3.6.2. Analysis workflow configuration

The Analysis workflow page is found under Policy > Analysis workflows after successful login.

These workflows define the scanning methods that can be used by the rules.

Metadefender Core comes with predefined workflows that can not be modified, however they can be copied and the created workflows are fully customizable.

NOTE: These predefined workflows cannot be modified or removed.

It is highly recommended to use less workflow and rather more rules based on the workflows.

images/download/attachments/17148258/image2018-2-1_14-27-40.png WorkflowsWhen clicking on a workflow a windows pops up showing different tabs related to the workflows different kind of properties.


On the Archive tab the archive handling can be enabled or disabled as well as other parameters can be set.

The max recursion level defines how deep extraction should go into the archive, the number of maximum extracted files also can be set as well as the overall maximum size of these files.

It is also possible to disable scanning the archive itself, and a timeout for the whole process can be set as well.




During scan it is possible to create blacklists/whitelists where files depending on their MIME-TYPE and extensions can be skipped. Both of these can be stored in the fields on the Blacklist/Whitelist tab.

Also it is available to blacklist/whitelist all the files coming from the same group, such as executables, Microsoft Office files and others. When filtering by mime-type or filename, the filter is handled as a regular expression.



Files can also be whitelisted by their checksums. For more information please see Whitelist (by hash) page.


File type mismatch feature can be enabled on the tab. With this feature on, when the extension of the file does not match with the available extensions for the actual file type, the scan result will be Filetype Mismatch.

The timeout for the different engines and the whole scanning process also can be set.

The maximum allowed size of scanned objects can be set also on this tab as well.

It is possible to enable and set a threshold value for the failed engine results. If the number of failed engine results for the currently scanned object reaches this value, then the overall result will also be failed. This threshold value does not have an effect on suspicious or infected results.

If the provided workflows do not meet your requirements, please contact our support team via the OPSWAT Portal.



MetaDefender Cloud

When metadefender.com workflow element is enabled, online database will be used. On the result page existing scan results found by file hashes will be shown.



Data Sanitization

By enabling data sanitization one can convert from a set of supported filetypes into another (or the same). By doing so lot of vulnerabilities can be got rid out of rendering the resulting file be more safe. Both the types to be sanitized and the target filetype can be set. File name fro sanitized files can be defined by using "Output filename format" field. For usage and meanings of variables, please refer to Setup output file name page.

Beware, however, that possible data loss or change may occur during conversion, thus this feature is disabled by default.

Note that data sanitization engine is currently available only for Windows nodes.

Result of sanitization can be either downloaded on the scan page or retrieved the data ID via REST. See Fetch Scan Result. Note that /hash API does not provide such information.

Length of time the system stores sanitized files can be set in Settings > Data retention.

images/download/attachments/17148258/image2018-2-1_14-42-54.png Data sanitization


By enabling 'Quarantine blocked files' all of the files which are blocked are automatically copied to the quarantine.

Please note that only default workflows will be upgraded on Metadefender Core v4 upgrade. In order to make quarantine option available with the custom settings, the custom workflow should be recreated by cloning an upgraded default workflow or by creating from scratch.

By enabling 'Fallback filetype detection to current extension if needed' (default enabled), file type detection can use the extension of the currently processed file as a helping hand. For example this could be useful, when analyzing CSV files.

By enabling 'OVERRIDE SCAN RESULTS CLASSIFIED AS ALLOWED' it is possible to overwrite the default behaviour of Metadefender and determine which scan verdicts should result as allowed.

Scan results checked are marked as allowed.

By default only 'No Threat Detected' and 'Skipped Clean' verdicts result in allowed status.

images/download/attachments/17148258/image2018-2-1_14-43-59.png Advanced