OESIS Framework Release Announcement | March 2026

We are thrilled to unveil the latest updates to the OESIS Framework this month. Get ready to supercharge your endpoint protection solutions with expanded support for more products and some new, exciting features. Build stronger defenses with advanced capabilities that integrate seamlessly into your products. Prepare for an epic upgrade that'll take your security to the next level.

LIMITATION, WINDOWS

We’ve received questions from customers about how OESIS Patching handles Microsoft’s new Hotpatch and rebootless update mechanism.

After investigation, we have confirmed that OESIS does not currently support Microsoft Hotpatch. Baseline cumulative updates associated with Hotpatch are detected and can be installed as normal via OESIS. However, Hotpatch updates themselves are applied only in memory, are not available via our wuo.dat, and therefore are neither detected by the SDK at this time.

This can lead to scenarios where a CVE fixed by a Hotpatch may still appear as missing in OESIS because the Hotpatch is not visible through the registry/WMI signals we rely on. We have documented these limitations and our current behavior in a dedicated Knowledge Base article: https://www.opswat.com/docs/mdsdk/knowledge-base/does-oesis-support-microsoft-hotpatch-for-patch-management

ENHANCEMENT, WINDOWS, DATA UPDATE NEEDED

We’ve extended OESIS Framework (MDESDK) application coverage with a new signature for Mozilla Firefox (UWP), the Microsoft Store version of Firefox.

This new signature lets you detect and manage Firefox (UWP) alongside the classic desktop Firefox on the same machine, with all core methods validated such as GetVersion, GetRunningState, and more.

This enhancement improves inventory accuracy and ensures your browser policies apply consistently, even when users install Firefox from the Microsoft Store.

BEHAVIOR CHANGE, WINDOWS, DATA UPDATE NEEDED

To improve Notepad++ coverage, we have split the existing detection signature 3241 (Notepad++) into three separate signatures: x64 exe (updated detection logic on the current signature 3241), x64 msi (new signature), and arm64 (new signature).

After this change, some Notepad++ installations can no longer be detected under signature 3241 and instead appear under the new signatures corresponding to their installer architecture.

NEW FEATURE, WINDOWS, ENGINE UPDATE NEEDED, CODE CHANGE

OESIS team now introduces a new Windows method, GetPhysicalDiskInfo, to help customers monitor hardware health on their endpoints.

GetPhysicalDiskInfo queries Windows’ storage subsystem (WMI, root/Microsoft/Windows/Storage) and returns a structured view of:

• Physical disks on the endpoint
• Their health and operational status
• Their volumes (partitions)
• Temperature metrics where available
  
  *You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

ENHANCEMENT, ALL PLATFORMS, DATA UPDATE NEEDED

We will update the raw_json.js file in our Compliance data (for all platforms including Windows, macOS, Linux) to use a pretty‑printed JSON format. This improves readability for customers who inspect or troubleshoot the data manually.

As a result, the Compliance package (compliance.zip) is slightly larger (from ~13 MB to ~14 MB), but no changes are required for existing integrations that programmatically consume this file.

ENHANCEMENT, MAC, ENGINE UPDATE NEEDED, CODE CHANGE

We are pleased to inform you that our team is actively investigating ways to improve patching support on macOS.

In the future release, our SDK will support patching multiple instances of applications, even when they are renamed or installed outside the standard Applications folder.

This enhancement ensures that after patching, only the latest version remains, eliminating unpatched or vulnerable duplicates across all locations.

NEW FEATURE, LINUX, ENGINE UPDATE NEEDED, CODE CHANGE

We are extending the OESIS Framework on Linux to properly handle multiple instances of the same application and show which instances are affected by each CVE. What will change:

• DetectProduct will detect and return multiple instances of the same application on a single Linux endpoint.
• GetVersion will return the version for each detected instance.
• GetProductVulnerability will:
  • Scan all application instances for a given signature, and
  • Return CVEs enriched with a new affected_app_instances field, for example:

"affected_app_instances": [
  {
    "id": "string",  // matches instance ID from DetectProduct
    "path": "string"
  }
]
  

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

NEW FEATURE, MAC, ENGINE UPDATE NEEDED, CODE CHANGE

In Q1-2026, the SDK will provide Real-time monitoring on Mac operating systems. Unlike the current compliance checks, which are on-demand audits, real-time monitoring is dynamic, adapting to live events and rule changes as they occur.

More details will be provided in the coming months regarding which compliance statuses will be supported in this first phase.

Please note that this feature has been moved from Q4-2025 to Q1-2026.

*You will need to make a code change to implement this feature. Please contact the OPSWAT team to assist with this*

3.1 ENGINE Release Cadence Change (Starting OCTOBER)

RELEASE SCHEDULE UPDATE, ALL PLATFORMS

Starting in October, we will be updating our Engine Package release cadence from weekly to bi-weekly. Under this new schedule, releases will occur twice per month, once in the second week and once in the fourth week of each month. This change aligns with our new development framework, enabling more accurate estimations, clearer updates, and more reliable on-time releases. We believe this adjustment will help us deliver higher-quality updates more consistently.

*The initial rollout timeline has been revised from April to October. If you have any concerns or need clarification on this update, please contact the OPSWAT team to assist with this*

3.2 End of Support for AppRemover package with the old engine on macOS

END OF SUPPORT, MAC

As we have refactored the AppRemover module on macOS to provide a more optimized and streamlined experience, two packages of the AppRemover module on macOS are being maintained on the My OPSWAT Portal: AppRemover OSX and AppRemover OSX V2. 

Starting January 1, 2026, the OSX package will be removed. We recommend upgrading to AppRemover OSX V2 to ensure your system receives all new updates and comprehensive technical support for the AppRemover module.