Ramsdata

Secure access

Trust your devices to access the cloud and local networks

The proliferation of BYOD and cloud applications and the growing need for remote access to corporate data has accelerated the demand for secure access, including unmanaged device surveillance and compliance. It is more important than ever to go beyond basic tests such as operating system level and antivirus software to include removable media, unwanted applications, keyloggers and screen capture protection.

How can you verify that every device in your organization is security compliant before accessing an application or network, no matter where they connect from or where your data is located?

At the same time, in addition to ensuring device security, organizations need secure access to networks, applications and data.

How OPSWAT can help

The OPSWAT solution provides a single integrated platform to address each of these challenges and complexities. It is uniquely positioned to ensure that wherever your data is and wherever the user is, access and the device will be secure and compliant with your security policies. Implementing secure access for remote and local users and ensuring endpoint compliance for managed devices, BYOD and IoT can take months to a year, requiring senior engineers and network administrators, as well as outside consultants.

Secure Access – use cases

With a single platform approach, deployment and management become easier for IT staff, both in implementation and ongoing management, without the need for third-party services. At the same time, users will have access when needed, with easy self-repair steps if problems arise, to restore compliance. For typical applications such as VMware and Salesforce, even stronger integration is available for maximum productivity.

Secure cloud access, remote and on-site

OPSWAT enables cloud integration through Security Assertion Markup Language (SAML), an open standard that allows identity providers (IdPs) to pass credentials to service providers (SPs). OPSWAT also offers a zero-trust solution that replaces VPNs with better security, easier management and a more positive user experience.

Secure on-site access

In a local environment, OPSWAT provides detailed identification and security compliance to make sure you know exactly what’s on your network, can block any unauthorized attempts and can enable segmentation by placing IoT devices in the appropriate group.

Specialized solutions

OPSWAT offers integrated solutions for specific environments, such as Virtual Desktop Infrastructure (VDI) and Salesforce, to make it even easier for both IT and the end user to have a secure device and access in these situations.

In-depth compliance and control

OPSWAT examines devices with standard security controls, such as operating system and antivirus software, and then goes much deeper, including risk and vulnerability assessments, with the ability to detect and fingerprint more than 5,000 third-party applications. Other tests include encryption, removable media, keylogger protection, screen capture protection, unwanted applications and multiple scans for active and passive malware.

Immediate visibility

OPSWAT illustrates the endpoint status of the entire environment and provides control over every device accessing your network and cloud applications – on a single panel. Administrators can conduct a detailed security review of any device and monitor which devices are accessing which applications and when. The overall dashboard illustrates threats, device actions and current vulnerabilities across the enterprise.

Repair and automation

OPSWAT offers self-repair options right out of the box, minimizing costly support calls. To maximize productivity, some repair options can simply be automated, such as updating virus definitions in local malware protection software, activating firewall software and removing unwanted applications.

Quick client for BYOD

Users of BYOD often avoid accessing security software because it is traditionally cumbersome and slows productivity. OPSWAT provides a lightweight client that conducts a quick but comprehensive assessment and can be removed from the device.

Challenges
Companies in the medical industry and healthcare facilities need to take extra precautions to ensure the privacy of confidential patient data is maintained, in agreement with GIODO and HIPAA requirements. The requirements are that organizations adequately protect the privacy of the protected electronic health information they collect, create, maintain or transmit. When these confidential data are breached (with increasing frequency), healthcare organizations are exposed to significant costs associated with the consequences of the breach.

Solution
OPSWAT’s technologies provide ideal solutions to each of these challenges faced by today’s educational institutions. AppRemover forces old security applications to be uninstalled so that new ones can be installed on all student and faculty computers. Metascan provides protection for email and file upload servers by scanning incoming files through a mechanism of multiple anti-virus engines, increasing confidence that malware will not enter the network. Many universities also use Metascan for their IT departments to facilitate malware research.
Universities that choose network solutions from vendors such as Juniper, Cisco or others to allow students and academics to access protected resources can specify a list of approved Anti-Malware applications by selecting applications certified by OPSWAT. These applications will be compatible with the university’s network solutions, and the OPSWAT video will also help explain to students why they should use the Anti-Malware applications on this list, so that fewer questions will be directed to the Help Desk.

Current security vulnerabilities and patch management

Detect all known threats in the Common Vulnerabilities and Exposures (CVE) library, and use MetaAccess’ proprietary scoring system, created to protect more than 100 million endpoints, to help prioritize them.

What do we offer?

OPSWAT offers a MetaAccess solution that covers both secure access and device compliance on a single platform. MetaAccess performs seven deep device security checks on employee, BYOD or guest and IoT devices. If your device is compliant, you can provide secure remote or local access only to authorized network segments and applications. The platform ensures security compliance, the amount of resources to deploy and maintain is reduced, and applications have positive, consistent access to the company’s applications and data.

MetaAccess platform presentation

In today’s environment, it is important to have adequate security for users accessing networks, data and applications both from home and from the office. MetaAccess is a single platform that provides industry-leading compliance, security and vulnerability testing, a zero-trust alternative to VPN and local network access control, whether you are at home, in the office or in remote locations, and whether your data and applications are local or in the cloud.

MetaAccess | Secure Device Access
MetaAccess | Advanced Device Compatibility

For true control over devices accessing the cloud, use OPSWAT's integration with SAML, a cloud access protocol. With this capability, each user is authenticated and checked for compliance, and a user found to be non-compliant is not granted access to the cloud application. Instead, the user receives a Self-Repair page to fix any problems, and once they are fixed, the user is granted access again.

It's time for organizations to rethink how users access valuable applications and data. OPSWAT replaces the VPN with an offering that first verifies security and compliance, and then only allows connections to applications and data resources. This Zero-Trust access model encrypts communications between user devices and applications, and integrates with an existing identity access management solution to simplify management and enable seamless multi-factor authentication.

For user devices in the office, get the same visibility, security and control of all devices on the network with Network Access Control (NAC), which collects device information from multiple sources to properly assign the device to the correct segment on the network. Unauthorized users are blocked and will not be able to connect to an empty port. Non-compliant devices can be audited, warned or quarantined, depending on the organization's policies. This solution streamlines other security investments.

Each additional connected device exposes your network and cloud applications to vulnerabilities. Stolen devices, a lack of password protection or up-to-date security software, and improper use of encryption create points of exposure, as does exposure to keyloggers or screen capture. OPSWAT provides comprehensive device control, so you can be sure that only trusted devices have access to your environment.

Compliance requirements are enforced to minimize breaches and privacy violations. Ensuring compliance is time-consuming, and costly if requirements are not met. OPSWAT's technologies provide comprehensive visibility and detailed reporting capabilities, and help meet PCI DSS, HIPAA, FINRA, HITECH, NIST, ISO, FTC, COBIT, Sarbanes-Oxley, CIS and SANS requirements. Learn how MetaAccess can meet specific compliance conditions in your industry.

Specialized solutions

Securing access to applications reached through virtual desktop infrastructure (VDI), by checking the device used to connect to the VDI server, is critical, especially when the device is BYOD. VDI clients now allow a lot of interaction with the underlying endpoint, so it is often important, for example, to prevent screen capture or keyloggers. To ensure endpoint security and compliance before a VDI client is used, OPSWAT integrates with VDI offerings from vendors such as VMware.

Given the level of trust many companies have in Salesforce, where much of their valuable data on many aspects of their business is stored, securing access and ensuring compliance before users connect can ensure that data is not compromised and can only be accessed in a compliant fashion. OPSWAT offers a Salesforce application that integrates with our solution to ensure that all at-risk devices can't access Salesforce until they themselves are fixed.

Endpoint compliance

MetaAccess Endpoint Compliance included in the core MetaAccess platform goes far beyond standard compliance checks to provide the highest degree of assurance that endpoints are secure. In addition to checking operating system levels, security software, encryption, passwords and firewall settings, there is a security vulnerability check and patch management function, managing potentially unwanted applications and blocking USB drives. Combined with our Advanced Endpoint Compliance module, MetaAccess provides the most comprehensive control in the industry.

Compliance

MetaAccess compliance helps an organization achieve compliance by detecting and classifying applications installed on any endpoint and enabling the organization to monitor and manage those applications. It also helps the organization evaluate and correct application-specific settings.

Monitor and correct application configuration
securing endpoints

Check and update malware definitions on any endpoint. Check when a full system scan was last performed and run it on any endpoint. Enable or disable real-time protection on any endpoint. Check that each endpoint’s firewall is enabled and turn them on without any end-user intervention. Check that phishing protection is enabled on any endpoint.

Monitor and correct updates and patches
applications and operating system

Detect third-party patch management applications and enable them if necessary. Detect which patches are currently installed on any endpoint, generate a list of missing patches and automatically install them.

Check if the endpoints are encrypted
in accordance with the rules and regulations

Detect hard drive encryption software on each device and report which parts of each drive are encrypted. It uses our patented method for evaluating the encryption status of selected drives (Patent No. 10,229,069) and works independently of third-party encryption algorithms and configurations. It supports all popular encryption solutions.

Efficient and accurate information reporting and repair

Supports more than 30 different product-specific remedies across all major operating systems. It gathers secret and unclassified application details, as well as in-depth configuration of security applications, including malware protection, personal firewall, hard drive encryption, patch management, browsers, browser plug-ins and much more. This enables organizations that must comply with the framework to easily collect information from endpoints to help them achieve compliance.

Vulnerability and patch management

The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity ratings to vulnerabilities, allowing responders to prioritize responses and resources based on the threat. The scores are calculated with a formula that depends on several metrics that approximate the ease of exploitation and the impact of the exploit.

Realizing the limitations of CVSS, OPSWAT designed a new scoring system based on CVSS and analysis of large data sets, which we call the “OPSWAT Severity Score.” This is a dynamic score, with a range from 0 to 100. With this new score, old or irrelevant vulnerabilities (CVEs) are filtered out, which provides better information to facilitate vulnerability management.

Advanced protection against malware

MetaAccess uses process scanning, connection scanning and recurring threat reports to provide an additional layer of malware detection. In addition, there is a multi-engine malware protection service that greatly increases the chances of detecting near-zero-day malware. These comprehensive features can detect malware that endpoint malware protection applications have missed or could not fix. This feature searches for indications of whether an endpoint is infected, even though it complies with security rules and regulations. MetaAccess can greatly enhance malware detection through multi-engine scanning. Although one antivirus program cannot detect all malware problems

Scanning processes

MetaAccess scans all running processes and their loaded libraries. This can identify threats missed by the antivirus product installed on the endpoint, checking much more than the installed applications. Your organization can speed up process scanning by configuring the caching feature to scan only binary files that have not yet been analyzed.

Repeated endpoint threat reporting

Repeat endpoint threats occur when users repeat the same behaviors that pose a threat and when malware protection applications cannot remove the malware. MetaAccess looks for recurring threats on each endpoint device to detect persistent threats that the antivirus application has not been able to permanently remove.

Connection scanning

MetaAccess allows the organization to scan all active network connections. It can detect all remote IP addresses connected to the device and compare these IP addresses with the results reported by multiple IP address reputation sources. Each IP reputation source compares and categorizes addresses according to IP trust ratings.

Manage potentially unwanted applications

MetaAccess can manage, block and even remove non-compliant or vulnerable applications. MetaAccess enables your organization to cleanly remove more than 2,000 versions of popular applications (both enterprise and consumer software) without end-user interaction. It allows your organization to silently detect such applications on any endpoint and remove them completely.

Comprehensive removal

MetaAccess detects and removes malware protection, personal firewall and anti-phishing programs that conflict with an organization’s security policies, as well as known vulnerable applications such as Java, Adobe software (such as Flash and Acrobat), browsers and popular office software.

Automatic cleaning of applications

MetaAccess automates the application cleanup process for applications that are difficult to uninstall and provides an easy way to close or remove these applications and delete all their files from any endpoint.

Works quietly without user interaction

MetaAccess detects and removes potentially unwanted applications (PUAs) that may reveal sensitive endpoint information without the user’s informed consent (such as browser toolbars, public file-sharing programs, and cloud backup or synchronization applications). This function can be configured based on the organization’s preferences to allow, block or remove the application.

Removes corrupted applications

MetaAccess is undaunted even in adverse conditions. It works when the program’s password is not known or has been forgotten, and removes applications that the uninstaller has partially removed or requires forced end-user interaction. Finally, it removes applications that no longer work or can’t be uninstalled otherwise because the required files or registry settings are missing or corrupted.

Protection of data carriers

MetaAccess blocks any connection that the media tries to make to the endpoint, and can block all connections except for processes specified by the organization. It blocks all media access, while allowing this service to transmit content through advanced content security technologies that verify and sanitize data.

Protection and security

MetaAccess scans all running processes and their loaded libraries. This can identify threats missed by the antivirus product installed on the endpoint, checking much more than the installed applications. Your organization can speed up process scanning by configuring the caching feature to scan only binary files that have not yet been analyzed.

Highly customizable

MetaAccess has highly configurable features to customize this solution to help organizations ensure that any data coming into their environment is clean and safe to use.

Advanced endpoint compliance

Advanced endpoint compliance goes beyond standard compliance checks to provide unique technologies that enhance security. Multiscanning is a threat prevention technology that uses multiple antimalware engines to scan files, greatly increasing the chances of detecting malicious activity at almost zero day. Anti-Keylogger prevents keystroke logging, and Screen Capture Protection ensures that no one can capture the contents of the screen, for example with Print Screen.

Together, these technologies enhance the capabilities of the MetaAccess platform, including: compliance, advanced malware detection, vulnerability and patch management, management of both potentially unwanted applications and removable media, providing a comprehensive approach.

Risk prevention

Advanced threat prevention with simultaneous malware protection engines.

Multiscanning is an advanced threat detection and prevention technology that increases detection rates, reduces outbreak detection time and provides resilience to malware protection software vendors. OPSWAT pioneered the multiscanning file concept with more than 30 antimalware engines that provide better protection against various cyber threats.

Detection methods based on signatures, heuristics and machine learning are not perfect. Individual antimalware engines detect at most up to 91.8% of typical cyber threats, and most have a detection rate of only 40 to 80%.

How it works

Studies show that as more malware protection engines are added, malware detection improves, as each engine may fail to detect certain types of threats. Each engine specializes in different categories. Since each malware protection engine uses different algorithms, and its malware analysts work in different time zones and different geographic labs, combining multiple malware protection engines greatly increases detection.

As demonstrated by our multiscanning test of more than 10,000 of the most active threats, we were able to detect more than 95% with 12 connected engines, more than 97% with 16 engines and more than 99% with 20 or more engines.

Benefits

With MetaAccess Threat Prevention, there is an increased opportunity to get closer to zero detection days, reduce outbreak exposure time and false alarms with minimal impact on performance. Since multiscanning requires multiple malware protection engines from different vendors, cost is an important consideration. However, we are working with vendors to provide optimized Multiscanning engine suite options to ensure a favorable total cost of ownership (TCO) over time.

By acting as a single point of contact, we reduce the complexity of multiple scanning deployments for our global customer base of government entities and organizations in virtually every industry, including other companies involved in security, aerospace and defense, health services, critical infrastructure and supply chain manufacturing.

Anti-Keylogger

Keystroke loggers are designed to steal high-value information that the user inputs, for nefarious purposes. MetaAccess Advanced Endpoint Compliance prevents keyloggers and advanced malware from accessing sensitive data by capturing and encrypting keystrokes and providing real-time protection against monitoring programs, Trojans and spyware. This technology can protect against malicious behavior both on site and for home or remote workers.

How it works

It works with the Anti-Keylogger driver, which captures low-level keyboard events, encrypts them and sends the events to the operating system’s event bus. There, the Anti-Keylogger decryption hook decodes the keystrokes before sending them to the application.

User experience

When typing with this feature enabled, there is no lag for the user. This solution is an overlay with no configuration changes. Importantly, it handles current and future cybersecurity threats.

Screen protection

MetaAccess prevents malicious and accidental screenshots. It prevents unauthorized or accidental screenshots and recordings by users, VDI, web collaboration tools and malicious applications.

When a process tries to capture or record a screen, the protection hook blocks the request; it can optionally allow only certain windows to be captured. Screen Capture Protection handles current and future threats from malware, as well as data loss issues from web collaboration tools such as Zoom, Microsoft Teams, Cisco WebEx and others.

How it works

MetaAccess monitors every running process. When a process tries to capture or record the screen, the screen capture protection hook blocks the request. This hook can optionally allow only certain windows to be captured.

Benefits

This feature takes up little space on the device (less than 10 MB on disk) and handles current and future malware threats. It protects against data loss problems from web collaboration tools such as Zoom, Microsoft Teams, Cisco WebEx and others.

Secure access

Secure access to the cloud

Secure access to the cloud is possible through SAML / IdP integration. Security Assertion Markup Language (SAML) is an XML-based standard for single sign-on (SSO) in a Web browser that eliminates the need for application passwords. SAML uses single-use digital “tokens” that expire to exchange authentication and authorization data between an identity provider (IdP) and a cloud application provider that have an established trust relationship.

How does SAML single sign-on work with access control to the cloud?

SAML single sign-on involves transferring a user’s identity from one place (identity provider) to another (service provider). This is done by exchanging digitally signed XML documents. Consider the following scenario: a user is logged into a system that acts as an identity provider. A user would like to log into a remote application such as Salesforce or Dropbox (i.e., a service provider), but before the user can gain access, the user’s device must pass a security check in accordance with the organization’s security policy.

The challenge - securing new perimeters

The basis of the Internet is the communication protocol (TCP/IP), which allows any IP-addressable device on the Internet to effectively “see” any other device. Secure access to applications and data is based on the outdated “trust and verify” approach, which has become a treasure trove of opportunity for malicious activity and hackers. In addition, traditional device management techniques do not work for remote and/or personal devices.

Software-defined perimeter

What if all critical Internet resources were inherently “invisible” to all users? The good news is that this “invisibility cloak” is now available under the Software Defined Perimeter (SDP) program. OPSWAT SDP, a cloud-based service, hides enterprise applications and data assets, and follows a “check first, connect second” access model compared to today’s “connect first, authenticate second” approach.

Use cases

Next-generation VPN

Enhance security by reducing the visibility of protected applications and preventing east-west movement. This security is added at no increased cost and with no additional reduction in bandwidth compared to the current generation of VPN solutions. At the same time, the user experience is improved with a consistent, easy way to connect, whether on site or off site.

Application security

It makes applications invisible, making them undetectable and inaccessible to outsiders, while enhancing application security and data access for internal wired and wireless network perimeter devices. This application security ensures compliance across a wide range of industries, especially with the ability to block unauthorized access.

Security without borders

Protect your data with mutual TLS encryption both inside and outside your perimeter, providing the required secure access. This security protects against credential theft, connection interception and data loss, as well as common attacks such as DDoS, Man-in-the-Middle and more. The SDP protocol provides greater security based on a zero-trust access model that grants access per application session only (least privilege).

Check compliance

Meet regulatory requirements by preventing access to corporate data based on device risk. MetaAccess provides reports that can be used for compliance audits such as FINRA, HIPAA, Sarbanes-Oxley and others.

SDP architecture

How it works

SafeConnect SDP consists of three main components:

SDP client

Available for Windows, macOS, iOS and Android devices. It ensures that the certificate-based mutual TLS VPN connects only to services the user is authorized for. The SDP client can be distributed to managed devices or downloaded as part of the patent-pending BYOD implementation process.

SDP Controller

Trust broker between the SDP client and security controls such as identity access management, CA issuance and device compliance. After authorization, the SDP controller configures a mutual TLS VPN to allow application access per session.

SDP gateway

Termination point for the mutual TLS VPN connection from the SDP client. The SDP gateway acts as a “deny all” firewall, blocking visibility and access to the network. It is usually deployed as close topologically as possible to the protected application, and multiple gateways are supported.
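The “check first, connect second” flow between controller and gateway can be sketched as follows. This is an added illustration, not OPSWAT or SafeConnect code: all function names, the posture policy and the key are hypothetical, and an HMAC-signed session grant stands in for the certificate-based mutual TLS machinery the page describes.

```python
"""Added illustration of "check first, connect second" (not vendor code)."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical key shared by controller and gateway (constructed value).
GRANT_KEY = b"constructed-demo-key-not-a-real-secret"

# Hypothetical posture policy; the checks mirror those named on the page.
POLICY = {"firewall_enabled": True, "disk_encrypted": True, "max_av_age_days": 3}


def posture_failures(posture, policy=POLICY):
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    if policy["firewall_enabled"] and not posture.get("firewall_enabled", False):
        failures.append("firewall_enabled")
    if policy["disk_encrypted"] and not posture.get("disk_encrypted", False):
        failures.append("disk_encrypted")
    # Missing data counts as a failure: unknown posture is not trusted.
    if posture.get("av_age_days", float("inf")) > policy["max_av_age_days"]:
        failures.append("av_definitions_stale")
    return failures


def _sign(payload: bytes) -> str:
    return hmac.new(GRANT_KEY, payload, hashlib.sha256).hexdigest()


def controller_issue_grant(user, authenticated, posture, cert_fp, app,
                           now=None, ttl=300):
    """Controller: verify identity and device first, then grant one
    application for one session. Returns (token, failures)."""
    if not authenticated:
        return None, ["not_authenticated"]
    failures = posture_failures(posture)
    if failures:
        return None, failures  # the caller would show self-repair steps
    now = time.time() if now is None else now
    claims = {"user": user, "cert_fp": cert_fp, "app": app, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    return token, []


def gateway_admit(token, presented_cert_fp, requested_app, now=None):
    """Gateway: deny everything unless a valid, unexpired grant matches
    both the presented client certificate and the requested application."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64.encode())
        if not hmac.compare_digest(sig, _sign(payload)):
            return False
        claims = json.loads(payload)
    except (AttributeError, TypeError, ValueError):
        return False  # missing or malformed grant: default deny
    return (claims["exp"] > now
            and claims["cert_fp"] == presented_cert_fp
            and claims["app"] == requested_app)
```

A grant issued for one application does not open any other application behind the same gateway, which is the per-session, least-privilege property the page attributes to SDP.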