Embedded Engine

Known issues

Issue: MSI certificate validation is not supported on Windows OS.
Solution: none listed.

v2.1.0

Release date: 12/02/2024

New Features and Improvements
  • Min/Max Analysis timeout range changed: The allowed minimum and maximum analysis timeout is now 60-86400, to better handle large files.
  • DLL files are signed: Windows DLL files are now code-signed, so their origin and integrity can be verified.
  • Enhanced Archive handling: Archive file handling improved to reduce scan times.
  • Java Dependency checking is fixed: The Java dependency check no longer mismatches some Java versions.
  • Deep CDR Triggers options added: A new Deep CDR Trigger option in the workflow configuration allows a more granular setup.
  • Removed Scan modes from configuration: The Scan mode workflow config is no longer supported.
  • Context-Aware Threat Indicators: Improved threat indicators by factoring in the context of the analysis, leading to more accurate threat assessments.
  • Reduced False Positives: Lowered false positive rates for heuristically detected or non-clickable IP addresses and URLs, improving the accuracy of threat analysis.
  • Malicious Document Detection: Improved the detection of malicious documents, adding new indicators and reducing the risk of document-based attacks.
  • Enhanced Emulation: Increased emulation success rates, particularly through better recognition of file content types eligible for emulation.
  • Python Script Detection: Improved detection of malicious Python scripts, a growing vector for attacks.
  • Better XOR Decryption: Extended XOR decryption capabilities, improving analysis of encrypted malware.
  • Improved IOC Extraction: Enhanced the extraction of indicators of compromise (IOC) from emulation for a more comprehensive report.
  • YARA Rule Updates: Reviewed and vetted third-party YARA rules. By default, YARA rules are loaded with priority from the OPSWAT repository.
  • Symantec Quarantine Repair: Implemented a repair function for files restored from Symantec quarantine, ensuring files can be analysed post-restoration.
  • MSC File Support: Added the ability to identify and parse Microsoft Management Console (MSC) files, further broadening threat detection capabilities.
  • JPHP Support: Enhanced malware detection with the ability to parse and decompile JPHP files, expanding the range of supported file types and languages.
  • .NET API Call Detection: Added detection of unmanaged .NET API references, improving analysis of .NET-based malware.
  • OT Malware Detection: Introduced a YARA ruleset specifically for OT (Operational Technology) malware, expanding protection to critical infrastructure systems.
  • LNK File Threat Indicators: Strengthened detection for LNK icon smuggling and LNK-MOTW (Mark of the Web) bypass attacks, both common techniques in modern malware.
  • Ransomware Detection Enhancement: Added severity to YARA rule matches related to ransomware, helping to prioritize and respond to ransomware threats more effectively.
[Image: Deep CDR Triggers]
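The "Better XOR Decryption" entry above names a capability without showing what such a stage does. The Python below is an added example, not code from these release notes or from OPSWAT's engine: it demonstrates the two standard recovery techniques an analyst applies to an XOR-encrypted PE payload, brute-forcing a single-byte key and ranking the 256 candidates by PE plaintext markers, and recovering a short repeating key of unknown length from a known-plaintext crib (the DOS stub message). The scoring markers, the sample image and every function name are this example's own assumptions.

```python
"""XOR key recovery against an encrypted PE-like blob (added example).

Two techniques a sandbox's XOR-decryption stage relies on:
  1. single-byte brute force, ranking the 256 candidates by PE plaintext markers;
  2. known-plaintext (crib) recovery of a repeating key of unknown length.
Nothing here touches the network or the file system.
"""
from collections import Counter

DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pe_plaintext_score(buf: bytes) -> int:
    """Heuristic score: how much does buf look like the start of a PE file?"""
    score = 0
    if buf[:2] == b"MZ":
        score += 5
    if DOS_STUB in buf:
        score += 10
    if b"PE\x00\x00" in buf:
        score += 3
    return score


def brute_force_single_byte(ct: bytes) -> tuple[bytes, int]:
    """Try every single-byte key and keep the candidate with the best score.

    The most frequent ciphertext byte is used only as a tie-breaker: PE headers
    carry long runs of zero padding, and 0x00 XOR k == k leaks the key.
    """
    if not ct:
        raise ValueError("empty ciphertext")
    freq_guess = Counter(ct).most_common(1)[0][0]

    def rank(k: int) -> tuple[int, bool]:
        return pe_plaintext_score(xor_bytes(ct, bytes([k]))), k == freq_guess

    best = max(range(256), key=rank)
    return bytes([best]), rank(best)[0]


def recover_repeating_key(ct: bytes, crib: bytes, max_keylen: int = 16):
    """Known-plaintext attack on repeating-key XOR.

    Slides the crib over the ciphertext; at each offset every crib byte fixes
    one key byte (ct ^ plaintext), and crib bytes that map to the same key
    position must agree. Key lengths are tried shortest first, so a 4-byte key
    is reported as 4 bytes rather than as an 8-byte repetition of itself.
    Returns (score, key, crib_offset), or None when no consistent key exists.
    """
    best = None
    for keylen in range(1, min(max_keylen, len(crib)) + 1):
        for off in range(len(ct) - len(crib) + 1):
            key = [None] * keylen
            consistent = True
            for i, p in enumerate(crib):
                j = (off + i) % keylen
                k = ct[off + i] ^ p
                if key[j] is None:
                    key[j] = k
                elif key[j] != k:
                    consistent = False
                    break
            if not consistent:
                continue
            candidate = bytes(key)
            score = pe_plaintext_score(xor_bytes(ct, candidate))
            if best is None or score > best[0]:
                best = (score, candidate, off)
    return best


def build_sample_plaintext() -> bytes:
    """Constructed stand-in for the first 0xC4 bytes of a PE image (not a real file)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")          # e_lfanew
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB + b"\r\r\n$")
    image = bytes(hdr) + stub
    image += b"\x00" * (0x80 - len(image)) + b"PE\x00\x00" + b"\x00" * 64
    return image


if __name__ == "__main__":
    pt = build_sample_plaintext()
    print("single-byte key:", brute_force_single_byte(xor_bytes(pt, b"\x5a"))[0].hex())
    print("repeating key  :", recover_repeating_key(xor_bytes(pt, b"k3y!"), DOS_STUB))
```

The crib approach generalises beyond the DOS stub: any string the plaintext is known to contain (a PDB path, a User-Agent, a C2 URL prefix) works the same way, and the zero-padding observation is why analysts also look at the most common n-grams of an unknown blob before trying anything else.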

v2.0.0

Release date: 08/28/2024

New Features and Improvements
  • Upgraded to Java 17 and Python 3.10 for all relevant Sandbox components
  • Support for AutoIT script files, including compiled AutoIT Portable Executables
  • Parsing of MSI metadata and actions, including implementation for filtered file extraction
  • Parsing of ODF files and macro extraction
  • Parsing of Python pickle files, including implementation for malicious Threat Indicators
  • Capability to identify potential obfuscation for extracted macro code
  • New Threat Indicator for deceptive filenames commonly used for phishing files
  • New Threat Indicator for undetected Equation Editor RTF exploit
  • Enhanced parsing of LNK metadata and actions, including new Threat Indicators
  • Improved Python-specific Threat Indicators
  • Included proper tags for Golang, Rust and compiled-Python Portable Executables
  • Improved processing for nested extracted files
  • Enhanced Threat Indicators for imported APIs and for emulation
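The pickle parser and its malicious Threat Indicators listed above are easy to reproduce in miniature. The Python below is an added example, not the engine's code: it walks a pickle stream with the standard library's pickletools.genops, never unpickling it, and records which globals the stream imports (via GLOBAL, INST or the protocol-4 STACK_GLOBAL opcode) and whether REDUCE-style opcodes would call them. The list of dangerous callables, the three-tier verdict and the sample pickles are this example's own assumptions; the samples are built in the block with pickle.dumps and are never loaded.

```python
"""Static threat indicators for Python pickle streams (added example).

The stream is walked with pickletools.genops and never unpickled, so a
malicious file cannot execute while it is being classified.
"""
import datetime
import os
import pickle
import pickletools

# Module/attribute pairs that hand the unpickler arbitrary code execution as
# soon as REDUCE calls them. os.system is resolved through the platform module
# ('posix' on Linux/macOS, 'nt' on Windows), so both spellings are listed.
DANGEROUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("os", "popen"), ("posix", "popen"), ("nt", "popen"),
    ("os", "execv"), ("os", "execvp"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
    ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
    ("importlib", "import_module"),
    ("socket", "socket"), ("codecs", "decode"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
CALL_OPS = {"REDUCE", "BUILD", "NEWOBJ", "NEWOBJ_EX", "OBJ", "INST"}


def scan_pickle(data: bytes) -> dict:
    """Return the globals a pickle imports, the calls it makes and a verdict."""
    globals_seen = []   # (module, attribute, stream offset)
    calls = []          # (opcode, stream offset)
    strings = []        # string values pushed so far, in order
    memo = {}           # memo slot -> value, mirroring the unpickler's memo
    last = None         # value most recently pushed (only strings are tracked)
    for op, arg, pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            last = arg
            strings.append(arg)
        elif name == "MEMOIZE":             # memo[len(memo)] = top of stack
            memo[len(memo)] = last
            continue
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
            continue
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif name in ("GLOBAL", "INST"):    # arg is "module attribute"
            module, attr = arg.split(" ", 1)
            globals_seen.append((module, attr, pos))
            last = None
        elif name == "STACK_GLOBAL":        # protocol 4+: module and name are the two strings pushed before it
            if len(strings) >= 2:
                globals_seen.append((strings[-2], strings[-1], pos))
            last = None
        else:
            last = None
        if name in CALL_OPS:
            calls.append((name, pos))

    dangerous = [g for g in globals_seen if (g[0], g[1]) in DANGEROUS_GLOBALS]
    if dangerous:
        verdict = "malicious"
    elif globals_seen and calls:
        verdict = "suspicious"    # imports something and calls it: review by hand
    else:
        verdict = "benign"
    return {"verdict": verdict, "globals": globals_seen,
            "dangerous": dangerous, "calls": calls}


class _ShellViaReduce:
    """Constructed sample: __reduce__ makes any unpickler call os.system('id')."""

    def __reduce__(self):
        return (os.system, ("id",))


# Constructed samples (serialised only, never loaded).
MALICIOUS_P4 = pickle.dumps(_ShellViaReduce(), protocol=4)   # STACK_GLOBAL path
MALICIOUS_P2 = pickle.dumps(_ShellViaReduce(), protocol=2)   # GLOBAL path
SUSPICIOUS = pickle.dumps(datetime.date(2024, 8, 28))        # harmless GLOBAL + REDUCE
BENIGN = pickle.dumps({"ioc": ["203.0.113.7"], "score": 3})  # plain data, no globals

if __name__ == "__main__":
    for label, blob in [("p4", MALICIOUS_P4), ("p2", MALICIOUS_P2),
                        ("date", SUSPICIOUS), ("dict", BENIGN)]:
        print(label, scan_pickle(blob)["verdict"])
```

The middle tier matters in practice: a pickle that imports a class and calls REDUCE is what every legitimate object pickle looks like, so flagging all of them as malicious would drown the signal; the indicator is the specific callable, not the presence of a call.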

Fixes and improvements

  • Fixed minor bugs and misdetections
  • Improved emulation efficacy
  • Improved application security

v1.7.1

Release date: 05/24/2024

New Features and Improvements
  • Ensured support for Ubuntu 22.04
  • Added new threat indicators
  • Disabled IP address OSINT lookups to avoid false positive findings
  • Added verdict to IOCs on the UI
  • Reduced false positive / false negative detection
  • Updated YARA rule-set
  • Fixed office file emulation errors
[Image: Verdict for IOCs]

v1.7.0

Release date: 04/26/2024

New Features and Improvements
  • Malware config extraction support
  • Python Unpacking & Decompilation for PyInstaller, Nuitka, and py2exe
  • Improved error reporting
  • Added long path support on Windows
  • Added HTTP redirection support
  • Included disassembly of exported functions for Windows binaries
  • Threat indicator to flag when executable files have two different sections with the same section name
  • Extraction of VBA macro code from DWG files (shown as OLE Stream in File Details section)
  • Enhanced script language detection using the guesslang library
  • Fine-tuned several threat indicators to reduce false positive ratio
  • Improved detection for phishing calendar invites
  • Enhanced recursive analysis of active content containers (email, Office documents, PDF, etc.)
  • Improved scan process for corrupt OLE2 documents
  • Fixed several issues with existing threat indicators (ELF binaries, URL extraction, EML)
[Image: Improved error reporting]
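The v1.7.0 indicator for executables with two sections sharing a name is a good illustration of how little PE parsing a threat indicator needs. The Python below is an added example, not the engine's code: it follows e_lfanew to the PE signature, reads NumberOfSections and SizeOfOptionalHeader from the COFF file header, walks the 40-byte section headers and reports any name seen more than once. The synthetic header-only PE32 builder exists only so the block runs without a real binary; it and the function names are this example's own assumptions.

```python
"""Duplicate-section-name threat indicator for PE files (added example).

Parses just enough of the PE structure to reach the section table and
reports names that occur more than once. A synthetic image builder supplies
test input so the block runs without any real binary.
"""
import struct
from collections import Counter

IMAGE_FILE_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def section_names(image: bytes) -> list[str]:
    """Return the section names from the PE section table, in table order."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + IMAGE_FILE_HEADER_SIZE + opt_size
    names = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        raw = image[off:off + 8]
        if len(raw) < 8:
            raise ValueError(f"section table truncated at entry {i}")
        # Name is NUL-padded but not NUL-terminated when all 8 bytes are used.
        names.append(raw.split(b"\x00", 1)[0].decode("latin-1"))
    return names


def duplicate_section_names(image: bytes) -> dict[str, int]:
    """Threat indicator: section names that appear more than once, with counts."""
    counts = Counter(section_names(image))
    return {name: n for name, n in counts.items() if n > 1}


def build_minimal_pe(names: list[str]) -> bytes:
    """Constructed test input: a header-only PE32 image with the given sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: right after the DOS header
    opt = bytearray(0xE0)                               # PE32 optional header, otherwise zero
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic = PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x0102)
    table = b""
    for name in names:
        raw = name.encode("latin-1")[:8].ljust(8, b"\x00")
        table += raw + b"\x00" * (SECTION_HEADER_SIZE - 8)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


if __name__ == "__main__":
    print(duplicate_section_names(build_minimal_pe([".text", ".data", ".text"])))
```

The Windows loader never consults section names, only the table entries, so a repeated name is a weak signal on its own; it is useful precisely because it costs nothing to compute and is combined with the other PE indicators the engine collects.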

v1.6.0

Release date: 01/29/2024

New Features and Improvements
  • Improved engine performance and stability
  • Implemented configurable OPSWAT Reputation secret in engine global config
  • New indicators for Windows APIs related to specific activities
  • Implemented flagging for LSASS dump using minidump
  • Extracted remote templates inside xTable struct in MS Office documents
  • Implemented parser for Debian packages
  • Expanded malware configuration extractors to encompass the latest and most pertinent threats
  • Improved detection of dynamic syscalls using the HellsGate bypass technique
  • Enhanced Quishing and Phishing email detection
  • Improved the capabilities of Batch, CSV, HTA, JavaScript, LNK, PowerShell, VBA, and VBScript emulation and fine-tuned timeout handling
  • Fixed several UTF-8 parsing issues in content parsers (related to HTML & OLE files)
  • Ensured that all whitelisted submissions get the Benign verdict
  • Improved the stability of concurrent OSINT lookup tasks

v1.5.0

Release date: 11/06/2023

New Features and Improvements
  • Updated Threat Indicators
  • Improved office file emulation
  • Improved PE file analysis
  • Updated YARA rule-set
  • Improved disassembly for x64 architecture
  • Improved file type detection
  • New IOC types for Crypto wallets
  • New Executive Summary (ChatGPT report)
[Image: Executive Summary]

[Image: Crypto Wallets]

Known issues
  • Crypto wallet IOCs are sometimes parsed and displayed incorrectly in the UI

v1.4.0

Release date: 09/22/2023

New Features and Improvements
  • Support filenames with various Unicode characters
  • Support unpacking of 64-bit executables
  • Support malicious documents embedded in PDF files hidden as ActiveMime objects in MHTML format
  • New threat indicators to detect the WikiLoader malware family (Microsoft Office files)
  • Detection and extraction of embedded RTF files in Office documents, as described in CVE-2023-36884
  • Enhanced Threat Indicator for Mavinject
  • Improved office file emulation
  • Improved application security
  • Improved large file processing

v1.3.4

Release date: 08/02/2023

New Features and Improvements
  • Updated Threat Indicators
  • Improved office file emulation
  • Improved verdict calculation

v1.3.3

Release date: 07/07/2023

New Features and Improvements
  • Fixed global config “reset to defaults” feature
  • Improved office file emulation
  • Updated YARA ruleset
  • Updated Threat Indicators
  • Updated verdict calculation

v1.3.2

Release date: 06/14/2023

New Features and Improvements
  • Updated logging for MetaDefender Core support package
  • Improved handling of embedded JavaScript files

v1.3.1

Release date: 06/05/2023

New Features and Improvements
  • Enabled XML file support by default
  • Updated reputation sources
  • Improved verdict calculation
  • Fixed global config reset to default values feature
  • Fixed report generation for files including Email IOCs

v1.3.0

Release date: 05/26/2023

New Features and Improvements
  • Updated YARA rule database
  • YARA matches displayed on MDCore UI
  • Dependency check on startup

v1.2.0

Release date: 05/17/2023

New Features and Improvements
  • Scan results are extended with the list of IOCs
  • Rapid mode support added and enabled by default
  • Reputation lookup support added and enabled by default
  • Reputation lookup verdict improvements
  • Improved embedded engine performance

v1.1.0

Release date: 05/08/2023

New Features and Improvements
  • Improved Microsoft Office file handling
  • Security and performance improvements

v1.0.0

Release date: 04/06/2023

New Features and Improvements
  • First versions of Embedded and Remote engines for MetaDefender Core customers