Release notes

Version5.14.1
Release date28 April 2025
ScopeThis minor version adds support for Oracle Linux 9.5, enables TLS-secured syslog communication, provides hardening for Post Action processing, introduces usability improvements and bug fixes.

Making sure to check out the Known Limitations

New Features, Improvements and Enhancements

New OS support: Oracle Linux 9.5

This release of MetaDefender Core introduces official support for Oracle Linux 9.5, expanding platform compatibility for our suite.

#

New endpoint for API Key Management

To offer automated user management, MetaDefender Core provides a new REST API that Administrators can call to set or change a permanent apikey for local-type users.

API document at Update user's API keyAPI.

#

Securing syslog communication over TLS

This version introduces support for securing syslog communication over Transport Layer Security (TLS), enhancing the confidentiality and integrity of log data transmitted across networks.

New protocol tcps is supported. Documentation at Logging, and API can be found at Apply syslog server configurationsAPI.

#

Post Action and External Scanner

Introduce a command restriction for Post Action and External Scanner features enabling server Administrators to specify a list of permitted commands that these features can only use.

More details at Hardening feature for Post Action and External Scanner.

**Post Action with permitted-only commands.**

Post Action with permitted-only commands.

An ability to adjust maximum slots of queue capacity for archive processing

Previously, archive processing was fixed at 25% of the maximum queue size. Now, Administrators can configure this value within a range of 25% to 75%, providing better flexibility to optimize resource allocation for archive processing to improve efficiency in high-throughput environments.

You can find the setting Queue ratio for archive at Settings/General.

Embedded Adaptive Sandbox engine with Daily Scan Quota

When the daily scan quota is reached, Sandbox engine will reject scan requests and display a warning message Declined due to license limit reached .

Users can decide to block files due to out-of-quota by ticking a new option Block files if the execution limit reached . It can be found in Workflow/Adaptive Sandbox.

Continuous Integration with My OPSWAT Central Management

To close the experience gap, the product now supports more features in Inventory/Modules of MetaDefender Core on My OPSWAT Central Management like engine activation, update lock & unlock.

Usability Enhancements & Changes

  • Get prepared for a new engine ID of Archive Extraction engine.
  • Changes in extracted object aggregation, total_extracted_files now excludes nested folder/directory.
  • Handle an edge case where a missing test sample results in engine initialization failure.
  • Improved the detection and redaction of support package generator tool. It coincidentally mistook engine versions for sensitive data.
  • Provide new options for having Blocklisted and Allowlisted reasons in PDF result export.
  • Introduce a new display option to switch between 12-hour and 24-hour clock format. This applies to either web console or exported PDF/CSV file. You can find the setting "Date & Time format" at Settings/General.
  • No longer showing a misleading label True Type in result details of File Type engine when the result is "Not Available".
  • "Processing results to be classified as Allowed" setting now included “Suspicious Verdict by Sandbox” by default.

Technology Integration Enhancements

  • An ability to continue further processing based on results concluded by InSights Threat Intelligence engine.
  • Adjust timeout value for the following engines (File Type Verification, YARA, SBOM, Reputation, COO, InSights Threat Intelligence) to reflect correct remaining time. Only applicable when global timeout is enabled.
  • Create permanent storage folder for internal jobs of Adaptive Sandbox engine.

Security Enhancements

  • Restricted modifications to information of an Administrator account to exclusively be performed by accounts with Administrator privileges.
  • Implemented secure random number generator.
  • Improved endpoints' validation.

Bug Fixes

  • Fixed an issue that stopped periodic email notifications for out-of-disk-space and database maintainance events from being sent.
  • Fixed an Email Notification issue that kept checking license expiration despite of that the setting was disabled.
  • Fixed a display issue that blocked users to view workflow or user directory on touch screen.
  • Fixed an Import issue that temporarily (~3mins) caused lack-of-permission issue for a user who previously had imported configuration to the product.
  • Fixed a Data Retention issue that mistakenly cleaned up sanitized files and DLP-processed files. This issue only occured when feature "Skip hash calculation" is enabled.
  • Fixed an issue that sent too frequently an event log "Synchronized configuration" to My OPSWAT Central Management (MOCM).
  • Fixed a crash issue happening during unenrollment the product on Linux from MOCM.
  • Fixed an issue that stopped syncing engine advanced settings to MOCM when an engine is being updated.
  • Fixed issues that failed engine advanced setting synchronization after editing multiple engines' settings on MOCM.
  • Fixed an issue that failed to apply engine advanced settings after several configurations have been edited on MOCM previously.
  • Fixed an issue that failed to sync YARA source settings from the product to MOCM after performing import configuration.
  • Fixed an issue that interrupted the group policy inheritance of MOCM and failed to apply those settings on the product.
  • Fixed a display issue that showed up an empty screen of Inventory/Modules on MOCM after upgrading to v5.14.0.
  • Fixed a display issue that sometimes showed up an empty screen of Workflow on MOCM after enrollment.

Known Limitations

Details
The 'Proxy server requires password' setting cannot be disabled once it has been enabled

This issue has been resolved in version 5.14.2.

In version 5.14.1, there was an issue that prevented disabling the Proxy server requires password setting once it has been enabled. As a workaround, you can export the current settings, locate and remove the username and password fields under the relevant proxy configuration, and then import the modified configuration.

Database connection failure occurred in a specific circumstance after upgrading to version 5.11.0

This issue has been resolved in version 5.11.1.

This issue does not affect all cases when upgrading to version 5.11.0.

After applying the authentication method scram-sha-256 to enhance security for the bundled PostgreSQL, a database connection issue started occurring after the upgrade, in a specific circumstance.

  • If the application was previously upgraded from version 5.5.1 or older to version 5.6.0 or newer, this issue will occur when users upgrade to version 5.11.0.

We prepare a Knowledge Base (KB) for troubleshooting the issue and bringing the system back online: How to Troubleshoot an Error related to Connection to Database Failing after an Upgrade to v5.11.0?

The issue will not occur in the following scenarios:

  • Upgrading directly from version 5.5.1 or older to version 5.11.0.
  • Upgrading from a fresh installation of version 5.6.0 or newer to version 5.11.0.
Archive compression may fail with very large archive files that contain a large number of subfiles

This issue has been addressed in MetaDefender Core v5.14.0.

MetaDefender Core has a limitation when compressing very large archive files that contain a high number of subfiles. In our test scenario, it failed when processing an archive with 300,000 or more subfiles.

Reuse processing result by hash might be slow in high-load situations

This issue has been resolved in version 5.10.1.

Since its introduction in version 5.8.0, this feature has helped improve overall performance and reduce significant load when processing similar files.

However, we have realized this feature might run slowly in high-load scenarios against large database sizes.

Temporary files in the resource folder may not be properly cleaned up if the Archive Extraction engine crashesStarting from MetaDefender Core version 5.10.1, if the Archive Extraction engine crashes, temporary files from specific extraction transactions may not be properly cleaned up. However, this issue is relatively rare.
Reject importing non-empty required_engines setting in containerized environments

This issue occurs only in containerized environments.

If the config zip file includes non-empty required_engines setting, MetaDefender Core will reject the import.

Workaround:

  1. Extract the config zip file.
  2. Open the "export_settings.json" and set "required_engines" to an empty array.
  3. Recompress the files into a new zip.
  4. When executing the docker run command, set the following environment variables: MDCORE_HEALTH_CHECK, MDCORE_REQUIRED_ENGINES. For more details, please refer to Health check settings.
The Engine Update feature may not work as expected in certain environments

We have observed that the Engine Update feature may not work properly in an environment protected by a [Palo Alto firewall](Palo Alto firewall). In the log file, you might find the error message 'SslHandshakeFailedError'.

If upgrading to the latest version of MetaDefender Core does not solve the issue, please consider setting up MetaDefender Update Downloader product. This product is responsible for downloading engines, and MetaDefender Core will retrieve and update its engines from there.

Performance degradation when processing large archive files

This issue has been resolved in MetaDefender Core version 5.5.0 and the Archive Extraction engine version 6.2.1.

  • If you're using MetaDefender Core version 5.4.1, you can update the Archive Extraction engine to version 6.2.1 or newer without waiting for MetaDefender Core version 5.5.0 release.
  • If you're using MetaDefender Core 5.4.0 or older, you can upgrade it to version 5.4.1 or newer, and update the Archive Extraction engine to version 6.2.1 or newer. If you are not able to upgrade MetaDefender Core, it is recommended to stick with the Archive Extraction engine version 6.0.2 until you are able to upgrade MetaDefender Core.
Stability issues on Red Hat / CentOS systems with kernel version 372.13

MetaDefender Core version 5.2.1 or later may not function correctly with Red Hat or CentOS operating systems that use kernel 372.13.

Red Hat is addressing the kernel issues. Please try upgrading to kernel version 372.26.

PostgreSQL and MetaDefender Core services cannot initialize in certain containerized environments

This issue was addressed in MetaDefender Core v5.11.1

In a containerized environment, MetaDefender Core version 5.2.0 or newer may work properly when:

  • The Linux kernel version of the host machine is newer than 4.18.0 including 5.x.y and 6.x.y.
  • The Docker base image is CentOS 7.
  • The bundled PostgreSQL database is used (DB_TYPE=local).

Workarounds for older versions:

  1. Switch to using a Docker base image RHEL 8 or Debian.
  2. Switch to using a remote PostgreSQL database.
MetaDefender Core's NGINX web server will not start if weak cipher suites are used for HTTPS

On MetaDefender Core version 5.2.0 and later, OpenSSL 1.x has been replaced by OpenSSL 3.x within the product and its dependencies, including PostgreSQL and NGINX, to enhance security and address known vulnerabilities in OpenSSL 1.x.

However, NGINX's implementation of OpenSSL 3.x in MetaDefender Core enforces strong encryption by rejecting all weak cipher suites. It only accepts "HIGH" encryption cipher suites as defined by OpenSSL https://www.openssl.org/docs/man1.1.1/man1/ciphers.html. This means ciphers based on MD5 and SHA1 hashing are no longer supported.

Consequently, if you previously configured MetaDefender Core for HTTPS connections using a weak SSL cipher with your certificate, the service will not start due to NGINX's OpenSSL 3.x security enforcement.

To prevent and remediate the issue before upgrading MetaDefender Core, please refer to the following resources: HTTPS Failure on MetaDefender Core 5.2.0 (or newer)

Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard