Embedded Engine

• Min-Max Analysis timeout changed: Minimum and Maximum Analysis Timeout changed to 60-86400, for better handling of Large Files.
• .Dll files are signed: Windows .Dll files are now signed for better security
• Enhanced Archive handling: Archive File handling improved to reduce Scan times.

• Java Dependency checking is fixed: Fixed Java dependency checking to no longer mismatch some Java versions
• Deep CDR Triggers options added: New Deep CDR Trigger option is added to Workflow configs for a more granular setup option.
• Removed Scan modes from configuration: Scan mode workflow config is no longer supported.
• Context-Aware Threat Indicators: Improved threat indicators by factoring in the context of the analysis, leading to more accurate threat assessments.
• Reduced False Positives: Lowered false positive rates for heuristically detected or non-clickable IP addresses and URLs, improving the accuracy of threat analysis.
• Malicious Document Detection: Improved the detection of malicious documents, adding new indicators and reducing the risk of document-based attacks.
• Enhanced Emulation: Increased emulation success rates, particularly through better recognition of file content types eligible for emulation.
• Python Script Detection: Improved detection of malicious Python scripts, a growing vector for attacks.
• Better XOR Decryption: Extended XOR decryption capabilities, improving analysis of encrypted malware.
• Improved IOC Extraction: Enhanced the extraction of indicators of compromise (IOC) from emulation for a more comprehensive report.
• YARA Rule Updates: Reviewed and vetted third-party YARA rules. By default, YARA rules are loaded with priority from the OPSWAT repository.
• Symantec Quarantine Repair: Implemented a repair function for files restored from Symantec quarantine, ensuring files can be analysed post-restoration.
• MSC File Support: Added the ability to identify and parse Microsoft Management Console (MSC) files, further broadening threat detection capabilities.
• JPHP Support: Enhanced malware detection with the ability to parse and decompile JPHP files, expanding the range of supported file types and languages.
• .NET API Call Detection: Added detection of unmanaged .NET API references, improving analysis of .NET-based malware.
• OT Malware Detection: Introduced a YARA ruleset specifically for OT (Operational Technology) malware, expanding protection to critical infrastructure systems.
• LNK File Threat Indicators: Strengthened detection for LNK icon smuggling and LNK-MOTW (Mark of the Web) bypass attacks, both common techniques in modern malware.
• Ransomware Detection Enhancement: Added severity Yara rule matches related to ransomware, helping to prioritize and respond to ransomware threats more effectively.

• Upgraded to Java 17 and Python 3.10 for all relevant Sandbox components
• Support for AutoIT script files, including compiled AutoIT Portable Executables
• Parsing of MSI metadata and actions, including implementation for filtered file extraction
• Parsing of ODF files and macro extraction
• Parsing of Python pickle files, including implementation for malicious Threat Indicators
• Capability to identify potential obfuscation for extracted macro code
• New Threat Indicator for deceptive filenames commonly used for phishing files
• New Threat Indicator for undetected Equation Editor RTF exploit
• Enhanced parsing of LNK metadata and actions, including new Threat Indicators
• Improved Python-specific Threat Indicators
• Include proper tags for Golang, Rust and compiled-Python Portable Executables
• Improved processing for nested extracted files
• Enhanced Threat Indicators for imported APIs and emulation respectively

Fixes and improvements:

• Fixed minor bugs and misdetections
• Improved emulation efficacy
• Improved application security

• Ensured support for Ubuntu 22.04
• Added new threat indicators
• Disabled IP address OSINT lookups to avoid false positive findings
• Added verdict to IOCs on the UI
• Reduced false positive / false negative detection
• Updated YARA rule-set
• Fixed office file emulation errors

• Malware config extraction support
• Python Unpacking & Decompilation for PyInstaller, Nuitka, and py2exe
• Improved error reporting
• Added long path support on Windows
• Added HTTP redirection support
• Included disassembly of exported functions for Windows binaries
• Threat indicator to flag when executable files have two different sections with the same section name
• Extraction of VBA macro code from DWG files (shown as OLE Stream in File Details section)
• Enhanced script language detection using the guesslang library
• Fine-tuned several threat indicators to reduce false positive ratio
• Improved detection for phishing calendar invites
• Enhanced recursive analysis of active content containers (email, Office documents, PDF, etc.)
• Improved scan process for corrupt OLE2 documents
• Fixed several issues with existing threat indicators (ELF binaries, URL extraction, EML)

• Improved engine performance and stability
• Implemented configurable OPSWAT Reputation secret in engine global config
• New indicators for Windows APIs related to specific activities
• Implemented flagging for LSASS dump using minidump
• Extracted remote templates inside xTable struct in MS Office documents
• Implemented parser for Debian packages
• Expanded malware configuration extractors to encompass the latest and most pertinent threats
• Improved detection of dynamic syscalls using the HellsGate bypass technique
• Enhanced Quishing and Phishing email detection
• Improved the capabilities of Batch, CSV, HTA, JavaScript, LNK, PowerShell, VBA, and VBScript emulation and fine-tuned timeout handling
• Fixed several UTF-8 parsing issues in content parsers (related to HTML & OLE files)
• Ensured that all whitelisted submissions get the Benign verdict
• Improved the stability of concurrent OSINT lookup tasks

• Updated Threat Indicators
• Improved office file emulation
• Improved PE file analysis
• Updated YARA rule-set
• Improved disassembly for x64 architecture
• Improved file type detection
• New IOC types for Crypto wallets
• New Executive Summary (ChatGPT report)

• Crypto Wallets IOCs sometimes parsed and displayed incorrectly on the UI

• Support filenames with various Unicode characters
• Support unpacking of 64-bit executables
• Support malicious documents embedded in PDF files hidden as ActiveMime objects in MHTML format
• New threat indicators to detect the WikiLoader malware family (Microsoft Office files)
• Detection and extraction of embedded RTF files in Office documents, as described in CVE-2023-36884
• Enhance Threat Indicator for Mavinject
• Improved office file emulation
• Improved application security
• Improved large file processing

• Updated Threat Indicators
• Improved office file emulation
• Improved verdict calculation

• Fixed global config “reset to defaults” feature
• Improved office file emulation
• Updated YARA ruleset
• Updated Threat Indicators
• Updated verdict calculation

• Updated logging for MetaDefender Core support package
• Improved handling of embedded JavaScript files

• Enabled XML file support by default
• Updated reputation sources
• Improved verdict calculation
• Fixed global config reset to default values feature
• Fixed report generation for files including Email IOCs

• Updated YARA rule database
• YARA matches displayed on MDCore UI
• Dependency check on startup

• Scan results are extended with the list of IOCs
• Rapid mode support added and enabled by default
• Reputation lookup support added and enabled by default
• Reputation lookup verdict improvements
• Improved embedded engine performance

• Improved Microsoft Office file handling
• Security and performance improvements

• First versions of Embedded and Remote engines for MetaDefender Core customers