3.6.2. Workflow template configuration

The Workflow templates page is found under Policy > Workflow templates after successful login.

These workflow templates define the scanning methods that can be used by the rules.

MetaDefender Core comes with predefined workflow templates that can not be modified, however they can be copied and the created workflow templates are fully customizable.

NOTE: These predefined workflow templates cannot be modified or removed.

It is highly recommended to use less workflow template and rather more rules based on the workflow templates.

images/download/attachments/24891927/image2018-7-5_14-53-31.png Workflow templatesWhen clicking on a workflow template a windows pops up showing different tabs related to the workflow templates different kind of properties.


On the Archive tab the archive handling can be enabled or disabled as well as other parameters can be set.

The max recursion level defines how deep extraction should go into the archive, the number of maximum extracted files also can be set as well as the overall maximum size of these files.

It is also possible to disable scanning the archive itself, and a timeout for the whole process can be set as well.




During scan it is possible to create blacklists/whitelists where files depending on their checksum or MIME-TYPE and extensions can be skipped. All of these can be stored in the fields on the Blacklist/Whitelist tab. Also it is available to blacklist/whitelist all the files coming from the same group, such as executables, Microsoft Office files and others. When filtering by mime-type or filename, the filter is handled as a regular expression.

Exceptions can be defined in Exceptions (by mime-type) section using regular exceptions. For instance, if all office files have to be blocked except docx files, then Office documents group should be chosen and ^application\/vnd\.openxmlformats-officedocument\.wordprocessingml\.document$ expression should be given as exception.



Files can also be whitelisted by their checksums. For more information please see Skip by hash page.


File type mismatch feature can be enabled on the tab. With this feature on, when the extension of the file does not match with the available extensions for the actual file type, the scan result will be Filetype Mismatch.

You can specify the number of active anti-malware engines required for performing a processing. When disabled, no active anti-malware engine is needed to be up to start a processing.

Anti-malware engines not to be used in this workflow also can be listed here.

The timeout for the different engines and the whole scanning process also can be set. The maximum allowed size of scanned objects can be set also on this tab as well.

It is possible to enable and set a threshold value for the failed engine results. If the number of failed engine results for the currently scanned object reaches this value, then the overall result will also be failed. This threshold value does not have an effect on suspicious or infected results.

The threat detected threshold has two value infected limit and the suspicious limit if the number of infected engine results is between these values the overall result will be suspicious. If the infected limit is reached the overall result will be always infected. If none of them is reached the overall result will be the highest priority engine result (infected results are ignored).

If the provided workflows do not meet your requirements, please contact our support team via the OPSWAT Portal.



MetaDefender Cloud

When MetaDefender Cloud workflow element is enabled, online database of MetaDefender Cloud will be used as source for hash lookups.

Available options:

  1. Use results: INFECTED or ALL RESULTS
    If INFECTED is chosen, then only that result will be accepted as result, otherwise all type of results will be taken into account.

  2. MetaDefender Cloud API key: An API key is necessary to have access to the MetaDefender Cloud database. API Key Information can be found on http://metadefender.com, under Account Information page.

  3. Maximum age of scan results: Only results that are not older than what is set here will be considered as a valid result.

  4. Excluded engines' name: Name of the engines whose results are not to be taken into account.

  5. Minimum hit count: To consider a verdict as a valid one, there should be at least as many result for a hash as it has been set here. (If Use result is set to INFECTED, then only infected results will be counted in.)

  6. Time out: The time interval within which the response should be received from MetaDefender Cloud.


MetaDefender Cloud

Data Sanitization (CDR)

By enabling data sanitization one can convert from a set of supported filetypes into another (or the same). By doing so lot of vulnerabilities can be got rid out of rendering the resulting file be more safe. Both the types to be sanitized and the target filetype can be set. File name fro sanitized files can be defined by using "Output filename format" field. For usage and meanings of variables, please refer to Setup output file name page.

The maximum allowed time for data sanitization to be made can be configured through the "Conversion timeout" and "Try count" options, where first one means that data sanitization should finish within the configured timeframe, otherwise abort the conversion and latter means the number of times product should retry in case of a failed conversion.

Beware, however, that possible data loss or change may occur during conversion, thus this feature is disabled by default.

Note that data sanitization engine is currently available only for Windows nodes.

Result of sanitization can be either downloaded on the scan page or retrieved the data ID via REST. See Fetch Scan Result. Note that /hash API does not provide such information.

Length of time the system stores sanitized files can be set in Settings > Data retention.

images/download/attachments/24891927/Selection_744.png Data sanitization

Data Loss Prevention (DLP)

Using this feature, sensitive data can be prevented acquiring them by an unauthorized party. There are two special type of data that the DLP engine can identify automatically:

  • Social Security Number

  • Credit Card Number.

Using regular expressions, custom texts can be searched for.

With the context option, the number of words to show before and after a hit can be given.

Data Loss Prevention

DLP configuration options

On the Technologies page, clicking on the line of the DLP engine then on the Settings text on the top right corner of the popup window, the configuration options for the DLP engine appear.

DLP engine configuration


  • "Mask numbers in CCN/SSN hits": On the result page, the found CCN/SSN numbers will be masked with "X"s.

  • "Mask regex matches": On the result page, texts matching regex will be masked with "X"s.

  • "Parse binary files": Choosing this option, sensitive data will be searched for in files that cannot be converted to text.


By enabling 'Quarantine blocked files' all of the files which are blocked are automatically copied to the quarantine. For detailed description of the quarantine please see the Quarantine page.

By enabling 'Fallback filetype detection to current extension if needed' (default enabled), file type detection can use the extension of the currently processed file as a helping hand. For example this could be useful, when analyzing CSV files.

By enabling 'OVERRIDE SCAN RESULTS CLASSIFIED AS ALLOWED' it is possible to overwrite the default behaviour of MetaDefender and determine which scan verdicts should result as allowed.

Scan results checked are marked as allowed.

By default only 'No Threat Detected' and 'Skipped Clean' verdicts result in allowed status.

images/download/attachments/24891927/image2018-4-10_14-40-26.png Advanced