MetaDefender Endpoint Security SDK Release Announcement | August 2025

We are thrilled to unveil the latest updates to the MetaDefender Endpoint Security SDK this month. Get ready to supercharge your endpoint protection solutions with expanded support for more products and some new,  exciting features. Build stronger defenses with advanced capabilities that integrate seamlessly into your projects. Prepare for an epic upgrade that'll take your security to the next level.

ENHANCEMENT, MAC, LIBRARY UPDATE

We’re excited to announce that all Mac V3V4 Adapter libraries are now officially built using libc++ instead of libstdc++. This shift will bring better support for modern C++ standards, faster compilation, and better  optimizations.

You will need to change your compile process for the macOS to add support for the libc++ library

NEW FEATURE, ANALOG, DATA UPDATE NEEDED

We introduce new patch-related information that contains hash string of patches in the server files of Analog package as follows:

In patch_system_aggregation.json:

"analog_id": {
    ...
    "download_link": {
        ...
        "sha1": <string>
    },
    "optional": <bool>
    ...
}

In patch_aggregation.json:

"analog_id": {
    ...
    "download_link": {
        ...
        "sha256": <string>
        },
    ...
}

ENHANCEMENT, ANALOG PACKAGE, DATA UPDATE NEEDED

Due to the specific behavior of certain products that require updating the Microsoft Visual C++ Redistributable, two different restart scenarios may occur:

• If the machine already has the up-to-date version of Microsoft Visual C++ Redistributable, the installation of the target product does not require a restart.
• If the machine has an outdated version of Microsoft Visual C++ Redistributable, the installation of the target product does require a restart.

This behavior impacts how the MDES SDK handles the requires_reboot field. Since this condition is environmentdependent and cannot be predicted, we are introducing a new value called "conditional" to represent such cases. The "conditional" value allows the SDK to recognize and respond appropriately to these dynamic restart requirements.

NEW FEATURE, DATA UPDATE NEEDED

We introduced new patch-related information that contains vendor name, description, required restart information of patches in the json out of GetLatestInstaller method as below:

result: {
 ...
 "description": <string>,
 "vendor": <string>,
 "reboot_required": <bool>,
 "optional": <bool>
}

NEW FEATURE, WINDOWS, DATA UPDATE NEEDED

The GetAgentState output now includes a new field: startup_type — available for Windows Update Agent (WUA) only. This numeric field reflects the startup type of the wuauserv service (responsible for Windows Update), based on the standard defined by Microsoft’s ServiceStartMode. 

If the value is invalid or falls outside the expected range, it will return -1, indicating an unknown startup type. This enhancement offers better insight into WUA behavior and configuration across endpoints.

NEW FEATURE, WINDOWS, DATA UPDATE NEEDED

We’ve introduced a new optional parameter, force_install, in the InstallFromFile method input to address specific installer execution issues— hang or fail to execute due to Windows Integrity Level restrictions. 

When set to true, force_install enables the SDK to take additional steps to allow trusted installers to run successfully in environments where strict security settings may otherwise block execution. By default, this flag is false to maintain secure behavior.

Use this option only when you trust the installer source.

ENHANCEMENT

We’ve updated the file naming on MyOPSWAT download portal to clearly indicate the package type — [Native Package] or [V3V4 Adapter Package] — making it easier to find the right build at a glance

NEW FEATURE, LINUX, ENGINE UPDATE NEEDED, CODE CHANGE

In certain Linux distributions, patch management tools depend on up-to-date package repository metadata to accurately detect and apply updates. While our existing methods (such as GetMissingPatches, InstallMissingPatches, etc.) already support patching workflows, a repository refresh may be required beforehand in certain environments to ensure accurate results.

To better support this, we’re developing a new method: FetchRemoteData. This method allows users to explicitly refresh the package manager’s repository data before invoking patch-related methods.

The initial release will support Zypper, and is expected next month. Broader distribution support will follow in future updates.

This enhancement improves visibility and control in Linux patch management—especially in environments where repository freshness impacts accuracy.

NEW FEATURE, WINDOWS,  UPDATE NEEDED, CODE CHANGE

In the September release, the SDK will be able to detect and install Microsoft non-security patches when using the Windows Update Offline functionality.

Currently, the Microsoft categories supported by the SDK are Security Updates, Service Packs, and Update Rollups.

The Microsoft categories we will be adding are Regular Updates and Critical Updates.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

NEW FEATURE, MAC, ENGINE UPDATE NEEDED, CODE CHANGE

This autumn, the SDK will provide Real-time monitoring on Mac operating systems. Unlike the current compliance checks, which are on-demand audits, real-time monitoring is dynamic, adapting to live events and rule changes as they occur.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

NEW FEATURE, ANALOG PACKAGE, ENGINE UPDATE NEEDED, CODE CHANGE

In the August release, the SDK will introduce a new feature that enables customers to distribute smaller Windows Update Offline datasets to endpoints using a differential update mechanism.

This feature will include two new Analog packages, named analogv2.zip and analogv2_baseline.zip, which contain the new files wuo_baseline.dat (in analogv2_baseline) and wuo_delta.dat (in analogv2). These files allow customers to implement differential updates by initially distributing both files to the endpoints. After that, for up to one year, customers will only need to distribute the smaller wuo_delta.dat file to keep the Windows Update Offline data up to date.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

VULNERABILITY, WINDOWS 

An incorrect privilege management vulnerability in the OPSWAT MetaDefender Endpoint Security SDK used by the Palo Alto Networks GlobalProtect™ app on Windows devices allows a locally authenticated nonadministrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM. However, execution requires that the local user also successfully exploits a race condition, which makes this vulnerability difficult to exploit.

To address CVE-2025-0131, please upgrade your MDES SDK to version 4.3.4451 or later.

SECURITY UPDATE, VCR GATEWAY 

Starting December 31st, 2024, the OesisPackageLinks.xml file are relocated behind the VCR Gateway for enhanced security, replacing its currently public location.

Since September 1st, 2024, the file can be accessed via the VCR Gateway. You can download the file by following these steps: copy and paste this URL: https://vcr.opswat.com/gw/file/download/OesisPackageLinks.xml?type=1&token=<authorization_token>  into your browser and replace <authorization_token> with your unique token. If you don't have a unique token, please contact support.

This update ensures continued and secure access, and users should have updated their systems to accommodate this change.

END OF SUPPORT, MAC

As we have refactored the AppRemover module on macOS to provide a more optimized and streamlined experience, two packages of the AppRemover module on macOS are being maintained on the My OPSWAT Portal: AppRemover OSX and AppRemover OSX V2. 

Starting January 1, 2026, the OSX package will be removed. We recommend upgrading to AppRemover OSX V2 to ensure your system receives all new updates and comprehensive technical support for the AppRemover module.

END OF SUPPORT, WINDOWS

Starting January 1, 2026, support for Windows 7 and Windows 8 (server versions included) will be removed from the SDK. To ensure security, compatibility, and optimal performance with MDES SDK, we recommend upgrading endpoints to a supported Microsoft operating system.