- What’s New?
- Upcoming Changes
- Support Differential Update for Windows Update Offline data
- V3V4 Adapter to use libc++ instead of libstdc++
- New value for requires_reboot field in patch_aggregation.json file
- Non-security Microsoft patch support
- Realtime monitoring on macOS
- Introduce new server data in the Analog package
- Introduce new patch-related information in GetLatestInstaller
- Required Actions
- Detailed SDK Information
- Contact
1 – What’s New?
We are thrilled to unveil the latest updates to the MetaDefender Endpoint Security SDK this month. Get ready to supercharge your endpoint protection solutions with expanded support for more products and some new, exciting features. Build stronger defenses with advanced capabilities that integrate seamlessly into your projects. Prepare for an epic upgrade that'll take your security to the next level.
1.1 Differentiate Ubuntu Resolutions in GetProductVulnerability
NEW FEATURE, LINUX, DATA UPDATE NEEDED
We’ve enhanced the GetProductVulnerability method to provide clearer insights into Ubuntu vulnerability resolutions by distinguishing between Ubuntu Pro and Community fixes.
This only affects Ubuntu packages; standard APT packages are not impacted.
A new overlay field is now included in the resolution data, but only when a matching association exists and the value is not empty. This field clearly indicates whether a given fix belongs to Ubuntu Pro or Community, helping you understand what’s available for your system more accurately.
This update helps improve clarity for end-users and supports customer requirements for more transparent security insights.
1.2 Query CrowdStrike ZTA Scores via GetAgentState
NEW FEATURE, SDK UPDATE NEEDED
We’ve added support for retrieving Zero Trust Assessment (ZTA) scores from CrowdStrike Falcon directly through the GetAgentState SDK method — enabling integrated, real-time device trust evaluation.
By including the assessment_queries field in your request, you can now query ZTA scores (ranging from 0 to 100) for a target endpoint, helping strengthen your Zero Trust decision-making.
Sample input:
{
  "input": {
    "signature": 2866,
    "method": 1012,
    "assessment_queries": [{
      "data_type": "zta_score",
      "credentials": {
        "base_url": "<CrowdStrike API base URL>",
        "client_id": "<Your CrowdStrike Client ID>",
        "client_secret": "<Your CrowdStrike Client Secret>"
      }
    }]
  }
}
Sample result:
{
  "result": {
    "assessment_results": [{
      "data_type": "zta_score",
      "return_code": 0, // Result code of the assessment; 0 for a successful query
      "value": 30 // The device’s current ZTA score from CrowdStrike Falcon
    }]
    ...
  }
}
This new feature is now available, providing a streamlined way to include trusted risk scoring within your agent state checks.
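The following is an added example, not OPSWAT or CrowdStrike code: it builds the request shown above with credentials read from environment variables and turns the result into a fail-closed access decision. The variable names CS_BASE_URL, CS_CLIENT_ID and CS_CLIENT_SECRET, the threshold of 70, and the integer-only score check are assumptions; how the JSON is handed to the SDK is not shown on this page and is left out.

```python
import json
import os

ZTA_MIN_SCORE = 70  # assumed policy threshold, not an OPSWAT or CrowdStrike default


def build_zta_request(env=os.environ):
    """Build the GetAgentState input shown above. Credentials come from
    environment variables (assumed names) rather than source code; the
    resulting JSON still carries the secret, so keep it out of logs."""
    return {"input": {
        "signature": 2866,
        "method": 1012,
        "assessment_queries": [{
            "data_type": "zta_score",
            "credentials": {
                "base_url": env["CS_BASE_URL"],
                "client_id": env["CS_CLIENT_ID"],
                "client_secret": env["CS_CLIENT_SECRET"],
            },
        }],
    }}


def zta_decision(raw_result, min_score=ZTA_MIN_SCORE):
    """Return (allowed, reason). Any missing or invalid data denies access."""
    try:
        results = json.loads(raw_result)["result"]["assessment_results"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed result"
    for item in (results if isinstance(results, list) else []):
        if not isinstance(item, dict) or item.get("data_type") != "zta_score":
            continue
        if item.get("return_code") != 0:
            return False, f"query failed (return_code={item.get('return_code')})"
        score = item.get("value")
        # bool is an int subclass in Python, so reject it explicitly
        if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
            return False, "score missing or outside 0-100"
        if score < min_score:
            return False, f"score {score} below {min_score}"
        return True, f"score {score}"
    return False, "no zta_score result"
```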
1.3 InstallMissingPatches for Software Update now works on macOS Apple Silicon
FIX, MAC, DATA UPDATE NEEDED
We’ve resolved a major issue affecting the InstallMissingPatches method for Software Update on macOS with Apple Silicon chips. The method now works reliably with administrative (privileged) permissions, allowing successful patch installations in most scenarios.
While this fix significantly improves functionality, there are still known limitations, such as failure when running in Service mode. We're actively working on these and will continue to enhance support in upcoming updates.
1.4 Deprecation Notice: GetSystemVulnerabilities - Method ID: 50509
DEPRECATION
We’d like to inform you that method 50509 - GetSystemVulnerabilities, which checks for potential system vulnerabilities based on product version, is now deprecated and will be removed in a future update.
The method will remain temporarily available but will no longer receive updates or enhancements. While it still works for now, we recommend planning for its removal in a future release and migrating to supported alternatives.
2 – Upcoming Changes
2.1 Support Differential Update for Windows Update Offline data
NEW FEATURE, ANALOG PACKAGE, ENGINE UPDATE NEEDED, CODE CHANGE
In the July release, the SDK will introduce a new feature that enables customers to distribute smaller Windows Update Offline data to endpoints using a differential update mechanism.
This feature will include a new Analog package, named analogv2.zip, which contains two new files: wuo_baseline.dat and wuo_delta.dat. These files allow customers to implement differential updates by distributing both files to endpoints initially. After that, for up to one year, customers will only need to distribute the smaller wuo_delta.dat file to keep the Windows Update Offline data up to date.
*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this.*
2.2 V3V4 Adapter to use libc++ instead of libstdc++
ENHANCEMENT, MAC, LIBRARY UPDATE
Soon, all Mac V3V4 Adapter libraries will be built with libc++ instead of libstdc++. This shift will bring better support for modern C++ standards, faster compilation, and better optimizations.
You will need to change your compile process for macOS to add support for the libc++ library.
2.3 New value for requires_reboot field in patch_aggregation.json file
ENHANCEMENT, ANALOG PACKAGE, DATA UPDATE NEEDED
Due to the specific behavior of certain products that require updating the Microsoft Visual C++ Redistributable, two different restart scenarios may occur:
- If the machine already has the up-to-date version of Microsoft Visual C++ Redistributable, the installation of the target product does not require a restart.
- If the machine has an outdated version of Microsoft Visual C++ Redistributable, the installation of the target product does require a restart.
This behavior impacts how the MDES SDK handles the requires_reboot field. Since this condition is environment-dependent and cannot be predicted, we are introducing a new value called "conditional" to represent such cases. The "conditional" value allows the SDK to recognize and respond appropriately to these dynamic restart requirements.
2.4 Non-security Microsoft patch support
NEW FEATURE, WINDOWS, DATA UPDATE NEEDED, CODE CHANGE
In the September release, the SDK will be able to detect and install Microsoft non-security patches when using the Windows Update Offline functionality.
Currently, the Microsoft categories supported by the SDK are Security Updates, Service Packs, and Update Rollups.
The Microsoft categories we will be adding are Regular Updates and Critical Updates.
*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this.*
2.5 Realtime monitoring on macOS
NEW FEATURE, MAC, ENGINE UPDATE NEEDED, CODE CHANGE
This autumn, the SDK will provide Real-time monitoring on Mac operating systems. Unlike the current compliance checks, which are on-demand audits, real-time monitoring is dynamic, adapting to live events and rule changes as they occur.
*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this.*
2.6 Introduce new server data in the Analog package
NEW FEATURE, ANALOG, DATA UPDATE NEEDED
We introduced new patch-related information that contains the hash strings of patches in the server files of the Analog package, as follows:
In patch_system_aggregation.json:
"analog_id": {
  ...
  "download_link": {
    ...
    "sha1": string
  },
  "optional": bool
  ...
}
In patch_aggregation.json:
"analog_id": {
  ...
  "download_link": {
    ...
    "sha256": string
  },
  ...
}
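One way a consumer could use these fields is to check a downloaded patch against the published digest before installing it. This is an added example, not OPSWAT code; it assumes records are keyed by the analog id at the top level of the file, and the id "1001", the payload and the digest are constructed sample values.

```python
import hashlib
import json
import os
import tempfile

# Constructed record in the patch_aggregation.json shape shown above; the id
# "1001" and the digest are sample values, and elided fields are left out.
SAMPLE_PAYLOAD = b"constructed installer bytes"
SAMPLE_AGGREGATION = json.dumps({
    "1001": {"download_link": {"sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}}
})


def expected_digest(aggregation_json, analog_id):
    """Return (algorithm, hex digest) from download_link, preferring sha256
    over sha1 (sha1 is the field in patch_system_aggregation.json)."""
    link = json.loads(aggregation_json).get(analog_id, {}).get("download_link", {})
    for algo in ("sha256", "sha1"):
        value = link.get(algo)
        if isinstance(value, str) and value.strip():
            return algo, value.strip().lower()
    return None, None


def verify_patch(path, aggregation_json, analog_id):
    """True only if the file's digest matches the published one; a record
    with no hash is treated as unverified (fail closed)."""
    algo, want = expected_digest(aggregation_json, analog_id)
    if algo is None:
        return False
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large installers
            h.update(chunk)
    return h.hexdigest() == want


def demo():
    """Verify the sample payload, then a tampered copy of it."""
    results = []
    for data in (SAMPLE_PAYLOAD, SAMPLE_PAYLOAD + b"!"):
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(data)
        results.append(verify_patch(tmp.name, SAMPLE_AGGREGATION, "1001"))
        os.unlink(tmp.name)
    return results
```

The digest only protects the download if the aggregation file itself was obtained over an authenticated channel.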
3 – Required Actions
3.1 CVE-2025-0131
VULNERABILITY, WINDOWS
An incorrect privilege management vulnerability in the OPSWAT MetaDefender Endpoint Security SDK used by the Palo Alto Networks GlobalProtect™ app on Windows devices allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM. However, execution requires that the local user also successfully exploits a race condition, which makes this vulnerability difficult to exploit.
To address CVE-2025-0131, please upgrade your MDES SDK to version 4.3.4451 or later.
3.2 We moved the OesisPackageLinks.xml behind the VCR gateway
SECURITY UPDATE, VCR GATEWAY
Starting December 31st, 2024, the OesisPackageLinks.xml file is relocated behind the VCR Gateway for enhanced security, replacing its currently public location.
Since September 1st, 2024, the file can be accessed via the VCR Gateway. You can download the file by following these steps: copy and paste this URL: https://vcr.opswat.com/gw/file/download/OesisPackageLinks.xml?type=1&token=<authorization_token> into your browser and replace <authorization_token> with your unique token. If you don't have a unique token, please contact support.
This update ensures continued and secure access, and users should have updated their systems to accommodate this change.
3.3 End of Support for AppRemover package with the old engine on macOS
END OF SUPPORT, MAC
As we have refactored the AppRemover module on macOS to provide a more optimized and streamlined experience, two packages of the AppRemover module on macOS are being maintained on the My OPSWAT Portal: AppRemover OSX and AppRemover OSX V2. Starting January 1, 2026, the OSX package will be removed.
We recommend upgrading to AppRemover OSX V2 to ensure your system receives all new updates and comprehensive technical support for the AppRemover module.
3.4 End of Support for Windows 7 & Windows 8
END OF SUPPORT, WINDOWS
Starting January 1, 2026, support for Windows 7 and Windows 8 (server versions included) will be removed from the SDK. To ensure security, compatibility, and optimal performance with MDES SDK, we recommend upgrading endpoints to a supported Microsoft operating system.
4 – Detailed SDK Information
This is just the tip of the iceberg! You can view all the supported applications on our support charts:
5 – Contact
Are you a customer and have questions about this list? Please contact our trusted support team at opswat-support@opswat.com.
Interested in learning more about how OEMs use OPSWAT to strengthen security at scale? Let’s talk! Contact us at oem@opswat.com.