MetaDefender Configuration

Linux

The configuration file for the server is located in /etc/ometascan/ometascan.conf

Notice

After modifying the server configuration file you must restart the Metadefender Core service in order for the changes to take effect. You should use the distribution-standard way to restart the service.

[global] section

parameter

default value

required

description

restaddress


required

IP address of the computer that runs MetaDefender Core to serve REST API and web user interface (* means listening from all interfaces including IP version 4 and 6).

Just in case IP version 6 is not enabled on the system, then changing it to 0.0.0.0 to limit to IP version 4 only.

restport

8008

required

Designated port number for the web management console and REST interface

report_engine_issue

true

optional

Enable reporting of engine issue count. (possible values: "true" or "false")

dlppath

[Data directory]/dlp

optional

Directory for DLP-processed database and items

quarantinepath

[Data directory]/quarantine

optional

Directory for quarantine database and quarantined items

sanitizepath

[Data directory]/sanitized

optional

Directory for sanitized database and sanitized items

dbmode

1

optional

Support database mode, possible values:

  • 0: Not used for now, reserved

  • 1: Standalone Core (default)

  • 2: Core instance in Central Hub deployment

  • 3: Non-persistent mode (Core will not write any scan result into database, client must use webhook scanning fashion to retrieve scan result)

  • 4: Shared database model (all Core instances will share the same database)

After changed, a Core service restart is required to take effect. Only available starting MetaDefender Core 4.19.2

tempdirectory


optional

Full path of a directory to use for storing temporary files rather than using their default directories: /var/tmp/ and /tmp

Users need to prepare this directory in advance.

MetaDefender Core creates a subfolder called ometascanand ometascan/resources in the directory.

Default: /var/tmp/ometascan/resources/

tempdirectory_create_timeout


optional

Maximum time allowed for MetaDefender Core to access device and create temporary folder on it.

[logger] section

key

default value

required

description

logfile

/var/log/ometascan/ometascan.log

optional

Full path of a logfile to write log messages to

loglevel

info

optional

Level of logging. Supported values are: debug, info, warning, error

log_rotation

1

optional

Should only set this key when logfile key is also set accordingly. Supported values:

  • 0: All logs are not rotated, except for NGINX log.

  • 1 (default mode), enable to rotate log:

    • Rotation process will be performed every day or when file size reaches 1GB.

    • Limit rotated log to be stored is 30 files, the oldest log will be deleted if file number reaches the limit.

    • Rotated log name format: <logname>-<yyyyMMdd>.gz (e.g.: core.log-20200330.gz), all saved in same location with what you set in logfile.

    • All generated log packages included in MetaDefender Core support package.

syslog


optional

Switch on logging to a local ('local') or remote ('protocol://<hostname>:<port>') syslog server (Multiple server can be specified separated with comma)

syslog_level


optional

Level of logging. Supported values are: debug, info, warning, error

local_timezone

false

optional

Set local timezone for events sending to local syslog server

override


optional

Override specific log ids to display them on another level e.g.: "1723:error,663:info"

If there is no level set for an id, it will be displayed on every occasion. e.g.: "1723,663:info" means id 1723 dump message will be displayed every time and id 663 warning message is reduced to info level.

cef

false

optional

If true, the log format is Common Event Format.

nginx_logfile

/var/log/ometascan/nginx-ometascan.log

optional

File name and path to store the NGINX logs. If this value is changed, the /etc/logrotate.d/ometascan should be changed accordingly.

Notice

Setting both syslog and syslog_level, or none of them.

Notice

Setting both logfile and loglevel, or none of them.

[internal] section

key

default value

required

description

db_connection

10

optional

Define maximum number of concurrent connections allows MetaDefender Core to open to work with PostgreSQL database server. Only available starting MetaDefender Core 4.19.1

data_directory

/var/lib/ometascan

optional

Full path for MD Core’s data (database, updates etc.) E.g. /var/lib/ometascan/test

skip_upgrade_scan_data

0

optional

When enabled (set to 1), upgrading MetaDefender Core will auto skip migrating history processing data which is usually big in size (only migrate configurations and audit history).

This setting is to save upgrade time when users do not need to migrate entire scan data.

parallelcount

20

optional

Set maximum number of threads (files) sending to engine at the same time, applicable to all engines

Exception:

  • Archive engine (extraction): default = -1 (unlimited)

  • Archive engine (compression): default = 20

  • Proactive DLP engine: default = 5

  • Sandbox engine: default=5

parallelcount_<enginename>


optional

<enginename> is the first part of engine id which all can be found in <MD Core folder>\data\updates\metadescriptor

For example:

engine id: symantec_1_windows<enginename> = symantec

Some common use-cases:

  • ds (parallelcount_ds): Deep CDR engine. By default, parallelcount_ds = 20

  • 7z (parallelcount_7z): Archive engine, applicable to archive extraction only. By default, parallelcount_7z = -1 (unlimited threads)

    • 7z_extract (parallelcount_7z_extract): Archive engine, extraction only. By default, parallelcount_7z_extract = -1 (unlimited threads)

      • 7z_compress (parallelcount_7z_compress) : Archive engine, compression only for archive sanitization. By default, parallelcount_7z_compress = 20

next_extraction_polling_interval

1000

optional

Fine-tuning this interval between the range of 100-200ms may help stabilize the performance and processing time when dealing with small archive files or office document files under high load.

In case this polling interval is set to out of range (invalid number, < 100, or > 1000), the application cannot start, and an exception will log to system event log.

Windows

The configuration for the server is located in Windows RegistryHKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\Metascan\

Notice

After modifying the server configuration file you must restart the MetaDefender Core service in order for the changes to take effect.

Global

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\Metascan\global

parameter

default value

type

required

description

restaddress


string value

required

IP address of the computer that runs MetaDefender Core to serve REST API and web user interface (* means listening from all interfaces including IP version 4 and 6).

Just in case IP version 6 is not enabled on the system, then changing it to 0.0.0.0 to limit to IP version 4 only.

restport

8008

string value

required

Designated port number for the web and REST interface

report_engine_issue

true

string value

optional

Enable reporting of engine issue count. (possible values: "true" or "false").

dlppath

[installdir]\data\dlp

string value

optional

Directory for DLP-processed database and items

quarantinepath

[installdir]\data\quarantine

string value

optional

Directory for quarantine database and quarantined items

sanitizepath

[installdir]\data\sanitized

string value

optional

Directory for sanitized database and sanitized items

dbmode

1

string value

optional

Support database mode, possible values:

  • 0: Not used for now, reserved

  • 1: Standalone Core (default)

  • 2: Core instance in Central Hub deployment

  • 3: Non-persistent mode (Core will not write any scan result into database, client must use webhook scanning fashion to retrieve scan result)

  • 4: Shared database model (all Core instances will share the same database)

After changed, a Core service restart is required to take effect. Only available starting MetaDefender Core 4.19.2

tempdirectory


string value

optional

Full path of a directory to use for storing temporary files.

Users need to prepare this directory in advance.

MetaDefender Core creates a subfolder called resources in this folder.

Default: <installation directory>\data\resources

tempdirectory_create_timeout


string value

optional

Maximum time allowed for MetaDefender Core to access device and create temporary folder on it.

Logger

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\Metascan\logger

key

default value

type

required

description

logfile


string value

optional

Location of a logfile to write log messages to.

loglevel


string value

optional

Level of logging. Supported values are: debug, info, warning, error.

Must set value on this key when logfile key is also set accordingly.

log_rotation

1

string value

optional

This setting is only applicable on Windows only (on Linux, we use built-in OS log rotation). Should only set this key when logfile key is also set accordingly. Supported values:

  • 0: Core logs are not rotated.

  • 1 (default mode), enable to rotate log:

    • Rotation process will be performed every day or when file size reaches 1GB.

    • Limit rotated log to be stored is 30 files, the oldest log will be deleted if file number reaches the limit.

    • Rotated log name format: <logname>-<yyyyMMdd>.gz (e.g.: core.log-20200330.gz), all saved in same location with what you set in logfile.

    • All generated log packages included in MetaDefender Core support package.

wineventlog_level

info

string value

optional

Level of logging. Supported values are: debug, info, warning, error.

syslog


string value

optional

Value can only by in form of 'protocol://<hostname>:<port>' (Multiple server can be specified separated with comma)

syslog_level


string value

optional

Level of logging. Supported values are: debug, info, warning, error. Must set value on this key when syslog key is also set accordingly.

local_timezone

false

string value

optional

Set local timezone for events sending to local syslog server.

override


string value

optional

Override specific log ids to display them on another level e.g.: "1723:error,663:info".

If there is no level set for an id, it will be displayed on every occasion. e.g.: "1723,663:info" means id 1723 dump message will be displayed every time and id 663 warning message is reduced to info level.

cef

false

string value

optional

If true, the log format is Common Event Format.

nginx_logfile

[installdir] ginx ginx.log

string value

optional

File name and path to store the NGINX logs.

nginx_log_rotation

1

string value

optional

This setting is only applicable on Windows only (on Linux, we use built-in OS log rotation). Should only set this key when nginx_logfile key is also set accordingly. Supported values:

  • 0: Nginx logs are not rotated.

  • 1 (default), enable to rotate log:

    • Rotation process will be performed every day, regardless of file size.

    • Limit rotated log to be stored is 30 files, the oldest log will be deleted if file number reaches the limit.

    • Rotated log name format: <logname>-<yyyyMMdd>.gz (e.g.: nginxlog.log-20200330.gz), all saved in same location with what you set in nginx_logfile.

    • All generated log packages included in MetaDefender Core support package

Notice

Setting both syslogand syslog_level, or none of them.

Notice

Setting both logfile and loglevel, or none of them.

Internal

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\Metascan\internal

key

default value

type

required

description

db_connection

10

string value

optional

Define maximum number of concurrent connections allows MetaDefender Core to open to work with PostgreSQL database server. Only available since MetaDefender Core 4.19.1

data_directory

<MD Core installation folder>\data

string value

optional

Full path for MD Core’s data (database, updates etc.) E.g. D:\custom_path

skip_upgrade_scan_data

0

string value

optional

When enabled (set to 1), upgrading MetaDefender Core will auto skip migrating history processing data which is usually big in size (only migrate configurations and audit history).

This setting is to save upgrade time when users do not need to migrate entire scan data.

parallelcount

20

string value

optional

Set maximum number of threads (files) sending to engine at the same time, applicable to all engines

Exception:

  • Archive engine (extraction): default = -1 (unlimited)

  • Archive engine (compression): default = 20

  • Proactive DLP engine: default = 5

  • Sandbox engine: default=5

parallelcount_<enginename>


string value

optional

<enginename> is the first part of engine id which all can be found in <MD Core folder>\data\updates\metadescriptor

For example:

engine id: symantec_1_windows<enginename> = symantec

Some common use-cases:

  • ds (parallelcount_ds): Deep CDR engine. By default, parallelcount_ds = 20

  • 7z (parallelcount_7z): Archive engine, applicable to archive extraction only. By default, parallelcount_7z = -1 (unlimited threads)

    • 7z_extract (parallelcount_7z_extract): Archive engine, extraction only. By default, parallelcount_7z_extract = -1 (unlimited threads)

      • 7z_compress (parallelcount_7z_compress) : Archive engine, compression only for archive sanitization. By default, parallelcount_7z_compress = 20

next_extraction_polling_interval

1000

string value

optional

Fine-tuning this interval between the range of 100-200ms may help stabilize the performance and processing time when dealing with small archive files or office document files under high load.

In case this polling interval is set to out of range (invalid number, < 100, or > 1000), the application cannot start, and an exception will log to system event log.