Release Notes

UI modernization, smarter installation, improved support tooling, and quality-of-life usability updates.

This release focuses on making MetaDefender® ICAP Server easier to deploy, easier to support, and more consistent to operate. The interface has been fully modernized, the installation process is smarter, support diagnostics are faster, and several day-to-day friction points have been resolved.

• UI Overhaul — Full adoption of OPSWAT's Blue Line Framework with unified visuals, accessibility compliance, and consistent branding.
• Support Package Enhancements — Granular control over log collection and package content for faster, more targeted diagnostics.
• Installation Improvements — Automated port conflict detection and Windows Defender AV exclusion to reduce deployment friction.
• Usability Updates — UTF-8 block pages, expanded password characters, larger REST API body limit, and server profile visualization

Metadefender ICAP Server v5.14.0 adopts OPSWAT's Blue Line Framework (BLF) design system, delivering a consistent, modern, and accessible interface.

• Unified Visual Language — Consistent typography, spacing, color palette, and iconography applied across all pages and components for a cohesive look and feel.
• Modernized Components — Buttons, forms, tables, modals, and navigation elements have been rebuilt using BLF-standard components, improving usability and interaction clarity.
• Accessibility — UI components now conform to WCAG 2.1 accessibility standards, featuring enhanced keyboard navigation, visible focus states, and improved color contrast ratios to broaden access for all operators.
• Responsive Layout — The interface adapts fluidly across different screen sizes and resolutions, supporting a consistent experience on various devices.
• Consistent Branding — Visual alignment with other OPSWAT products (MetaDefender Core™, MetaDefender Cloud™, and other OPSWAT products) delivers a unified operator experience across the product suite. If you work across multiple OPSWAT products, the experience will feel immediately familiar.

The support package generator has been significantly improved with greater control and flexibility over what gets collected, reducing package size and generation time.

• Selective Log Collection — Choose which logs to include: database logs, system logs, NGINX logs, or ICAP product logs. Collect only what's needed for faster and more targeted diagnostics.
• Log File Limit — Set a maximum number of log files to collect per category. By default, all available log files are included.
• Processing History Toggle — Opt in or out of including processing history. Excluding it can noticeably reduce both the package size and the time required to generate it. By default, this option is disabled.

Go to Settings → Generate Support Package

To streamline deployment and reduce installation issues, two automated checks have been introduced during the installation process.

• Port Conflict Detection(all platforms) — Before installation begins, the installer verifies that all required ports are available. If a conflict is detected, installation is blocked and you are notified with enough detail to resolve the issue before retrying — no silent failures, no misconfigured deployments.
• Automatic AV Exclusion(Windows only) — On systems running Windows Defender, the ICAP Server process and its working directory are automatically added to the AV exclusion list during installation. No manual post-install configuration required.

Upgraded third-party libraries for improved security:

• LibXML2 v2.15.3
• OpenSSL v3.6.2
• Curl v8.20
• Nginx v1.30.2
• Sqlite v3.53.1
• Zlib v1.3.2
• ICU for C++ v28.3
• gRPC v1.78.1

Applied additional security hardening measures across the product to prevent vulnerabilities and strengthen overall protection.

• UTF-8 Encoding for Block Pages — UTF-8 encoding is now enabled by default for block pages, ensuring proper display of multilingual and special characters without additional configuration.
• Broader Password Character Support — Passwords may now include the < and > characters, providing greater flexibility when setting credentials.
• Higher REST API Body Size Limit — The default maximum accepted body size for REST API requests has been increased to 2 MB, accommodating larger payloads without requiring manual configuration changes.
• Server Profile Visualization — A new visual representation of Server Profiles makes it easier to understand how scan requests are distributed across MetaDefender Core™ instances. This feature is useful when tuning or troubleshooting multi-instance configurations.

In v5.5.0, users cannot create a new SAML directory via the web UI.

• Workaround: Use REST API to create the SAML directory
• Impact: Existing SAML directories remain unaffected after upgrading to v5.5.0
• Resolution: Fixed in v5.5.1 and newer

MetaDefender ICAP Server v5.1.0 or newer may encounter stability issues on Red Hat/CentOS systems running kernel version 372.

Solution: Upgrade to kernel version 425, where Red Hat has resolved this issue.

From v5.1.0, OpenSSL 1.x has been replaced with OpenSSL 3.x — across the product and its dependencies — to enhance security and address vulnerabilities.

As part of this upgrade, NGINX's OpenSSL 3.x in MetaDefender ICAP Server now enforces stricter cipher policies and rejects all weak cipher suites. The web server now only accepts "HIGH" encryption cipher suites https://www.openssl.org/docs/man1.1.1/man1/ciphers.html (MD5 and SHA1 hashing based are also not accepted).

As a result, if you have already configured MetaDefender ICAP Server for HTTPS using a weak SSL cipher with your certificate, the server will not start due to the enforced security policies in NGINX's OpenSSL 3.x.

On Debian OS, MetaDefender ICAP Server v5.1.0 requires the two following commands to enable TLS communication with MetaDefender Core:

sudo mkdir -p /etc/pki/tls/certs/

sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Resolution: Upgrade to MetaDefender ICAP Server v5.1.1, where the issue is resolved.