Scan from link settings

Scan from link settings are accessible under the Settings > Security tab.

These settings apply to the "downloadfrom" header when scanning a file via API POST /file.

  • Max download queue:

    • Determines the number of total concurrent requests that can be downloaded at a time.
    • Range: [1-1000]
    • Default: 500
    • Info: If your system has a slow internet connection, decrease this number; if you have a fast connection, you may want to increase it. The right value depends on your network.
    • Note: This setting only applies to total concurrent download requests. It is different from the total scan queue in Settings > General > Queue size.
  • Enforce scan from link validation:

    • Enabling this setting makes MetaDefender Core validate the links from the "downloadfrom" header.
    • Default: disabled
    • Validation type: Blocklist or Allowlist
    • Patterns: Regular Expression patterns

For example, to validate the links in the "downloadfrom" header and ONLY allow the site https://allowlisted-domain.com, use this pattern:

^https:\/\/allowlisted-domain\.com\/

We strongly recommend using an allowlist approach rather than a blocklist for the following reasons:

  • Positive security model: Only explicitly permitted URLs are allowed
  • Reduced attack surface: Unknown or new malicious domains are automatically blocked
  • Better maintainability: Easier to manage a list of trusted sources

Configure Specific URL Patterns

To prevent URL manipulation attacks and bypass attempts, configure your allowlist patterns with maximum specificity:

Vulnerable Configuration:

allowlisted-domain.com

Secure Configuration:

^https:\/\/allowlisted-domain\.com\/

Why Specific Patterns Matter

Attackers can exploit loose patterns using various techniques:

  • Subdomain spoofing: https://allowlisted-domain.com.malicious-site.com/
  • Path injection: https://evil-site.com/allowlisted-domain.com/malware.exe
  • Query parameter manipulation: https://malicious-site.com/?redirect=allowlisted-domain.com

Pattern Configuration Best Practices

  1. Always use anchors: Start patterns with ^ and end with appropriate boundaries
  2. Specify protocol: Include https:\/\/ to enforce secure connections
  3. Escape special characters: Use \. instead of . for literal dots
  4. Include path separators: End with \/ to prevent subdomain spoofing

Example Configurations

For a specific domain:

^https:\/\/downloads\.yourcompany\.com\/

For a subdirectory:

^https:\/\/cdn\.vendor\.com\/updates\/

Testing Your Configuration

After configuring your allowlist patterns, test with various URL formats to ensure they work as expected:

  • Verify legitimate URLs are accepted
  • Confirm malicious variations are rejected
  • Test edge cases and potential bypass attempts
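
The checks listed above can be scripted. The following is an added example, not part of the original page or the product's own tooling; it runs the page's loose and strict patterns against constructed URLs and assumes the pattern is applied as an unanchored regex search (Python's re.search), which may differ from the product's regex engine.

```python
import re

# Patterns taken from the page.
LOOSE = r"allowlisted-domain.com"
STRICT = r"^https:\/\/allowlisted-domain\.com\/"

# Constructed test URLs with the expected decision (True = should be allowed).
# The three bypass forms are the ones listed on the page; the rest are edge cases.
CASES = [
    ("https://allowlisted-domain.com/", True),
    ("https://allowlisted-domain.com/files/setup.exe", True),
    ("https://allowlisted-domain.com.malicious-site.com/", False),
    ("https://evil-site.com/allowlisted-domain.com/malware.exe", False),
    ("https://malicious-site.com/?redirect=allowlisted-domain.com", False),
    ("http://allowlisted-domain.com/files/setup.exe", False),  # protocol not enforced
    ("https://allowlisted-domainXcom/", False),  # unescaped dot matches any character
]


def allowed(pattern, url):
    """Assumption: an allowlist pattern permits a URL if it matches anywhere in it."""
    return re.search(pattern, url) is not None


def audit(pattern, cases=CASES):
    """Return the URLs where the pattern's decision differs from the expected one."""
    return [url for url, expected in cases if allowed(pattern, url) != expected]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        wrong = audit(pattern)
        print(f"{name}: {len(wrong)} wrong decision(s)")
        for url in wrong:
            print(f"  wrongly allowed or rejected: {url}")
```

Replace CASES with your own trusted and untrusted URLs before relying on the result, and re-run it whenever a pattern changes.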

Following these guidelines will provide robust protection against URL-based attacks while maintaining legitimate functionality.
