Release Notes

Version5.12.0
Release date19 Dec 2025
ScopeFocused on new functionalities, enhancements and bug fixes

Before upgrading MetaDefender ICAP Server to v5.10.0 or newer from v5.6.0 or earlier, make sure you review the Release Notes and the following Documentation:

  1. PostgreSQL Database Deployment Options
  2. Installation
  3. Upgrade to MetaDefender ICAP Server v5.7.0 or newer

New Features, Improvements and Enhancements

Details
Expanding processing history details

View a complete chronological timeline of each file's journey through the processing pipeline, including precise start and end times for every stage. Quickly identify bottlenecks and optimize performance by visualizing where files spend the most time, enabling faster troubleshooting and process optimization.

Security Hardening for Block Page Content

Strengthen security with an option to disallow scripts and unsafe HTML tags in custom block pages.

  • By default, new installations block these elements to prevent potential vulnerabilities.
  • For upgrades from older versions, if the existing blockpage content contains scripts or unsafe HTML tags, an admin or authorized user will be prompted to review and choose whether to allow or disallow them.
  • Note: Before applying the “Remove and Block Scripts/Unsafe HTML” option, admins should carefully review the blockpage content, as removing these elements may alter its formatting.

To toggle the option, use the configuration flag global/blockpage_allow_script_or_unsafe_html_tag (refer to Configuration file)

Support for CIS Level 1 and 2 for WindowsMetaDefender ICAP Server now aligns with CIS Level 1 and Level 2 benchmarks for Windows Server 2022. This enhancement supports organizations that require stricter security controls. Refer to CIS Level 1 & 2 Guidelines - Windows
Security Enhancements

Upgraded third-party libraries for improved security:

  • Qt v6.9.3
  • PostgreSQL v16.10
  • OpenSSL v3.4.3
  • gRPC v1.71.1
  • NGINX v1.28.0
  • OpenLDAP v2.6.10
  • Brotli v1.2.0
  • Curl v8.16.0

Applied additional security hardening measures across the product to prevent vulnerabilities and strengthen overall protection.

Usability Improvements
  • Prevent Hardware Deployment ID Changes with Teamed NIC: Ensures stability by preventing deployment ID from changing when network interface cards are teamed.
  • Configurable Syslog Date Format: Added a flag option logger/syslog_dateformat to allow customization of the datetime format in syslog entries (refer to Configuration file).
  • Enhanced Processing History Search: Supports searching and displaying filenames in processing history if the file can be scanned, even when files are packaged in multipart form

  • Workflow Optimization: Allow List by File Type - Introduced an option to allowlist by file type within each workflow, reducing unnecessary scans for extremely small files (e.g., files less than 10–20 bytes).

  • NGINX Integration Health Check: Added support for health checks to improve reliability in NGINX-integrated environments.
  • Simplified ICAP Integration with Numeric Verdicts: Added an option to return the X-Result-Number header with a numeric value instead of a verdict string, making ICAP client integration simpler for verdict validation. Enable this header by setting the flag global/enable_x_result_number_header (refer to Configuration file)
  • Add support for scanning Base64-encoded data embedded within a JSON structure in a URL-encoded format

Bug Fixes

Details
Random crash issue on LinuxResolved a rare crash issue on Linux environments that could occur when polling and webhook callbacks were combined.
Minor FixesResolved various UI cosmetic issues and minor fixes

Known Limitations

Details
Proxy ConfigurationCurrently, HTTPS proxy configuration is not supported.
SAML Directory (SSO Integration) Limitations

In v5.5.0, users cannot create a new SAML directory via the web UI.

  • Workaround: Use REST API to create the SAML directory
  • Impact: Existing SAML directories remain unaffected after upgrading to v5.5.0
  • Resolution: Fixed in v5.5.1 and newer
Stability Issues on Red Hat/CentOS (Kernel Version 372)

MetaDefender ICAP Server v5.1.0 or newer may encounter stability issues on Red Hat/CentOS systems running kernel version 372.

Solution: Upgrade to kernel version 425, where Red Hat has resolved this issue.

MetaDefender ICAP Server's NGINX Web Server Fails to Start with Weak Cipher Suites for HTTPS

From v5.1.0, OpenSSL 1.x has been replaced with OpenSSL 3.x — across the product and its dependencies — to enhance security and address vulnerabilities.

As part of this upgrade, NGINX's OpenSSL 3.x in MetaDefender ICAP Server now enforces stricter cipher policies and rejects all weak cipher suites. The web server now only accepts "HIGH" encryption cipher suites https://www.openssl.org/docs/man1.1.1/man1/ciphers.html (MD5 and SHA1 hashing based are also not accepted).

As a result, if you have already configured MetaDefender ICAP Server for HTTPS using a weak SSL cipher with your certificate, the server will not start due to the enforced security policies in NGINX's OpenSSL 3.x.

no_proxy ConfigurationStarting with MetaDefender ICAP Server v5.1.0, the no_proxy setting must support CIDR for IP addresses. For more details, see No Proxy configuration.
TLS Connectivity to MetaDefender Core on Debian

On Debian OS, MetaDefender ICAP Server v5.1.0 requires the two following commands to enable TLS communication with MetaDefender Core:

sudo mkdir -p /etc/pki/tls/certs/

sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Resolution: Upgrade to MetaDefender ICAP Server v5.1.1, where the issue is resolved.

TLS 1.3 Not Supported on Windows Server 2012TLS 1.3 is not supported on Windows Server 2012 due to limitations with Schannel SSP. Reference
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Archived Release Notes
On This Page
Release NotesNew Features, Improvements and EnhancementsBug FixesKnown Limitations