MetaDefender Endpoint Security SDK Release Announcement | September 2025

We are thrilled to unveil the latest updates to the MetaDefender Endpoint Security SDK this month. Get ready to supercharge your endpoint protection solutions with expanded support for more products and some new, exciting features. Build stronger defenses with advanced capabilities that integrate seamlessly into your products. Prepare for an epic upgrade that'll take your security to the next level.

NEW FEATURE, LINUX, ENGINE UPDATE NEEDED, CODE CHANGE

In certain Linux distributions, patch management tools depend on up-to-date package repository metadata to accurately detect and apply updates. While our existing methods (such as GetMissingPatches, InstallMissingPatches, etc.) already support patching workflows, a repository refresh may be required beforehand in certain environments to ensure accurate results.

To better support this, we’re adding a new method: FetchRemoteData. This method allows your Agent to explicitly refresh the package manager’s repository data before invoking patch-related methods.

The initial release will support Zypper, and is expected in the October feature release. Broader distribution support will follow in future updates.

This enhancement improves visibility and control in Linux patch management—especially in environments where repository freshness impacts accuracy.

NEW FEATURE, ANALOG PACKAGE, ENGINE UPDATE NEEDED, CODE CHANGE

In the August release, the SDK introduced a new feature that enables customers to distribute smaller Windows Update Offline datasets to endpoints using a differential update mechanism.

This feature includes two new Analog packages, analogv2.zip and analogv2_baseline.zip, which contain the files wuo_baseline.dat (in analogv2_baseline) and wuo_delta.dat (in analogv2). These files allow customers to implement differential updates by initially distributing the baseline file to the endpoints. After that, for up to one year, customers will only need to distribute the smaller wuo_delta.dat file to keep the Windows Update Offline data up to date.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

NEW FEATURE, MAC, DATA UPDATE NEEDED, CODE CHANGE

In the August release, the value format of the sdk_version field in the checksums.json file of the macOS package was updated to align with the format used in the Windows and Linux packages. With this update, the sdk_version value in the macOS checksums.json file will no longer use an underscore (_) as a delimiter. Instead, a dot (.) will be used to separate version components.

For example: “sdk_version”: “4.3.4239.0”

NEW FEATURE, ALL PLATFORM, ENGINE UPDATE NEEDED

We’ve expanded the flexibility of the GetLatestInstaller method by introducing a new option for the download parameter: download=2.

Using this option, GetLatestInstaller method will return the patch_id only. No installer download and no download URL are included.

This update allows you to select the most appropriate workflow for your patching and compliance needs.

NEW FEATURE, WINDOWS, DATA UPDATE NEEDED, CODE CHANGE

In the September release, the SDK will be able to detect and install Microsoft non-security patches when using the Windows Update Offline functionality.

Currently, the Microsoft categories supported by the SDK are Security Updates, Service Packs, and Update Rollups.

With this update, the Microsoft categories we will be adding are Regular Updates and Critical Updates.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

NEW FEATURE, MAC, ENGINE UPDATE NEEDED, CODE CHANGE

In Q4-2025, the SDK will provide Real-time monitoring on Mac operating systems. Unlike the current compliance checks, which are on-demand audits, real-time monitoring is dynamic, adapting to live events and rule changes as they occur.

More details will be provided in the coming months regarding which compliance statuses will be supported in this first phase.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

ENHANCEMENT, WINDOWS, DATA UPDATE NEEDED

After October 14, 2025, Microsoft will no longer provide security patches, feature updates, or technical support for Windows 10. Windows 10 systems will still function, but become progressively vulnerable to security threats and software compatibility issues.

Therefore, Microsoft is introducing the Windows 10 Extended Security Updates (ESU) program, which gives customers the option to receive security updates for PCs enrolled in the program.

To extend support for Windows 10 and ensure the MDES SDK remains compatible with future updates of Windows 10, we have decided to continue supporting Windows 10 via the Windows 10 Extended Security Updates (ESU) program. This support will be applied to devices running Windows 10, version 22H2 with KB5046613, or a later update installed, and having an active ESU subscription.

ENHANCEMENT, ALL PLATFORM, DATA UPDATE NEEDED

We’re excited to share that GetAgentState method will soon include a new field: last_connection_time_to_server.

This enhancement provides visibility into the last time an EDR/XDR agent successfully connected to its server.

The new information is included in the response automatically; no changes are required to your existing API calls.

3.1 CVE-2025-0131

VULNERABILITY, WINDOWS 

An incorrect privilege management vulnerability in the OPSWAT MetaDefender Endpoint Security SDK used by the Palo Alto Networks GlobalProtect™ app on Windows devices allows a locally authenticated nonadministrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM. However, execution requires that the local user also successfully exploits a race condition, which makes this vulnerability difficult to exploit.

To address CVE-2025-0131, please upgrade your MDES SDK to version 4.3.4451 or later.

3.2 We moved the OesisPackageLinks.xml behind the VCR gateway

SECURITY UPDATE, VCR GATEWAY 

Starting December 31st, 2024, the OesisPackageLinks.xml file are relocated behind the VCR Gateway for enhanced security, replacing its currently public location.

Since September 1st, 2024, the file can be accessed via the VCR Gateway. You can download the file by following these steps: copy and paste this URL: https://vcr.opswat.com/gw/file/download/OesisPackageLinks.xml?type=1&token=<authorization_token>  into your browser and replace <authorization_token> with your unique token. If you don't have a unique token, please contact support.

This update ensures continued and secure access, and users should have updated their systems to accommodate this change.

3.3 End of Support for AppRemover package with the old engine on macOS

END OF SUPPORT, MAC

As we have refactored the AppRemover module on macOS to provide a more optimized and streamlined experience, two packages of the AppRemover module on macOS are being maintained on the My OPSWAT Portal: AppRemover OSX and AppRemover OSX V2. 

Starting January 1, 2026, the OSX package will be removed. We recommend upgrading to AppRemover OSX V2 to ensure your system receives all new updates and comprehensive technical support for the AppRemover module.

3.4 End of Support for Windows 7 & Windows 8

END OF SUPPORT, WINDOWS

After careful consideration, support for Windows 7 and Windows 8 (server versions included) will be removed from the SDK beginning January 1st 2027 (one year later than previous planned).

To ensure security, compatibility, and optimal performance with MDES SDK, we recommend upgrading endpoints to a supported Microsoft operating system.