The OPSWAT Media Validation Agent (OMVA) is a lightweight tool that is deployed on Windows endpoints ensuring that no media can be mounted that has not been first processed by MetaDefender Kiosk.
With the media manifest feature enabled, after media is processed by MetaDefender Kiosk, it will contain a media manifest that is digitally signed and hashes of all the clean and approved files.
When an endpoint has the OMVA installed, any media that is inserted is first checked for a valid digital signature from the Kiosk and then a hash check is performed verifying that the contents of the media have not been altered.

Supported Operating Systems

OMVA is supported on the following operating systems (32\64 bit):

Windows 7
- Requires Service Pack 1 and Microsoft updates KB2533623 and KB3033929
Windows 8
Windows 8.1
Windows 10
Windows Server Small Business Server standard FE (version: 2011 Standard)
- Requires KB2533623 installed http://go.microsoft.com/fwlink/p/?linkid=217865
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

Installing the Agent

Run the .msi obtained from the Kiosk Resources page on the Windows endpoint.

images/download/attachments/1933464/omva_install.png

Note:
The Agent must be provided with the certificates it should consider trusted.
The Agent will look in the following folders to locate all trusted certificates:

%ALLUSERSPROFILE%\OPSWAT\.ssh\
%USERPROFILE%\.ssh\
%APPDATA%\.ssh\
%APPDATA%\OPSWAT\.ssh\

If the trusted certificate is not in any of the directories above, the Agent can also verify certificate trust if the root Certificate Authority certificate is installed.
OPSWAT recommends automating the deployment and installation of trusted certificates to the client using an AD Push or similar technique.
A Certificate Authority certificate can also be installed for an individual end-point by copying the .crt file over, right clicking on it, and selecting "Install Certificate."

Usage / Verification of the Media

Insert the media to the endpoint, automatically, the Validation Agent will begin checking the media, it performs the following steps:

Looks for an OPSWAT Media Manifest file on the media
Checks to make sure the Certificate that signed the media manifest is trusted
Checks each file on the removable media against the media manifest to make sure it has not been modified

images/download/attachments/1933464/verifying_files.png

Result

If the manifest is found to be invalid or files on the media are found to be missing/modified from the manifest, the media will be blocked from being accessed on the endpoint.

images/download/attachments/1933464/device_blocked.png

images/download/attachments/1933464/blocked_mount_msg.png

Configuration of the Agent

Registry configuration: HKLM\SOFTWARE\OPSWAT\OPSWAT-OMVA

Key	Type	Description
days_trusted	REG_SZ or REG_DWORD	The maximum days to use a media manifest result If blank or omitted, the manifest is trusted forever

Uninstalling the Agent

Uninstalling the agent requires the password: " Opswat1234! " to successfully complete.