OESIS Framework Release Announcement | January 2026

We are thrilled to unveil the latest updates to the OESIS Framework this month. Get ready to supercharge your endpoint protection solutions with expanded support for more products and some new, exciting features. Build stronger defenses with advanced capabilities that integrate seamlessly into your products. Prepare for an epic upgrade that'll take your security to the next level.

ENHANCEMENT, ANALOG PACKAGE, DATA UPDATE NEEDED, CODE CHANGE

We have updated the Linux vulnerability data delivery in OESIS by splitting the original liv.dat file into smaller, distro-specific files.

Customers can now use dedicated files for each supported distribution: liv_ubuntu.dat, liv_mint.dat, liv_debian.dat, liv_redhat.dat, liv_alma.dat, liv_rocky.dat, liv_amazon.dat, liv_oracle.dat, and liv_suse.dat.

This change helps reduce the size of the vulnerability database you need to download to each endpoint, improving efficiency and performance.

All the liv_<distro>.dat files are now available under analog.zip in the /client folder. In addition, each dat file

can be downloaded individually via the VCR gateway using the standard format

https://vcr.opswat.com/gw/file/download/liv_<distro>.dat?type=1&token=<authorization_token>

The existing liv.dat file will continue to be delivered and supported to ensure backward compatibility for current integrations.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

ENHANCEMENT, WINDOWS, ENGINE UPDATE NEEDED

We have enhanced the behavior of Microsoft Office MSI patching when Office applications are open during installation. This enhancement applies to Office 2007, 2010, 2013, and 2016 MSI products patched via the WUO InstallFromFile flow.

When any Office application (such as Word, Excel, PowerPoint, or Access) is running and you install a patch:

- With force_close = 0, the SDK now returns WA_VMOD_ERROR_CANNOT_TERMINATE_PRODUCT, users might need to close Office and retry the installation.

- With force_close = 1, the SDK force‑closes all running Office applications before continuing the patch and reports the closed processes in the blocking_processes field.

This gives integrators clearer control over the user experience when patching Office: either preserve user sessions and ask them to close Office, or apply updates immediately by closing running Office apps automatically.

BEHAVIOR CHANGE, ANALOG PACKAGE, DATA UPDATE NEEDED, CODE CHANGE

We have updated the Delta Updates packaging for Windows Update Offline (WUO) data in analog.zip to simplify distribution and prepare for future enhancements. Going forward, we will no longer publish the following legacy files:

- analogv2.zip

- analogv2_baseline.zip

- wuo_baseline.dat

- wuo_delta.dat

Instead, the new WUOv2 data (wuov2_baseline.dat and wuov2_delta.dat) are now included in analog.zip package under the client folder, and they are fully documented in header.json and the updated

How_to_use_Analog_files.pdf guide. This change increases the analog.zip size by approximately 44 MB.

To use Delta Updates with WUO, customers must migrate to WUOv2 by ensuring that endpoints first receive the matching wuov2_baseline.dat file before deploying the corresponding wuov2_delta.dat file.

Please note that there is no longer a 30‑day grace period to switch to a new baseline, so wuov2_baseline.dat and wuov2_delta.dat must always match on the endpoint for Delta Updates to work properly.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

BEHAVIOR CHANGE, ANALOG PACKAGE, DATA UPDATE NEEDED, CODE CHANGE

We have added a new "usable_download_link" boolean field to each product entry in analog/server/products.json. This field indicates whether the installer download link from GetLatestInstaller(download=0) is valid or not.

• If "usable_download_link" is true, agents will be able to use the download link.

• If "usable_download_link" is false, agents should not attempt to use it.

This update will help improve reliability by providing clear guidance to agents. To reduce failed download attempts, please plan to update your integration logic to check this field before fetching installer links.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

NEW FEATURE, ALL PLATFORMS, ENGINE UPDATE NEEDED, CODE CHANGE

We have enhanced our SDK to enable detection of per-user applications across Windows, MacOS, and Linux platforms. A new flag, detect_all_users_products, has been added to the DetectProducts method.

By default, this field is false and detection is limited to only applications installed for the active user and those available to all users (system-wide). When detect_all_users_products is set to true, this field enables detection of all applications installed on the device, including those specific to other user accounts.

On Windows, when detect_all_users_products is enabled, the output will include a new installed_for_users field for each detected product. This field lists all users (by SID and username) who have the product installed in per-user mode.

This enhancement provides a comprehensive view of software inventory across all user profiles on a device.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

NEW FEATURE, ALL PLATFORMS, ENGINE UPDATE NEEDED, CODE CHANGE

We are pleased to announce that our Q1-2026 release will introduce three new software categories: Vulnerability Management, Artificial Intelligence, and Gaming.

All new categories will include comprehensive support methods such as version detection, running state, installation directories, and more.

Stay tuned for further details as we approach the release date.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

ENHANCEMENT, WINDOWS, DATA UPDATE NEEDED

As of October 14, 2025, Microsoft no longer provides security patches, feature updates, or technical support for Windows 10. Windows 10 systems will still function, but become progressively vulnerable to security threats and software compatibility issues.

Therefore, Microsoft is introducing the Windows 10 Extended Security Updates (ESU) program, which gives customers the option to receive security updates for PCs enrolled in the program.

To extend support for Windows 10 and ensure the Framework remains compatible with future updates of

Windows 10, we have decided to continue supporting Windows 10 via the Windows 10 Extended Security Updates (ESU) program. This support will be applied to devices running Windows 10, version 22H2 with KB5046613, or a later update installed, and having an active ESU subscription.

ENHANCEMENT, MAC, ENGINE UPDATE NEEDED, CODE CHANGE

We are pleased to inform you that our team is actively investigating ways to improve patching support on macOS.

In the future release, our SDK will support patching multiple instances of applications, even when they are renamed or installed outside the standard Applications folder.

This enhancement ensures that after patching, only the latest version remains, eliminating unpatched or vulnerable duplicates across all locations.

3.1 CVE-2025-0131

VULNERABILITY, WINDOWS

An incorrect privilege management vulnerability in the OPSWAT OESIS Framework used by the Palo Alto

Networks GlobalProtect™ app on Windows devices allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM. However, execution requires that the local user also successfully exploits a race condition, which makes this vulnerability difficult to exploit.

To address CVE-2025-0131, please upgrade your Framework to version 4.3.4451 or later.

3.2 We moved the OesisPackageLinks.xml behind the VCR gateway

SECURITY UPDATE, VCR GATEWAY

Since December 31st, 2024, the OesisPackageLinks.xml file are relocated behind the VCR Gateway for enhanced security, replacing its currently public location.

Since September 1st, 2024, the file can be accessed via the VCR Gateway. You can download the file by following these steps: copy and paste this URL:

https://vcr.opswat.com/gw/file/download/OesisPackageLinks.xml?type=1&token=<authorization_token> in to your browser and replace <authorization_token> with your unique token. If you don't have a unique token, please contact support.

This update ensures continued and secure access, and users should have updated their systems to accommodate this change.

3.3 End of Support for AppRemover package with the old engine on macOS

END OF SUPPORT, MAC

As we have refactored the AppRemover module on macOS to provide a more optimized and streamlined experience, two packages of the AppRemover module on macOS are being maintained on the My OPSWAT Portal: AppRemover OSX and AppRemover OSX V2. 

Starting January 1, 2026, the OSX package will be removed. We recommend upgrading to AppRemover OSX V2 to ensure your system receives all new updates and comprehensive technical support for the AppRemover module.