

c:\Metadefender Kiosk.exe /install

/uninstall Uninstall Metadefender Kiosk

c:\Metadefender Kiosk.exe /uninstall

/log <log-file-name> Create installation log file

c:\Metadefender Kiosk.exe /log c:\omsinst.log

/quiet Run Metadefender Kiosk installation silently

c:\Metadefender Kiosk.exe /logc:\omsinst.log

INSTALLLOCATION=<install-path>

Sets the installation location for Metadefender Kiosk

c:\Metadefender Kiosk.exe /i INSTALLLOCATION="c:\Metadefender"

1.4. Managing License Information

Metadefender Kiosk requires a valid license to be applied before you can use it. You can apply your Metadefender Kiosk license on the License page in the Metadefender Kiosk Management Console.

https://www.microsoft.com/en-us/download/details.aspx?id=8483

v3.13.0 397

If Metadefender Kiosk is not connected to the Internet, you can use the offline activation functionality of Metadefender Kiosk. Follow the instructions on the License page to activate Metadefender Kiosk.

v3.13.0 398

1.

2.

3.

4.

5.

If your Metadefender Kiosk license has expired or is invalid, the Metadefender Kiosk user interface displays an error and does not allow you to proceed.

1.5. Upgrading Metadefender Kiosk

You can upgrade Metadefender Kiosk to a newer version. Before upgrading, be sure to back up your configuration profiles as indicated below.

If Metadefender Kiosk is running, close it.

Backup your configuration settings and save your data log as instructed in Backing Up and Restoring the Configuration.

Uninstall Kiosk from control panel add / remove program.

Install the new version of Kiosk using one of the following methods:

1.2. Installing Metadefender Kiosk Using the Install Wizard

1.3. Installing Metadefender Kiosk from the Command Line

Restore your configuration settings as instructed in Backing Up and Restoring the .Configuration

The encryption method for passwords saved in the Metadefender Kiosk configuration changed with Metadefender Kiosk 3.3.2. Importing a configuration from versions prior to Metadefender Kiosk 3.3.2 will not import passwords.

Backing Up and Restoring the Configuration

To backup or restore the Metadefender Kiosk configuration, click in the top- Back Up / Restoreright corner of the Configuration page.

v3.13.0 399

Downloading a configuration backup

Click to download a file with all of the Metadefender Kiosk configuration Download Backupsettings saved.

If you select the checkbox, the backup will also Include Metadefender Core Configurationinclude all configuration settings from the Metadefender Core server. This option is only available if the Metadefender Core server has already been configured in Metadefender Kiosk.

Restoring configuration settings

To restore settings on this or a different Metadefender Kiosk system, upload the configuration settings file using the button in the Restore From Backup section.Browse

Optional Steps to Preserve Data

If you are installing Metadefender Kiosk on a system where there was a previous version installed, the following folders should be copied to a safe location prior to upgrading:

Metadefender Kiosk Log Directory

Default Location: C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\Log

2. Kiosk Hardening

OPSWAT recommends that the following additional setup is performed if Metadefender Kiosk is deployed on a dedicated system.

v3.13.0 400

1.

2.

3.

4.

1.

2.

3.

4.

5.

6.

Auto login

If Metadefender Kiosk is being used on a dedicated system we recommend that the Windows system on the kiosk is configured to auto-login into the account with Administrator privileges that Metadefender will run with. If the Metadefender Kiosk system is part of a domain additional steps may be required to allow this.

User Access Control (UAC)

OPSWAT recommends that UAC is disabled on systems that are being used as dedicated Metadefender Kiosks. If UAC is not disabled Metadefender Kiosk's print functionality may not work correctly. Metadefender Kiosk's watchdog functionality will also not work correctly if UAC is not disabled.

There are two ways to completely disable UAC in Windows:

By editing the registry

Click and type "regedit.exe" to open the Registry Editor. Start

Navigate to the registry key at HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > .Windows > CurrentVersion > Policies > System

Set EnableLUA to 0.

Restart Windows.

By adjusting Local Group Policy settings

Click and type "gpedit.msc" to open the Group Policy Editor. Start

Navigate to Computer Configuration > Windows Settings > Local Policies > Security .Options

After clicking Security Options, the right pane populates with your policies. Locate the ones for User Access Control.

Set "Run all administrators in Admin Approval Mode" to "Only elevate executables that are signed and validated."

Set "Switch to the secure desktop when prompting for elevation" to "Disabled."

Restart Windows.

v3.13.0 401

1.

2.

3.

1.

2.

3.

4.

5.

1.

2.

3.

1.

2.

Windows Update

Install all patches and updates available through Windows Update. Once all updates are installed, OPSWAT recommends that automatic updates are turned off to prevent system reboots.

Navigate to .Start > Control Panel > Windows Update > Change settings

Select from the menu.sNever check for update

Click or and close the dialog box. Apply OK

If turning off automatic updates is not desired, you must configure a mechanism or process to restart Metadefender Kiosk system. We recommend using standard organizational patch practices and tools.

Setting the screen saver and power saving options

Select the maximum performance power saving option.

Navigate to .Start > Control Panel > Power Options

Click . Change plan settings

Click . Change advanced power settings

Select from the menu. High Performance

Click . OK

You should turn off the screensaver.

Navigate to .Start > Control Panel > Personalization > Change screen saver

Select from the menu. ( None)

Click or and close the dialog box. Apply OK

Disabling mouse cursor pointer

Note: This configuration is optional. Once these steps are taken, there will be no visible mouse pointer.

OPSWAT recommends that mouse cursor points are turned off after Metadefender Kiosk has been configured.. If the system touchscreen configuration software does not have this feature, it can be done manually by following the steps below:

Navigate to .Start > Control Panel > Mouse

Click the tab. Pointers

v3.13.0 402

3.

4.

5.

Browse to C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\blank.cur.

Customize each pointer type to the provided blank pointer, blank.cur

Click and close the dialog box. Apply

Disabling hotkeys

By default, the Kiosk will ignore any command that is a combination of Ctrl and another key.

The Ctrl + Alt + Del combination is disabled once you launch the Kiosk UI first time. When a user presses these keys, the following screen appears and it is expected.

if you want to disable completely where nothing happens, please follow 2.2. Disabling Windows .Hot Keys

Other system hardening configuration

Metadefender Kiosk does the following system hardening when installed:

Disables auto-run on all plug-and-play media and drives

Captures and disables all Hotkey combinations such as Windows Key, Alt+Tab, etc.

CORS Configuration

see for more detailed instruction Limit Access to the REST Server

2.1. Configuring the Web Server

Metadefender Kiosk's Management Console relies on REST interface which runs on HTTP by default. You can configure the REST server for the following to harden the system.

changing the default port number

setting up an HTTPS server to enforce a secure connection between server and client

v3.13.0 403

1.

2.

3.

limiting the systems that have access to the REST server

Changing the Default Port Number

You can change the default port number of the REST server to any available port if the default port number is already in use.

To change the default port number, locate the <binding> tag in the applicationhost.config file located here: C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\REST\Config\applicationhost.config.

Limit Access to the REST Server

You can harden Metadefender Kiosk's cross-origin resource sharing (CORS) configuration to only allow access to the REST server for a restricted list of systems.

To limit access to the REST server, do the following:

Open the web.config file in Program Files (x86)\OPSWAT\Metadefender Kiosk\REST\Web\web.config.

Change the following line:

<add name="Access-Control-Allow-Origin" value="*"/>

to

<add name="Access-Control-Allow-Origin" value="http://localhost"/>

Next, add a new rule to <system.webServer><rewrite><outboundRules>:

v3.13.0 404

3.

1.

2.

3.

4.

<rule name="Allow CORS on specify ip/subnet" > <match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern=".+" /> <conditions> <add input="{REMOTE_ADDR}" pattern="^(192.168.200.*|192.168.201.102)$" /> </conditions> <action type="Rewrite" value="*" />....</rule>

Run REST on HTTPS

By default, communication with the REST web server is not encrypted. If you set up an HTTPS server, the server can enforce secure connections between client and server on an SSL channel. This section describes how to configure IIS Express to host an HTTPS server.

Requirements

In order to set up an HTTP server, you must have a trusted certificate issued by a certificate authority or a self-signed certificate used for development testing.

See the Installing a Certificate section below for information on how to install a self-signed server certificate.

Go for information on how to install a certificate authority-signed server certificate.here

Installing a certificate

To install a certificate, do the following:

Click on the Start menu, type “MMC.exe” in the search box and press Enter.The MMC window appears.

Select .> File Add/Remove Snap-In

In the Available snap-ins drop-down menu, select and click . Certificates Add

Select , click , and then click . Computer account Next Finish This process creates a certificate for all user accounts. The certmgr.msc command Tip:

only creates a certificate for the current user account.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a2f35fcd-d3b6-4f39-ba93-041a86f7e17f.mspx?mfr=true

v3.13.0 405

4.

5.

6.

7.

8.

Click to load the certificates snap-in. OK

Expand the Certificates menu and browse to your certificate location.The image below uses the metascan_rest certificate as an example. Your Note:

certificate can have any name.

Double-click the certificate name you want to use for the Metadefender REST Server and go to the Details tab.

Select in the list and copy the value to a text editor for later use. Thumbprint

v3.13.0 406

8.

9.

10.

11.

1.

2.

3.

Click on the Start menu and open a command prompt.

Execute the following command:netsh http add sslcert ipport=0.0.0.0:443 appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash=<certificate thumbprint retrieved on step 8>

Be sure to remove any spaces in the thumbprint so the command can execute Note:properly.

The following message appears indicating that the SSL Certificate was successfully added.

Enabling HTTPS on IIS Express

To enable HTTPS on IIS Express, do the following:

Open the REST Config folder (e.g., C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\REST\Config).

Open the applicationhost.config file in a text editor.

v3.13.0 407

3.

4.

5.

6.

7.

8.

9.

Go to the <sites> tag and add the HTTPS binding to the ‘metadefender_rest’ website.See the image below for details.Note:

Save and close the applicationhost.config file.


Stop the Metadefender REST server by executing the following command: net stop omdREST

Restart the Metadefender REST server by executing the following command: net start omdREST

Test that the site works by visiting . The following message should https://localhostappear:

For additional information see 5.1. Trusting an HTTPS Metadefender Core Server

2.2. Disabling Windows Hot Keys

You can completely disable Windows hot keys Ctrl+Alt+Delete and Windows+L. After disabling the hot keys, nothing happens when the hot keys are pressed.

https://localhost/

v3.13.0 408

1.

2.

3.

Disabling Ctrl+Alt+Delete

You must first disable "Windows secure logon", so that you do not need to press Ctrl+Alt+Delete from the windows login screen. Use one of the following procedures.

- Windows 7 http://pcsupport.about.com/od/windows7/ht/auto-logon-windows-7.htm - Windows 8 http://www.eightforums.com/tutorials/5761-secure-sign-ctrl-alt-delete-

enable-disable-windows-8-a.html - Windows 10 https://www.tekrevue.com/tip/skip-windows-10-login-screen/

- Windows 2008 http://www.expta.com/2008/04/how-to-enable-autologon-for-windows.html

While signed in as an Administrator, open the command line and run the following command:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 0000000000000000030000004de01de04be01d0000000000 /f

Log out of the system and log in again. To re-enable Ctrl+Alt+Delete, run the following command line.

reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /f

Disabling Windows+L

Run the following command line.

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

To re-enable Windows+L, run the following command line.

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 0 /f

http://pcsupport.about.com/od/windows7/ht/auto-logon-windows-7.htm

http://www.eightforums.com/tutorials/5761-secure-sign-ctrl-alt-delete-enable-disable-windows-8-a.html

http://www.eightforums.com/tutorials/5761-secure-sign-ctrl-alt-delete-enable-disable-windows-8-a.html

https://www.tekrevue.com/tip/skip-windows-10-login-screen/

http://www.expta.com/2008/04/how-to-enable-autologon-for-windows.html

http://www.expta.com/2008/04/how-to-enable-autologon-for-windows.html

v3.13.0 409

3. Management Console for Administration

The Metadefender Kiosk Management Console allows you to manage the Metadefender Kiosk system through a web browser. The Metadefender Kiosk Management Console can be accessed through any browser at .http://<Metadefender Kiosk System>:8009/management

When you open the Metadefender Kiosk Management Console, the Dashboard appears. This page displays a summary of all of the files that Metadefender Kiosk has processed.

If Metadefender Kiosk has been configured with a Metadefender Core server, the dashboard for the Metadefender Core server also appears.

v3.13.0 410

4. Kiosk Authentication / User Workflow

Metadefender Kiosk Workflow is based on list of users from the authenticated system. If you disable user authentication, only one workflow can be applied. Metadefender Kiosk lets you assign different Kiosk options to different groups of users, called workflows. For example, you can assign users to the Only Docs workflow if they are only allowed to scan office documents, and you can assign users to the No EXE/Archives workflow if you want to block all executable files and archives for these users. You can create new workflows and edit any default ones. The page contains all workflows in Metadefender Kiosk.Workflow Profiles

For each workflow, you can do the following:

Edit the name and assign users to the workflow

Create and edit user questions

Select the allowed media types

Select a Metadefender Core Server

Select how to handle processed files

Use variables in post-processing scripts

Manage printing options

Manage email options for session scan logs

v3.13.0 411

4.1. Workflow Profiles Page

You can edit or create new workflow profiles on the Workflow Profiles page of the Metadefender Kiosk Management Console. You can also enable user authentication.

Note: Any users (Windows or Guest) that are not included in one of the defined profiles will be assigned the Default profile.

Note: Workflow profiles labeled with an "!" do not match with any existing Core profile names (V3) or security rules (V4). You must select a corresponding Metadefender Core in the

section.Selecting A Metadefender Core Workflow

The followings are the default workflows:

Name Description

Default Users that are not covered by other profiles.

Guest Account used when Guest Login is selected.

Block EXE Blocks executable files.

Convert Docs Only allows documents and converts all documents to safe formats.

v3.13.0 412

Name Description

Copy Clean Copies all clean files to new user-provided media.

High Security Recommended workflow for high security environments.

No EXE/Archives Blocks all archives and executables.

Only Docs Profile for users that only need to bring in Office documents.

Enabling user authentication

To enable user authentication, select the checkbox on the Require user authenticationWorkflows page.

If you enable user authentication, you can choose between using the default Metadefender Kiosk authentication or using a custom authentication module that has been installed on that Metadefender Kiosk. For more information, see . If you are Managing Custom Authenticationusing the default Metadefender Kiosk authentication you can choose between authenticating against the local Active Directory (Windows user login), a remote Active Directory server, or not enabling authenticated login.

Windows user login

If Windows user login is enabled, you can choose whether to restrict the users by domain. If selected, only users on the same domain as the Metadefender system are allowed to use Metadefender through the Kiosk interface. If this is not selected, users will be able to enter authentication information for users on any domain as well as local system users.

v3.13.0 413

Remote Active Directory

If Remote Active Directory authentication is enabled, the URL of the remote Active Directory server, as well as user credentials to authenticate against the server are required. These credentials will be used to retrieve the list of users from the remote Active Directory server for the purposes of assigning users to specific workflows.

Note: when using the Remote Active Directory authentication the Kiosk end user credentials are not used for copying files as part of the Metadefender Kiosk workflows.

Creating a new workflow profile

To create a new workflow profile, click . You will be guided through the Create New Profileprocess of creating a new Metadefender Kiosk Workflow profile. After the profile has been created, each step in the workflow can be edited independently.

v3.13.0 414

1.

2.

1.

2.

4.2. Properties & Membership

The Properties & Membership page lets you specify the name and description for a Metadefender Kiosk workflow profile. It also lets you manage the users assigned to that profile. You can add both domain users (the domain of the Metadefender Kiosk system) as well as local system users.

To add users to the profile:

Select the user(s) from the Available To Add section.

Click . The user(s) appear in the Members section. Add

To remove users from the profile:

Select the user(s) from the Members section.

Click . The user(s) appear in the Available To Add section. Remove

if you assign a user who is already on another workflow to new workflow, the user will be removed from the previous workflow and assigned to the new workflow.

4.3. Managing User Questions

The User Questions Policy page lets you create questions for users to answer before processing files. You can require that these questions be answered before the user is allowed to continue. Any required responses are stored in the User Question section of the session log.

v3.13.0 415

4.4. Allowed Media Types

The Allowed Media Types page lets you select which media types (CDs/DVDs and/or floppy disks) Metadefender Kiosk can process for the selected workflow profile.

4.5. Selecting A Metadefender Core Workflow

In order to use the multi-scanning functionality of Metadefender Core, Metadefender Kiosk requires a Metadefender Core Server. The Metadefender Core Server can be installed either locally on the same system as Metadefender Kiosk or remotely on another machine. The Metadefender Core Workflow page lets you select if you want to use a Metadefender Core Server to process files. By default, Metadefender Kiosk uses a locally installed Metadefender Core Server if one is available. To specify a remote Metadefender Core Server, use the Remote Metadefender Core Server URL option in the Advanced Configuration settings of the

page.Configuration

v3.13.0 416

There is also the option to define a max file size to be scanned by Metadefender Core, all files larger than this will still be processed by Kiosk without being processed by Core. The files that are larger are treated as allowed and are marked as skipped.

The Workflow Identifier drop-down menu determines which Metadefender Core workflow/security rule is used to process files from Metadefender Kiosk.

Metadefender Kiosk 3.3.6 or lower

Metadefender Core 3.12.3 or lower: The value for Workflow Identifier is the user_agent of a Metadefender Core workflow profile. If the specified Identifier does not match the user_agent values for any workflows in Metadefender Core, the Default workflow will be used.

Metadefender Core 4.x: The value for Workflow Identifier must match the name of the desired Security Rule defined in Metadefender Core. If there is no rule that matches the value specified, Metadefender Kiosk will not be able to process files.

Metadefender Kiosk 3.4.0 or greater

Metadefender Core 3.12.4 or greater: The value for Workflow Identifier is the name of a Metadefender Core workflow profile. If the selected value does not match the profile name for any workflows in Metadefender Core, the Default workflow will be used.

Metadefender Core 4.x: The value for Workflow Identifier must match the name of the desired Security Rule defined in Metadefender Core. If there is no rule that matches the value specified, Metadefender Kiosk will not be able to process files.

4.6. Selecting How to Handle Processed Files

The File Handling page is divided into two sections: actions to take on blocked files, and actions to be taken on allowed files. You can set different file handling options for each, including copying to either new media or a network path.

v3.13.0 417

Stop processing if a blocked file is found

Selecting this option will cause a Kiosk session to stop processing immediately after the first blocked file is found. Kiosk will alert the user that a blocked file was found and go directly to the session summary after the user has acknowledged the message.

Deleting, removing or taking no action on files

You can choose for this workflow to automatically delete blocked or allowed files that have been sanitized by Metadefender Core, take no action on blocked or allowed files, or remove non-sanitized blocked files.

To delete blocked or allowed files that have been sanitized by Metadefender Core, select the If a file has been sanitized by the Metadefender Core workflow, delete the original file

checkbox.

To take no action on blocked or allowed files, select the radio button.No Action

To remove any non-sanitized blocked files, select the radio button, then select Remove file Quarantine or Deleted from the drop-down menu.

Copying files to a designated location

You can configure files to be automatically copied to a designated location as part of the post-processing step in the Copy to section. Metadefender Kiosk will copy files to the directory specified by one of the three naming conventions below, depending on which option you select.

Note: If a file has been sanitized by Metadefender Core's Data Sanitization and Copy to is selected here, the sanitized file will be copied to the desired location, not the original file.

v3.13.0 418

Directory

The Directory field allows you to specify a specific location for blocked or allowed files.

You can use the pre-defined ‘%%%username%%%’ variable within the designated location in the Directory field to allow Metadefender Kiosk to copy files to a folder (e.g. ‘username’). This is for the user logged into the session. When Windows authentication is not enabled, or guest login is used, the %%%username%%% variable is replaced by the session ID.

You can copy files to a remote server(network share) by providing a UNC path. To allow for more restrictive permissions on a network share, a Metadefender Kiosk profile will need to be created containing users that have, at minimum, write permission to the network share. When a user logs into a session, Metadefender Kiosk will attempt to use the permissions of the user to copy files to the network share.

This section contains three directory name options:

v3.13.0 419

Copy to directory named with the unique session ID: Copies files to a directory identified by the session ID.

Copy to directory named with the session start time (GMT): Copies files to a directory identified by the session start time.

Keep the same folder structure as on original media (no subfolders): Copies files to the same directory as in the original media.

User media

You can also enable files to be copied to media that the Kiosk user provides. If you select the User media checkbox, the user will be prompted to insert media that the files are to be copied to. You can also select the Allow Copying to Floppy Drives option, if desired.

Metadefender Secure File Transfer Server

See for instructions and more details.6. Configuring with SFT

SHA-256 Verification

If you select the SHA-256 Verification checkbox, Metadefender Kiosk compares the hash value of files on the target directory with the ones from the original directory. Metadefender Kiosk displays and logs any mismatches. Metadefender Kiosk will not retry copying files in case of a hash value mismatch.

Delete after copy

Select this checkbox if you want Metadefender Kiosk to delete the blocked or allowed file after copying it to the specified location.

4.7. Custom Command Line Script

How To Configure

The File Handling page also allows you to run post-processing scripts via the Run custom command line script option. You can use variables from the table below in post-processing scripts. After entering your scripts, click . Apply

v3.13.0 420

For example, the following command line will copy the file that was analyzed by Kiosk to "E:\MD_POST_ACTION_BY_PAC" folder and delete after the copy.

copy /y %%%file_path%%% E:\MD_POST_ACTION_BY_PACdel /q %%%file_path%%%

Metadefender does not validate your script so make sure to test your script before configuring with Kiosk.

Using Pre-defined Variables in Your Command Line Scripts

Variable Description Notes

%%%file_path%%% The absolute path to the file to be scanned.

%%%threat_name%%%

The name of threats found by engines. This variable only applies to infected (“1”) scan results.

%%%scan_finished%%%

The time when the scan was finished.

%%%ticket_id%%% A random number assigned to each scan request.

v3.13.0 421


%%%scan_results%%%

The scan outcome return type. The scan outcome return types are listed below:

No threat detection 0 - No threat found:or the file is empty.

Threat is found.1 - Infected/Known:

Classified as possible 2 - Suspicious:threat but not identified as specific threat.

Scanning is not fully 3 - Failed To Scan:performed (for example, invalid file or no read permission).

Threat is found and file is 4 - Cleaned:cleaned (repaired or deleted).

Unknown scan result.5 - Unknown:

File is quarantined.6 - Quarantined:

Scan is skipped 7 - Skipped Clean:because this file type is in whitelist.

Scan is skipped 8 - Skipped Dirty:because this file type in in blacklist.

Threat is 9 - Exceeded Archive Depth:not found but there are more archive levels which were not extracted.

Scan is skipped by 10 - Not Scanned:the engine either due to update or other engine specific reason.

All ongoing scans are 11 - Aborted:purged by StopScan API call.

File/buffer is not 12 - Encrypted:scanned because the file type is detected as encrypted (password-protected).

The 13 - Exceeded Archive Size:extracted archive is larger than set in the maximum file size for archive.

v3.13.0 422


14 - Exceeded Archive File Number:There are more files in the archive than set in the maximum number of files extracted.

%%%process_result%%%

The process outcome

allowed

blocked

4.8. Managing Printing Options

The Printing Policy page lets you determine whether users have the option to print a receipt of their session and if so, what information will be included on the receipt. You can also choose to have the receipts print automatically at the end of each session.

Note: Metadefender Kiosk will use the printer which is set to default to the system.

v3.13.0 423

4.9. Email Session Report

The Email Session Report page lets you set up automatic emails that are sent to a designated recipient after each session is completed. The email includes the session log as an attachment. To enable this feature, move the slider on the right hand side of the page to . On

SMTP settings are configured in the Advanced Configuration section of the .Configuration page

5. Configuring a Metadefender Core Server

Metadefender Kiosk requires a Metadefender Core Server for multi-scanning functionality.

Metadefender Kiosk automatically connects with a Metadefender Core Server that is installed locally on the same system as Metadefender Kiosk. However, if you are using a remote Metadefender Core Server with your installation of Metadefender Kiosk, configure your Metadefender Core Server as detailed below.

Setting up your Metadefender Core Server with Metadefender Kiosk consists of the following steps.

Detecting the Metadefender Core server URL

Authenticating your configuration

Associating workflows in Metadefender Kiosk to workflows in Metadefender Core

v3.13.0 424

1.

2.

3.

1.

2.

Detecting the Metadefender Core server URL

If Metadefender Core is installed on a remote machine from Kiosk, the server URL must be specified.

Access your Metadefender Kiosk Management Console at http://<Metadefender Kiosk System>:8009/management. You can also access the Kiosk Management Console using Windows > > .Start OPSWAT Metadefender Kiosk Management Console

Click and enter your Metadefender Core Server's URL. Configuration

You can enter a backup server if you have on in case the primary server become inaccessible, its license expires, or other issues the primary server might encounter.

Authenticating your configuration

If you are using Metadefender Core Version 4, you must authenticate your configuration. This authentication is optional with Metadefender Core Version 3. You must obtain the API key from the Metadefender Core Management Console and enter that information on Kiosk Management Console's Configuration page.

Authenticating your configuration when using Metadefender Core Version 3

To obtain your Metadefender Core API key, go to Metadefender Core Management Console.

v3.13.0 425

2.

3.

4.

5.

1.

2.

Click the Configuration tab and then c lick Scan Configuration .

Scroll down to the API Key section and copy the value in the API Key field.

Return to the Metadefender Kiosk Management Console and click the Configurationtab.

Paste your Core API Key value in the API Key field.

Authenticating your configuration when using Metadefender Core Version 4

To obtain your Metadefender Core API key, access your Metadefender Core 4 Management Console.

v3.13.0 426

2.

3.

4.

Click and then click . Settings User Management

Click any user name.

Copy the contents of the APIKEY field.

v3.13.0 427

4.

5.

6.

7.

1.

2.

Click to save and close the window. OK

Return to the Metadefender Kiosk Management Console and click the Configurationtab.

Paste your Core API Key value in the API Key field.

Associating workflows in Metadefender Kiosk to workflows in Metadefender Core

Refer to .4.5. Selecting A Metadefender Core Workflow

5.1. Trusting an HTTPS Metadefender Core Server

In order to allow a Metadefender Kiosk to work properly with a Metadefender Core server, configured to use HTTPS, the certificate must be trusted on the system the Metadefender Kiosk resides on.

Trusting local or remote self signed security certificate

If you are using this guide on the local computer you should access and install the certificate from the DNS address (e.g. https://frosty7c/)

Open Internet Explorer and access the Metadefender Core dashboard (e.g. https://frosty7c/)

Click Continue to this website

https://frosty7c/

v3.13.0 428

2.

3.

4.

5.

Click Certificate error

Click View certificates

Click Install Certificate...

v3.13.0 429

5.

6.

7.

8.

Select either or and click nextCurrent User Local Machine

Select and click browsePlace all certificates in the following store

v3.13.0 430

8.

9.

10.

11.

12.

13.

14.

Select and click OKTrusted Root Certification Authorities

Select Next, then select Finish

Restart your Internet Explorer and navigate to the same page again

You should now see a locked padlock instead of a certificate error

Run certmgr.msc

Select → Trusted Root Certification Authority Certificates

Right click the → → DNS name All Tasks Export

v3.13.0 431

14.

15.

16.

17.

18.

19.

20.

21.

Click Next → Next → Browse

Choose anywhere to save the certificate and hit save

Click Next → Finish

Run mmc

File → Add or Remove Snap-in

Select and click Certificates Add

Select and hit nextComputer account

v3.13.0 432

21.

22.

23.

24.

Click finish then click ok

Select → CertificatesTrusted Root Certification Authority

Right click → → Certificates All Tasks Import

v3.13.0 433

24.

25.

26.

27.

Click next

Select the file you created previously

Click Next → Next → Finish

6. Configuring with SFT

Change on management console

If you select the Metadefender Secure File Transfer Server checkbox, you must also enter the following information:

Server URL: Enter SFT REST server's URL in this field.

v3.13.0 434

1.

2.

3.

1.

2.

a.

b.

3.

a.

Add Token: Enter token information in this field. You can obtain token information from the Metadefender Secure File Transfer management interface.

Select an SFT account option for file uploads: Choose an SFT account option in this section.

Maximum File Upload Size: Choose a size limit for uploaded files.

SFT account options for file uploads

If you select the radio button, Metadefender Always upload to an SFT guest accountKiosk creates and provides a temporary guest login ID to the Kiosk user both on the scan results screen as well as in the digital and printed logs.

If you select the radio button, eAttempt to use user credentials if they are availabl Metadefender Kiosk uploads files to the user account that matches the one used during authentication.

If authentication fails, files will be uploaded to the SFT guest account.

6.1. Arbit Data Diode configuration

This guide describes how to deploy Metadefender Kiosk, an Arbit data diode, and a Metadefender SFT server for the following use case.

Portable media is scanned by Metadefender Kiosk.

Clean files are passed through an Arbit data diode to an SFT Server.

User downloads files from the SFT server.

System Deployment

The following should be done before configuring the individual systems.

Install Metadefender KIosk with Metadefender Core on the low-side network

Install the Arbit data diode with the receiving side in the low-side network and the transmitting side on the high side network

Assign a static IP address to the low side

Assign a static IP address to the high side

Install the SFT server on the high side network

Assign a static IP address

v3.13.0 435

1.

a.

2.

1.

a.

1.

2.

a.

3.

4.

SFT Server Configuration

Create the known user accounts on the SFT server

Note the account that should be used as the 'from' account for files coming from Metadefender Kiosk

Generate the Authorization token

Arbit Data Diode Configuration

Define the URL list on the high side of the data diode to include the SFT server

URL List includes http://<SFT IP Address>:8000/sft_rest/file

Metadefender Kiosk Configuration

Configure the appropriate Metadefender Kiosk workflow profile to enable Copy To SFT in the post-action

Put in the URL of the data diode low-side receiver

http://<diode low-side IP address>:8080/pitcherrestapi/transfer/<URL List>

Enter the Authorization token generated by the SFT Server

Enter the Sender SFT account that was created on the SFT server

7. Additional Kiosk Configuration

The Metadefender Management Console allows you to manage the Metadefender Kiosk system through a web browser. The Metadefender Management Console can be accessed through any browser at http://<Metadefender Kiosk System>:8009/management

Note: If a license has not been previously applied to a Metadefender Kiosk installation, opening the Metadefender Management Console will direct the user to the ‘License’ page so that a Metadefender license can be applied.

Dashboard

The Dashboard will be the first page that is seen when opening the Metadefender Management Console. This page provides a summary of all of the files that have been processed by Metadefender Kiosk.

v3.13.0 436

If Metadefender Kiosk has been configured with a Metadefender Core server, the dashboard for the Metadefender Core server will also be displayed.

v3.13.0 437

Configuration

The Configuration page allows you to configure all Metadefender Kiosk settings that apply to all users of Metadefender Kiosk . Metadefender Kiosk configuration settings can also be saved from this page to be restored at a later date or on another Metadefender Kiosk system.

Advanced configuration options can be set by expanding the ‘Advanced Configuration’ section of the Configuration page. To display advanced options, click on the arrow to expand the settings

v3.13.0 438

7.1. UI Localization / Customization

You can change the language displayed in Metadefender Kiosk from the ‘Choose Language’ drop-down menu. The default languages included in the installation are English, Arabic, Hebrew, Korean, Vietnamese, German, and Japanese. Furthermore, if you wish to add a language to the Metadefender Kiosk UI or edit the translations of any of the existing languages, you can do so by clicking on ‘View and edit languages’.

After clicking 'View and edit languages' you can edit the translations for any of the strings which appear in Metadefender Kiosk. You can choose which language to edit from the drop-down menu next to ‘Choose language to update’. Once finished, click on ‘Apply’ at the bottom of the page.

v3.13.0 439

If you wish to add a new language, click ‘Add Language’ and type in the desired language. On the following page you can create translations for each of the strings to be displayed in Metadefender Kiosk.

If the language you are adding reads right to left, make sure to check that box when editing your added language.

There is also an option to enable "dead keys". A dead key is a special kind of modifier key on a mechanical typewriter, or in this case a computer keyboard, that is typically used to attach specific diacritic to a base letter. For example, if a keyboard has a dead key for the grave accent (`), the French character à can be generated by first pressing ` and then A, whereas è can be generated by first pressing ` then E.

v3.13.0 440

Once finished, click ‘Save’ at the bottom of the page and your language will now appear in the Advanced Configuration section where it can be selected.

7.2. Watchdog Behavior

The watchdog is an additional process that monitors the running processes of the Metadefender Kiosk.In the case where the Kiosk exits unexpectedly, the watchdog will run a specified action to take.

Configure watchdog behavior

Action Description

Do nothing No action will be performed, the system will remain on the secure desktop

Restart Metadefender Kiosk

Metadefender Kiosk will be restarted while the system remains on the secure desktopFor a brief moment, a blank secure desktop will be displayed before the Metadefender Kiosk starts up again

Log out of Windows

The user currently logged into Windows will have their session terminated and be logged outThe system will exit out to the Windows OS login

Lock Windows

v3.13.0 441

Action Description

The user currently logged into Windows will be locked outThe system will exit out to the Windows OS login where the admin must log back into Windows

Restart Windows

The Windows system will be rebootedThe system will either return back to the Windows OS login or be logged in to the default Windows user (this is dependent on the system's automatic login settings)

7.3. Configuring User Settings

The Configuration page lets you configure user settings for Metadefender Kiosk. You can also save configuration settings to be restored at a later date or on another Metadefender Kiosk system.

v3.13.0 442

Setting an exit password

Select the Exit Password checkbox to require users to enter a password when exiting Metadefender Kiosk. After selecting this checkbox, two fields appear: and New password

. Confirm password

Entering API Key information for Metadefender Core

If you have configured Metadefender Core server to use an application programming interface (API) key, you can enter that key in the API Key field.

Configuring session log files

You can save session log files as a text or PDF file, and choose to save log files to a specific location on the system or to the processed media. By default, Metadefender Kiosk saves session log files to the Log folder in the Metadefender Kiosk installation directory.

v3.13.0 443

1.

a.

b.

2.

3.

4.

To save session log files:

To save session log files to the local system, select the Save session log file to local checkbox. This checkbox is selected by default. To disable this feature, system Note:

deselect this checkbox.

To have the session log files save to the Log folder in the in the Metadefender Kiosk installation directory, do nothing.

To enter a specific location other than the Log folder, enter the path of the folder in the text box provided.

To save session log files to the media being processed, select the Save session log file checkbox. This setting will not apply to read-only media, such as to processed media

CDs or DVDs.

Select the or radio button, depending on the output type Save as Text File Save as PDF of the session log files you prefer.

Display the Metadefender Core Server URL used in the session log allows for the Core URL, that was used for the session, to be displayed in the log file. This is useful when configuring a backup Core server and determining which server was used for a particular session.

Note: The save options are independent from each other. You can save session logs locally and/or save it to the processed media or disable session log files altogether.

Setting advanced configuration options

You can set advanced configuration options by expanding the Advanced Configuration section of the Configuration page. To display advanced options, click the arrow.

v3.13.0 444

Max number of parallel scan

The recommended value of parallel scans is 3x the number of physical processing cores available or 20, whichever is greater.

Multiple Partitions

Multiple Partitions

Option Only 1 Windows Partition

Only Windows Partitions

Mixed Windows and Non Windows Partitions

Only Mac / Linux Partitions

Block all media with multiple partitions

SCAN ONE BLOCKED BLOCKED BLOCKED

Process files on all accessible partitions

SCAN ALL SCAN ALL SCAN ALL BLOCKED

The action will mount every partition it can successfully mount. All partitions will SCAN ALL

be scanned by "Process All." The file browser will have the ability to select files on any partition.

v3.13.0 445

Managing the display language

You can also change the language displayed in Metadefender Kiosk from the Choose Language drop-down menu. Options include English, Arabic, Hebrew , Korean, Vietnamese, German or Japanese. If you wish to add a language to the Metadefender Kiosk UI or edit the translations of any of the existing languages, click . View and edit languages

The next page lets you edit the translations for any of the strings that appear in Metadefender Kiosk. You can choose which language to edit from the Choose language to update drop-down menu. Once finished, click . Apply

If you wish to add a new language, click and enter the name of the new Add Languagelanguage. On the following page, you can create translations for each of the strings that appear in Metadefender Kiosk.

v3.13.0 446

Once finished, click . Your language now appears in the Advanced Configuration section. Save

Session Report Email configuration

The last group of configuration options in the Advanced section are the SMTP settings for emailing session logs at the end of a session. Here you can enter the host, port, username and password, and whether or not to enable SSL. The sender, recipient, and the message of the email is configured per .Metadefender Kiosk Workflow

Configuration Field Descriptions and Default Settings

The following table provides a brief description and default values for the Kiosk Configuration screen.

Basic Configuration

Configuration Setting

Description Default Value Range

Remote Metadefender Core Server URL

URL of primary remote Core server (Blank)

API Key The API Key of the primary remote Core server, if one is set

(Blank)

Backup Core Server

URL & API key input for an additional Core server for the Kiosk to use if the primary is inaccessible

(Blank)

v3.13.0 447



Printer Setup Select the color of the printing output: Black & White or Color

Black & White

Side margins Left and right margin length

Recommended settings:3 for zebra printer200 for laser jet

3 0 or greater

Display the Core URL in the session printout

The URL of the Core used for a session will be displayed on the printout

Disabled

Save session log file to local system

Enables a session text/PDF log to be created at the end of a session in a location on the system

Enabled

Logging directory: <kiosk install dir>\Client\Log

Save session log file to processed media

Enables a session text/PDF log to be created at the end of a session on the media processed

Disabled

If enabled, the log will be saved to the root of the media

Save as Text File / Save as PDF

Specifies whether the session log file will be a text or PDF file

Text file

Display the Core URL in the session log

The URL of the Core used for a session will be displayed on the log file

Disabled

v3.13.0 448



Wipe Method Specifies which wipe options to display to the user

Format1 pass wipe3 pass wipe7 pass wipe

All wipe methods shown

0,1,3,7 pass wipe

Exit Password Require password when terminating the Kiosk UI (ALT + F4)

Disabled

Watchdog Custom action watchdog that will run when the Kiosk UI is unexpectedly terminated

Do nothingRestart Metadefender KioskLog out of WindowsLock WindowsRestart Windows

Restart Windows

Advanced Configuration



Wait time before processing

Time period to wait before allowing users to interact with the UI after the device (media) is detectedThis helps administrators to optimize time for device initialization (which have some latency after initial detection is reported to system)

5 seconds 0 or greater

v3.13.0 449



Max number of parallel scans

Maximum amount of concurrent process requests Kiosk will make to the Core server

20 0 or greater

Allow decryption of encrypted archives

Allows you to input passwords when encrypted archives are detected

Enabled

User Interface Timeout

The time the Kiosk UI will wait for a session to begin before automatically switching back to the idle screen

5 minutes 60 seconds or greater

Allow user to browse for files

Allow user to select files before processing media

Enabled

Alert user if Metadefender Core license is close to expiration

Alerts you on the Kiosk idle screen if the Core license is close to expiration

Disabled

Alert user if Metadefender Kiosk license is close to expiration

Alert you on the Kiosk idle screen if the Kiosk license is close to expiration

Disabled

Exit at end of session

Specifies if the system should exit Kiosk after a session completes

Disabled

Reboot at end of session

Specifies if the system should reboot after a session completes

Disabled

Choose Language The default language to be used for the UI English

v3.13.0 450



Multiple Partitions Selects the method for processing files on partitions

Process files only on accessible primary partition

Host IP or DNS of SMTP server 127.0.0.1

Port Port of the SMTP server 25

Enable SSL Enable the use of SSL Disabled

Username Username to authenticate to the SMTP server

(Blank)

Password Password to authenticate to the SMTP server

(Blank)

7.4. Session Logs

Metadefender Kiosk displays the most recent scanning sessions on the Logs page. You can select any of these sessions to view details from that scanning session.

v3.13.0 451

Searching by file hash or session ID

You can also search Metadefender Kiosk logs by either file hash (SHA256) or by Metadefender Kiosk session ID on the Session History page.

v3.13.0 452

If you search by session ID, Metadefender Kiosk displays a summary of the results of that session. Click any of the list items in the summary page to display the individual files that were included in that Metadefender Kiosk session.

v3.13.0 453

v3.13.0 454

Searching by specific file name

Click to upload a file to check if it has been processed by Want to upload a file to searchMetadefender Kiosk.

If you search by SHA256 hash code, Metadefender Kiosk displays a summary of all of the times that file was processed by Metadefender Kiosk.

Viewing session details

Click any of the items in the list to display details from the specific processing sessions.

Similarly, you can click any of the items in the new list to display the details from that specific session.

v3.13.0 455

7.5 Alert Sound Customization

To change the alert sound when threats are detected, replace <Kiosk install directory>\Client\en\res\alarm.wav with your own .wav file.

v3.13.0 456

The file name must be maintained or Metadefender Kiosk will not recognize the sound to play.

8. Launching Metadefender Kiosk

The Metadefender Kiosk application automatically launches upon system startup. If there is a system malfunction and you restart the system, Metadefender Kiosk re-initializes upon startup

If your Metadefender Kiosk license has expired or is invalid, the Metadefender Kiosk application displays an error and does not allow you to proceed.

After startup, the Idle Screen displays. If you would like to modify this screen, you can edit the file at C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\en\res\main-screenshot.png.

Note: An error message displays if Adobe Flash Player is not installed.

Touch the screen to start (or click on the screen if it is installed on a PC).

Touch to view a brief demonstration video. Help

8.1. Exiting the Kiosk User Interface

To exit the Kiosk UI, press . When exiting the UI, it may take a few minutes if kiosk is in +Alt F4the middle of processing media. It is not recommended to exit UI while Kiosk is processing media. It is strongly suggested to set exit password in order to prevent non-administrator to access the system.

To set exist password on management console:

v3.13.0 457

To set exist password on management console:

When exit password is configured:

9.1. Logging In on the User Authentication Screen

If user authentication is required, you must login either with a Windows user account or as a Guest. If both of those options are enabled, the following screen displays.

v3.13.0 458

If you login with a Windows account (or if only the Windows authentication is enabled and the guest login is disabled) the Sign in screen displays.

If you authenticate as a domain account, the domain must be specified in the field. Username

If you log in as a Guest, or if only the Guest login is enabled (and the Windows login is disabled), you must answer the user questions defined for the Guest profile (see Answering

).User Questions

After logging in with either your Windows credentials or as a Guest, your workflow is determined by the workflow profile settings configured in the Metadefender Kiosk Management Console. For more information on configuring multiple workflow profiles, see 4.1. Workflow

.Profiles Page

Answering User Questions

If your workflow profile (either as a guest or domain user) specifies user questions, the questions are displayed. Answer the questions, and then click . Submit

v3.13.0 459

9.2. Inserting Digital Media

After the login process is complete and, if applicable, all user questions have been submitted, the Insert Media screen displays.

9.3. Unlocking Encrypted Devices

If the USB device you are trying to scan is encrypted, the Unlock screen displays. See the for a list of encrypted USB drives that are supported.Overview

v3.13.0 460

1.

2.

3.

4.

a.

b.

9.4. Processing Digital Media

Insert the media you want to scan. The Start screen appears.

Click . (If you want to scan the entire media, click and skip to step Browse Process All5.) All detected drives display. Files and folders are not sorted.

Click to remove all data from the detected media and overwrite the entire Note: Wipedisk with random data, depending on the configuration set in the Metadefender Kiosk Management Console .

StartScreen.png

Select the drive, folders, or files (including system files) you want to scan and click Begin . Processing

Note:1) Boot Records in the figure below means the Master Boot Record and Volume Boot Record; they will be processed.2) When a folder is selected, the subfolders and files within are not displayed as selected, but they will be processed.

BrowseScreen.png

Click . The Progress screen displays the following information: Begin Processing

Current File: The current file being processed. If the file path is more than 60 characters, the beginning will be trimmed and replaced with ellipses (…).

v3.13.0 461

4.

b.

c.

5.

6.

Number of Files Processed: The number of files already processed and the total number of files to be processed.

Size Processed: The total size of all the files that have already been processed and the total size for all of the files to be processed.

ProcessProgress.png

Note: If the inserted media does not have Windows-readable partitions, or if multiple partitions have been disabled in the Metadefender Kiosk Management Console and the drive has multiple partitions, the No volumes mounted for the

error message appears and you will be returned to the Idle selected devicescreen. This error message also appears if Metadefender Kiosk is unable to read a partition because it is a private or encrypted partition.

If at least one encrypted archive is found, and encrypted archive decryption is enabled in the Metadefender Kiosk Management Console, a list of the encrypted files display. See

for additional information.9.5. Processing Encrypted Archives

When processing is complete, the Sessions Results screen displays. See 9.7. Viewing .and Printing the Session Results

If you click during the scan or remove the media during Note: Cancel Processingprocessing, the Session Results screen displays ‘Processing Aborted’. Ejecting the media during processing does not stop the processing.

9.5. Processing Encrypted Archives

If at least one encrypted archive is found during processing (as described in 9.4. Processing ), and encrypted archive decryption is enabled in the Metadefender Kiosk Digital Media

Management Console, a list of the encrypted files displays.

v3.13.0 462

1.

2.

3.

To process encrypted archives:

Select the checkbox next to one or more of the encrypted archives. A password screen appears.

Enter the password for the encrypted archive, and then click .Submit If you selected multiple encrypted archives, you are prompted to enter different Note:

passwords for each archive.

Click . If the encrypted Begin processing to scan the selected encrypted archives archives are successfully unlocked, the Session Results appear.

Click to bypass the encrypted archives and go directly to the Session Results Note: Skipscreen.

9.6. Copying Files to Another Media

If your workflow profile specifies copying scanned files to other media, you are prompted to insert the media to which you want to copy your files. If you do not want to copy the files, click

to display the page. Skip Copy Session Results

The original source media must remain connected to Metadefender Kiosk to successfully copy the files.

v3.13.0 463

If the user media is configured to be wiped before copying, a prompt will alert the user that the destination media will be wiped.

Select 'Continue' to have the media wiped and copy files to or 'Cancel' to be taken back to insert another media to copy files to.

Note: If you insert an encrypted device as the media to copy to, you will be prompted to enter the password to unlock the media before files are copied.

v3.13.0 464

9.7. Viewing and Printing the Session Results

After media has been processed, the session results appear. The session results include whether processing was completed or aborted, the number of files blocked and why they were blocked, the actions taken on blocked and allowed files, and the total number of files processed.

The session results page includes the following buttons:

View Copy Details: If at least one file was copied as a result of the post processing configuration set in the Metadefender Kiosk Management Console, then the View Copy

button is enabled. Click this button to go to the Copied File Details screen. For Detailsadditional information, see below.Viewing details about copied files

View Blocked File Details: If at least one file was blocked, the View Blocked File button is enabled. Click this button to go to the Blocked File Details screen. If at Details

least one mismatched file is found, the File Type Analysis Mismatch section is included in the Blocked File Details screen. For additional information, see Viewing details about

below.blocked files

Print Report: If report printing is enabled, the button appears. Click this Print Reportbutton to print the session results. See Data Included in Metadefender Kiosk Log Filesand for additional information.Example of a Scan Log File

Done: Click to go back to the Idle screen. If Metadefender Kiosk is configured Done(through the Metadefender Kiosk Management Console) to exit after processing, Metadefender Kiosk closes.

Viewing details about copied files

v3.13.0 465

Viewing details about copied files

The Copied File Details screen displays the location files were copied to by Metadefender Kiosk during processing. This location is the path specified in the Metadefender Kiosk Management Console with a unique identifier for that processing session.

Viewing details about blocked files

The Blocked File Details screen displays the blocked files detected by Metadefender Kiosk during processing. You can click a blocked file to view more details. Click the and Back Nextbuttons to toggle between blocked files.

v3.13.0 466

Viewing details about mismatched results

Mismatched files have extensions that do not match the expected file type based on the content of the file. A mismatched file is not always a threat; many custom files or files generated by custom software have extensions that are different than standard file types. You should evaluate mismatched files on a case-by-case basis to determine whether the file is a potential threat.

Data Included in Metadefender Kiosk Log Files

After scanning is complete, you can print the scanning session log file. Click from Print Reportthe Session Results screen.

v3.13.0 467

See for more information.9.7. Viewing and Printing the Session Results

The following information is included in the printout.

Data Item Description

User ID If you are using Windows authentication, this is your Windows user ID. If you are not using Windows authentication, this is blank.

Profile The Metadefender Kiosk profile that was used for this session.

Session ID The unique session ID generated for this Metadefender Kiosk processing session.

Scan Completion Status

PROCESSING FINISHED SUCCESSFULLY or

PROCESSING ABORTED!

Start Time Processing start time.

Finish Time Processing finished time.

Metadefender Core Version

The product version of the Metadefender Core server. If the Metadefender Core server is installed remotely on another system, the IP address and communication method (e.g., metascan_rest) is listed as well.

v3.13.0 468


Metadefender Kiosk Version

The product version of the Metadefender Kiosk application.

Device Information

Section that includes identifying information for the physical media device that was scanned, if available, from the device.

Manufacturer Manufacturer of the media that was processed.

Model The model of the physical media that was processed.

Media Type The type of physical media that was processed.

Serial Number The serial number of the physical media that was processed.

Partition Count

The number of partitions on the device.

Disk Usage The amount of space used / the total size of the drive.

Scanning System

The machine name of the Metadefender Kiosk system where the processing was done.

Full Media Processed

Indicates whether all of the files on the media were processed.

Total Files Scanned

The total number of files scanned by Metadefender Core.

Total Files Processed

The total number of files processed by Metadefender Kiosk.

Blocked Files Section that includes a summary of the files blocked by the profiles defined in Metadefender Core.

v3.13.0 469


Mismatched The number of files detected as a file type mismatch.

Blocked File Types

The number of files blocked as a result of the file type filtering policy.

Password Protected

The number of files skipped because they were password protected and/or the password was not provided for an archive.

Potentially Vulnerable File

The number of files that have a known vulnerability. (detection available only in Core V4)

Noncompliant Archives

The number of archive files that exceeded limits specified in the archive handling policy.

Threats The number of files blocked because Metadefender Core detected a non-clean result.

Error The number of files that failed to scan either because one or more engines did not finish scanning them successfully or errors communicating with Metadefender Core.

Failed to Sanitize

The number of files that failed data sanitization.

Blocked Actions Taken

The number of files blocked because Metadefender Core detected a non-clean result.

Converted The number of files sanitized by Metadefender Core.

Quarantined The number of files quarantined by Metadefender Kiosk.

Deleted The number of files deleted by Metadefender Kiosk.

v3.13.0 470


Post Action Ran

The number of files processed by the post action script defined in Metadefender Kiosk

Copied To Media

The number of files copied to another device.

Copied To Directory

The number of files copied to another location.

Copied To SFT Server

The number of files copied to a Metadefender Secure File Transfer server.

Moved To Media

The number of files moved to another device.

Moved To Directory

The number of files that were moved to another location.

Moved To SFT Server

The number of files moved to a Metadefender Secure File Transfer server.

Copied to [media, directory, SFT Server]

The location where files were copied.

Moved to [media, directory, SFT Server]

The location where files were moved.

Allowed Actions Taken

Section that includes a summary of the actions taken on allowed files. The descriptions are the same as those described above for blocked files.

v3.13.0 471


Skipped Files The number of files skipped when scanning by Metadefender Core because of the policy set in the Core profile.

File Type Totals

The number of files of each file type that were included in the processing session.

Threats The list of files detected as threats during the session. Each file will have the PATH, SHA-256, THREAT NAME (if applicable) and SCAN RESULT listed.

Deleted Files The list of files removed during processing. Each file will have the PATH and SHA-256 listed.

Quarantine Failed Files

The list of files quarantined during processing. Each file will have the PATH and SHA-256 listed.

Password Protected Files

The list of files included in the process that were password protected. Each file will have the PATH and SHA-256 listed.

Potentially Vulnerable Files

The list of files that contain a vulnerability. Each file will have the PATH and SHA-256 listed.

Noncompliant Archives

The list of archives included in the process that exceeded archive handling limits. Each file will have the PATH, SHA-256 and REASON listed

Errors - Process Files

The list of files that failed to scan by Metadefender Core. Each file will have the PATH, SHA-256 and REASON listed.

Failed To Quarantine Files

The list of files that could not be quarantined.

Skipped Files

v3.13.0 472


The list of files that were configured to be skipped from being scanned by Metadefender Core. Each file will have the PATH and SHA-256 listed.

File Type Analysis Results

The list of files where the detected file content type did not match the file extension. Each file will have the PATH, SHA-256, SUGGESTED EXTENSION and DETECTED FILE TYPE listed.

Blocked File Types

The list of files whose file type was configured to be blocked. Each file will have the PATH, SHA-256, SUGGESTED EXTENSION and DETECTED FILE TYPE listed

Files Failed SHA-256 Verification

The list of files that failed SHA-256 verification during copy/move (if SHA-256 Verification was enabled). Each file will have the PATH and SHA-256 listed.

Files Failed to be Sanitized

The list of files that failed to be sanitized. Each file will have the PATH listed.

Allowed Files The list of allowed files in the session. Each file will have the PATH and SHA-256 listed.

Path The relative path to the given file.

SHA-256 The hash value of the given file.

Threat Name The name of the infection for the given file.

Scan Result The scan result of the detected file threat

Suggested Extension

The expected file extension based on the detected content type of the file.

Detected File Type

The detected content type of the file.

v3.13.0 473


Reason The reason the file has been included in the current list.

Example of a Scan Log File

OPSWAT - METADEFENDER KIOSK SCAN RESULTS

What is the ID of the media you will be scanning?: GX3419

What is the source of the files on this media?: 3rd Party Vendor

What is your name?: Metadefender Kiosk User

User ID: opswat\sampleuser

Profile: Default

Session ID: F624AA1F-BFF1-4501-A8F7-75DAC4C9EF2A

PROCESSING FINISHED SUCCESSFULLY

Process Start Time: 2016-07-23 10:54:09

Process Finish Time: 2016-07-23 10:54:35

Metadefender Core Version: 3.11.1.27535

Metadefender Kiosk Version: 3.3.1.27740

Device Information

Manufacturer: (Standard disk drives)

Model: SCSIDISK SCSI_DISK_1234 USB Device

Serial Number: USBSTOR\DISK&VEN_SCSIDISK&PROD_SCSI_DISK_1234&REV_1.00\12102314434D&0

Media Type: USB Device

Partition Count: 1

Disk Usage: 30.8MB / 1.8GB

Scanning System: METADEFENDER-KIOSK

Full Media Processed: YES

Total Files Scanned: 19

Total Files Processed: 20

Blocked Files

- Mismatched: 0

v3.13.0 474

- Blocked File Types: 0

- Password Protected: 1

- Noncompliant Archives: 1

- Threats: 5

- Failed To Scan: 0

Blocked Actions Taken

- Converted: 0

- Quarantined: 0

- Deleted: 0

- Post Action Ran: 0

- Copied To Media: 6

- Copied To Directory: 0

- Copied To SFT Server: 0

- Moved To Media: 0

- Moved To Directory: 0

- Moved To SFT Server: 0

- Copied to directory: C:\Kiosk\Sessions\F624AA1F-BFF1-4501-A8F7-75DAC4C9EF2A\blocked

Allowed Actions Taken

- Converted: 2

- Post Action Ran: 0

- Copied To Media: 16

- Copied To Directory: 0

- Copied To SFT Server: 0

- Moved To Media: 0

- Moved To Directory: 0

- Moved To SFT Server: 0

- Copied to directory: C:\Kiosk\Sessions\F624AA1F-BFF1-4501-A8F7-75DAC4C9EF2A\allowed

Skipped Files: 0

File Type Totals

bmp: 1

v3.13.0 475

doc: 1

docm/docx: 2

exe/dll: 1

gif: 1

htm/html: 1

jpg/jpeg: 1

pdf/ai: 1

png: 2

pps/ppt: 1

pptm/pptx/ppsx: 1

tif/tiff: 1

xls/xla: 1

xlsm/xlsx: 1

zip/jar: 4

_______________________________________________________________________

THREATS

1. PATH: F:\Samples\eicar_com.zip

SHA-256: F3F0C45B82514D6B2AB45F988288249AD73F3591BBD51CD

9302815EDE372143D

THREAT NAME: Eicar-Test-Signature

SCAN RESULT: Dirty

-----------------------------------------------------------------------

2. PATH: F:\Samples\eicarcom2.zip

SHA-256: 4FDABC19CFC54D84153389CEB1F75461606275207E24B60

04B74314200AB201B


SCAN RESULT: Dirty

-----------------------------------------------------------------------

3. PATH: F:\Samples\Sample Embedded.docx

SHA-256: 89309D4B57F87D6A25FA6053032B9E2106C41D146C9F8A3

C2BC56DE736619A2A

v3.13.0 476


SCAN RESULT: Dirty

-----------------------------------------------------------------------

4. PATH: F:\Samples\Self-Extracting.exe

SHA-256: 987204377CCE14B041BDCE2B2821063711E4B4786EDFBB9

103131EE3CB57FF25

THREAT NAME: Eicar test file

SCAN RESULT: Dirty

-----------------------------------------------------------------------

5. PATH: F:\Samples\Sample Files.zip

SHA-256: 7FD5107BF4D2A6FA445752025163C7F3B931B52E0BE22E7

D49A65FB3AA80FD31


SCAN RESULT: Dirty

-----------------------------------------------------------------------

_______________________________________________________________________

PASSWORD PROTECTED FILES

1. PATH: F:\Samples\File Test Set.zip

SHA-256: 1126E898787D018BE43BFF14A2AB24C605F5592654EFDA3692

821AA7E3AC9052

_______________________________________________________________________

_______________________________________________________________________

10. Developer Guide

10.1. Custom Authentication Module

Metadefender Kiosk allows you to audit the users that transfer data to and from the organization as well as to create a secure dataflow. Commonly used as a checkpoint to protect infrastructure from the risk of removable media devices (such as USB drives, CDs/DVDs, and other portable media), Metadefender Kiosk allows you to configure detailed content filters for unknown removable devices brought in by employees, contractors, vendors and others.

v3.13.0 477

1.

2.

3.

4.

1.

2.

3.

4.

This section provides instructions for developers who intend to build or integrate their own authentication method of these users into Metadefender Kiosk. We recommend that you have a strong understanding of C/C++ before reading this section.

The bundled code included in this section is a sample of how the authentication module can be implemented. You should modify the contents in each method described in this section to accommodate your integration needs. You can remove any additional methods in the sample code not described in this section if not needed.

Important: Any configuration pertaining to the custom authentication module are not saved if you uninstall and re-install Metadefender Kiosk. You must keep a copy of your module before uninstalling and then copy it back to the same directory once your installation or upgrade is complete.

System requirements

The system requirements for implementing custom authentication are as follows:

Metadefender Kiosk 3.2.0 or later

Visual Studio 2013 or later

NET 4.5 or later for running the Custom Authentication Sample for the sample UI

Deploying and configuring custom authentication

The steps necessary to deploy custom authentication are as follows:

Obtain a custom authentication template package from the downloads.OPSWAT Portal Use the template for C++ custom authentication module (vc12).Note:

Implement the custom authentication interface & build the custom authentication module (authenticationModule.dll).

Deploy the custom authentication module.

Configure Metadefender Kiosk to load and use the custom authentication.

Configuring custom authentication

After successfully building the custom authentication module, you can configure the custom authentication module.

Place the module (authenticationModule.dll) in the expected directory (e.g., <Metadefender Kiosk Install Directory>\Client\Authentication).

Open the Metadefender Kiosk Management Console, and go to the Workflows tab.

Go to the Configuration section.

https://my.opswat.com/hc/en-us

v3.13.0 478

4. Select Require user authentication, then select Custom Authentication, and click . Apply If Custom Authentication does not appear, the authentication module is either Note:

named incorrectly or not in the expected directory.

Understanding C++ code in the custom authentication template

The following section describes the C++ code in the custom authentication template.

Init

This is the first method called. It allows you to initialize your authentication module.

init

int Init( bool * showUI)

Arguments


showUI Output indicates if the authentication module has a UI to display to the user.

v3.13.0 479


True: Has a UI.

False: Has no UI.

Return value

Value Description

0 The module initialized correctly.

Non-zero Initialization failed and the module cannot be used.

Verify

This method initiates the authentication process to run. The return value has nothing to do with if the user is authenticated or not. Instead, it indicates if the authentication process was successful or not.

init

int Verify( wchar_t ** verifiedID wchar_t * desktopName wchar_t ** password)

Arguments

Argument Description Notes

verifiedID The ID associated with the user that successfully authenticated. If a user is denied, then this is empty.


desktopName

v3.13.0 480


Metadefender Kiosk uses a second desktop for security reasons. If your authentication process has a UI to display to the user, this will indicate the desktop in which your authentication process will be launched.

Disregard if your authentication process does not require a UI.

password The verified user’s credentials which allows Metadefender Kiosk to handle post processing permissions. If you don't want Metadefender Kiosk to have the user’s permissions, leave this empty.


Note: From 3.5.0, if is empty, Guest profile will be used.verifiedID

Return value

Value Description

0 Verification ran successfully.

Non-zero Verification failed to run.

Denit

This method is called when Metadefender Kiosk is shut down. Any resources acquired by your module should be released and any unsaved data should be stored.

init

int Deinit()

Arguments


Cancel

v3.13.0 481

Cancel

This method is called when the user tries to cancels while verification is running.

int Cancel

(

)

Arguments


Return value

Value Description

0 The cancel request was accepted.

Non-zero The cancel request was denied.

FreeString

This method is called to free allocated memory for wchar_t **. Metadefender Kiosk calls this function when finished with the values allocated by your functionality.

init

int FreeString( wchar_t ** stringToFree)

Arguments


stringToFree Double pointer to wchar_t

This function must be de-allocated in the same way that memory is allocated.

v3.13.0 482

1.

2.

3.

4.

Return value

Value Description

0 The allocated memory was successfully released.

Non-zero The allocated memory failed to be released.

Using the custom authentication tester

The custom authentication testing package includes a file called TestCustomAuthentication.exe that lets you test and troubleshoot your authentication module before using it with Metadefender Kiosk.

TestCustomAuthentication.exe behaves similarly to the component Metadefender Kiosk uses to load the authentication module. Since Metadefender Kiosk runs under a SYSTEM context, you should run the authentication module under SYSTEM as well. Attempting to run the authentication module under any other user may invalidate the module's results. You must run TestCustomAuthenticationModule.exe under SYSTEM to properly load authenticationModule.dll and test the methods.

You can use Windows Sysinternals to run the tool as SYSTEM.

To run the custom authentication tester:

Download PsExec.

Open a command prompt (as an administrator) to where PsExec is installed and enter "PsExec.exe -s cmd.exe"

Navigate to the <Metadefender Kiosk Install Directory>\Client\Authentication directory.

v3.13.0 483

4.

5.

Run TestCustomAuthentication.exe. At all points of method testing, the tester pauses and allows you to control when to move on to the next test.

A PASSED or FAILED result appears.

pcProx Plus RFID Reader Custom Authentication Module

Overview of Module

Required Components

Configuration


Reader Configuration

pcProxConfig Installation

Adding pcProx Custom Authentication Module to Metadefender Kiosk

Using the pcProx Custom Authentication Module

Overview of Module

This documentation describes usage of the pcProx Plus RFID Reader custom authentication module. This authentication module can be used with any version of Metadefender Kiosk version 3.2.0 or later to allow RFID cards to be used for Metadefender Kiosk authentication.

Required Components

Installed Metadefender Kiosk system (version 3.2.0 or later)

Installer available on OPSWAT's portal at https://portal.opswat.com/en/product-categories/metadefender-kiosk

https://portal.opswat.com/en/product-categories/metadefender-kiosk


v3.13.0 484

1.

2.

3.

4.

a.

pcProx Plus RFID Reader

https://www.rfideas.com/support/product-support/pcprox-plus

pcProxConfig reader configuration tool

Download available at https://www.rfideas.com/support/product-support/pcprox-plus

Documentation available at https://www.rfideas.com/files/downloads/manuals/Enroll_Plus_Wiegand_Manual.pdf

pcProx Plus RFID Reader Custom Authentication Module

Compiled binaries and source available on the OPSWAT Portal at https://portal.opswat.com/en/content/metadefender-kiosk-custom-authentication-module-sample-code

Configuration


If Metadefender Kiosk has not already been installed on the system, install it using the installer available on the OPSWAT Portal at https://portal.opswat.com/en/product-categories

. Follow the installation steps in the ./metadefender-kiosk Metadefender Kiosk documentation

Reader ConfigurationpcProxConfig Installation

Download the pcProxConfig installer from https://www.rfideas.com/support/product-support/pcprox-plus

Run the installer to install the pcProxConfig configuration tool

Connect the pcProx reader to the Metadefender Kiosk system and wait for the driver to be installed. The LED on the reader will turn red

Launch the pcProxConfig tool, the device should be automatically detected




https://www.rfideas.com/files/downloads/manuals/Enroll_Plus_Wiegand_Manual.pdf

https://www.rfideas.com/files/downloads/manuals/Enroll_Plus_Wiegand_Manual.pdf

https://portal.opswat.com/en/content/metadefender-kiosk-custom-authentication-module-sample-code





http://software.opswat.com/metascan/Documentation/Metadefender/documentation/Metadefender_User_Guide/Metadefender_Installation/Installing_Metadefender_Using_the_Install_Wizard.htm



v3.13.0 485

4.

a.

b.

c.

5.

a.

6.

a.

b.

If the reader is not automatically detected you can click on the 'Connect' button to detect the reader

The reader should be shown in the device list

Select 'Card Analyzer' from the menu

Click 'Learn Card'

Click Start Scan, and when prompted put the RFID card that you want the device to learn on the scanner. The card will need to stay on the reader until the scanning is complete.

v3.13.0 486

6.

b.

c.

7.

8.

a.

9.

Click the 'Auto Config>' button

Select the Configuration # to set and click the 'Write' button

v3.13.0 487

9.

10.

a.

b.

11.

a.

b.

c.

12.

a.

b.

After the configuration has been written click 'Exit' to close the Card Analyzer dialog or click the 'Learn Card' button to learn another card type

Confirm that the configuration has the 'High priority' checkbox selected

If two configurations are saved make sure this is selected for both

Select the 'Format' tab. On the 'Data Format' subtab do the following.

Confirm the 'Send ID' checkbox is selected

OPSWAT recommends that the 'Send FAC' checkbox is also selected

On the 'Delimiters' subtab, do the following

Confirm the Pre-data delimiter is set to <NONE>

v3.13.0 488

12.

b.

c.

d.

e.

13.

14.

1.

a.

b.

c.

Confirm the Post-data delimiter is set to <NONE>

Confirm the Termination Keystroke is set to <ENTER>

Click the 'Write Active' button to save the configuration. If there are two configurations set this needs to be done for both configurations.

Test the configuration by opening the Notepad application and scanning a card. The card ID should be written into Notepad.

Adding pcProx Custom Authentication Module to Metadefender Kiosk

Copy the following files from the custom authentication module download package into your C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\Authentication directory

authenticationModule.dll

CustomAuthExample.exe

v3.13.0 489

1.

c.

d.

2.

a.

b.

3.

a.

b.

1.

a.

omConfig_CAM.ini

db

If you would like to restrict users to the RFID cards that are listed in the database

Set the property validate_ID=1 in omConfig_CAM.ini

Open the 'db' file with a text editor, such as Notepad. Update/add the valid card IDs (can be read by pcProxConfig tool, step 14) with the corresponding user names in the format <Card ID>:<Name>. Only card IDs that are listed in this file can be used for authentication.

In the Metadefender Kiosk Management Console, enable Custom Authentication on the 'Workflows' configuration page

Click the 'Apply' button

Using the pcProx Custom Authentication Module

Users will be prompted to scan their RFID badge

v3.13.0 490

2.

a.

i.

b.

c.

The ID from the card will be saved as the user ID for the session

In the session log viewable through the Management Console

On the scan receipt

In the saved text log file

11. Release Notes

New features

Metadefender Kiosk can now be configured to abort scans as soon as a blocked file is found

Multiple Metadefender Core servers can be defined for redundancy

Support for wiping encrypted USBs

Alert sound can be customized

Other changes

Better reporting of mismatched files that are found within archives

SMTP settings for emailed session reports are now configured globally

Estonian keyboard layout is now supported for the onscreen keyboard

Options for handling multiple partitions have been simplified to either block devices with multiple partitions or scan all available partitions

11.1. Archived Kiosk Release Notes

Version 3.4.1

=============

v3.13.0 491

New features

------------

- None

Other changes

-------------

- Kiosk user will now be prompted to confirm before destination media is wiped before files are copied to it

Version 3.4.0

=============

New features

------------

- Each Metadefender Kiosk workflow specifies a specific Metadefender Core workflow or rule to use

- Files identified as potentially vulnerable by Metadefender Core's vulnerability engine are shown in the scan results

- Metadefender Kiosk will now scan the boot sector of any media

Other changes

-------------

- The Metadefender Kiosk session log page user interface has been updated

- Potential security vulnerability with Ctrl-L key combination has been closed

- Better handling of McAfee encrypted USB devices

- Requires Metadefender Core 3.12.4 or later

Version 3.3.6

=============

New features

------------

v3.13.0 492

- Built in user authentication now supports remote Active Directory authentication. Note that for remote Active Directory authentication provided user credentials are not used when files are copied as a post action.

Other changes

-------------

- Metadefender Kiosk will validate SSL certificates when using HTTPS to communicate to the Metadefender Core server. If Metadefender Core is using a self-signed certificate, this certificate must be installed on the Metadefender Kiosk machine, otherwise validation will fail.

- The Metadefender Kiosk UI will reset after the scanned media has been removed when at the scan results page

Version 3.3.5

=============

New features

------------

- Encrypted drives can now be used as the "Copy To" destination

- Drives that are being copied to can now be wiped before files are copied

Other changes

-------------

- Server settings for e-mail notifications are now configured in Metadefender Kiosk instead of in Metadefender Core

Version 3.3.4

=============

New features

------------

- Compatible with Metadefender Core 4.4 and later versions

- Support for Kanguru 2000 and 3000 encrypted USBs

- More flexibility allowed in the destination directory when "Copy To" post action is enabled

- Scan session log can be saved as a PDF

v3.13.0 493

Other changes

-------------

- High security workflow included by default in installation

- Kiosk UI now scales to higher resolutions

- Count of files sent to a Metadefender Secure File Transfer server added to Management Console dashboard

Version 3.3.3

=============

New features

------------

- Non-guest Metadefender Kiosk profiles can now upload to Metadefender SFT guest accounts.

Other changes

-------------

- Updated onscreen Japanese keyboard

- Metadefender Kiosk can now be used with a Metadefender Core server that has an API key set.

- Fixed bug where files on read-only media that are sanitized were not getting copied as part of the file handling part of the workflow.

- Several hotkeys are now automatically disabled when the UI is running

- Additional minor bug fixes.

Version 3.3.2

=============

New features

------------

- Scan reports can now be sent by e-mail after the scanning session is complete.

- The file upload chunk size for uploading files to a Metadefender SFT server is now configurable.

Other changes

v3.13.0 494

Other changes

-------------

- The sender e-mail address is no longer required when uploading files to a Metadefender SFT server.

- Additional strings have been added to the Kiosk UI and can be modified through the Management Console.

- The encryption method for passwords saved in the Metadefender Kiosk configuration has changed. Importing configuration from versions prior to Metadefender Kiosk 3.3.2 will not import passwords.

Version 3.3.1

=============

New features

------------

- None

Other changes

-------------

- Better cancellation of a scan in progress

- Fixed issue when browsing blank media

- Correct detection of unencrypted Kanguru devices

- Database and Windows events can be viewed through the Management Console

Version 3.3.0

=============

New features

------------

- The name of the product is now Metadefender Kiosk.

- Administrators have the option to restrict access to domain users when Windows authentication is enabled.

v3.13.0 495

Other changes

-------------

- Fixed bug in importing saved configuration

- IIS Express component has been upgraded to version 8.0

Version 3.2.0

=============

New features

------------

- Metadefender now uses Metascan workflows (Metascan versions 3.10.1 and later)

- Custom authentication modules are supported

- Windows 10 support

Other changes

-------------

- None

Version 3.1.0

=============

New features

------------

- Metascan functionality can now be configured within the Metadefender Management Console. This is only supported for Metascan servers version 3.9.5 or later.

- Support for floppy disks as the copy destination in post-actions

Other changes

-------------

- Custom time periods can be set for the statistics displayed on the Metadefender dashboard

Version 3.0.12

=============

v3.13.0 496

New features

------------

- Upload to Policy Patrol Secure File Transfer (Requires version 2.2 or later of SFT) is now available as a post action

- The Metadefender Management Console has an updated look and feel, matching the Metascan Management Console

Other changes

-------------

- The security and compatibility of the Metadefender Management Console has been improved by replacing the PHP component with JavaScript

- Stability of the data sanitization post-action has been improved

- Fixed issue where floppy disk drives on non-English operating systems were not being recognized

- Fixed issue where in certain circumstances Metadefender might not start automatically upon system restart

Version 3.0.11

=============

New features

------------

- None

Other changes

-------------

- Updated kiosk UI strings for non-English languages

- Improved support of Ironkey D250 encrypted USBs

- Improved support for Kanguru Elite Defender 30 USBs

- Improved support for Kingston encrypted USBs

- If Windows authentication is enabled, non-local (i.e. domain) users are now required to specify their domain

Version 3.0.10

v3.13.0 497

Version 3.0.10

=============

New features

------------

- None

Other changes

-------------

- Resolved issue where files would fail to copy to network locations when SHA-256 hash verification was enabled

- Resolved issue in displaying large number of files in Metadefender's browse dialog

- Support for file type conversion from image files has been removed. Conversion from PDF is now only supported to sanitized PDF. For customers that will be exporting Metadefender workflows that used this functionality OPSWAT recommends that these conversions are disabled before exporting.

Version 3.0.9

=============

New features

------------

- None

Other changes

-------------

- Reduced the latency in loading workflow configuration when there are many user accounts on the associated active directory server

- Resolved race condition where Metadefender occasionally did not start upon system startup when installed on Windows 8 or newer operating systems

- Improved behavior when multiple instances of Metadefender are running on the same system

Version 3.0.8

=============

New features

v3.13.0 498

New features

------------

- Windows 8.1 and 2012 R2 are now supported

- Buffalo RUF2-hsc-2gt Encrypted USBs are now supported

- McAfee Complete Data Protection Encrypted USBs are now supported

- EncryptDisc media is now supported

- Kanguru Defender Elite 30 USB devices are now supported

- Metadefender Idle Screen can be customized

- German and Korean translations of the Metadefender kiosk UI

Other changes

-------------

- Hashes of files are re-verified when the 'Copy To' post action command is used

- Better handling of network failures when scanning with a remote Metascan server

Version 3.0.7

=============

New features

------------

- Scan logs can be saved to the media being scanned

- Recent sessions now listed in the Metadefender Management Console logs page

- Support for Buffalo SecureLock encrypted devices

- Receipt can be configured to print automatically

Other changes

-------------

- More details available in the scan result screen for files that failed to scan

- Kiosk user can be alerted when Metadefender license is close to expiration

- New HTML documentation available through the Management Console

- Romaji input supported on Japanese keyboard

- More robust support for Kingston DataTraveler encrypted USBs

v3.13.0 499

- Bitlocker encrypted drives are now supported on Windows 8.1

- Other minor changes

Version 3.0.6

=============

New features

------------

- Support for Ironkey D250 encrypted USBs

- Support for BitLocker (password) encrypted devices

- Vietnamese and Japanese user interface available by default

Other changes

-------------

- User account credentials used for post actions when Windows authentication is enabled

- Better indication when potential threats are found

- Additional scan result details included in text log file

- Debug log package available for download in Management Console

- Additional printout configuration options

Version 3.0.5

=============

New features

------------

- Added Support of KIOSK UI localization

- Added predefined KIOSK UI Localization for Hebrew & Arabic

- Added additional predefined profiles

- More configuration for printouts

Other changes

-------------

- Fixed error when scanning empty media

v3.13.0 500

- Improved accuracy of timestamps in logs

- Improved error handling and logging for errors

- Updated logs to include scan failure reason.

- Clearer notification when a threat is found

- Add ability to set password in Metadefender Management Console

- Various bug fixes.

Version 3.0.4

=============

New features

------------

- Copy to user provided media as post-action

- Username is available as a variable in post-actions when Windows login is enabled

Other changes

-------------

- Improved archive handling

- Improved physical keyboard support

- Scan is aborted if connection with Metascan server is interrupted (when Metascan is on separate machine)

- Improved handling when Metascan server is operating at maximum capacity

- Fixed potential issue where Metadefender failed to launch due to latency of Windows desktop preparation

- Better logging for interruptions during post processing

- Minor bug fixes

- UI improvements

Version 3.0.3

=============

New features

------------

v3.13.0 501

- None

Other changes

-------------

- Fixed print formatting issues

Version 3.0.2

=============

New features

-----------------

- Search for processing result by file upload

- Ability to export processing logs

- Allow search results to be bookmarked for later reference

- Display more detailed progress during file enumeration

- Improved Metadefender Management Console

- Improved formatting for built-in kiosk printers

Other changes

-------------

- Fixed bug that was preventing restoration of default and guest profiles

- Prevent users from being added to more than one workflow profile

Version 3.0.1

=============

New features

-----------------

- User Authentication

- Customizable User Profiles

- Configurable User Questions

- Filtering by File Type

- Web-Based Metadefender Management Console

v3.13.0 502

- System Restore with Deep Freeze

- File Type Conversions

- Enhanced Post-Processing Options

- New End User Workflow

- Option to Restart After Each Session

- Comprehensive Logging for all Processed Files

- Support for Kingston encrypted USB drives

- Handling USB with partially corrupted file system

11.2. Known Limitations of Metadefender Kiosk

Upgrading from 2.x

All configuration is now DB-based. For migration, please contact OPSWAT.

Handling Multiple Devices

Metadefender Kiosk does not allow multiple devices to be processed at the same time. Each device must be inserted independently. If a device has a private, or encrypted partition, Metadefender Kiosk may not be able to read it. Encrypted drives can be scanned as covered in the Unlock Screen section. If a drive does not have any readable partitions, OPSWAT recommends using Metadefender Kiosk’s ‘Wipe’ functionality to clean the drive and ensure that there are no hidden partitions. Refer to the Advanced Options section of 7.3. Configuring User

for additional information.Settings

Non-Windows Partitions

Metadefender Kiosk does not support scanning partitions that cannot be mounted to volumes in Windows (e.g. Linux/Android/Mac). However, many anti-malware engines incorporate virus definitions for all operating systems, regardless of the system on which the engine will be installed. OPSWAT tests indicate that for each non-windows threat sample, a large number of antivirus engines detected that the file is infected.

USB Hubs

If a USB hub with multiple USB drives is inserted into a Metadefender Kiosk system for scanning, Metadefender Kiosk will only scan the first device reported to Windows. This is not guaranteed to be the same device each time the USB hub is inserted. OPSWAT does not recommend connecting drives to Metadefender Kiosk through a USB hub.

Self-Extracting Archives

v3.13.0 503

Self-Extracting Archives

The only self-extracting archives that are fully supported to be scanned as archives are ones created by 7-zip and WinRAR. Self-extracting archives created using other technologies may be recognized and scanned as archives but OPSWAT does not guarantee that this will be possible.

Private or encrypted partitions

If a device has a private, or encrypted partition, Metadefender Kiosk may not be able to read it. Encrypted drives can be scanned as described in . Non-9.3. Unlocking Encrypted Devicesprimary encrypted partitions can be blocked in the Metadefender Kiosk Management Console. If a drive does not have any readable partitions, you can use Metadefender Kiosk’s Wipe functionality to clean the drive and ensure that there are no hidden partitions.

UAC

If UAC is not disabled Metadefender Kiosk's print functionality may not work correctly. Metadefender Kiosk's watchdog functionality will also not work correctly if UAC is not disabled.

Other Known Issues

All external USB drives, such as SD card readers, floppy disk drives, and CD ROM drives, must be inserted before Metadefender Kiosk is started.

Windows User Accounts (domain or local) can be assigned to multiple workflow profiles and only one of the profiles will be used.

To be able to configure profiles with domain users, the Metadefender Kiosk system must be part of the domain.

Kiosk users cannot browse directories that contain more than 2,000 items.

For certain encrypted devices (e.g., Kanguru and Ironkey), unlocking may fail even with the correct password if a user interacts with the Kiosk UI during the process of unlocking.

The encryption method for passwords saved in the Metadefender Kiosk configuration changed with Metadefender Kiosk 3.3.2. Importing configuration from versions prior to Metadefender Kiosk 3.3.2 will not import passwords.

If the Metadefender Kiosk license has expired or is invalid, the Metadefender Kiosk application will display an error to the end user and will not allow them to proceed through the Metadefender Kiosk workflow.

McAfee & BitLocker encrypted drives are not supported for the wipe functionality.

v3.13.0 504

11. Legal

Copyright

DISCLAIMER OF WARRANTY

OPSWAT Inc. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

COPYRIGHT NOTICE

OPSWAT, OESIS, Metascan, Metadefender, AppRemover and the OPSWAT logo are trademarks and registered trademarks of OPSWAT, Inc. All other trademarks, trade names and images mentioned and/or used herein belong to their respective owners.

No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means (photocopying, recording or otherwise) without prior written consent of OPSWAT Inc. No patent liability is assumed with respect to the use of the information contained herein. While every precaution has been taken in the preparation of this publication, OPSWAT Inc. assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Export Classification EAR99

EAR99 (Export Administration Regulation 99) is an export classification category regulated by the U.S. Department of Commerce that covers most commercial items exported out of the U.S.

OPSWAT’s software is designated as EAR99, and there are no export restrictions other than embargoed countries and persons.

v3.13.0 505

12. Knowledge Base Articles

Page: What URLs must be whitelisted to allow access to virus definition updates?

Page: What is the difference between Scan, PutToScanQueue, and ScanEx?

Page: What is the RAM Drive or Ram Disk and how is it used in Metadefender Core?

Page: What is the support lifecycle for OPSWAT Appliances?

Page: What operating system patches should I apply to the system hosting Metadefender Core?

Page: What should you do if you have anti-malware on the same machine as Metadefender Core (formerly Metascan) ?

Page: What is the frequency of signature / definition updates?

Page: What is the maximum file upload size limit when accessing Metadefender Core through the REST server?

Page: Where can I submit false positives detected by Metadefender Core?

Page: Why did the AVG engine disappear from the Metadefender Core Management Console?

Page: Where is Metadefender Core's temp directory located?

Page: Which antivirus engines are designated by Metadefender Core as "customer licensed engines"?

Page: Why did Metadefender Core stop working on Windows 10 ?

Page: When I click Apply after I change the maximum total size of extracted files, I get an "Update failed" message. Why is that?

Page: When will the updates for ThreatTrack and Agnitum no longer be available ?

Are Metadefender Core upgrades free?

Yes. Your Metadefender Core license lets you run the latest version of the product. In fact, OPSWAT recommends that you upgrade to the latest release as soon as possible so that you can benefit from new AV engine versions, new features, and bug fixes.

If you are interested in upgrading, please check our Release Notes and our Installation and Upgrade Guide, which can be found here.

If you are a Metadefender Core Custom customer, OPSWAT recommends that you contact OPSWAT Support and let us guide you through the upgrade process. You can contact OPSWAT Support by .logging a support ticket with us

https://onlinehelp.opswat.com/corev3/1.2._Installing_Metadefender_Core.html

https://portal.opswat.com/support

v3.13.0 506

1.

2.

3.

4.

5.

6.

This article applies to Metadefender Core productThis article was last updated on 2016-09-02CA

Avira engine not updating

If you are running a version of Metascan that includes Avira, you can download the patch . hereTo apply this patch, please follow the instructions below.

Open an elevated command prompt.

Run the following command: net stop metascan

Extract the package you downloaded from the link above.

Copy the contents of the archive into the Engines\Avira directory in the Metascan install directory (usually C:\Program Files (x86)\OPSWAT\Metascan XX\Engines\Avira).

From an elevated command prompt, run the following command: net start metascan

Confirm that the Avira engine is scanning and returns the valid definition time from either the command line (by running the command ‘omsCmdLineUtil.exe debug’ in the Metascan directory) or through the Metascan Management Console web interface.

Note: This patch only affects your Metascan installation if it includes the Avira engine. If you are currently using Metascan 3.9.X, this is applicable to Metascan 4, 8, 12 and 16 packages. All other Metascan functionality will work normally even if the patch is not applied.

If you have any questions about this patch or about Metascan, please do not hesitate to contact .us

This article pertains to Metascan 3.9.XThis article was last updated on 2016-08-25.EF

Can I control access to the RAM disk?

Yes, you can set security permissions for the RAM disk just like a regular hard disk. To do so, right-click on that drive, select , and then navigate to the Security tab to access Propertiessecurity permissions for that drive.

Note: This only applies to the RAM disk that is installed as a part of Metadefender Core.

http://www2.opswat.com/e/27952/ket-Avira-Hotfix-June-2015-zip/2g8lpd/955749787

http://www2.opswat.com/e/27952/8z4-932370711-2dztb6-952206445/2g8lpg/955749787

http://www2.opswat.com/e/27952/8z4-932370711-2dztb6-952206445/2g8lpg/955749787

v3.13.0 507

1.

2.

1.

2.

3.

4.

This article applies to Metadefender Core version 3.xThis article was last updated on 2016-08-11TV

Can I disable (and later re-enable) any of the antivirus engines in Metadefender Core?

Occasionally, administrators may need to disable one or more of the antivirus engines that are part of Metadefender Core. This can be done from the Metadefender Core Management Console, which is accessible either via the Start menu or by opening a browser and navigating to .http://localhost:8008/management

Once there, follow the instructions below:

Go to the Configuration tab.

Deselect the engines you wish to disable in the Active column.

Enabling or disabling the engines can also be done from a command prompt. To do this:

Open an elevated command prompt and navigate to the Metadefender Core installation folder.

To see the names of the engines you have in your Metadefender Core installation, enter omsCmdLineUtil.exe debug

To enable an engine, enter omsCmdLineUtil.exe config in=<engine(s) to be included> (e.g., omsCmdLineUtil.exe config in="eset scan engine|avira scan engine").


v3.13.0 508

4.

1.

2.

3.

4.

5.

To disable an engine, enter omsCmdLineUtil.exe config ex=<engine(s) to be excluded> (e.g., omsCmdLineUtil.exe config ex="eset scan engine|avira scan engine").

Note: If you are enabling or disabling multiple engines, separate the engine names using the ‘|’ character.

This article applies to Metadefender Core product This article was last updated on 2016-08-05

CN

Can I force an uninstall of Metadefender Core when the native uninstall does not work?

Sometimes an error will occur when you uninstall older versions of Metadefender Core which use the MSI-based installer. When the uninstall process fails, you cannot install a new Metadefender Core instance, which means you cannot install a newer version of the product, nor can you re-install the version you had installed.

If you encountered a problem uninstalling Metadefender Core using the standard method, you will need to do a forced uninstall:

Stop all running Metadefender Core processes by opening an elevated command prompt and entering the following commands:

net stop metascannet stop metascan helper

Delete your Metadefender Core directory.Usually this located here: C:\Program Files (x86)\OPSWAT\Metadefender Core X Note:

where "X" is your Metadefender Core package (1, 4, 8, 12, 16 or 20). For example, if your package is Metadefender Core 16, your directory would likely be C:\Program Files (x86)\OPSWAT\Metadefender Core 16.

Delete the Metadefender Core registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OPSWAT\Metascan

Remove Metadefender Core from the MSI database using Msizap.This is a special command line utility provided by Microsoft that removes either all Note:

Windows Installer information for a product or all products installed on a computer. Information about Msizap (including where to download and how to install it) is located

. When installing the Windows SDK, you only need to select the Win32 Development hereTools option.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa370523%28v=vs.85%29.aspx

v3.13.0 509

5.

6.

7.

After downloading Msizap, the .exe file is located here: C:\Program Files\Microsoft SDK\Bin\Msizap.Exe.

Run Msizap from the command line prompt:

Msizap.Exe T {834E5CFA-B648-49e9-ADEE-7ED24383BACD}

You have successfully force-uninstalled Metadefender Core and can now install a new version of it.

This article applies to Metadefender Core productThis article was last updated on 2016-09-02

CN

Can I install Metadefender Core v3 silently from a command line?

Yes, Metadefender Core supports silent installation from the command line. Please refer to the Installation & Upgrade Guide section of the .Metadefender Core Documentation

This article applies to Metadefender Core v3This article was last updated on 2016-10-04CA

Can I run Metadefender Core without IIS?

IIS is one of the required components for Metadefender Core to function as it is intended. You may uninstall IIS if you wish, and Metadefender Core will still retain the local scan functionality. However, doing this. OPSWAT does not support Metadefender Core we do not recommend with IIS removed.

IIS is a necessary component of Metadefender Core REST which is responsible for the REST API and other components which require REST service to be operational, including remote scanning, generation and scanning via Metadefender Client, and configuring or activating your Metadefender Core via Management Console.

This article applies to Metadefender Core v 3.x.This article was last updated on 2016-08-16.CN

http://onlinehelp.opswat.com/corev3/Installing_Metadefender_Core_Using_the_Command_Line.html

v3.13.0 510

1.

2.

a.

b.

3.

1.

2.

a.

b.

c.

3.

1.

2.

3.

Can I whitelist or blacklist a file so that Metadefender Core will always treat it as clean or dirty, respectively?

Metadefender Core allows you to create and maintain a set of whitelisted and blacklisted files.

You add a file to the whitelist when you want the scan result for that file to be returned as "clean." Likewise, you add a file to the blacklist when you want the scan result for that file to be returned as "threat." In both cases, the files are not processed by any antivirus engines. To add files to the whitelist or blacklist, you can use a command line executable named omsFilterCLI.exe. This executable comes with your Metadefender Core package.

To add a file to your whitelist:

Open a command line prompt.

Enter omsFilterCLI.exe addtowhite <path> <type>

Replace <path> with the absolute directory path of the file location.

Replace <type> with the number 0. This parameter is a placeholder for future functionality.

Press .Enter

To add a file to your blacklist:


Enter omsFilterCLI.exe addtoblack <path> <type> <threat>

Replace <path> with the absolute directory path of the file location.

Replace <type> with the number 0. This parameter is a placeholder for future functionality.

Replace <threat> with the threat name. This can be a name of your choosing as it is used for your own categorization purposes.

Press .Enter

To generate a list of files in xml format that are in the whitelist and blacklist:


Enter omsFilterCLI.exe list 0

Press .Enter

v3.13.0 511

This article pertains to Metadefender Core 3.xThis article was last updated on 2016-08-29EF

Can Metadefender Core scan attachments from within a PDF file?

Metadefender Core does not directly scan and analyze PDF files for malware. Instead, it enables multiple underlying antivirus engines to do this using those engines' algorithms.

The scanning of attachments within PDFs will depend on which underlying antivirus engines are incorporated into your version of Metadefender Core, and whether they include this function or not. According to our testing, the following engines can scan attachments from within a PDF file:

Quick Heal

F-prot

Ahnlab

ClamAV

Ikarus

Sophos

TrendMicro

TrendMicro

Symantec

NANOAV*

Note: You need to enable the extract_archive option for NANOAV engine in the Metadefender Core configuration file (omsConfig.ini).

This article pertains to Metadefender CoreThis article was last updated on 2016-08-31TV

Do any of the custom engines have updating limitations?

Some of the custom engines have limitations for updating and OS compatibility.

You can see these listed below:

Engine Name Proxy Update

Offline Update

Scan During Update

Other Limitations

v3.13.0 512

TGSoft/VirIT

Filseclab None Supported None

F-Secure Supported Supported None

Lavasoft

Microsoft Security Essentias

Supported Supported Supported None

Xvirus

NANO Supported Supported Supported None

NetGate Supported Supported None

STOPZilla Supported Supported Supported None

Symantec Supported Supported N/A Runs on Server 2008 R2 or 2012

Systweak Not Supported

Supported None

Trend Micro Supported Supported Supported None

Trend Micro HouseCall

Supported Supported Supported None

Note: This list is accurate for the latest packages of custom engines.

This article pertains to Metadefender Core Product.This article was last updated on 2016-08-05.CA

v3.13.0 513

Does Metadefender Core offer real-time antivirus protection on the system where it is installed?

Although Metadefender Core uses a number of antivirus engines that are typically found in anti-malware products, it does not offer real-time protection for the system it is installed on. Metadefender Core only scans files that are submitted to it on demand. We recommend installing an anti-malware product that provides real time protection on the Metadefender Core server if such protection is needed. If a real-time protection agent is installed on the Metadefender Core server, the Metadefender Core installation directory and the temporary directory used for scanning need to be excluded from this protection.


Does Metadefender Core v3.x require lots of memory for MongoDB usage?

No, Metadefender Core does not require lots of memory because MongoDB does not work in this way.

First of all, MongoDB allocates minimum Memory for "private working set" while it may allocate a lot bigger size for Working Set which include Shareable Memory which is the biggest portion. See example below.

Secondly, Metadefender Core utilizes MongoDB ( for file scanning and other logging MMAPv1) such as application log. Please refer to MongoDB for expected system memory documentationutilization.

Please see the quote below from MongoDB FAQ for more details.

Not necessarily. It’s certainly possible to run MongoDB on a machine with a small amount of free RAM.

https://docs.mongodb.com/v3.0/faq/fundamentals/#does-mongodb-require-a-lot-of-ram

v3.13.0 514

MongoDB automatically uses all free memory on the machine as its cache. System resource monitors show that MongoDB uses a lot of memory, but its usage is dynamic. If another process suddenly needs half the server’s RAM, MongoDB will yield cached memory to the other process.

Technically, the operating system’s virtual memory subsystem manages MongoDB’s memory. This means that MongoDB will use as much free memory as it can, swapping to disk as needed. Deployments with enough memory to fit the application’s working data set in RAM will achieve the best performance.

For better performance and a stable environment, you can reduce mongoDB memory usage by decreasing the length of log/history retention.

This article pertains to Metadefender Core v.3.xThis article was last updated on 2016-12-06EF

Does the RAM Disk operate like other drives?

Yes, the RAM Disk is no different than any other drive. You can browse it, map it, etc. More information about the RAM Disk can be found .here

Note: Files which are stored in RAM Disk are removed when the machine is rebooted.

This article applies to Metadefender Core v.3.x.This article was last updated on 2016-09-02CN

Does the RAM Disk size actually take space from the server-available hard disk space?

No, the RAM Disk takes space from server RAM.

Note: Not all the space you specified for the RAM Disk is taken from the system's available RAM immediately. RAM used for the RAM Disk increases as required up to the maximum specified size .

This article applies to Metadefender Core productThis article was last updated on 2016-09-02CN

https://en.wikipedia.org/wiki/RAM_drive

v3.13.0 515

1.

2.

3.

How are Metadefender Core remote clients licensed?

Each Metadefender Core package allows to your Metadefender Core 25 remote connectionsserver by default. A single remote client license is needed for each server or process that sends files to Metadefender Core. You can add any number of remote client licenses to allow additional devices to interact with your Metadefender Core server. A license is held by a single IP address/application for a total of 24 hours before being released. For example, if you have nine servers that send files to your Metadefender Core server for scanning within the same 24 hour period, you will need a total of nine remote client licenses. Typically, the remote client connections are acquired by your integrated application using REST API (for more information about REST API, go ) or by one of our dependent products in OPSWAT's Security Suite. hereFor more information, go .herePlease contact OPSWAT sales team at to learn more about pricing and [email protected] options for remote clients. This article applies to Metadefender Core productThis article was last updated on 2016-08-31TV

How can I purchase Metadefender licenses?

Please visit to contact our sales team or to connect with one of our http://www.opswat.com/buyauthorized channel partners.


How can I see the number of files queued to be scanned?

You can see the number of files pending scan from the command line interface (CLI):

Open the Command Prompt.

Navigate to the Metadefender Core folder (typically C:\Program Files (x86)\OPSWAT\Metadefender Core X) Where X is the package number.

Enter the command “omsCmdLineUtil.exe dumpinternals”

This article pertains to Metadefender Core Product.This article was last updated on 2016-08-11.RR

https://onlinehelp.opswat.com/corev3/REST_API_(v2).html

https://www.opswat.com/products/metadefender/product-family


v3.13.0 516

1.

2.

3.

How come the AnalyzeFileType API returns a failed result when scanning the System32 directory?

In earlier versions of Metadefender Core (named Metascan), the (now deprecated) AnalyzeFileType API may return a failed result when scanning the System32 directory with your application.

When your application requests to scan a file in the System32 directory, the Windows File System will instead direct the request to the SysWOW64 folder. For example, if you are scanning C:\Windows\System32\notepad.exe, Metadefender Core will scan the file at c:\Windows\Syswow64\notepad.exe.

Using the example above, you can workaround this issue by doing the following:

Instead of using the path System32, use the path Sysnative. Sysnative is a virtual folder, or special alias, that can be used to access the 64-bit System32 folder (e.g, C:\Windows\Sysnative\notepad.exe).

If it is a native 64-bit application, only use Buffer scan, as this will result in no direct access to the file.

This article applies to Metadefender Core v3.8.1 and olderThis article was last updated on 2016-08-16AA

How do I change the directory Metadefender Core uses for archive extraction?

Metadefender Core uses a temporary directory in order to process files. By default, the temporary directory used is C:\Windows\Temp. You can change this directory from the Metadefender Core Management Console. You can also set a secondary temporary directory within Metadefender Core product if needed. Use this second temporary directory if you think that the primary temporary directory will not have enough space to hold all the files submitted to Metadefender Core while they are being processed.

You can change the directory Metadefender Core uses for archive extraction to a location either on a RAM drive or a hard disk. Here is a explaining how to set up a RAM drive. KB articleTo change the directory location, please follow the instructions below:

Open the Metadefender Core Management Console and navigate to Workflow > Scan .Configuration

Change the location of the Primary Temp Directory, which by default is C:\Windows\TEMP.

https://onlinehelp.opswat.com/corev3/How_do_I_install_a_RAM_drive_on_an_existing_Metadefender_Core_installation_.html

v3.13.0 517

3.

4.

1.

2.

3.

4.

5.

6.

7.

Click .Save

Restart the Metascan service.

This article pertains to all supported Metadefender Core V3 versions.This article was last updated on 2016-08-30.CA

How do I change the location of Metadefender Core logs?

Some Metadefender Core administrators want Metadefender Core logs sent to a directory other than the one Metadefender Core uses by default. If you have this requirement, follow the guidelines below:

Create new folders named "data" and "log" under the new location you want to use as the destination for log files.

Open the registry editor and navigate to this location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OPSWAT\Metascan

Change the "mongo_data_dir" default value in C:\Program Files (x86)\OPSWAT\Metadefender Core (X)\Mongo\data\ with the path of the data folder that you created in the step 1.

Change the "mongo_log_dir" default value in C:\Program Files (x86)\OPSWAT\Metadefender Core (X)\Mongo\log\ with the path of the log folder that you created in the step 1.

Open Task Manager, select the Process tab, locate the mongod.exe process, and right-click on the process and choose to kill it.End Process Tree

Open Services and restart Metascan service.

Check if Metadefender Core populated the folders where you moved the logs.

v3.13.0 518

This article pertains to all supported versions of Metadefender Core 3.x.This article was last updated on 2016-08-31TT

How do I configure Metadefender Core to only use one or several scan engines using the CLI?

You can include or exclude the engines used by Metadefender Core, respectively, through the following properties:

"included_avs"

"excluded_avs"

"included_avs" is set to "ALL" by default.

If you change this value from "ALL" to the name(s) of the antiviruses you want to use as they are reported by Metadefender Core (separating by a "|"), then only they will be included in Metadefender Core operations.

There are a few ways you can change these properties (described in detail in the Metadefender Core manual, or ). The following examples demonstrate how to set this using the herecommand line.

Examples:

https://onlinehelp.opswat.com/corev3/Command_Line_Utility.html

v3.13.0 519

1.

2.

1.

2.

You would like to use Avira and Eset. The precise directory depends on the number of installed engines.

cd "C:\Program Files (x86)\OPSWAT\Metadefender Core X\"omsCmdLineUtil config in="Avira|Eset"

You would like to exclude QuickHeal from scanning:

omsCmdLineUtil config ex="QuickHeal"

This article applies to Metadefender Core productThis article was last updated on 2016-08-31TV

How do I delete all scan logs from MongoDB and reset the database?

One way to free some disk space is by periodically removing the MongoDB data and logs. You could manually delete all log files located in the <Metadefender Core installation folder>\Mongo\log\ folder.

In order to permanently delete all scan logs and reset the Metadefender Core database, please do the following.

Caution: This means you will permanently erase all logged scan results made before. If you do not want to lose any data from MongoDB and you prefer to change the location of the database

.and logs, follow this KB

1. Open a command prompt .with administrative privileges

2. Change the directory to the directory where the Metascan Mongo Database is installed (e.g., cd "c:\program files\OPSWAT\Metadefender Core 4\Mongo\64+" for Metadefender Core 4).

3. Stop the Metascan service and the Metascan REST service by running the following commands:

net stop Metascan

net stop omsRest

mongo

4. Reset the database by running the following command:

mongo localhost:27018/metascan --eval "db.dropDatabase()"

https://onlinehelp.opswat.com/corev3/How_do_I_change_the_location_of_Metadefender_Core_logs_.html

v3.13.0 520

2.

1.

2.

mongo localhost:27018/omsdb --eval "db.dropDatabase()"

5. Start the Metascan service and the Metascan REST service by running the following commands:

net start Metascan

net start omsRest

This article applies to Metadefender Core 3.xThis article was last updated on 2016-09-01CA

How do I disable real-time protection of my anti-malware software if it is not allowed by corporate policy?

Anti-malware engines included with Metadefender Core do not install real-time protection agents. If you have an anti-malware product already installed on your system that is included as one of the anti-malware engines in your version of Metadefender Core, it will interfere with the scanning process performed by Metadefender Core. For this reason, it is recommend that you disable the real-time protection of your anti-malware product.

If your corporate policy does not allow you to disable your real-time anti-virus product, you will need to add some exception rules. As part of your exception rule, you need to exclude the folder where Metadefender Core is creating temporary files (configurable via temp_dir property) and the Windows Temp folder which by default is located in C:\Windows\Temp.

If you do not add this exception or if you do not disable real-time protection, results returned by Metadefender Core for scanning will not be consistent. The return value of scans would be one of the following:

Clean: If your existing anti-malware product was able to clean the threat.

Failed (or other errors): If your existing anti-malware product removed the file before Metadefender Core could scan it.

If you need help on how to add an exception rule to exclude a given folder from scanning for a anti-malware product, please what product you are using and we may be able to help tell usyou. Be sure to include the product version.


v3.13.0 521

1.

2.

3.

4.

1.

2.

3.

This article pertains to Metadefender Core Product.This article was last updated on 2016-08-30RR

How do I find my serial key / license key?

You can find your license key using the command line interface (CLI):

Open your CLI.

Navigate to the Metadefender Core folder (typically C:\Program Files (x86)\OPSWAT\Metadefender Core XX).

Enter the following command (without quotes): "omsLicMgrCLI.exe checklicense X" (where X is your package number).

Example 1: If you have a Metadefender Core 4, enter the following: omsLicMgrCLI.exe checklicense 4

Example 2: If you have a custom Metadefender Core, figure out the base package. Most often it is Metadefender Core 16, so you would enter the following: omsLicMgrCLI.exe checklicense 16

In the output, look for the value paired with the text “Key:”

You can also get your license key from the debug.txt file which is generated when you click in the Logs tab of the Metadefender Core Management Console.Export quick debug log

This article pertains to Metadefender Core productThis article was last updated on 2016-07-27CN

How do I install a RAM drive on an existing Metadefender Core installation?

When installing Metadefender Core for the first time, you will be given the option to install the RAM drive which will automatically configure itself for your installation.

If you wish to set up and configure the RAM drive for Metascan servers that are already running without reinstalling Metadefender Core, please follow the steps below:

Download the and extract it to a permanent location.RAMdrive ZIP file

Open the folder that corresponds to the number of bits for your Windows installation. For most customers, this will be the 64 folder.

https://s3-us-west-1.amazonaws.com/supportbucket/KnowledgeBase/RAMdrive.zip

v3.13.0 522

3.

4.

5.

6.

7.

8.

9.

10.

11.

12.

13.

1.

Run ramdrv_install.exe as an administrator.

Run ramdrv_restart.exe as an administrator.

Check your computer for the O: drive. If this drive is not present, restart the machine.

Open Windows Device Manager.

Under RAM Drive, double-click OPSWAT Secure RAM Disk.This menu allows you to configure the size of the RAM drive. Please read Note: this to understand how the RAM drive constraints should be set on your system.article

Allocate as much capacity as you feel comfortable. The larger the files you plan to scan, the larger you will want the RAM drive to be.

Metascan will not allow you to scan archives larger than half the available Note:temporary storage. To get around this limitation, we recommend setting a secondary temporary directory.

Open the Metascan Management Console and go to .Workflow > Scan Configuration

Set the Secondary Temp Directory to the current value of the Primary Temp Directory. Typically, this is C:\Windows\TEMP\.

Set the Primary Temp Directory to O:\.

In the tab, navigate to Archive Handling and ensure that the current archive Workflowsettings are adequate as they may have been lowered during the previous steps.

If you run a local antivirus with real-time protection, add an exclusion for the O: drive.

This article applies to Metadefender Core version 3.xThis article was last updated on 2016-08-10TV

How do I make Metadefender Core upload clean files to the FTP file server?

Metadefender Core provides the ability to specify custom scripts that will run after scanning every clean or infected file.

Using this feature, an administrator working with Metadefender Core can easily add custom script that will upload all clean files to file server. The following example is based on using FTP to upload files to file server.

Specify Custom Script from Command Line

Create an XML file with the following content.Code:



v3.13.0 523

1.

2.

1.

2.

3.

4.

<post_action>

<scripts>

<if type="0">echo OPEN myftpserver.myftp.com > ftp.scr&&echo

myusername>> ftp.scr&&echo mypassword>

ftp.scr&&echo cd test_post_action > > ftp.scr&&echo put

%%%file_path%%% > > ftp.scr&&echo CLOSE > > ftp.scr&&echo

quit > > ftp.scr&&ftp -s:ftp.scr</if>

</scripts>

</post_action>

Enable script by running the following commands from Metadefender Core installation directory.Code:

omsCmdLineUtil.exe config pa=<full path to the xml created in step 1>

Specify Custom Script in Metadefender Core Management Console

Open The Metadefender Core Management Console through the Start menu or go to .http://localhost:8008

Go to .Configuration > ScanEx Configuration > Post Processing

Under Clean Files, enable post action by selecting the checkbox next to Run custom command line script.

Enter the following script in the text box and click .ApplyCode:

echo OPEN > ftp.scr&&echo myusername>> ftp.myftpserver.myftp.comscr&&echo mypassword>ftp.scr&&echo cd test_post_action > > ftp.scr&&echo put %%%file_path%%% > > ftp.scr&&echo CLOSE > > ftp.scr&&echo quit > > ftp.scr&&ftp -s:ftp.scr

This article pertains to Metadefender Core v3 This article was last updated on 2016-09-01

HN

http://localhost:8008

http://myftpserver.myftp.com

v3.13.0 524

How do I modify the file size limit of the REST server in a remote Metadefender Core (formerly Metascan) configuration?

When using a remote Metadefender Core configuration that relies on the REST server, you can modify the file upload size limit. The default size limit is approximately 200MB. In order to change that size limit, perform the following actions on your Metadefender Core server machine:

1. Open the Web.config file with a Chrome or Firefox browser. By default, this file is located in the \REST\Web\folder. The complete path depends on the Metadefender Core version you are using:

- For Metadefender Core 1, use C:\Program Files (x86)\OPSWAT\Metadefender 1\REST\Web\Web *config file






2. In the httpRuntime XML tag, set the maxRequestLength value to the desired maximum file upload size. For example, to set the maximum file upload size to 2GB, use <httpRuntime maxRequestLength="2097151" requestLengthDiskThreshold=" 204800" />. The value in Note:maxRequestLength and requestLengthDiskThreshold is calculated in kilobytes. To set a proper value, you need a byte convertor that you can access from . 3. In the requestLimits tag, hereset the maxAllowedContentLength value to the maximum allowed file upload size. For example, for a 2GB size limit, use <requestLimits maxAllowedContentLength="2147482624" />. 4. Save and close the configuration file. 5. Restart the Metadefender Core REST service by opening a command prompt with administrator privileges.6. Enter net stop omsREST and then press .Enter7. Enter net start omsREST and then press . When setting your size limit, please be Enteraware of the following about maximum size limits:

These filesize parameters are IIS related configurations. IIS is the platform of the Metascan REST server.

http://www.whatsabyte.com/P1/byteconverter.htm

v3.13.0 525

1.

2.

3.

1.

2.

3.

The maximum IIS file upload limit is 3GB.

The values specified in the above instructions are the maximum values allowed by IIS. Setting higher values will result in file upload failures.

This article applies to Metadefender Core v3 productThis article was last updated on 2016-08-11CA

How do I set a password for the Metadefender Core Management Console?

In order to set a password for Metadefender Core Management Console, please follow the next steps:

Go to .http://localhost:8008/management/#/changepassword

Click the Automatic Login menu and select .Off

Enter the desired password, confirm it, and then click .Apply

This article applies to Metadefender Core v.3.x. product.This article was last updated on 2016-08-26.CN

How do I update my Metadefender Core Engines online?

To perform an online update:

The Metadefender Core Management Console is installed by default and can be launched from the Start menu or in any browser with network access to the Metadefender Core Server by navigating to .http://localhost:8008/management

In the Metadefender Core Management Console, click on the Configuration tab.

Here you can select to update specific engines or you can click 'Update All' to update all your currently active engines. (Please note that this can take some time depending on your internet connection speed)

You can also view a on the subject on the OPSWAT YouTube channel.short video tutorial

This article pertains to all supported Metascan versions

http://localhost:8008/management/#/changepassword

http://localhost:8008/management

https://www.youtube.com/watch?v=KAkAXzJpZ0c&list=PLQyU7yz1Zp48V_tAkhH7ZaMzHDYJ_VqoJ&index=6

v3.13.0 526

1.

2.

3.

4.

5.

6.

This article was last updated on 2015-06-30

EA

How do I update the AhnLab engine?

AhnLab is one of the engines included in Metascan 4, 8, 12, and 16. AhnLab is changing the way that it is distributing online updates. AhnLab has discontinued the previous method of distributing updates and online updating of AhnLab within Metascan no longer works.

You will need to update your Metascan installation only if all of the following apply:

Your installed version of Metascan is 3.9.0, 3.9.1, or 3.9.2.

Your installed package of Metascan is 4, 8, 12, or 16.

You use Metascan’s online updating functionality to update engine definitions.

Before upgrading the AhnLab engine, make sure you meet the following requirements:

Visual C++ redistributable 2013 x86

No engine is updating/scanning before upgrading engine

:To upgrade the AhnLab engine, do the following

Download the AhnLab engine installer from .here

Stop the Metascan service by opening an elevated command prompt and entering net stop metascan

Extract the package you downloaded from the link above.

Run the installer as Administrator.

Start the Metascan service by opening an elevated command prompt and entering net start metascan

Confirm the AhnLab engine is scanning and returns the valid definition time either from command line (by running the command omsCmdLineUtil.exe debug in the Metascan directory) either from the Metascan Management Console.

Note: Since the versions mentioned in this article are very old, we strongly recommend to upgrade to our latest version of Metadefender Core which have a lot of improvements and new features. The latest version of Metadefender Core can always be found on OPSWAT Portal.

This article pertains to Metascan 3.9.0, 3.9.1 and 3.9.2.This article was last updated on 2016-10-13.EF

https://s3-us-west-1.amazonaws.com/metascanbucket/ahnlab_26803.exe


v3.13.0 527

1.

2.

3.

4.

1.

2.

3.

4.

5.

How do I upgrade Metadefender Core while preserving configuration?

Some of Metadefender Core's components are stored in the Windows registry and others in a local configuration file. Therefore, it is important to preserve the configurations of these when upgrading. OPSWAT recommends using the backup and restore functionality in the Metadefender Core Management Console. Export the settings before uninstalling Metadefender Core and then import the settings after the new version of Metadefender Core has been installed. There is also a tool to export and import settings from the command line. To export your current configuration do the following:

Navigate to http://localhost:8008/management/

In the upper-right section of the page click on Backup / Restore

If you want to set a password for the exported configuration file, check Encrypt Backup with the following password and provide a password

Click on DOWNLOAD BACKUP

This backup, unfortunately, will only handle a portion of the needed configurations. Other configurations reside in the Metadefender Core configuration file (by default it's C:\Program Files\OPSWAT\Metadefender Core X\omsConfig.ini). In this file many antivirus engine specific configurations are placed, along with Custom Engine settings, DB controller settings, proxy settings and ICAP settings. NONE of this information is handled by the upgrade and if any information has been added to this file, it will be lost during the upgrade. Make a copy of this file and store it in a safe place before uninstalling for an upgrade. The same goes for any IISExpress web server changes the user might have made in the web.config file located in the Metadefender Core installation directory, Rest\Web folder. In this file, the user could have blocked certain API's or modified the file upload size by the variables maxRequestLength, requestLengthDiskThreshold and maxAllowedContentLength. Such changes are rather unlikely but make a copy of this file as well and place it somewhere safe. Now, the user can safely uninstall Metadefender Core and reinstall the new version, a restart may be required. After installing Metadefender Core do the following:

Navigate to http://localhost:8008/management/

In the upper-right section of the page click on Backup / Restore

Under Restore From Backup click Browse and select the previously exported configuration to import it

If you encrypted the backup file with a password, check Decrypt Backup with the following password and provide the password

Click on UPLOAD & RESTORE

(Optional) To import other non-registry settings please do the following:

http://localhost:8008/management/

http://localhost:8008/management/

v3.13.0 528

1.

2.

3.

1.

2.

3.

4.

5.

Copy over pertinent information to the new “omsConfig.ini” from the old "omsConfig.ini", being the engine-specific configurations such as “heuristic scanning” and “extract archive”, but NOT the “update server”. The reason that “update server” should not be changed is due to newer Metadefender Core releases may contain newer AV engine versions, which cannot use the old definition files.

If ICAP or Proxy is used, port those configurations over as well.

If the DB controller settings were , change them as well.changed by the Administrator


This article pertains to Metadefender Core v3 productThis article was last updated on 2016-09-01AF

How do I upgrade to the latest release of Metadefender Core v3?

In order to upgrade to a new release of Metadefender Core v3 you must do the following:

Save your existing configurations. This step only needs to be performed if you have modified the default configurations that come out-of-the-box with Metadefender Core v3. Guidelines on how to save existing configuration are located in our "How do I upgrade

article.Metadefender Core while preserving configuration?"

Stop your current release of Metadefender Core v3 if its still running.

Uninstall your current release of Metadefender Core v3.

Run the installer for the new release of the product which you can get it for free from .OPSWAT Portal - Metadefender Core v3 download section

https://www.youtube.com/watch?v=qb3PIo2Em5A&list=PLQyU7yz1Zp48V_tAkhH7ZaMzHDYJ_VqoJ&index=5

https://onlinehelp.opswat.com/corev3/How_do_I_upgrade_Metadefender_Core_while_preserving_configuration_.html




v3.13.0 529

5.

1.

Apply your saved configurations. This step is applicable only if you performed step 1. Guidelines on how to upload existing configuration are located in our "How do I upgrade

article.Metadefender Core while preserving configuration?"

Your license information (license keys and expiration dates) will remain intact as long as you install the new release on the same machine that the older version was on and you haven't refreshed the operating system.

If you have a Metadefender Core Custom installation (i.e. an installation that OPSWAT provided that includes custom engines) it is best to contact OPSWAT Support before upgrading to a new release. OPSWAT Support will then provide additional guidelines on how to upgrade the custom engines.


This article pertains to all supported Metascan versionsThis article was last updated on 2016-08-31CA

How fast can Metadefender Core process files?

our performance will vary based upon many factors.Y

These include:

The more engines you have, the longer the scans will take.

Customer licensed engines are slower than integrated engines.

Files stored locally scan faster than those which have to be transferred over the network, such as with the REST interface.

Using the option will improve performance.RAM Disk

Archive extraction comes before scanning, so archives take longer to scan.

For an estimate of what to expect, please see our .performance test


How is MongoDB usage secured with Metadefender Core?

Metadefender Core's MongoDB instance is secured in two ways:



https://www.youtube.com/watch?v=lcCVNd7Q6g4

https://onlinehelp.opswat.com/corev3/What_is_the_RAM_Drive_or_Ram_Disk_and_how_is_it_used_in_Metadefender_Core_.html

https://onlinehelp.opswat.com/corev3/Are_there_published_performance_specifications_for_Metadefender_Core_.html

v3.13.0 530

1.

2.

When a username and password is not supplied, MongoDB can ONLY be accessed via a localhost. Metadefender Core can access the MongoDB instance from the localhost while access from outside of the system is denied.

MongoDB's HTTP interface is disabled so that it cannot be accessed remotely via HTTP (this is different from ).DB authentication

For more details about securing Metadefender Core's MongoDB interface, please refer to .Security and MongoDB API Interfaces


How long is the support life cycle for a specific version/release of Metadefender Core v3?

OPSWAT provides support on each release of Metadefender Core for after the 18 monthspublication of the next release of the product (i.e. once a new release is published, you have 18 more months of support on the previous release). However, bug fixes and enhancements are applied only to the next release of a product, not to the current release or historical releases, even when those releases are still under support. In some cases hot-fixes can be provided for the current release of the product, and then incorporated as a regular fix in the next release.

OPSWAT strongly encourages customers to upgrade to the latest release on a regular basis and not to wait until the end of a releases supported life-cycle.

Note that prior to release v3.11.1, Metadefender Core was called Metascan. The name change does not affect the support life cycle of any of the releases, regardless of which name they were released under.

All releases older than v3.9.1 are no longer supported.

Release number Release date End-of-life date

3.12.5 22 Nov 2016

3.12.4 17 Oct 2016 22 May 2018

3.12.3 16 Sep 2016 17 Apr 2018

3.12.2 16 Aug 2016 16 Mar 2018

http://docs.mongodb.org/ecosystem/tools/http-interfaces/

http://docs.mongodb.org/manual/reference/program/mongod/#cmdoption--auth

http://docs.mongodb.org/manual/core/security-interface/

v3.13.0 531

3.12.1 24 Jun 2016 16 Feb 2018

3.12.0 16 May 2016 24 Dec 2017

3.11.2 07 Apr 2016 16 Nov 2017

3.11.1 24 Feb 2016 07 Oct 2017

3.11.0 10 Feb 2016 24 Aug 2017

3.10.1 22 Dec 2015 10 Aug 2017

3.10.0 17 Nov 2015 22 Jun 2017

3.9.5 20 Oct 2015 17 May 2017

3.9.4 16 Sept 2015 20 Apr 2017

3.9.3 18 Aug 2015 18 Mar 2017

3.9.2 20 Jul 2015 18 Feb 2017

3.9.1 13 Mar 2015 20 Jan 2017

3.9.0 9 Dec 2014 13 Sep 2016

This article pertains to all supported releases of Metadefender Core (formerly called Metascan). This article was last updated on 2016-11-23

TV

How would you recommend setting the RAM Disk size?

In order to take advantage of RAM disk technology, the total memory allocated on the Metadefender Core machine must be greater than or equal to the minimum settings required to run Metadefender Core. The system requirements for Metadefender Core are .here

In order to process multiple concurrent scan requests, the RAM disk must be big enough to hold the combined size of all of the files being scanned at any point in time. OPSWAT recommends the following way of estimating the size of the RAM disk:

https://onlinehelp.opswat.com/corev3/1.1._System_Requirements.html

v3.13.0 532

1.

2.

3.

RAM disk size = (Max number of simultaneous requests + 1) * Average size of a file * File type multiplier

Notes:

File type multiplier: If the majority of the scanned files are archives, this should be 2.

If the RAM disk is used as the primary temp directory, the maximum extracted archive file size will be half the size of the RAM disk for a single archive. If an archive exceeds that size, an error message appears unless a secondary temp directory is configured. If a secondary temp directory is configured, then the archive will use that temp directory to extract the archive. The size of the secondary temp directory is always half the available space on the drive.

This article applies to Metadefender Core 3.x

This article was last updated on 2016-08-10

TV

If I have an issue with Metadefender Core, what information does OPSWAT need in order to quickly troubleshoot my case?

In order to speed up the troubleshooting process of an issue, you should with a log a ticket summary of your issue and attach Metadefender Core debug information to that ticket. This information is important when troubleshooting scanning-related issues for Metadefender Core.

You can collect Metadefender Core debug information two eways: either via a web-based GUI or using CLI.

Method 1: Web-based GUI

Open a browser and navigate to the Metadefender Core Management Console ().http://localhost:8008/management

Go to the Logs tab

On the right-hand side of the page, select .Download > Verbose Log


http://localhost:8008/management

v3.13.0 533

3.

4.

5.

1.

2.

3.

4.

5.

Save the zip file (Metascan_Debug[...].zip) with the log files.

Attach Metascan_Debug[...].zip to your ticket using the button.Submit Large Files

Method 2: Using CLI


Change the directory to the one where Metadefender Core is installed (e.g., cd "c:\program files\OPSWAT\Metadefender Core").

Enter the debug command: omsDebugTool.exe all

Locate Metascan_Debug[...].zip in the directory where Metadefender Core is installed.

Attach Metascan_Debug[...].zip to your ticket using the button.Submit Large Files

If your issue appears only when Metadefender Core is called by your application, also attach a code snippet including the line where the Metadefender Core API is called and describe what is expected and what is returned.

This article applies to Metadefender Core 3.x This article was last updated on 2016-08-11TV

Is it normal for Metadefender Core to consume 100% of my CPU?

Metadefender Core might consume 100% of your CPU when it first starts. This happens only once (if you run Metadefender Core as a service, it happens when the machine first boots).

This happens because Metadefender Core is trying to detect the presence of any antivirus systems that may be placed on your machine. After running through this detection phase, Metadefender Core establishes a list of usable antiviruses on the machine, and never runs the detection phase again. After installing a new antivirus program, you should restart the

https://portal.opswat.com/en/support/requests/large_file

https://portal.opswat.com/en/support/requests/large_file

v3.13.0 534

Metadefender Core service.

Generally, the 100% of CPU consumption lasts for a short time (a minute or less) and then moves to the normal CPU consumption state.

Also, Metadefender Core automatically updates your installed antiviruses when it first starts, and then at pre-defined periods (every 24 hours is the default). If your antivirus requires a large update, it may take up some CPU time as well.


Is it safe to use Metadefender Core COM APIs in Multi-threaded Apartment?

Yes. Metascan COM APIs are thread-safe, so it is safe to use them in multi-threaded apartment

This article pertains to all supported Metadefender Core 3.x versions.This article was last updated on 2016-09-21.CA

Is Metadefender Core available on 64-bit operating systems?

Yes. Since version 3.11.2, Metadefender Core is only offered as a 64-bit application for Windows.

This article applies to Metadefender Core 3.11.2 or aboveThis article was last updated on 2016-08-29EF

Is Metadefender Core compatible with .NET Framework 4.5.2?

Metadefender Core is compatible with .NET Framework 4.5.2. NET 4.5.2 should be fully backward compatible with .NET 4.0. Please refer to https://msdn.microsoft.com/en-us/library

for more information./ff602939(v=vs.110).aspx

This article pertains to all supported versions of Metadefender Core 3.xThis article was last updated on 2016-08-30CA

https://msdn.microsoft.com/en-us/library/ff602939(v=vs.110).aspx

https://msdn.microsoft.com/en-us/library/ff602939(v=vs.110).aspx

v3.13.0 5351.

Is there a .NET version of Metadefender Core?

There is no version of Metadefender Core V3 or Metadefender Core v4 for Windows written in pure .NET technology.

However, Metadefender Core provides COM API's so that .NET clients can be integrated seamlessly.


Is there a virus test I could use to test Metadefender Core?

Tests to determine an engine's operation are rarely run with live malware. Fortunately, you can use a standard file called an EICAR Test File, which antivirus engines detect as positive even though no threat exists.The EICAR Test File is simply a text file containing the string listed below. Copy the string into a file and rename it to " ".eicar.com

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

For more information about the EICAR Test File, please visit the European Expert Group for IT-Security's .website


Metadefender Core shows a large number of files that failed to scan. What can I do?

Recent versions of Metadefender Core include an option that modifies the behavior of Metadefender Core when a specific engine fails to scan.

Under normal circumstances, all active engines scan every file. Occasionally, an engine will encounter a file that causes it to crash. When this happens, Metadefender Core will wait some time for the engine to recover, after which it will step in and restart the engine. During this time, the engine’s results will be logged as “Failed to scan”.

However, Metadefender Core can be configured to simply fail the scan if any of the engines report problems. In other words, it can toss out all partially incomplete scans.

Follow the instructions below to disable this option:

http://eicar.com

http://www.eicar.org/86-0-Intended-use.html

v3.13.0 536

1.

2.

3.

4.

1.

2.

3.

4.

Navigate to the Metadefender Core Management Console at http://localhost:8008./management

Click .Configuration

Select .Scan Configuration

Uncheck Detect scan failures.

This article applies to Metadefender Core product version 3.xThis article was last updated on 2016-09-08TV

My Customer Licensed Engine is not showing in Metadefender Core. What can I do?

Below are actions that must be done in order for Metadefender Core to recognize your Customer Licensed Engine:

Make sure the antivirus application has the latest updates.

Perform at least one scan on demand with your current antivirus.

Upgrade your Custom License Manager by following these steps:

Open an elevated command prompt on your Metadefender Core server.

Navigate to the Metadefender Core installation folder (the default location is C:\Program Files (X86)\OPSWAT\Metadefender Core X).

Enter omsCmdLineUtil.exe update cle-manager

Restart Metadefender Core Services.

If these do not fix the problem, please log a Support ticket using our .Portal

This article applies to Metadefender Core v 3.x.This article was last updated on 2016-08-24.CN

Test cases for different scan results on Metadefender Core

It's not possible to test every result. The results below only appear if there is an error related to specific files:



https://my.opswat.com/hc/en-us/requests

v3.13.0 537

Unknown

Aborted

The following are cases you can test:

Clean: You can test this with any file that you are certain is clean (e.g., a newly created text file).

Infected/Known: You can download an EICAR test file from http://www.eicar.org/85-0-.Download.html

Suspicious: This result is usually caused by an engine's heuristic algorithm. Since the heuristic algorithm is different from one engine to another, we do not have sample files for all of the engines. You could use the attached file below for testing (2-suspiciousSamples_Xvirus.zip), as it is detected as "suspicious" by XVirus engine which is one of the 42 engines of Metadefender Cloud ( ).https://www.metadefender.com/

FailedToScan: If you have any other antivirus which is installed separately from Metadefender Core, try to turn on its real time protection, then try to scan an infected file (e.g., eicar file), and you should get this result.

Cleaned: You can test this case by setting Clean Action to "Delete", then scanning an infected file. To do this, run this command:

<Metadefender Core install dir>\omsCmdLineUtil.exe config ca=2

Quarantined: You can test this case by setting Clean Action to "Quarantine", then scanning an infected file. To do this, run this command:

<Metadefender Core install dir>\omsCmdLineUtil.exe config ca=1

SkippedClean: You can get this result by adding the scanned file to the whitelist. For instructions on how to add files to the whitelist, please refer to Metadefender Core

, page 87.Documentation

SkippedDirty: You can get this result by adding the scanned file to the blacklist. For instructions on how to add files to the blacklist, please refer to Metadefender Core

, page 87.Documentation

Exceeded Archive Depth: You can set "Max recursion level" with a small integer (e.g., 2) at in the http://localhost:8008/management/#/configuration-scan_configurationScanEx Configuration section. Then create an archive file which has archive depth greater than 2 for testing.

Not Scanned: You can try to kill all processes of the available engines by running this command:

taskkill /F /IM omsAMEHandler.exe

http://www.eicar.org/85-0-Download.html

http://www.eicar.org/85-0-Download.html

https://www.metadefender.com/

http://software.opswat.com/metascan/Documentation/Metascan/documentation/!SSL!/Printed_Documentation/Metadefender_Core_Product_Documentation.pdf




http://localhost:8008/management/#/configuration-scan_configuration

v3.13.0 538

If you have custom engines, please run this command as well:

taskkill /F /IM omsCEHandler.exe

Then scan an arbitrary text file to get this result.

Encrypted: You can test this with any password-protected archive.

Exceeded Archive Size: You can set "Max total size of extracted files" with a small value (e.g., 5 MB) at http://localhost:8008/management/#/configuration-

in the ScanEx Configuration section. Then create an archive file with scan_configurationa total size of over 5 MB after extracting for testing.

Exceeded Archive File Number: You can set "Max number of files extracted" with a small value (e.g., 10) at http://localhost:8008/management/#/configuration-

in the ScanEx Configuration section. Then create an archive file scan_configurationwhich has more than 10 files after extracting for testing. Alternately, you can download a sample at https://s3.amazonaws.com/opswat-metascan-online-files/b07fcd92c31d5c45df2ccc3b66f16e05/6f97d459a0ee497ba650ff7ba07f3f72

This article pertains to Metadefender Core v.3.x.This article was last updated on 2016-09-02CN

Updated archive handling libraries

We have updated the archive handling libraries to support extraction of more types of ISO archives. These updated libraries are included in Metascan releases 3.9.3 and later, as well as in all versions of Metadefender Core.

OPSWAT recommends upgrading to the latest version of Metadefender Core (formerly known whenever possible.as Metascan)

This article pertains to Metadefender Core versions older than 3.9.3.This article was last updated on 2016-08-24CA

What are the maximum values for archive extraction settings?

The maximum value of "Max number of files extracted" is 2147483646.





https://s3.amazonaws.com/opswat-metascan-online-files/b07fcd92c31d5c45df2ccc3b66f16e05/6f97d459a0ee497ba650ff7ba07f3f72

https://s3.amazonaws.com/opswat-metascan-online-files/b07fcd92c31d5c45df2ccc3b66f16e05/6f97d459a0ee497ba650ff7ba07f3f72

v3.13.0 539

The maximum total size of extracted files is half the current available free space of the Metadefender Core temporary directory. If two temporary directories are set from different drives, the highest available space will be used.

This article pertains to all supported versions of Metadefender Core 3.x.This article was last updated on 2016-08-31.TT

What does "This key has reached the maximum usage" mean?

You will typically see the message "This key has reached the maximum usage" when you are trying to activate a new instance of Metadefender Core v3. This means that you have already used all of your purchased activations.

Typically there is no need to reactivate a license on a machine that already has or had Metadefender Core v3 installed (e.g., you do not need to reactivate if you uninstalled and are now re-installing the application).

If you want to install Metadefender Core v3 on additional machines and no longer have any unused activations, you need to contact OPSWAT Sales (sales@ ) about opswat.compurchasing more activations

If you are looking to transfer an activation from one machine to another machine (e.g., you are retiring the machine that initially hosted your Metadefender Core v3 and now want a new machine to host it), you need to log a ticket with OPSWAT Support using the "License Transfer

topic.Request"

This article pertains to Metadefender Core Product v3.This article was last updated on 2016-09-01RR

What do the 'skipped clean' and 'skipped dirty' scan results mean?

The scan results 'skipped clean" and "skipped dirty" are returned when a file's hash matches a hash that has been whitelisted or blacklisted, respectively. Whitelisting and blacklisting allows Metadefender Core administrators to eliminate false negatives/positives without waiting for engine vendors to update their detection definitions.

http://opswat.com



v3.13.0 540

1.

2.

In Metadefender Core 3.x, the feature is only available through the Metadefender Core CLI. Whitelists and blacklists will be available through the Metadefender Core Management Console in Metadefender Core 4.x.

You can read more about whitelisting and blacklisting .here

This article pertains to Metadefender Core 3.x.This article was last updated on 2016-08-30.RR

What file type conversions are supported in Metadefender Core 3.x?

OPSWAT introduced file type conversion functionality in Metadefender Core 3.8.1. As part of the workflow, Metadefender Core allows administrators to specify that certain file types are converted to other files types (e.g., Microsoft Word documents are converted to PDFs).

By adding this step to the data processing workflow, zero-day attacks where malicious objects are embedded into office documents or image files can be eliminated, even if no antivirus engine detects the threat.

File type conversions allow you to eliminate zero day threats that are embedded into document or image files.

You can check the conversion files by following these steps:

Open the Metadefender Core Management Console and select Configuration > .Workflows

In the Workflow Profiles section, click the Convert docs profile and then click Data Sanitization.

Here you will find all the files types conversion supported in Metadefender Core V3.

https://onlinehelp.opswat.com/corev3/Can_I_whitelist_or_blacklist_a_file_so_that_Metadefender_Core_will_always_treat_it_as_clean_or_dirty,_respectively_.html

v3.13.0 541

You can sanitize a file manually from the command line by typing the following command in the Metadefender Core installation directory: omsCmdLineUtil.exe convert (file path) (target file path) (output folder path)

Below is an example of sanitizing the Metadefender Core Product Documentation to .png image format and the output.

v3.13.0 542

To view the sanitization file format support, enter the following command in the Metadefender Core installation directory: omsCmdLineUtil.exe getinfo

This article applies to Metadefender Core 3.x, versions 3.8.1 or laterThis article was last updated on 2016-08-12RR

What is a Customer Licensed Engine?

"Customer licensed engine" is the term used to describe an antivirus application that is already installed on your server (for example, an antivirus application that is installed on all computers in your corporate environment) which can then be incorporated as another engine to be used by Metadefender Core. You can view a list of antivirus applications that can be used as a customer licensed engine . A compatible antivirus application that is installed on the server herewill be automatically detected and made visible as an engine in the Metadefender Core Management Console (MMC). You can then use the MMC to enable the engine for


v3.13.0 543

Metadefender Core. Metadefender Core's embedded engines are configured for optimal Note: performance, whereas a customer licensed engine is not. Thus, the performance of Metadefender Core can be adversely affected by a customer licensed engine. This article pertains to Metadefender Core 3.x. Customer Licensed Engines are not supported in Metadefender Core 4.x.This article was last updated on 2016-08-30.EF

What is a Metadefender Client for licensing purposes?

Metadefender Core tracks the number of remote clients that connect to the server and access scanning functionality. The number of clients in any 24 hour period cannot exceed the number licensed for a Metadefender Core server.

For licensing purposes, a Metadefender Client is any remote system that is scanning files through either the REST or ICAP interfaces. For clients connecting through the REST interface, the number of clients is equal to the number of systems accessing the REST interface, as measured by unique IP addresses. For scanning through the ICAP interface, Metadefender counts the number of unique endpoints scanning files through the proxy server.

By default, the Metadefender Core license includes 25 Metadefender Clients. You can increase the number of clients by purchasing an additional license provided by OPSWAT.

For more information on the and , please consult the Metadefender REST ICAP interfacesMetadefender Core Documentation.

This article applies to Metadefender Core products, versions 3.x.This article was last updated on 2016-07-27CN

What is a sanitized file?

A sanitized file is a file which has been gone through a process to strip any embedded objects and exploits while preserving the usability of a file. The sanitized will still have the format and file extension of the original file (unless its been explicitly set up to be converted to another type of file). For example, a sanitized PDF will still contain the PDF format, contain the .PDF extension, and be accessible by a PDF reader.

Some of the actions performed as part of santization can include:

Removing all attachments and document action

Removing all annotations

Removing java script

https://onlinehelp.opswat.com/corev3/REST_API_(v2).html

https://onlinehelp.opswat.com/corev3/7._Metadefender___ICAP_Server.html

v3.13.0 544

Making the form fields present in PDF file un-editable/in-accessible so that the user cannot update the values

Removing hyperlinks

Recent versions of Metadefender Core v3 allow administrators to create sanitization processes as part of the file type conversion process. For more information refer to the user manual:

For Metadefender Core v3, read about it in the Online Metadefender Core v3 Documentationat Configuring Metadefender Core v3 > Workflow Profile Configuration -> Creating a New Workflow Profile

Metadefender Core v3 supports file type sanitization for many of the most common types of document files. If you have a request for a file type that we do not support, log a ticket with us on the to let us know. Though we cannot make any commitments as to when OPSWAT portalwe will add support, we are always looking to add new file types that are commonly used by our customers.

This article pertains to Metadefender Core v3This article was last updated on 2016-08-31.CA

What is Metadefender Core file type detection?

Metadefender Core support file type detection is also referred to as 'file type analysis', 'file type mismatch', 'file mismatch analysis', etc.

Common uses of file type detection include (1) monitoring for discrepancies between a file extension and a detected file type and (2) altering the workflow of files based on certain file types (e.g., blocking files of a certain file type from entering a file system).

Metadefender Core supports file type detection via the API (introduced in Metascan 3.7.4) and the CLI (introduced in Metascan 3.8.1). More information can be found in the Metadefender Core User Guide.

Metadefender Core file type detection is driven by an OPSWAT proprietary algorithm that combines the logic as well as logic. As of this writing, there are 5837 file "Magic Number" TrIDtypes that can be detected and compared to the file extension; a complete listing can be found at the .TrID site

File type detection / analysis is not as accurate as other file metadata analysis. There will be cases where the Metadefender Core file identification engine will not be able to correctly analyze the file type. In these cases, you can submit a ticket with the file to OPSWAT Supportfor more investigation. However, we cannot guarantee that we will be able to fix the underlying issue and we cannot provide an expected turnaround time to provide an answer.

https://onlinehelp.opswat.com/corev3

https://onlinehelp.opswat.com/corev3

https://onlinehelp.opswat.com/corev3/2.4.1._Creating_a_New_Workflow_Profile.html

https://onlinehelp.opswat.com/corev3/2.4.1._Creating_a_New_Workflow_Profile.html

https://portal.opswat.com/

http://en.wikipedia.org/wiki/File_format#Magic_number



https://portal.opswat.com/en/support

v3.13.0 545

Note that while file type detection functionality is based on the logic above, file scanning functionality is not limited to these file types.

This article pertains to Metadefender Core 3.xThis article was last updated on 2016-09-08CA

What is the difference between Scan, PutToScanQueue, and ScanEx?

Scan and PutToScanQueue are old functions which have been replaced by ScanEx. ScanEx provides more flexibility to programmers.

Scan and ScanEx with the sync flag set are synchronous calls, meaning they will not return until all results have been received from the the underlying scanning engines.

PutToScanQueue and ScanEx without the sync flag set are asynchronous calls, meaning they return immediately and results are returned via callbacks (COM connection points).

Both synchronous and asynchronous scans depend on the thread pool. Anytime you call a scan function, the work is dispatched to a worker thread. That worker thread is then allocated to scan the file/buffer with one engine. If no worker threads are available, the request will wait until one is available.

To learn more about synchronous and asynchronous scans on Metadefender Core, please refer to the documentation .here

This article pertains to Metadefender Core Product.This article was last updated on 2016-08-10TV

What is the frequency of signature / definition updates?

There are two parameters that determine the frequency of signature/definition updates:

The frequency with which each antivirus vendor releases an update

The configuration setting on your Metadefender Core or Metadefender Kiosk installation that specifies the time interval between system checks and applying new updates.

Most of the antivirus vendors release definitions at least once per day. Many release multiple daily. Some vendors release updates on weekends while others do not.

https://onlinehelp.opswat.com/corev3/5._Important_Concepts_and_Terminology.html

v3.13.0 546

1.

2.

If you use OPSWAT's online update mechanism to apply updates (i.e. via direct internet connection) then you can configure the update interval to suit your needs. The default setting that comes with a new installation of Metadefender Core or Metadefender Kiosk is every 1440 minutes (once per day).

If you are using manual updates (aka offline updates) the frequency is controlled by how often you download and apply the offline update package from OPSWAT.

This article pertains to Metadefender CoreThis article was last updated on 2016-07-07CN

What is the maximum file upload size limit when accessing Metadefender Core through the REST server?

When scanning files through the Metadefender Core REST API, you can modify the file upload size limit to a maximum of 3GB. This maximum size is based on the limit set by IIS, which is the underlying platform of the Metadefender Core REST server. The default size limit (the limit as set with a fresh Metadefender Core installation) is 200MB.

For more information about changing the size limit, please click .here


What is the RAM Drive or Ram Disk and how is it used in Metadefender Core?

The RAM Drive (or RAM Disk) is a block of RAM that the computer treats as a disk drive (secondary storage). It serves two purposes:

It is much faster than other forms of storage media, thus speeding the scanning process.

It is more secure then a fixed disk because the contents of the disk are wiped clean on reboot. For example, if the system crashes during the scan process, the files do not inadvertently stay stored in the workspace being used by the antivirus engines.

The RAM Drive is an optional configuration in the Metadefender Core installation process. It is used as a location for temporary files used by the scanning process.Since the RAM Drive uses system RAM, please make sure that you configure the RAM Drive's size so that you have enough remaining RAM for at least the minimum system requirement of the version of Metadefender Core you are using. For further details on how to install and configure a RAM

https://onlinehelp.opswat.com/corev3/How_do_I_modify_the_file_size_limit_of_the_REST_server_in_a_remote_Metadefender_Core_(formerly_Metascan)_configuration_.html

v3.13.0 547

Drive for your Metadefender Core server, please refer to . This the online documentation articleexplains how to configure the Ram Disk size. This article applies to Metadefender Core v.3.x. productThis article was last updated on 2016-08-30CN

What is the support lifecycle for OPSWAT Appliances?

For OPSWAT sold hardware, support is available no less than 5 years from the date it is last sold. OPSWAT retains the right to update the specifications of our hardware as more optimal components become available, so later purchases or replacement units may use different components of equal or better performance specifications. There is a yearly hardware maintenance fee which must be kept up to date in order to receive hardware support which is an addition to any software licensing costs.

Metascan/Metadefender Core Appliance V1

1u form factor

Dual 6 core Xeon processors

32gb ECC RAM

Dual 200gb SSDs in RAID 1

Hot swappable power supplies

TAA compliant

Last sold Date: not yet set

What is covered by hardware maintenance

All support provided via OPSWAT

Advanced replacement for Blocker HW issues included

Hard drives can be kept/destroyed in the event a replacement is necessary

This article pertains to Metadefender Core ApplianceThis article was last updated on 2016-06-22CN

What operating system patches should I apply to the system hosting Metadefender Core?

We recommend that you keep the operating system hosting Metadefender Core completely updated with the latest operating system updates.

https://onlinehelp.opswat.com/corev3/RAM_Disk_Configuration.html

https://onlinehelp.opswat.com/corev3/How_would_you_recommend_setting_the_RAM_Disk_size_.html

v3.13.0 548

The systems in OPSWAT's labs are updated with the latest patches and thus Metadefender Core is tested and optimized for that condition.

This article applies to Metadefender Core productThis article was last updated on 2016-08-26HN

What should you do if you have anti-malware on the same machine as Metadefender Core (formerly Metascan) ?

If you have anti-malware installed on the same machine as Metadefender Core (formerly Metascan), we recommend that the Metadefender installation directory (C:\Program Files (x86)\OPSWAT) as well as Metadefender's temporary directory be excluded from the anti-malware engine's real-time protection

The real-time protection feature provides automatic protection which checks computer systems for suspicious activity in real-time. If a file is detected as infected, the anti-malware will try to clean or delete that file before Metadefender Core will have the chance to scan it. This will affect Metadefender Core's results and/or performance.

This article pertains to all Metadefender Core products.This article was updated on 2016-08-11.CA

What URLs must be whitelisted to allow access to virus definition updates?

To download incremental/full updates for engine definitions, you must allow Metadefender Core to communicate with the servers listed below. Depending on the scan engines you are using, you may include a subset of the servers.

The following table describes the servers which Metadefender Core connects to for each corresponding scan engine. Some scan engines have two URLs because Metadefender Core initially connects to and then redirects to its final destination.metascan.dl.opswat.com

If your firewall or router blocks HTTP redirection (302 status code), you must consult with your administrator to handle this configuration properly.

Note: Server URLs and IPs are subject to change without notification.

Note: Avira version 26150 must use https://metascan.dl.opswat.com/avira2

Avira version 30011 must use 3 https://metascan.dl.opswat.com/avira

http://metascan.dl.opswat.com

http://54.67.6.71/avg2

http://54.67.6.71/avg2

v3.13.0 549

Engine URL PORT

Clamwin database.clamav.net :80

ESET metascan.dl.opswat.com :80

Avira https://metascan.dl.opswat.com/avira :443

https://metascan.dl.opswat.com/avira2 :443

https://metascan.dl.opswat.com/avira3 :443

AhnLab *.ahnlab.com :80

ahnlab.nefficient.co.kr :80

Total Defense consumerdownloads*.totaldefense.com :80

Quickheal metascan.dl.opswat.com/quickheal1400 :80

BitDefender upgrade.bitdefender.com :80

AVG https://metascan.dl.opswat.com/avg2 :443

c1515002.r2.cf0.rackcdn.com :80

K7 http://updates.k7computing.com :80

Inca/Nprotect https://metascan.dl.opswat.com/nprotect :443

Zillya! http://updateserver.zillya.com :80

Virusblokada https://metascan.dl.opswat.com/virusblokada :443

Emsisoft update.emisisoft.com :80

dl.emsisoft.com :80

Frisk/F-Prot directupdates.f-prot.net :80

http://database.clamav.net


https://metascan.dl.opswat.com/avira3




http://ahnlab.com

http://ahnlab.nefficient.co.kr

http://consumerdownloads8.totaldefense.com

http://metascan.dl.opswat.com/quickheal1400

http://upgrade.bitdefender.com

https://metascan.dl.opswat.com/avg2

http://c1515002.r2.cf0.rackcdn.com

http://updates.k7computing.com

https://metascan.dl.opswat.com/nprotect

http://updateserver.zillya.com

https://metascan.dl.opswat.com/virusblokada

http://update.emisisoft.com

http://dl.emsisoft.com

http://directupdates.f-prot.net

v3.13.0 550

fprot*.ctmail.com :80

Kaspersky http://metascan.dl.opswat.com/kaspersky :80

McAfee update.nai.com :80

download.nai.com :80

Symantec liveupdate.symantec.com :80

F-Secure fsbwserver.f-secure.com :80

Lavasoft definitionsbd.lavasoft.com :80

downloadnada.lavasoft.com :80

Microsoft Security Essentials

v4.windowsupdate.microsoft.com :80

Nano updates.nanoav.ru :80

metascan.dl.opswat.com/nano (EE) :80

Trend Micro metascan.dl.opswat.com :80

TM Housecall metascan.dl.opswat.com :80

Netgate www.ngt.sk/update/* :80

Ikarus http://mirror03.ikarus.at/updates/ :80

http://mirror01.ikarus.at/updates/ :80

Systweak updates3.systweak.com; :80

updates4.systweak.com :80

Fileseclab fdrfilup.filseclab.com, :80

http://fprot*.ctmail.com

http://metascan.dl.opswat.com/kaspersky

http://update.nai.com

http://download.nai.com

http://liveupdate.symantec.com

http://fsbwserver.f-secure.com

http://definitionsbd.lavasoft.com

http://downloadnada.lavasoft.com

http://v4.windowsupdate.microsoft.com

http://updates.nanoav.ru

https://opswat.atlassian.net/wiki/metascan.dl.opswat.com/nano%20(EE)



http://www.ngt.sk/update/*

http://mirror03.ikarus.at/updates/

http://mirror01.ikarus.at/updates/

http://updates3.systweak.com

http://updates4.systweak.com/

http://fdrfilup.filseclab.com

v3.13.0 551

filup21.dot5hosting.com, :80

filup01.filseclab.com, :80



filup05.filseclab.com :80

update3.filseclab.com, :80

Stopzilla download.stopzilla.com :80

TGSoft/Vir.IT. metascan.dl.opswat.com :80

Sophos metascan.dl.opswat.com :80

Xvirus Personal Guard

metascan.dl.opswat.com :80

IP addresses are not included in the table above because they cannot be guaranteed to remain constant. For example, Metadefender Core connects to Rackspace CDN which has different hosting servers depending on your location. You must check the IPs of those URLs (*.rackcdn.

). To check the IPs for those URLS, you can use the the nslookup command from the comCommand Prompt.

Note: You may also need to grant access to the following URLs to allow the software to update itself:

verisign.com

onlineupdates.cdn.opswat.com

msftncsi.com

e.g., nslookup c1515002.r2.cf0.rackcdn.com

Antivirus vendors use similar hosting services and therefore the firewall rules should rely on the URLs presented above.

This article pertains to Metadefender CoreThis article was last updated on 2016-08-31CA

http://filup21.dot5hosting.com

http://filup01.filseclab.com




http://update3.filseclab.com

http://download.stopzilla.com

http://metascan.dl.opswat.com/


http://metascan.dl.opswat.com/

http://rackcdn.com

http://rackcdn.com

http://verisign.com

http://onlineupdates.cdn.opswat.com

http://msftncsi.com

http://c1515002.r2.cf0.rackcdn.com/

v3.13.0 552

When I click Apply after I change the maximum total size of extracted files, I get an "Update failed" message. Why is that?

Usually this error indicates that you have tried to set a value which is bigger than half of your current available disk space in Metadefender Core temporary directory.

For example, if you have 20 GB of disk space available and you set the maximum total size of extracted files at 11 GB, you will get an "Update failed" message.

The maximum allowed amount for this setting is 10 GB.

This article applies to Metadefender Core productThis article was last updated on 2016-08-30CA

When will the updates for ThreatTrack and Agnitum no longer be available ?

Starting with Metadefender Core version 3.12.0, ThreatTrack and Agnitum will be discontinued and replaced with Zillya! and Ikarus respectively.

Legacy Metadefender Core packages will continue to support Agnitum and Threat Track definition updates until May 15, 2017.

If you are using any other version which is older than 3.12.0., please make sure you upgrade your Metadefender Core installation by the end of Q1 2017 as afterwards, these two engines will not receive updates for virus signatures.

This article applies to Metadefender Core 3.12.0 and aboveThis article was last updated on 2016-05-27.CA

Where are all of the Metascan knowledge base articles that I used to access?

In February, 2016, with the release of 3.11.1, OPSWAT renamed Metascan to Metadefender Core. Knowledge base articles that had been in the Metascan section of our knowledge base were reviewed and either moved to the section or, in cases where the Metadefender Core v3

https://portal.opswat.com/en/knowledge-base/sections/201829086

v3.13.0 553

article was deemed no longer applicable, removed entirely from our knowledge base. Even articles that pertain solely to releases of the product from before 3.11.1 are now in the Metadefender Core v3 section, though in these cases the article body might refer to the product as Metascan.

Articles that have been moved to the Metadefender Core v3 section might have gotten new URLs associated with them.You can use the search box to find an article, or simply scroll through the list of articles in the Metadefender Core v3 section to find all the published articles that are of interest to you. If you still cannot find what you are looking for, contact .Support

This article applies to Metascan productThis article was last updated on 2016-08-16RR

Where can I submit false positives detected by Metadefender Core?

Below is a list of where you can send false positives detected by Metadefender Core to:

AhnLab

Email 1: [email protected] 2: [email protected]

Avira AntiVir

Submission: http://analysis.avira.com/samples/

AVGEmail: [email protected]: https://support.avg.com/SupportArticleView?urlname=How-to-report-a-false-incorrect-detectionSubmission: http://cgi.clamav.net/sendvirus.cgi

BitDefenderSubmission: http://www.bitdefender.com/submitEmail: [email protected]

ClamAVSubmission: https://www.clamav.net/reports/fp

http://analysis.avira.com/samples/

https://support.avg.com/SupportArticleView?urlname=How-to-report-a-false-incorrect-detection

https://support.avg.com/SupportArticleView?urlname=How-to-report-a-false-incorrect-detection

http://cgi.clamav.net/sendvirus.cgi

http://www.bitdefender.com/submit

http://www.bitdefender.com/submit

https://www.clamav.net/reports/fp

v3.13.0 554

EmsisoftSubmission: https://www.emsisoft.com/en/support/submit/

ESET / Nod32Email: [email protected]: http://kb.eset.com/esetkb/index?page=content&id=SOLN141

FilseclabEmail: [email protected]

F-PROTSubmission: http://www.f-prot.com/virusinfo/false_positive_form.html

F-SecureSubmission: https://www.f-secure.com/en/web/labs_global/submit-a-sample

IkarusEmail 1: [email protected] 2: [email protected]

K7Email: [email protected]

KasperskyEmail: [email protected]: https://newvirus.kaspersky.com/Info: http://forum.kaspersky.com/index.php?showtopic=13881

LavasoftSubmission: http://www.lavasoft.com/support/securitycenter/report_false_positives.php

McAfeeInfo: https://kc.mcafee.com/corporate/index?page=content&id=KB85567Email: [email protected]: https://kc.mcafee.com/corporate/index?page=content&id=KB67411

Microsoft Security Essentials and Windows DefenderEmail: [email protected]: https://www.microsoft.com/security/portal/submission/submit.aspxInfo: http://www.microsoft.com/windows/products/winfamily/defender/fpform.mspx

nProtectEmail: [email protected]

https://www.emsisoft.com/en/support/submit/

http://kb.eset.com/esetkb/index?page=content&id=SOLN141

http://www.f-prot.com/virusinfo/false_positive_form.html

https://www.f-secure.com/en/web/labs_global/submit-a-sample

https://newvirus.kaspersky.com/

https://newvirus.kaspersky.com/

http://forum.kaspersky.com/index.php?showtopic=13881

http://www.lavasoft.com/support/securitycenter/report_false_positives.php

https://kc.mcafee.com/corporate/index?page=content&id=KB85567

https://kc.mcafee.com/corporate/index?page=content&id=KB67411

https://www.microsoft.com/security/portal/submission/submit.aspx

https://www.microsoft.com/security/portal/submission/submit.aspx

http://www.microsoft.com/windows/products/winfamily/defender/fpform.mspx

v3.13.0 555

1.

2.

Quick HealInfo: http://support.quickheal.com/v4/index.php?/Tickets/Submit/RenderForm

SophosSubmission: https://secure.sophos.com/support/samples/Info: http://www.sophos.com/support/knowledgebase/article/35504.html

STOPzillaSubmission: http://www.stopzilla.com/support/false-positive/

Symantec / NortonSubmission: https://submit.symantec.com/dispute/false_positive/

SystweakInfo: http://support.systweak.com/kayako/index.php?/Tickets/Submit

Trend MicroEmail: [email protected]: http://www.trendmicro.com/us/about-us/detection-reevaluation/Info: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1031392.aspx

VirIT/TGSoftSubmission: http://www.tgsoft.it/italy/file_sospetti.asp

VirusBlokAdaEmail: [email protected]: http://www.anti-virus.by/check/

XvirusEmail: [email protected]

ZillyaEmail: [email protected]

This article pertains to all Metadefender Core packages including the engines above.This article was last updated on 2016-08-31RR

Where is Metadefender Core's temp directory located?

You can locate the temp directory of the Management Console by following these steps:

Access the Management Console by going to http://localhost:8008/management.

http://support.quickheal.com/v4/index.php?/Tickets/Submit/RenderForm

https://secure.sophos.com/support/samples/



http://www.sophos.com/support/knowledgebase/article/35504.html

http://www.stopzilla.com/support/false-positive/

https://submit.symantec.com/dispute/false_positive/

http://support.systweak.com/kayako/index.php?/Tickets/Submit

http://www.trendmicro.com/us/about-us/detection-reevaluation/

https://esupport.trendmicro.com/en-us/home/pages/technical-support/1031392.aspx

http://www.tgsoft.it/italy/file_sospetti.asp

http://www.anti-virus.by/check/

v3.13.0 556

2.

3.

4.

1.

2.

3.

4.

Click the Configuration tab.

On the left navigation panel, select Scan Configuration.

The screen displays the Primary Temp Directory, where you can view and/or change the location of the temp directory.

You can also locate the temp directory using the command line (on Windows only):

Press the Start button, enter cmd, and click Enter*. The command prompt appears.Note: For operating systems other than Windows 7, click Run to open the command prompt.

Enter cd, then the file path of the Metadefender Core installation folder, and click Enter.

Enter omscmdlineutil.exe getinfo and click Enter.

The readout has the location of the temp directory (in most cases it will be C:\Windows\TEMP, which is the non-RamDrive default).

This article pertains to Metadefender CoreThis article was last updated on 2016-06-24CR

Which antivirus engines are designated by Metadefender Core as "customer licensed engines"?

While many antivirus products will work as customer licensed engines (CLEs), OPSWAT does not maintain a comprehensive list of these products, nor does OPSWAT officially support any products as compatible engines. Metadefender Core requires integration functionality to be available on the antivirus product in order to work, but it is up to the antivirus product vendors to make that functionality available.

Below are the results of testing we did in our labs on the latest releases of the most popular antivirus products on the market. However, we strongly recommend that you validate the integration of Metadefender Core with your antivirus product to determine if it will work for you. If this integration is key to the way you want to use Metadefender Core, we recommend doing this before you make your Metadefender Core purchase.

In some cases, we can help you test your integration. If you can provide us with an installer of the antivirus product, we can test the integration in our labs and give you the results, although positive results do not constitute binding support for the integration.

Popular antivirus products tested successfully as CLEs on Metadefender Core are as follows:

avast! Premier 10.2.2218

AVG Internet Security 2015.0.5863

v3.13.0 557

1.

2.

3.

ESET Endpoint Antivirus 6.1.2222.0

F-Secure Internet Security 14.132.102.0

Fix-it Utilities 8 Professional 8.0.2.2

McAfee VirusScan Enterprise 8.8.0.1274

Sophos AntiVirus 10.3.11

This article pertains to Metadefender Core 3.x.This article was last updated on 2016-08-18.CN

Which antivirus products are compatible with Metadefender Core?

Metadefender Core is sold in packages with each package containing a bundle of engines. The engines included in each bundle .are listed here

Metadefender Core also supports , which means that certain Customer Licensed Enginesantivirus products already existing on your machine can be controlled through the Metadefender interface, similarly to a built-in engine. A list of these engines can be found .here

If you do not see the antivirus product you wish to use, to request that submit a support ticketsupport for that product be added.

This article pertains to Metadefender Core versions 3.xThis article was last updated on 2016-08-09RR

Why am I getting a COM UnauthorizedAccessException error: 80070005 when working with Metadefender Core from ASP?

You will see this error if you do not have the proper permissions.

You can resolve the "COM UnauthorizedAccessException" error by doing the following:

Check your IIS setting:

In IIS, right-click on your project and choose .Properties

Select . Directory security

Click on Anonymous access.Edit

Make note of the username (copy the name or CTRL+C).

Go to DCOM config ( or ).Start > run > dcomcnfg Win-R > dcomcnfg

https://www.opswat.com/products/metadefender/packages

https://onlinehelp.opswat.com/corev3/What_is_a__Customer_Licensed_Engine__.html

https://www.opswat.com/products/metadefender/packages


v3.13.0 558

3.

4.

5.

6.

7.

Go to .My Computer > DCOM config > Metascan

Right-click and select .Properties

Click the Security tab:

Launch and Activation: Edit, add username (paste or CTRL+V) and give all local permissions.

Access Permissions: Edit, add username (paste or CTRL+V) and give all local permissions.

Configuration Permission: Edit, add user and give full control.

Restart Metadefender Core service.

Restart IIS.


Why did Metadefender Core stop working on Windows 10 ?

If you are using Windows 10 and applied the Anniversary Update, your REST service will stop functioning.

To fix this issue, please follow the steps below :

1. Open an elevated Command Prompt by clicking Start, typing cmd in the search bar, right-clicking the command prompt and selecting run as administrator2. Type net stop omsrest3. Uninstall IIS Express 8.04. Install IIS express 8.0 again. If you need any guidance for installing IIS express 8.0., please check https://www.microsoft.com/en-us/download/details.aspx?id=346795. Type net start omsrest

For more information about the update, please check the related .Microsoft page

This article pertains to Metadefender Core versions 3.xThis article was last updated on 2016-11-08CN



https://support.microsoft.com/en-us/help/12387/windows-10-update-history

v3.13.0 559

1.

2.

3.

4.

5.

Why did the AVG engine disappear from the Metadefender Core Management Console?

An issue with the AVG engine caused it to disappear from the Metadefender Core Management Console. If you are having this issue, download the patch and follow the instructions herebelow:

Open an elevated command prompt and enter net stop metascan

Extract the package you downloaded from the link above with the password "opswat"

Copy the omsAMEHandler.exe file into the AVG engine directory in the Metascan install directory (usually C:\Program Files (x86)\OPSWAT\Metascan XX\Engines\AVG\bin).

From an elevated command prompt, enter net start metascan

Confirm the AVG engine is scanning and returns the valid definition time from either the command line (by running the command ‘omsCmdLineUtil.exe debug’ in the Metascan directory) or through the Metadefender Core Management Console.

Note: This patch only affects your Metadefender Core installation if it includes the AVG engine. If you are currently using Metadefender Core 3.9.1 or a later version, this is only applicable to Metadefender Core 12 and 16 engine packages. All other Metadefender Core functionality will work normally even if the patch is not applied. The only thing that will not work correctly until this patch is applied is the AVG engine.

If these instructions don't resolve your issue, or if you have any questions about this patch or about Metadefender Core, please do not hesitate to .contact us

This article pertains to Metadefender Core 3.9.1 and older This product was last updated on 2016-08-24 EF

Why does my Customer Licensed Engine (antivirus) always return "failed to scan"?

Most antivirus products will be detected by Metadefender Core, but this does not necessarily mean they are compatible. You can check to see that yours is on our list.Compatible Engines

There are a number of possible causes for Customer Licensed Engines to return a "Failed to Scan" error. These include:

https://s3-us-west-1.amazonaws.com/metascanbucket/AVG_Hotfix_June_2015.zip



v3.13.0 560

You are not running the most up to date version of Metadefender Core. The Compatible list is only valid for the latest version of Metadefender CoreEngines

You have not properly configured the antivirus to work with Metadefender Core. This is usually just a matter of excluding Metadefender's Core installation and temp directory from the antivirus engine's real time protection.

If you have done all this and you are still receiving the error, please via submit a support ticketthe OPSWAT Portal.

This article pertains to Metadefender Core 3.x.This article was last updated on 2016-08-18.CN

Why do I get a prompt to install OPSWAT by Christiaan Ghijselinck?

When installing Metadefender Core, one of the optional components that you can install is the RAM drive.

The message below appears if you choose to install the RAM drive. The RAM drive was built by a third-party, so the publisher appears as Christiaan Ghijselinck.

This article applies to Metadefender Core 3.xThis article was last updated on 2016-08-10TV




v3.13.0 561

Why do MongoDB logs have a "You are running on a NUMA machine" warning?

Metadefender Core 3.x and Metadefender Kiosk use mongoDB as a database for storing the scan history, configuration, and other information. If you are seeing this warning in the mongodb log, please refer to the MongoDB to resolve a potential performance production notesissue.

This article pertains to Metadefender CoreThis article was last updated on 2016-08-25EF

Why is Bitdefender engine no longer working?

If your Bitdefender engine is no longer working, we recommend upgrading to the latest Metadefender Core version. If you cannot upgrade for whatever reason, you must apply a patch to your Bitdefender engine.Please note that in order for the patch to be applied you need to have the Visual C++ redistributable 2013 x86 package installed and run the patch as Administrator.Please also make sure no engine is updating/scanning before patching Bitdefender.

If you are using Metascan 3.9.5. or older, please download the patch from here.

If you are using Metascan 3.10.0., please download the patch from .here

After the installation is complete, please check omsAplier.log in the Metascan installation directory to see the upgrade result.

This article is applicable to Metascan 3.10.0 and earlier versions. This article was last updated on 2016-10-04CN

Why is engine heuristic scanning for some engines turned off by default in Metadefender Core?

Some engines allow you to scan files using heuristics, which can detect viruses that are not yet in the engine’s virus definition database. Enabling heuristic scanning for engines will increase detection of potential new viruses, but will also increase the false positive rate. Also, enabling heuristic scanning can increase the engine's scan time.

https://docs.mongodb.com/manual/administration/production-notes/

https://s3-us-west-1.amazonaws.com/metascanbucket/patches/Bitdefender_autopatch_3.9.5.zip

https://s3-us-west-1.amazonaws.com/metascanbucket/patches/Bitdefender_autopatch_3.10.zip

v3.13.0 562

1.

2.

For example, ESET has heuristic scanning turned off by default because in the past some customers had problems with the performance. You can enable the heuristic scanning feature for any engine via the Metadefender Core Management Console.


Why is K7’s heuristic scanning turned off by default in Metadefender Core?

Antivirus heuristic logic only estimates malware risk, so there is always a chance for false positives.

Each antivirus engine that offers heuristics does so using its own proprietary logic, and thus the rate of false positives differs for each of these engines.

OPSWAT has determined that the rate of false positives for K7's heuristic scanning is too high to have it enabled by default. Users who are willing to accept a higher rate of false positives in order to also increase detection rate can turn this feature on manually. You can disable heuristics for any engine via the Heuristic checkbox in the Engines section of the Metadefender Core Management Console's Configuration tab.

The K7 engine is part of Metadefender Core 12, Metadefender Core 16, Metadefender Core 20 and Metadefender Core Custom installations which are based on one of these packages.

This article pertains to Metadefender CoreThis article was last updated on 2016-07-27CN

Why is Metadefender Core REST API returning different results than the Metadefender Management Console?

Metadefender Core does not treat files differently, regardless of how they are delivered. You should receive the same results whether you use the command line, web scan, or a custom COM or REST interface.If you are seeing different results, check to make sure that the files are not being inadvertently manipulated before being posted to the REST Server:

Scan the file via the Command Line.

v3.13.0 563

2.

3.

Compare the file in the scan logs.

Compare the hash against the file submitted via REST.

If the file sizes and hash values differ, the extra data is most likely being added to the file before or while it is getting transferred to the REST API. This would affect the results of some engines.The most common cause of this are antivirus products, firewalls, and proxy servers.

If the file sizes and hash values are the same in both cases, please log a support ticket in the OPSWAT Portal.

This article pertains to Metadefender Core productThis article was last updated on 2016-06-14RR

Why is Metadefender Core taking so long to start?

Below are some common reasons why Metadefender Core might be slow to start:

If Metadefender Core starts slowly the first time, please refer to this article: https://portal.opswat.com/en-us/articles/208210753-Metadefender-Core-is-consuming-100-CPU-Is-this-normal-behavior-

Otherwise, please check system requirements for Metadefender Core and make heresure your Metadefender Core machine's current state meets the minimum requirements.

If your Metadefender Core instance is installed on Windows 7 or Windows Server 2008 R2, there is a known issue that can cause delays in Metadefender Core start-up. Metadefender Core uses an embedded MongoDB database to log scan results. On Windows7 and Windows 2008 R2, memory initialization by MongoDB can be adversely affected by an issue identified by Microsoft and addressed via a hotfix available in this

.Microsoft support KB article


Why is my Avira engine no longer running?

Any customer that is still running Metascan 3.9.0 or 3.9.1 will need to update the Avira engine.

OPSWAT recommends upgrading to the latest version of Metadefender Core if at all possible. If upgrading is not an option, perform the following task to ensure the Avira engine continues to work. This only needs to be done for Metascan 3.9.0 and 3.9.1.

You can download the patch . To apply this patch, please follow the instructions below.here



https://portal.opswat.com/en-us/articles/208210753-Metadefender-Core-is-consuming-100-CPU-Is-this-normal-behavior-



http://software.opswat.com/metascan/Documentation/Metascan/documentation/Developer_Guide/System_Integration_Requirement/System_Requirements_for_Metascan.htm



https://www.dropbox.com/s/fievlbuqfmbgldv/Avira_patch.rar?dl=0

v3.13.0 564

1.Extract the package you downloaded from the link above with the password "opswat".

2. Install the Visual C++ redistributable 2013 x86 from this . If you already have it installed linkplease skip this step.

3. Before installing the patch, please read the readme.txt file.

4. Install the Avira engine patch.

5. Restart the Metascan service by opening a command prompt and entering net stop metascan / net start metascan .

6. Confirm the Avira engine is scanning and returns the valid definition time from either the command line (by running the command omsCmdLineUtil.exe debug in the Metascan directory) or through the Metascan Management Console.

This article applies to Metadefender Core 3.9.0 and 3.9.1.This article was last updated on 2016-11-15.CA

Why is my Kaspersky engine no longer running?

Any customer that is still running Metascan 3.9.0 through 3.11.1 with the 16 or 20 engine package will need to update the Kaspersky engine in their package before July 1, 2016. Because their Kaspersky license will expire on 7/15/2016.

OPSWAT recommends upgrading to the latest version of Metadefender Core, if at all possible. If upgrading is not an option, perform the following task to ensure the Kaspersky engine continues to work. This only needs to be done for Metascan 3.9.0 through 3.11.1 and only for customers that have the 16 or 20 engine packages.

You can download the patch . To apply this patch, please follow the instructions below.here

1. Stop the Metascan service by opening a command prompt and entering net stop metascan

2. Extract the package you downloaded from the link above with the password "opswat".

3. Copy all of the extracted files into the Kaspersky engine directory in the Metascan install directory (usually C:\Program Files (x86)\OPSWAT\Metascan XX\Engines\Kaspersky).

4. Start the Metascan service by opening a command prompt and entering net start metascan

5. Confirm the Kaspersky engine is scanning and returns the valid definition time from either the command line (by running the command omsCmdLineUtil.exe debug in the Metascan directory) or through the Metascan Management Console.

This article applies to Metascan product from 3.9.0. to 3.11.1This article was last updated on 2016-08-16.CA


https://s3-us-west-1.amazonaws.com/supportbucket/Cosmin/Kaspersky_license_2017_hotfix+(1).zip

v3.13.0 565

Why isn't the Metadefender Email Agent processing my emails?

Starting with version 3.11.0, the Metadefender Email Agent is embedded in the Metadefender Core installation. The most common reason why it would not process emails is that it is not correctly configured.

First, make sure the agent is properly detected by running the Exchange Management Shell and typing "get-transportagent" (without quotes) on the exchange machine.

You should see the mail agent listed there.

Second, make sure the correct ports are open on both machines (the MS Exchange Server/SMTP and the Metadefender Core server). On each machine, if the firewall is on, open the following ports for inbound and outbound:

-port 8000 (used for Quarantine)

-port 8008 (used to submit files to Metadefender Core Server)

Please note the following :

1. Before installing Metadefender Core, you must uninstall the old mail agent.

2. A separate SMTP server is required for notification.

3. Exchange (malware agent configuration) may block release from quarantine.

4. Email sanitization to HTML may be blocked and the attachment may be replaced with the following text: "This attachment was removed because it contains data that could pose a security risk." An attachment that has been sanitized may be larger than the original attachment. As a result, it may be necessary to increase the maximum attachment size setting on your mail server.

This article applies to Metadefender Email Agent 3.11.0 or above.This article was last updated on 2016-07-08CN

Why should I upgrade my Metadefender Core?

Upgrading to the latest releases of OPSWAT products allows you to take advantage of new features, added functionality, bug fixes and performance improvements. It also ensures the best path to timely support.

OPSWAT typically has a new release of the Metadefender Core once a month. We recommend that you uptake each new release as it comes out. For organizations that have more restrictive upgrade policies, we recommend that you plan out regularly scheduled upgrades as part of your application management procedures.

v3.13.0 566

Customers with active licenses are entitled to upgrade for free. The upgrade can be done self-service by downloading the latest installer on our in the and following portal downloads sectionthe guidelines in our KB How do I upgrade to the latest release of Metadefender Core?

Note that Metascan was renamed Metadefender Core, but the license is interchangeable. i.e. a license for Metascan is the same as a license for Metadefender Core. Customers with active licenses can download the latest Metadefender Core releases.

This article pertains to all supported releases of Metadefender Core.This article was last updated on 2016-07-07CN

https://portal.opswat.com/en


https://onlinehelp.opswat.com/corev3/How_do_I_upgrade_to_the_latest_release_of_Metadefender_Core_v3_.html

Metadefender Core v3.13.0.pdf - OPSWAT Knowledge Center

Documents

Transcript of Metadefender Core v3.13.0.pdf - OPSWAT Knowledge Center