Release Notes

To expand our platform compatibility, this release introduces the official support for:

• Windows Server 2025
• Oracle Linux 9.5

MetaDefender ICAP Server now supports local user management through REST APIs provided by My OPSWAT Central Management. When integrated, administrators can automate user account provisioning and role assignments across distributed environments, enabling better alignment with centralized identity and access management practices.

This support is available starting from MetaDefender ICAP Server v5.10.0 and My OPSWAT Central Management version v10.1.2507.

Refer to the official My OPSWAT Central Management documentation for more details.

This release adds extended settings for email notifications, including:

• CPU and RAM usage notifications

• Certificates expiration notifications

• Configurable recipient lists based on filters for blocked scan requests

For more information, see the Email Notification page.

Upgraded third-party libraries for improved security:

• Libxml2 v2.14.5
• Brotli v1.1.0
• yaml-cpp v0.8.0
• SQLite v3.50.2
• Removed: 7z library

• Added the status of mdicapsrv_engineprocess (for the File Type engine) to health check response.
• Added support to override X-include header in OPTIONS response (specifically for GlobalScape integration). See Configuration file
• Upgraded the File Type engine bundle to latest version v7.5.0.
• MetaDefender Core integration enhancements:
  • Support for failover to another Core in server profile when AVs are not ready
  • Support for override block reasons per workflow in the following cases (under the Advanced options of each workflow)
    • All Core instances are blocked due to mandatory engines being unavailable
    • All Core instances are blocked due to failure to meet minimum required engines

• Added Acknowledgement button in the UI to confirm the clean up of all processing history.
• Support for non-TLS webhook callback, even when TLS enabled, to reduce TLS connection negotiation overhead. (Recommend when MetaDefender Core and MetaDefender ICAP Server are on same host machine.) See Configuration file

In v5.5.0, users cannot create a new SAML directory via the web UI.

• Workaround: Use REST API to create the SAML directory

• Impact: Existing SAML directories remain unaffected after upgrading to v5.5.0

• Resolution: Fixed in v5.5.1 and newer

MetaDefender ICAP Server v5.1.0 or newer may encounter stability issues on Red Hat/CentOS systems running kernel version 372.

Solution: Upgrade to kernel version 425, where Red Hat has resolved this issue.

From v5.1.0, OpenSSL 1.x has been replaced with OpenSSL 3.x — across the product and its dependencies — to enhance security and address vulnerabilities.

As part of this upgrade, NGINX's OpenSSL 3.x in MetaDefender ICAP Server now enforces stricter cipher policies and rejects all weak cipher suites. The web server now only accepts "HIGH" encryption cipher suites https://www.openssl.org/docs/man1.1.1/man1/ciphers.html (MD5 and SHA1 hashing based are also not accepted).

As a result, if you have already configured MetaDefender ICAP Server for HTTPS using a weak SSL cipher with your certificate, the server will not start due to the enforced security policies in NGINX's OpenSSL 3.x.

On Debian OS, MetaDefender ICAP Server v5.1.0 requires the two following commands to enable TLS communication with MetaDefender Core:

sudo mkdir -p /etc/pki/tls/certs/

sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Resolution: Upgrade to MetaDefender ICAP Server v5.1.1, where the issue is resolved.