Overview
MetaDefender Kiosk helps protect your network by enabling control over the flow of data into and out of your organization. It can be used as a media scanning station on your own hardware or on OPSWAT's custom-made kiosks. Media such as USB devices, DVDs, SD cards, flash drives, or floppy disks are processed by Kiosk. After the scan is complete, Kiosk generates a detailed report.
This user guide covers installing, configuring, upgrading, using, and troubleshooting MetaDefender Kiosk.
Key Features
Protection against zero-day attacks (MetaDefender Core integration)
Customized data security policies
Control over data flow
Active Directory authentication
Custom Authentication
Portable Media support including floppy disks, SD cards, CDs, DVDs, encrypted USB, and more
UI localization
- Contains bundled language translations and the ability to manually additional languages
Securely wipe USB drives
Easier system hardening
User authentication
MetaDefender Kiosk has the following authentication features:
- Active Directory authentication
- Support for Custom Authentication Module
Peripheral media
MetaDefender Kiosk automatically detects multiple peripheral media insertions for the following media types:
- USB devices
- CDs/DVDs/Blu-ray
- Card readers
- SD cards
- Floppy disks
Not all USB devices are currently supported. If you have a specific device you need supported, please contact OPSWAT support.
Encrypted USB devices
MetaDefender Kiosk can unlock encrypted USB devices with a given password and process its contents. Kiosk supports the following encrypted USB devices:
| Device | Software Version | Firmware Version | Scanning | Wipe | File Handling | Notes |
|---|---|---|---|---|---|---|
| Avira-Iron-Drive I | InfoPure - 3.201812 | - | ✔️ | ❌ | ✔️ | |
| Biocryptodisk-ISPX | - | - | ✔️ | - | - | |
| Buffalo RUF2-HSCT | PASSWORD - 2.67 | - | ✔️ | ✔️ | ✔️ | |
| Buffalo RUF3-HSL | OPEN_HS - 2.68 | - | ✔️ | ✔️ | ✔️ | Not supported as copy -to destination with all encrypted scan source devices, except SanDisk Cruzer Enterprise FIPS Edition and Bitlocker USBs. |
| DataLocker Sentry 3 FIPS | 6.8.1.0 | 3.05 | ✔️ | ✔️ | ✔️ | |
| DataLocker Sentry ONE | 6.8.1.0 | 03.05 | ✔️ | ✔️ | ✔️ | Versions managed with SafeConsole are also supported |
| DataLocker Sentry ONE Managed | 6.6.0.0 | 03.05 | ✔️ | ✔️ | ✔️ | |
| DataLocker Sentry 3.0 | 4.8.1 | ✔️ | ✔️ | ✔️ | ||
| DataTraveler Vault Privacy 3.0 - (DTVP30) | 3.0.1.1 | ✔️ | ✔️ | ✔️ | ||
| DataTraveler Vault Privacy 3.0 - (DTVP30M-R) | 4.8.2.1 | ✔️ | ✔️ | ✔️ | ||
| Integral Courier FIPS 197 | 1.0.3.1 | - | ✔️ | - | - | |
| IronKey D250 | 3.4.3.0 | ✔️ | ✔️ | ✔️ | ||
| IronKey D300 | 3.4.3.0 | ✔️ | ✔️ | ✔️ | ||
| IronKey D300S | 3.4.3.0 | ✔️ | ✔️ | ✔️ | Re-enter the password when the use of an incorrect password has not been supported yet. | |
| IronKey D500S | 3.4.3.0 | ✔️ | ✔️ | ✔️ | ||
| IronKey S1000 | 6.7.0.0 | ✔️ | ✔️ | ✔️ | ||
| Kanguru Defender Elite 30 | - | - | ✔️ | ✔️ | ✔️ | |
| Kanguru Defender Elite 200 | 4.0.8.1 | - | ✔️ | ✔️ | ✔️ | |
| Kanguru Defender Elite 300 | - | - | ✔️ | ✔️ | ✔️ | |
| Kanguru Defender 2000 | 5.1.6.8 | - | ✔️ | ✔️ | ✔️ | |
| Kanguru Defender 3000 | 5.6.8.0 | - | ✔️ | ✔️ | ✔️ | |
| McAfee Complete Data Protection | 4.3.0.224 | - | ✔️ | ❌ | - | McAfee File and Removable Media Protection client is installed on the system that MetaDefender Kiosk is installed. |
Trellix File and Removable Media Protection As of December 30, 2022, McAfee File and Removable Media Protection is now known as Trellix File and Removable Media Protection (Trellix FRP) | 5.4.3.170 | - | ✔️ | ❌ | ✔️ | Trellix File and Removable Media Protection client is installed on the system that MetaDefender Kiosk is installed. |
| Microsoft BitLocker | - | - | ✔️ | ❌ | ✔️ | Supports BitLocker To Go using passwords. MetaDefender Kiosk does not support BitLocker encryption using key files, smart cards, or VHD (Virtual Hard Drive) BitLocker encryptions. |
| SanDisk Cruzer Enterprise FIPS Edition | 2.5 SDK 1.2.10.12 | 6.615 | ✔️ | - | - | |
| SanDisk Cruzer Contour U3 based USB | 4.08 U3 Launchpad - 1,6,1,1 | - | ✔️ | - | - | |
| SDMS MkIII AES Duoulock | 1.0.0.8 | 1.21 | ✔️ | ✔️ | ✔️ | |
| USB Flash Security | 4.1.12.17 | - | ✔️ | - | - | |
| Viasat Eclypt | 4.1.14 | - | ✔️ | ✔️ | ✔️ | The Eclypt Management Application (ema-ui.exe) must be installed on the system in order to unlock the device. |
| Viasat Freedom 600 | 4.1.14 | - | ✔️ | ✔️ | ✔️ | The Eclypt Management Application (ema-ui.exe) must be installed on the system in order to unlock the device. |
| Viasat Freedom 100 | 4.1.14 | - | ✔️ | ✔️ | ✔️ | The Eclypt Management Application (ema-ui.exe) must be installed on the system in order to unlock the device. |
Encrypted devices are not supported by OPSWAT Media Validation Agent (OMVA)
Media handling
MetaDefender Kiosk's media handling features include the following:
- Can process drives with multiple partitions
- Can process full or partial media
- Can wipe/format USB drives
- Supports integration with MetaDefender Managed File Transfer for uploading files for processing or uploading/downloading processed files
- USB device soft eject
- CD/DVD eject
Processing files
MetaDefender Kiosk uses MetaDefender Core to process files. MetaDefender Core has the following processing features:
- Scanning with multiple anti-malware engines
- Data sanitization
- Application vulnerability detection
- Heuristics for zero-day threats
- Archive extraction
- File type verification
- Workflow engines
Processing session results
After processing media, MetaDefender Kiosk allows you to view detailed logs and print results.
Customizable interface
The MetaDefender Kiosk user interface includes multiple display languages:
- English
- Arabic
- Hebrew
- Korean
- Vietnamese
- German
- Japanese
- Spanish
- French
With the additional support of customizing the bundled languages or adding other languages.
On-screen keyboards are also supported for all of these languages.
System hardening
MetaDefender Kiosk comes with a variety of system hardening features for additional security:
- Disables autorun of inserted media
- Users can only exit by pressing
ALT+Sand if Kiosk is configured to require a password to exit, entering the exit password - User interface blocks direct access to the underlying system and unnecessary keystrokes
- Runs automatically on system startup
Defending against BadUSB devices
A range of BadUSB devices, including well-known ones like RubberDucky and BashBunny, mimic standard USB Flash Storage devices in appearance. However, beneath their facade, they utilize a USB keyboard interface when connected to host systems. These malicious devices execute keystroke sequences designed to initiate processes, establish shell access, and manipulate system configurations using shortcuts, among other tactics.
With the built-in MetaDefender Kiosk hardening measures, Kiosk significantly enhances its immunity against keyboard-based BadUSB attacks. This safeguards against keystrokes originating from BadUSB devices, which attempt to trigger shortcuts or interact with the Windows OS, by effectively suppressing such attempts. Moreover, the scanning of storage space on BadUSB devices remains intact, thereby enabling the identification and reporting of any malware that may be detected.