Shell Power for NOD32 2.0


Paolo Monti
May 31st, 2003, 02:17 PM
Hi all,

for testing purpose I developed a special shell extension for NOD32 v. 2.0, but I don't see any motive to keep it inside the lab only, so here you are.

An excerpt from the documentation

"The new NOD32 scanner which comes with NOD32 v. 2.0 offers a new, powerful heuristic option to identify unknown Win32 malware (this option is included in the new IMON – Internet MONitor also). This new feature is very powerful, but on account of its nature it will notably slowdown the speed of the scanning process.
For this motive this option cannot be enabled directly in the environment of NOD32 scanner, but it can be used only if the scanner is explicitly launched with the /AH (Advanced Heuristic) option on command line.

The purpose of this shell extension is to supply a shortcut for users that want to run a scanning with Advanced Heuristic enabled directly from the context menu of Explorer.

Actually, this shell extension has been written to be very flexible and it can be easily customized to pass whatever parameter to the NOD32 scanner "

You may download it here

http://www.nod32.it/tools/NODSE.ZIP

To ease the installation process I developed a full fledged installer, so installing/uninstalling the shell extension should be a breeze. The installer contains also a RTF file as documentation, where you'll find how you may customize the behaviour of the shell extension.

Enjoy it 8)

ciao,
Paolo.

mrtwolman
June 4th, 2003, 11:31 AM
well maybe this will force eset guys to add this shell shortcut too ...

Paolo Monti
June 5th, 2003, 05:51 AM
For several motives, I don't think so. But after all it doesn't matter, since NOD32 users may use my shell extension. I'm planning other enhancements, by the way. When I'll have a minute I'll implement them and I'll release a new version.

ciao,
Paolo.

tosbsas
June 5th, 2003, 06:25 PM
Only bad thing about it is that it will not keep the settings of the "normal" right click default" any chance you get that too??

Ruben

Paolo Monti
June 6th, 2003, 11:50 AM
{QUOTE-> quoting: tosbsas
Only bad thing about it is that it will not keep the settings of the "normal" right click default" any chance you get that too??
<-QUOTE}

Just to be sure: do you mean that my shell extension doesn't load the profile loaded by Eset's shell extension? In this case I don't see particular problems and yes, I'll implement this feature.

ciao,
Paolo.

tosbsas
June 6th, 2003, 05:04 PM
Yeah that's exactly what I mean. It should use the same setting as default as the "normal" one or at least keep a setting you set when running. I remember till version beta4 nod had that problem too

Ruben

linney
June 15th, 2003, 06:53 AM
Running NOD32 Version 2.


I am having problems trying to get this Shell Extension to work for Limited Users on my machine under XP Pro. If they are promoted to Administrator it works fine.

The program was installed by an Administrator as is required. When a Limited User right clicks on a file or folder to use it he is presented with an error message stating - Error executing NOD32 scanner, and the path of the file or folder to be scanned in quotes followed by %s. Where is it getting "%s" from?

Is there any way a Limited User can use this program by Paolo?

I think this was alluded to in the above post, is it also possible for it to be able to scan "all file extensions" and not just default ones from NOD32?

linney
June 15th, 2003, 07:00 AM
Here's an image of the error.

Paul Wilders
June 15th, 2003, 07:23 AM
Linney,

Paolo (and most probably all Eset staff members) are enjoying their - well deserved - free Sunday. Let's take this one over the weekend, OK? ;)

regards.

paul

Paolo Monti
June 16th, 2003, 08:14 AM
{QUOTE-> quoting: linney
I am having problems trying to get this Shell Extension to work for Limited Users on my machine under XP Pro. If they are promoted to Administrator it works fine.
I think this was alluded to in the above post, is it also possible for it to be able to scan "all file extensions" and not just default ones from NOD32?
<-QUOTE}

It seems a problem with Registry permissions. I'll investigate it.
About the file extensions: consider that you may pass whatever parameter to the shell extension using its "Params" entry in the Registry. Try to add the "/all" switch. On the next version of the shell extension this option will be included by default.

ciao,
Paolo.

Paolo Monti
June 16th, 2003, 01:39 PM
{QUOTE-> quoting: linney
Is there any way a Limited User can use this program by Paolo?
I think this was alluded to in the above post, is it also possible for it to be able to scan "all file extensions" and not just default ones from NOD32?
<-QUOTE}

OK, I fixed the problem and now all seems to work fine for Limited accounts also ;D
Tomorrow I'll release a new version of the shell extension. Stay tuned.

ciao,
Paolo.

tosbsas
June 16th, 2003, 01:43 PM
Great - thanks

Let us know if we can install on top of the "old" version

Ruben

linney
June 16th, 2003, 04:09 PM
Thanks for the great response.

NewNOD
June 17th, 2003, 07:47 AM
Paolo,

Thanks for the great little add-on. I liked it so much, I disabled the original NOD32 context-menu item so that I don't have to look at two scanning options in the menu.

I've added the following switches to the string value of "Params" in the registry (these are in addition to the "/ah" switch). All the functions set by the switches in "Params" then run in addition to the standard defaults run by the NOD32 on-demand command line scanner, i.e. "/subdir+", "/pattern", "/heur+", "/scanfile+", "/scanboot+", etc.):

/list+
/scroll+
/arch+
/pack+
/all
/log=context.log*

*I use a separate log file for on-demand scanner launched from context menu (context.log), launched from a download utility (dl.log), and normally launched from within NOD32 (nod32.log).

Works great, so thanks again.

Paolo Monti
June 17th, 2003, 10:12 AM
{QUOTE-> quoting: NewNOD
Works great, so thanks again.
<-QUOTE}

You're welcome, I'm glad to know that you found helpful my shell extension :)
Just a little advice: into the "Params" entry in the Registry, you might add a "not-up-to-now-documented" switch : /mailbox+
With this switch NOD32 will scan e-mail formats also.

ciao,
Paolo.

tosbsas
June 17th, 2003, 10:52 AM
are you talking about a new version already???

Ruben

Any indication which regkey to look at??

tosbsas
June 17th, 2003, 11:01 AM
which switch would stop checking operating memory and bootsector???

Ruben

tosbsas
June 17th, 2003, 11:03 AM
I found a key for my profile

adv_heur_enable - was 0 set it to 1
sensitivity 3
enabled 1

How about that??

Ruben

NewNOD
June 17th, 2003, 11:34 AM
Paolo,

Thanks for the tip on the "/mailbox+(-)". I asked in a previous post if the command line switch list in the NOD32 help file was complete; I questioned its "completeness" based on the knowledge that the "/ah" switch wasn't listed. As such, I was assuming maybe others were missing, too. No one ever responded to the other post, but it seems now at least two switches aren't listed. Thanks for that info ... hopefully, a complete listing will be made available at some point.

Now some questions regarding the "/mailbox+(-)" switch and e-mail file scanning in general:

1. Am I correct in guessing that the switch you provided is the equivalent to checking the "Email files" option on the on-demand scanner Setup tab?

2. If the answer to #1 is yes, then I can speak about the switch and the Setup tab option as one and the same. In neither case (switch or Setup tab option) do I get a real level of comfort that the scanner is actually scanning email files. Here's an example:

If I scan a folder containing 3 *.pst files with "Email file" scanning option "off" (no switch in Params and "Email files" unchecked in the Setup tab), the scanner returns a log (list+) which indicates 3 files scanned. If I activate the "Email file" scanning option, either via switch or via the Setup tab, and then scan the same folder, the scanner returns a log (list+) indicating that 3 files were scanned. Shouldn't the scanner indicate that more files were scanned because the scanner should have been scanning inside the *.pst file, which is really just a special archive containing emails and attachments.

The comparison I raise is this:

If the option to scan archives is set to "off", and a *.zip file containing 5 files is scanned, the scanner returns a log (list+) indicating that only one file was scanned and further indicates that internal scanning was not performed. If, on the other hand, the option to scan archives is set to "on", and the same file is scanned, the scanner returns a log indicating that 5 files were scanned and lists the files inside the archive.

Shouldn't scanning a *.pst file be similar to scanning an archive in both the "off" and "on" states. In other words, shouldn't the email scanning in the "on" state cause the scanner to show all the internal files it scanned inside the *.pst file? At the very least, even if visual (log) confirmation was impossible, shouldn't it take quite a bit longer for the scanner to scan inside a 350mb email file than when it doesn't? In either state, the scanner scanned the 350mb file in less than 1 second.

The only "email file" that seems to be thoroughly scanned is the one that is currently active as the OutLook Inbox, and the scanner will scan the entire contents of the file even if both "Email files" and "MAPI" options are disabled.

So, needless to say, I'm not understanding exactly what NOD32's capabilities are in scanning email files. The available options don't seem to have any effect at all on the behavior of the scanner. Can you help?

Thanks.

tosbsas
June 17th, 2003, 12:00 PM
Have found the settings

I am running

/ah /heurdeep /list+ /scroll+ /arch+ /pack+ /all /scanmbr+ /scanboot+ /scanmem-

now - just one question - is the heurdeep necessary or already covered by ah??

Keeps the question about the "normal" rightclick registry thing

Ruben

"I found a key for my profile

adv_heur_enable - was 0 set it to 1
sensitivity 3
enabled 1

How about that??"

Paolo Monti
June 17th, 2003, 01:50 PM
{QUOTE-> quoting: tosbsas
which switch would stop checking operating memory and bootsector???
<-QUOTE}

From my personal knowledge
-------------------------------------
/scanmem- disable memory scanning

From NOD32 help
----------------------
/scanboot+ (-) Enable (disable) boot sector scanning
/scanmbr+ (-) Enable (disable) master boot record (MBR) scanning

ciao,
Paolo.

Paolo Monti
June 17th, 2003, 02:13 PM
{QUOTE-> quoting: NewNOD
Thanks for the tip on the "/mailbox+(-)". I asked in a previous post if the command line switch list in the NOD32 help file was complete; I questioned its "completeness" based on the knowledge that the "/ah" switch wasn't listed. As such, I was assuming maybe others were missing, too.
<-QUOTE}

Yes, you are right. The list inside the help is not complete. Anyway, I'm sure that many little "imperfections" will be fixed soon.

{QUOTE->
No one ever responded to the other post, but it seems now at least two switches aren't listed. Thanks for that info ... hopefully, a complete listing will be made available at some point.
<-QUOTE}

Yes, don't worry. The lack of an exhaustive documentation is just a temporary problem due to the particular period. For the new version the International Eset's team is quite under pressure for many, many things to accomplish (new graphic, new box design, new pricelist, and so on).


{QUOTE->
1. Am I correct in guessing that the switch you provided is the equivalent to checking the "Email files" option on the on-demand scanner Setup tab?
<-QUOTE}

You're correct. About the remaining questions: I don't have yet a complete list concerning the type of e-mail databases that NOD32 is able to scan with that switch. I'll let you know ASAP. Anyway, you should consider that e-mail protection by NOD32 is achieved in different way. I mean, the "philosophy" is to demand a real-time protection to IMON, so I don't think that the developers will add a very deep, wide support for e-mail formats. I saw that NOD32 is able to scan .EML files, but I'm almost sure that it doesn't decode .PST files

ciao,
Paolo.

NewNOD
June 17th, 2003, 07:20 PM
Paolo,

Thanks. Hope I didn't sound too coarse. I'm just trying to understand the program and its capabilities.

By the way, I don't have any *.eml files to test (these seem to be "backup" copies of Outlook Express mail), but I did test *.dbx files (normal Outlook Express email file databases), and NOD32 can scan inside these.

Help me understand the MAPI option: According to the help file:
___________________
"Use MAPI interface" provides MAPI support to scan Microsoft (R) Outlook databases.
___________________

But as I noted, previously, enabling the MAPI functionality does not change the behavior of the scanner. The scanner can scan inside a *.pst file if actively functioning as an Outlook inbox, but the scanner cannot scan inside "inactive" *.pst files; this behavior is the same regardless of whether MAPI is enabled or not. So what does MAPI do?

If NOD32 can't do something, that's fine. I'm just trying to reconcile what the help file says it does with the realities of the program.

Thanks.

Paolo Monti
June 18th, 2003, 02:28 PM
{QUOTE-> quoting: NewNOD
Paolo,

Thanks. Hope I didn't sound too coarse. I'm just trying to understand the program and its capabilities.
<-QUOTE}

Don't worry :) You're welcome.

{QUOTE->
But as I noted, previously, enabling the MAPI functionality does not change the behavior of the scanner. The scanner can scan inside a *.pst file if actively functioning as an Outlook inbox, but the scanner cannot scan inside "inactive" *.pst files; this behavior is the same regardless of whether MAPI is enabled or not. So what does MAPI do?
<-QUOTE}

There is a topic discussed by Anders about this issue. Please, take a look here

http://www.wilderssecurity.com/showthread.php?t=10418;start=msg67818#msg67818

ciao,
Paolo.

Paolo Monti
June 19th, 2003, 09:16 AM
Hi all,

new version released. The address to download it is the same

http://www.nod32.it/tools/NODSE.ZIP

In the new version I've fixed the problem reported by linney (thanks again for the report, by the way) and changed the default parameters used by the shell extension:

/ah /all /shext

Few words of explanation about the /shext option: it's an undocumented switch used to load the configuration of the context menu, Eset shell extension uses this switch to accomplish this task.

Installation issue: before to update to the new version, to keep things clean I strongly advise to uninstall my previous shell extension (classic way, just go in the Installation applet in the Panel control and you'll find an entry to uninstall the shell extension).

ciao,
Paolo.

tosbsas
June 19th, 2003, 02:07 PM
Anyone here can tell me how to get rid of the "normal" shell extension??

Ruben

Paolo Monti
June 19th, 2003, 03:00 PM
{QUOTE-> quoting: tosbsas
Anyone here can tell me how to get rid of the "normal" shell extension??
<-QUOTE}

Unfortunately, Eset shell extension doesn't supply a DllUnregisterServer entry, so you cannot use Regsvr32.exe utility.

You must uninstall NOD32 and then reinstall it. When the installer asks if you want to invoke NOD32 by means of the right mouse click, choose "no".

ciao,
Paolo.

tosbsas
June 19th, 2003, 04:15 PM
shame on them (:--((

Ruben

Will try the configuration editor (:--))

ruben

WilliamP
June 27th, 2003, 08:24 PM
I am new to NOD32 and am not as savvy as most of the people who are replying to this. I would like to know should I download this and why. I would appreciate any helpful advice. ::)

Paolo Monti
June 28th, 2003, 04:05 PM
Hi William,

{QUOTE-> quoting: WilliamP
I am new to NOD32 and am not as savvy as most of the people who are replying to this. I would like to know should I download this and why. I would appreciate any helpful advice. ::)
<-QUOTE}

The purpose of the software has been explained in my first message about this topic. So... well... I advise you to read it again carefully :) In short: this shell extension is just a shortcut to use a feature supplied by the new NOD32 scanner. If you have any doubt feel free to ask.

ciao,
Paolo.

indodude
July 2nd, 2003, 03:53 AM
A question concerning the command line switches:

the manual (Nod32Man.pdf) lists command line switches and states which switches are activated (or deactivated) by default. The list of switches in the v.2 help file does not make this distinction. Are the default settings still valid?

indodude

Paolo Monti
July 2nd, 2003, 10:01 AM
{QUOTE-> quoting: indodude
the manual (Nod32Man.pdf) lists command line switches and states which switches are activated (or deactivated) by default. The list of switches in the v.2 help file does not make this distinction. Are the default settings still valid?
<-QUOTE}

You should consider that the new NOD32 scanner is profile driven: every time that you start it, the scanner reads the options from the default profile.

ciao,
Paolo.

indodude
July 2nd, 2003, 11:19 AM
{QUOTE-> quoting: Paolo Monti
{QUOTE-> quoting: indodude
the manual (Nod32Man.pdf) lists command line switches and states which switches are activated (or deactivated) by default. The list of switches in the v.2 help file does not make this distinction. Are the default settings still valid?
<-QUOTE}

You should consider that the new NOD32 scanner is profile driven: every time that you start it, the scanner reads the options from the default profile.

ciao,
Paolo.
<-QUOTE}

Hi Paolo

looking at the behavior of different scans I conclude that the default settings are still valid. The question remaining now is how to get the /ah switch into IMON?

I also conclude that the settings for the context menu scans override the default settings. Right or wrong?

indodude

Paolo Monti
July 2nd, 2003, 12:19 PM
Hi,

{QUOTE-> quoting: indodude
looking at the behavior of different scans I conclude that the default settings are still valid. The question remaining now is how to get the /ah switch into IMON?
<-QUOTE}

IMON has the Advanced Heuristic (i.e. the feature enabled in the scanner by the /AH switch) enabled by default. In IMON the AH option is placed inside its own setup (IMON->Setup->Setup->Use extended heuristics)

{QUOTE->
I also conclude that the settings for the context menu scans override the default settings. Right or wrong?
<-QUOTE}

The rules are the following:

1) The switches that you specify on command line have always a higher priority on profiles.
2) The scanner reads the default options from the default profile. When you use the context menu to run the scanner, the default profile is a dedicated one (i.e. a special profile for the shell extension).

ciao,
Paolo.

TonyKlein
July 5th, 2003, 10:17 AM
{QUOTE-> quoting: Paolo Monti
{QUOTE-> quoting: tosbsas
Anyone here can tell me how to get rid of the "normal" shell extension??
<-QUOTE}

Unfortunately, Eset shell extension doesn't supply a DllUnregisterServer entry, so you cannot use Regsvr32.exe utility.

You must uninstall NOD32 and then reinstall it. When the installer asks if you want to invoke NOD32 by means of the right mouse click, choose "no".
<-QUOTE}


Getting rid of the following Reg subkeys ought to remove the original context menu entry:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
HKEY_CLASSES_ROOT\Drives\Shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension

Are there any disadvantages to doing so?

Paolo Monti
July 5th, 2003, 12:00 PM
{QUOTE->
Are there any disadvantages to doing so?
<-QUOTE}

I didn't make any test about it, anyway removing those keys only is not sufficient to "clean" completely the Registry.

ciao,
Paolo.

TonyKlein
July 5th, 2003, 01:30 PM
No, I'd have to agree with that.

If that's what you'd want to do, you'd (at least?) have to get rid of the following as well:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B089FE88-FB52-11d3-BDF1-0050DA34150D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B089FE88-FB52-11d3-BDF1-0050DA34150D}

However, it certainly ought to get rid of the context menu entries, which was tosbsas' original desire

I have to say I haven't installed the new Shell extension myself as yet, but I will soon, and I'll report back :)


Cheers,

tosbsas
July 6th, 2003, 09:01 AM
waiting anxiously on your findings (:--))

Ruben

TonyKlein
July 12th, 2003, 09:59 AM
{QUOTE-> quoting: tosbsas
waiting anxiously on your findings (:--))

<-QUOTE}

Sorry for the delay, but I've just done it, and it works fine! :)

Do the following:

Copy the bold to Notepad, and save as Remove.reg. Save as "all files".
Now doubleclick Remove.reg, and answer yes when asked if you want its contents added to the Registry.


REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Drives\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B089FE88-FB52-11d3-BDF1-0050DA34150D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}"=-



That will remove the registry entries for the original Nod32 shell extension, leaving only the context menu entry for the "NOD32 Scanner Advanced Heuristic Shell Extension"

Cheers,

TonyKlein
July 12th, 2003, 10:08 AM
BTW, here's a screen shot to illustrate it... ;D

TonyKlein
July 12th, 2003, 01:07 PM
{QUOTE-> quoting: TonyKlein
[-HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Drives\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]
<-QUOTE}

BTW, ESET people, one very minor thingie: why are both of the above being installed?

To tell you the truth, I've never seen a HKEY_CLASSES_ROOT\Drives registry entry before.
Adding that Nod32 subkey to HKEY_CLASSES_ROOT\Drive uniquely ought to do the trick, I should think? ???

tosbsas
July 12th, 2003, 05:35 PM
Hey thanks

are you sure there is not a "-" missing in the last line??

Ruben

TonyKlein
July 13th, 2003, 05:03 AM
If there was a - there, that would wipe out the entire HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved subkey, which is NOT what you want... :o

This way it only deletes the "{B089FE88-FB52-11d3-BDF1-0050DA34150D}" value.

The regfile is fine! :)
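
The difference discussed in the exchange above, between `[-KEY]` (delete the whole key) and `"name"=-` (delete one value), can be checked before a .reg file is imported. The following is an added example, not part of the original thread: a small parser that lists what an import would do and flags deletion of a shared key. The function names and the `SHARED_KEYS` list are assumptions made for this example.

```python
import re

# The Remove.reg file posted in the thread, reproduced as a string.
SAMPLE_REG = r'''REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Drives\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B089FE88-FB52-11d3-BDF1-0050DA34150D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}"=-
'''

APPROVED = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
            r"\CurrentVersion\Shell Extensions\Approved")

# Constructed variant: the same file with the extra "-" asked about in the thread.
VARIANT_REG = SAMPLE_REG.replace("[" + APPROVED + "]", "[-" + APPROVED + "]")

# Keys that hold entries for many products (assumed list for this example).
SHARED_KEYS = [APPROVED]

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


def _logical_lines(text):
    """Yield non-blank, non-comment lines, joining '\\' continuations."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        yield line


def plan_reg_import(text):
    """Return (action, key, value_name) tuples describing the import."""
    lines = list(_logical_lines(text))
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / version 5.00 header")
    ops, key, key_deleted = [], None, False
    for line in lines[1:]:
        m = KEY_RE.match(line)
        if m:
            key, key_deleted = m.group(2), bool(m.group(1))
            # "[-KEY]" removes the key and everything beneath it;
            # "[KEY]" selects the key, creating it if it is missing.
            ops.append(("DELETE_KEY" if key_deleted else "ENSURE_KEY", key, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unrecognised line: %r" % line)
        name = m.group(1)
        if name != "@":  # "@" is the key's default value
            name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        if key_deleted:
            # Nothing left to apply this to; report it instead of guessing.
            ops.append(("VALUE_UNDER_DELETED_KEY", key, name))
        elif m.group(2) == "-":
            ops.append(("DELETE_VALUE", key, name))  # removes this value only
        else:
            ops.append(("SET_VALUE", key, name))
    return ops


def shared_key_deletions(ops):
    """Return deleted keys that are, or contain, a key from SHARED_KEYS."""
    hits = []
    for action, key, _ in ops:
        if action != "DELETE_KEY":
            continue
        k = key.lower()
        for shared in SHARED_KEYS:
            s = shared.lower()
            if s == k or s.startswith(k + "\\"):
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    for label, text in (("posted file", SAMPLE_REG), ("variant", VARIANT_REG)):
        ops = plan_reg_import(text)
        print(label)
        for op in ops:
            print("  ", op)
        print("   shared keys deleted:", shared_key_deletions(ops))
```
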

tosbsas
July 14th, 2003, 09:00 AM
ok- thanks (:--))

I do have no problem editing registry, but never wrote a file for that.

Ruben :D

TonyKlein
July 14th, 2003, 10:02 AM
{QUOTE-> quoting: tosbsas
I do have no problem editing registry, but never wrote a file for that.

<-QUOTE}

Not everyone feels comfortable editing the Registry, so I sometimes do write a regfile.
Also, importing such a regfile sure is a lot faster than manually editing 6 individual Registry keys/values .

Cheers,

tosbsas
July 14th, 2003, 10:14 PM
(:--))

Bouton
August 1st, 2003, 05:29 AM
{QUOTE-> quoting: Paolo Monti
Hi all,

for testing purpose I developed a special shell extension for NOD32 v. 2.0, but I don't see any motive to keep it inside the lab only, so here you are.

An excerpt from the documentation

"The new NOD32 scanner which comes with NOD32 v. 2.0 offers a new, powerful heuristic option to identify unknown Win32 malware (this option is included in the new IMON – Internet MONitor also). This new feature is very powerful, but on account of its nature it will notably slowdown the speed of the scanning process.
For this motive this option cannot be enabled directly in the environment of NOD32 scanner, but it can be used only if the scanner is explicitly launched with the /AH (Advanced Heuristic) option on command line.

The purpose of this shell extension is to supply a shortcut for users that want to run a scanning with Advanced Heuristic enabled directly from the context menu of Explorer.

Actually, this shell extension has been written to be very flexible and it can be easily customized to pass whatever parameter to the NOD32 scanner "

You may download it here

http://www.nod32.it/tools/NODSE.ZIP

To ease the installation process I developed a full fledged installer, so installing/uninstalling the shell extension should be a breeze. The installer contains also a RTF file as documentation, where you'll find how you may customize the behaviour of the shell extension.

Enjoy it 8)

ciao,
Paolo.
<-QUOTE}

My sincere compliments Signore. You have added a valuable additional feature to this great program. Advanced heuristic scanning of individual files is a feature that Eset should incorporate IMHO.

yvonne
August 15th, 2003, 07:57 AM
Wow!!! Is this the same program I won in the 5,000th member drawing??? If so, I am a novice and all I have been reading in this thread is like greek to me ??? :o ::) :-[ HELP!!!

Paul Wilders
August 15th, 2003, 12:09 PM
{QUOTE-> quoting: yvonne
Wow!!! Is this the same program I won in the 5,000th member drawing??? <-QUOTE}

Indeed it is ;)

{QUOTE-> If so, I am a novice and all I have been reading in this thread is like greek to me ??? :o ::) :-[ HELP!!! <-QUOTE}

Don't worry - you don't need this in order to run NOD32 (provided it's configured properly). Make sure you'll get the grasp from the version 2. you have first and foremost, read the FAQ etc.

regards.

paul

yvonne
August 18th, 2003, 01:27 PM
HELP

I am trying to download this program and it won't accept the password I was given. Could the password be wrong or am I supposed to make my own password? Do I need to download the commercial program as opposed to the administrative program? Sorry to be such a pest and thanks so much for Nod32 program!!!

TonyKlein
August 18th, 2003, 01:31 PM
Did you do a copy and paste of the password, or type it manually?

I suggest the former. Also, an accidental space at the beginning or at the end of what you copied could already cause trouble (as I've found myself...)

yvonne
August 19th, 2003, 03:11 PM
IMPORTANT NOTE: The latest version of the virus definition database must be downloaded immediately after the installation has been completed to ensure the highest detection capabilities of the system.
The username/password for NOD32 version 1 is valid also for version 2.

SUCCESS!!!!! Thanks to Mr Wilders and Mr Klein!!! :-* :-*

Now does this note above mean there is something else I need to download? You guys are great and I feel very fortunate to have found this site!!!

Paul Wilders
August 19th, 2003, 03:18 PM
Hi yvonne,

{QUOTE-> SUCCESS!!!!! Thanks to Mr Wilders and Mr Klein!!! <-QUOTE}

Good! credits go to the honourable Mr. Tony Klein ;). The name is Paul, btw ;)

{QUOTE-> Now does this note above mean there is something else I need to download? <-QUOTE}

As for NOD32: just make sure you'll have the software configured properly, and check for/download database updates regularly - at least once a day.

{QUOTE-> You guys are great and I feel very fortunate to have found this site!!! <-QUOTE}

On behalf of our team: thanks for the compliment!

regards.

paul

uni
September 4th, 2003, 07:24 AM
Just installed this shell extension, and I cannot log on to the eset server for updates, anyone else have this problem?

I get the message server connection failure
??? :-\

uni
September 4th, 2003, 08:21 AM
Disregard previous post have located and fixed the problem

8)

nameless
November 2nd, 2003, 07:11 AM
Is this shell extension (and more properly, the "/ah" parameter in general) no longer needed, now that NOD32 2.0 has a "/heurdeep" command line parameter, and also the capability to enable "deep heuristic" right within the interface?

The "/ah" parm isn't documented, so far as I can tell. My guess is that "/heurdeep" replaced it.

sig
November 2nd, 2003, 08:30 AM
/ah isn't yet documented but that's the new advanced heuristic option in NOD version 2. Previously NOD 1 only had the Safe, Standard and Deep Heuristics sensitivity levels. Those are still available in NOD 2, but Advanced Heuristics is, well, advanced. ;)

optigrab
November 8th, 2003, 04:28 PM
Just so this is clear to me... :P

Would someone kindly confirm that:
deep heuristics is not the same (as thorough?) as advanced heuristics (/ah)?
advanced heuristics is typically available only as an on-demand activity, using Paolo Monti's shell extension?
/ah is not available (for whatever reason) as an option during NOD32's continuous on-access activity?
/ah as a constant on-access option is unfavorable because of the slowdown likely to be experienced, regardless of OS or environment?

Many thanks
Optigrab

LowWaterMark
November 8th, 2003, 05:30 PM
{QUOTE-> quoting: optigrab
Just so this is clear to me... :P

Would someone kindly confirm that:
deep heuristics is not the same (as thorough?) as advanced heuristics (/ah)? <-QUOTE}

This is true. Deep heuristics is different than (and not as powerful as) Advanced heuristics. See this screen shot (http://www.wilderssecurity.com/attachments/Deep.JPG) that shows deep heuristics selected on the Amon setup screen. But, there is no setting available in AMON for Advanced heuristics.

{QUOTE-> advanced heuristics is typically available only as an on-demand activity, using Paolo Monti's shell extension? <-QUOTE}

Not completely true. Yes, for the on-demand NOD32 scanner, you need to use Paolo Monti's shell extension to get AH to be used (or setup the command line switches yourself). However, Advanced heuristics are enabled and used by default in IMON (and EMON, too I believe).

{QUOTE-> /ah is not available (for whatever reason) as an option during NOD32's continuous on-access activity? <-QUOTE}

Correct. At this time AMON (which handles the on-access file checking) does not and can not use Advanced heuristics.

{QUOTE-> /ah as a constant on-access option is unfavorable because of the slowdown likely to be experienced, regardless of OS or environment? <-QUOTE}

I don't believe Eset has actually stated that directly. (Maybe they did and I missed it.) However, I think everyone assumes that a slowdown would occur because of reports from those who've tested scanning a massive number of files on a server both with and without /AH set, and there is a definite slowdown. So, I believe it seems logical that there would be some impact on a continuous resident module like AMON.

optigrab
November 8th, 2003, 06:39 PM
Many, many thanks LWM, you've cleared things up for me nicely! ;D My only follow-up comment:

It seems that various comments that praise NOD32's advanced heuristics capabilities (sometimes as a counterpoint to NOD32's supposed 'weaknesses') really imply careful use by the user. Users relying on the on-access scanner alone -deep heuristics or not- are not taking advantage of this lauded strength of NOD32. One must continue to rely on the 'safe hex' habit of on-demand scanning consistently.

I apologize if I'm very late to the party with this observation. I installed the /ah shell option quite a while ago, but apparently didn't fully understand the importance of relying on it.

Thanks again
Optigrab

nameless
November 12th, 2003, 11:35 AM
{QUOTE-> quoting optigrab:
It seems that various comments that praise NOD32's advanced heuristics capabilities (sometimes as a counterpoint to NOD32's supposed 'weaknesses') really imply careful use by the user. Users relying on the on-demand scanner alone -deep heuristics or not- are not taking advantage of this lauded strength of NOD32. One must continue to rely on the 'safe hex' habit of on-demand scanning consistently. <-QUOTE}

I really hope those comments aren't accurate. A user should not have to use undocumented and difficult-to-use tricks in order to get good performance from his anti-virus software.

optigrab
November 12th, 2003, 12:00 PM
Hi Nameless,

I didn't mean to imply that a user wouldn’t get "good" performance out of NOD32 with regular heuristics. I'm not qualified to make such a statement and my impression from lurking here at Wilders is that users (like myself) feel they are protected with NOD32's on-access scanning.

What I did mean is that I've read many instances of NOD32 fans touting its advanced heuristics as a particular strength that sets it apart from other fine AV's. A NOD32 user must be aware that this advantage applies to their situation only if they consistently rely on 'on-demand' scanning with advanced heuristics.

The expert who believes that "safe hex" practices should be maintained regardless of how good the AV is, probably wouldn't consider this surprising or an inconvenience.

Regards,
Optigrab

P.S. I made a mistake in the post that you quoted. I meant to say: {QUOTE-> quoting optigrab: ...Users relying on the ON-ACCESS scanner alone -deep heuristics or not- are not taking advantage of this lauded strength of NOD32.... <-QUOTE}

Mele20
November 19th, 2003, 07:18 AM
I can't imagine NOT using advanced heuristics nor can I imagine not practicing safe computing. In fact, without advanced heuristics, I don't know if I would have NOD32 any longer as I do not use IMON as it is redundant and unnecessary, but I do use advanced heuristics and it is absolutely necessary IMO. I NEVER, EVER open a downloaded file or an email attachment without first saving it to disk and then scanning it via advanced heuristics. This is safe computing and should always be practiced by all users.

IMON causes, as all av email scanning programs do, a lot of problems. My ISP, Road Runner, asks that we turn off all email scanning, as do Microsoft's recommendations for Outlook Express. AV scanning of OE mail is the number one breaker of OE. Just save those attachments to disk and scan via advanced heuristics before opening. Much better for the health of your email program.

nameless
November 19th, 2003, 01:18 PM
Advanced heuristics are that powerful? Good to know!

I also don't run IMON. I run Apache 2 on my WinXP system, and I've found that running IMON makes images fail to deliver properly from Apache (even if I try browsing locally). Users see lots of those lovely red Xs, and constantly have to refresh the page. That sucks.

Getting back on topic... I, for one, really hope that AH is built into the interface sometime soon. I hate having to use a command line or shell extension to invoke it. For one thing, when you use the command line, you override all other profile settings. And since not all options are configurable with command line options, you end up having to take the defaults on certain things. That sucks, too!

Madsen DK
November 19th, 2003, 02:48 PM
{QUOTE-> quoting Mele20:
I can't imagine NOT using advanced heuristics nor can I imagine not practicing safe computing. In fact, without advanced heuristics, I don't know if I would have NOD32 any longer as I do not use IMON as it is redundant and unnecessary, but I do use advanced heuristics and it is absolutely necessary IMO. I NEVER, EVER open a downloaded file or an email attachment without first saving it to disk and then scanning it via advanced heuristics. This is safe computing and should always be practiced by all users.

IMON causes, as all av email scanning programs do, a lot of problems. My ISP, Road Runner, asks that we turn off all email scanning, as do Microsoft's recommendations for Outlook Express. AV scanning of OE mail is the number one breaker of OE. Just save those attachments to disk and scan via advanced heuristics before opening. Much better for the health of your email program.
<-QUOTE}

Well, just for the record, I have zero probs with IMON & OE :)

gunnarj
November 19th, 2003, 03:41 PM
I also have not had any problems with IMON & OE.

Putting all of your faith in the advanced heuristics is not wise.
I have used it to scan zipped files, archives, etc and it has not always caught the critters lurking within.


gj

nameless
February 11th, 2004, 04:44 PM
And, for the record, I just installed NOD32 2.009, and found the problem with Apache was still there. I then added APACHE.EXE to IMON's exclusion list, and it corrected the problem--even with IMON set to its maximum efficiency setting. (Was the option to exclude applications available in NOD32 2.006?)

DiGi
February 12th, 2004, 03:29 PM
{QUOTE-> quoting nameless:
(Was the option to exclude applications available in NOD32 2.006?)
<-QUOTE}

No, along with the new packet worm filter, it is one of the new features in 2.000.9

angelo_lopes
March 16th, 2004, 07:47 PM
Why does everybody (and also ESET) say IMON is only about checking e-mail?
Every Monday, when I check the Remote Administrator console in my firm I see things like this, brought in by laptop users:

anders
March 21st, 2004, 03:55 AM
Yes, IMON blocks/logs some exploit attempts too..

That is a (quite) recent addition to IMON. More features are also expected soon.

Best regards,
Anders

Adam
April 4th, 2004, 06:13 PM
Just to be clear:

Using this shell adds the Advanced Heuristic on top of the other, pre-defined settings for the Context Menu profile, correct?

In other words, if I add features in the Context menu Profile (e.g. deep heuristics, more items to diagnose - email, archives, etc.) - all that will get added on top of using the advanced heuristic?

When I use it, this definitely appears to be the case. I assume advanced and deep heuristic are separate and additive?

-Adam

Spin
May 5th, 2004, 12:39 AM
Is this shell extension relevant to the current NOD32 v2.000.9 release? I see a right-clickable shell context option in Windows Explorer that can run scans on individual or multiple selected files manually. After the scan runs on the selected files, the "Setup" tab shows my default profile settings for "Deep" heuristics as expected.

Am I missing something here? Does this shell extension (dated June 2003 by the way) do something that the current NOD32 release does not?

Thanks in advance,
Spin

optigrab
May 5th, 2004, 12:55 AM
Hi Spin

The Advanced heuristics shell extension is still applicable to the latest release of NOD32. Please refer to my posts above and particularly LowWaterMark's reply, excerpted here. The shell extension offers "Advanced heuristics", as opposed to the "deep heuristics" setting that you've mentioned. {QUOTE-> ...Deep heuristics is different than (and not as powerful as) Advanced heuristics. See this screen shot (http://www.wilderssecurity.com/attachments/Deep.JPG) that shows deep heuristics selected on the Amon setup screen. But, there is no setting available in AMON for Advanced heuristics. <-QUOTE}

Regards
Optigrab

Jaska
May 7th, 2004, 09:07 AM
I found a registry key for Nod32's scanner: HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\Modules\NOD32\Settings\Config001\Scanner\adv_heur_enable

I changed the value from 0 to 1. Am I now using adv. heur. as default with on-demand scanning?

Jaska

Minix
May 28th, 2004, 02:27 AM
After reading all posts within this thread I've got a question about parameters. Default is /ah /all /shext ... What should be added to scan all kind of files / all types of files including archives, runtime packed files, mail files, mailbox databases, all boot records, memory ...

I want to really scan all things possible using /ah without missing anything.

Thanks

Blackspear
May 29th, 2004, 08:19 PM
{QUOTE-> Do the following:

Copy the bold to Notepad, and save as Remove.reg. Save as "all files".
Now doubleclick Remove.reg, and answer yes when asked if you want its contents added to the Registry.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Drives\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B089FE88-FB52-11d3-BDF1-0050DA34150D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}"=-

That will remove the registry entries for the original Nod32 shell extension, leaving only the context menu entry for the "NOD32 Scanner Advanced Heuristic Shell Extension" <-QUOTE}

Hi Tony, where do I save the "Remove.reg" file to?

I have installed the shell extension without a problem, but that's as far as I know what to do, I would like to add more switches to the command line scanner but also cannot find the location to do this...

Help appreciated ;D

Cheers ;D
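
As an added example (not part of the original thread and not Eset's or Paolo Monti's code): a small Python reviewer that lists what merging a .reg file such as the Remove.reg quoted above would do, separating key deletions (`[-key]`) from value deletions (`"name"=-`), and that checks the file name really ends in .reg rather than .reg.txt. The function names are hypothetical.

```python
import os
import re

# Remove.reg exactly as quoted in the post above (REGEDIT4 = ANSI .reg format).
REMOVE_REG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Drives\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B089FE88-FB52-11d3-BDF1-0050DA34150D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}"=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "name"=data or @=data (default value); names may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")\s*=\s*(?P<data>.*)$')


def logical_lines(text):
    """Strip blanks and ';' comments, and join data lines continued with '\\'."""
    out, buf = [], ""
    for raw in text.lstrip("\ufeff").splitlines():
        ln = raw.strip()
        if ln.endswith("\\") and not ln.startswith("["):
            buf += ln[:-1]
            continue
        ln, buf = buf + ln, ""
        if ln and not ln.startswith(";"):
            out.append(ln)
    return out


def review_reg(text):
    """Return (action, key, value_name) tuples describing what a merge would do."""
    lines = logical_lines(text)
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / 'Windows Registry Editor' header")
    ops, key = [], None
    for ln in lines[1:]:
        if ln.startswith("[") and ln.endswith("]"):
            body = ln[1:-1]
            if body.startswith("-"):          # [-key] deletes the key and its subkeys
                ops.append(("delete-key", body[1:], None))
                key = None
            else:
                key = body
            continue
        m = VALUE_RE.match(ln)
        if m and key is not None:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            action = "delete-value" if m.group("data") == "-" else "set-value"
            ops.append((action, key, name))
        else:
            ops.append(("unparsed", key, ln))  # flag anything the reviewer cannot classify
    return ops


def merge_ready(filename):
    """True only if the final extension is .reg (Notepad may append .txt)."""
    return os.path.splitext(filename)[1].lower() == ".reg"


if __name__ == "__main__":
    for action, key, name in review_reg(REMOVE_REG):
        print(f"{action:13} {key}" + (f"  ->  {name}" if name else ""))
    print("Remove.reg.txt mergeable?", merge_ready("Remove.reg.txt"))
```

Every operation in this file is a deletion, so exporting the listed keys first gives a way back if the original context menu entry is wanted again.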

Blackspear
May 29th, 2004, 08:43 PM
{QUOTE-> ...for testing purpose I developed a special shell extension for NOD32 v. 2.0, but I don't see any motive to keep it inside the lab only, so here you are.

The installer contains also a RTF file as documentation, where you'll find how you may customize the behaviour of the shell extension... <-QUOTE}

Just went back and read the first post for a 3rd time, amazing what the eye skips over, just saw the RTF file as documentation, I'm too used to seeing a file like this as part of what is downloaded with the main .exe file.

So I'll now go and have a read and see if I can figure it all out ::)

Cheers ;D

Blackspear
May 29th, 2004, 09:18 PM
For those that aren't so tech savvy without a GUI, the following screenshots should help you once you have installed Paolo Monti's Shell Extension.

After installing the Shell Extension, go to the directory it was installed into, and there you will find a file called "Advanced Shell Extension for Nod32" ;D

Click Start
Click Run

Blackspear
May 29th, 2004, 09:19 PM
Type in regedit

Blackspear
May 29th, 2004, 09:22 PM
Click on HKEY_LOCAL_MACHINE
Click on SOFTWARE
Click on NODSE

Blackspear
May 29th, 2004, 09:24 PM
In the right hand window:

Click on Params

Blackspear
May 29th, 2004, 09:27 PM
Double click on Params

Blackspear
May 29th, 2004, 09:28 PM
After the existing switches, you can ADD further switches...

For a list of switches and their functions, see the following thread:

http://www.wilderssecurity.com/showthread.php?t=33275&page=1

Then click OK, and close the registry editor, and there you have it, additional switches placed into Nod32 Advanced Heuristics rightclick option provided by Paolo Monti.

Cheers ;D
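
The Params edit walked through in the posts above, as an added Python example that is not Paolo Monti's or Eset's code: it appends new switches to the existing string without dropping anything already there (so /shext stays), and reports duplicates and +/- conflicts instead of writing them. It assumes the key and value name shown in the tutorial (HKEY_LOCAL_MACHINE\SOFTWARE\NODSE, Params); the function names are hypothetical and the switch strings are ones posted in this thread.

```python
# Location taken from the tutorial: HKEY_LOCAL_MACHINE > SOFTWARE > NODSE > Params
NODSE_KEY = r"SOFTWARE\NODSE"
PARAMS_VALUE = "Params"

# Switch strings as posted in this thread (not verified against Eset documentation).
DEFAULT_PARAMS = "/ah /all /shext"
THREAD_SWITCHES = ("/clean /ah /all /subdir+ /heur+ /scanfile+ /scanboot+ /scroll+ "
                   "/arch+ /pack+ /mapi- /pattern+ /scanboot+ /scanmbr+ /heurdeep "
                   "/log+ /prompt")


def switch_name(sw):
    """'/arch+' -> 'arch', '/AH' -> 'ah' (name without slash and +/- suffix)."""
    return sw.lstrip("/").rstrip("+-").lower()


def merge_switches(existing, extra):
    """Append switches from `extra` that `existing` lacks.

    Returns (merged_string, duplicates, conflicts). A conflict is the same
    switch with a different +/- suffix; it is reported and NOT written.
    """
    current = existing.split()
    seen = {switch_name(s): s for s in current}
    duplicates, conflicts = [], []
    for sw in extra.split():
        if not sw.startswith("/"):
            raise ValueError(f"not a switch: {sw!r}")
        name = switch_name(sw)
        if name not in seen:
            seen[name] = sw
            current.append(sw)
        elif seen[name].lower() == sw.lower():
            duplicates.append(sw)
        else:
            conflicts.append(sw)
    return " ".join(current), duplicates, conflicts


def update_params(extra):
    """Windows only: rewrite Params in place, keeping its registry value type.

    Returns (old, new) so the old string can be restored by hand.
    """
    import winreg  # standard library on Windows; imported here so the rest runs anywhere
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NODSE_KEY, 0, access) as key:
        old, value_type = winreg.QueryValueEx(key, PARAMS_VALUE)
        new, _, conflicts = merge_switches(old, extra)
        if conflicts:
            raise ValueError(f"conflicting switches, nothing written: {conflicts}")
        winreg.SetValueEx(key, PARAMS_VALUE, 0, value_type, new)
    return old, new


if __name__ == "__main__":
    merged, dups, conflicts = merge_switches(DEFAULT_PARAMS, THREAD_SWITCHES)
    print("new Params :", merged)
    print("duplicates :", dups)
    print("conflicts  :", conflicts)
```

Writing under HKEY_LOCAL_MACHINE needs an elevated session; running the script as shown only prints the merged string and touches nothing.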

WilliamP
May 29th, 2004, 10:14 PM
Blackspear, please forgive my ignorance, but after doing this what will we be able to do with the Shell Extension? Please explain. Thank you.

Blackspear
May 29th, 2004, 10:30 PM
{QUOTE-> The purpose of this shell extension is to supply a shortcut for users that want to run a scanning with Advanced Heuristic enabled directly from the context menu of Explorer.

Actually, this shell extension has been written to be very flexible and it can be easily customized to pass whatever parameter to the NOD32 scanner "
<-QUOTE}

Hi William, this will allow you to right click on a file/folder and have Nod32 scan using Advanced Heuristics.

Cheers ;D

Mele20
May 30th, 2004, 05:17 AM
{QUOTE-> Hi William, this will allow you to right click on a file/folder and have Nod32 scan using Advanced Heuristics.

Cheers ;D <-QUOTE}

That is a confusing statement unless you read all the above posts very carefully. We ALREADY have right click AH scanning simply by installing the shell extension. I had to read your posts and several above yours more than once because of this last comment of yours. You had me panicked for a moment as I thought that because I had never edited the registry after installing the shell extension back when Paolo first put it up that somehow it had never really scanned using AH. But after reading very carefully again, I see that you need to edit the registry ONLY if you wish to add more commands to right click AH scanning.

Why would you want to add more commands to right click scanning? That is used just to scan one or two files that you have just downloaded and want to execute if they are clean. If you want to scan a bunch with a zillion commands seems to me you would just run the on-demand scanner and use that string that you have posted that I just used that scans every single file on your box using AH. Plus, the ability to scan using normal right click scanning is still there and you can choose it or AH or do both. So, am I missing something here?

Blackspear
May 30th, 2004, 07:15 AM
{QUOTE-> That is a confusing statement unless you read all the above posts very carefully. We ALREADY have right click AH scanning simply by installing the shell extension...So, am I missing something here? <-QUOTE}

You are right Mele, you have the ability to use the right click advanced heuristic option immediately after installing the Shell Extension. If you want to place in extra switches you can follow the screenshots that I posted, then if you want to immediately scan your entire drive or a large file using switches that you have added, then you can, without having to set up a schedule...

Cheers ;D

Mele20
May 30th, 2004, 10:27 AM
I didn't think about the advantage of not needing to set up a schedule if you wanted to scan your entire hard drive that way. So, I can now see a reason for maybe adding those switches in the registry.

BTW, your screen shots/tutorial is really good! (It was just that one comment I found a bit confusing).

WilliamP
May 30th, 2004, 11:11 AM
Is it necessary to change the registry as posted by Tony first?

Mele20
May 30th, 2004, 08:11 PM
No, you only change the registry using Tony Klein's instructions if you want to get rid of the original NOD 32 shell extension. I left it in the registry, so when I do a right click on a file I want to scan, I get both choices. If you use Tony Klein's instructions, you can then add the original scanning to the command line so you get both with one scan instead of needing to scan twice if you want both the original scan and the AH one. I have to scan twice if I want both types of scans. I usually just use the AH scan. The way I do it may not be ideal, but I do scan the entire hard drive every night using all commands needed to have every single file scanned with both deep heuristics and advanced heuristics as well as signature scanning so I think that is sufficient.

TheQuest
May 30th, 2004, 10:41 PM
Hi, Blackspear

{QUOTE-> Hi Tony, where do I save the "Remove.reg" file to? <-QUOTE}

You don't save it, You Right Click it and Click Merge then answer yes.

Which will Remove the keys in the registry.


Hope this Helps,
Take Care,
TheQuest 8)

Blackspear
May 30th, 2004, 11:11 PM
{QUOTE-> You don't save it, You Right Click it and Click Merge then answer yes. Which will Remove the keys in the registry. Hope this Helps,
Take Care, TheQuest 8) <-QUOTE}

Thanks for that, I'll try it when I get home tonight...

Cheers ;D

Blackspear
May 30th, 2004, 11:17 PM
{QUOTE-> ...BTW, your screen shots/tutorial is really good! (It was just that one comment I found a bit confusing). <-QUOTE}

No Worries Mele, tried to say it, words sometimes need clarifying. I wanted to make the screenshots so anyone could install the shell and any additional switches without confusion, it's very simple when you know how ::)

Cheers ;D

Blackspear
May 31st, 2004, 04:44 AM
{QUOTE-> Do the following: Copy the bold to Notepad, and save as Remove.reg. Save as "all files". Now doubleclick Remove.reg, and answer yes when asked if you want its contents added to the Registry. <-QUOTE}

{QUOTE-> You don't save it, You Right Click it and Click Merge then answer yes. Which will Remove the keys in the registry... <-QUOTE}

Tony says save, you say Right Click, I am unable to follow either...

I copied the files in bold to notepad, I then saved that file to the desktop. If I doubleclick the file it opens notepad, if I right click on it, there is no option available to merge... maybe I'm blonde, but I sure can't get it to do what you are saying it should do...

More help appreciated...

Cheers ;D

TheQuest
May 31st, 2004, 03:42 PM
Hi, Blackspear

{QUOTE-> I copied the files in bold to notepad, I then saved that file to the desktop. If I doubleclick the file it opens notepad, if I right click on it, there is no option available to merge... maybe I'm blonde, but I sure can't get it to do what you are saying it should do... <-QUOTE}

You have to Save As [Remove.Reg], which will make it turn into Registration Entries. [Key]

Save in My Documents. [or anywhere of your choice]

Which you can then Right Click it and Click Merge.

Sorry for any confusion.
Take Care,
TheQuest 8)

WilliamP
May 31st, 2004, 05:38 PM
Blackspear, I have gone into the registry to add the switches. I'm not sure which switches to add. Also do they need to be added in any particular order? You have been a great help and I appreciate it.

Blackspear
May 31st, 2004, 06:27 PM
{QUOTE-> Blackspear, I have gone into the registry to add the switches. I'm not sure which switches to add. Also do they need to be added in any particular order? You have been a great help and I appreciate it. <-QUOTE}

Hi William, take a look at post #46 in the following thread:

http://www.wilderssecurity.com/showthread.php?t=33275&page=2&pp=25

It will give you what I think is a maximum strength scan, though I'm still waiting on a reply regarding the /all switch...

Glad I could be of help ;D

Cheers ;D

Blackspear
May 31st, 2004, 06:38 PM
{QUOTE-> You have to Save As [Remove.Reg], which will make it turn into Registration Entries. [Key]

Save in My Documents. [or anywhere of your choice]

Which you can then Right Click it and Click Merge. <-QUOTE}

I now see what was happening, the .txt extension was being added when I saved the file, when I removed that, then it saved the document as a .reg file ::) and now it works ;D

With merging the file I no longer have Nod32 as a right click option, I now only have Nod32 Advanced Heuristic as a right click option ;D

Finally success ;D ;D ;D

Thank you TQ, much appreciated ;D

Cheers ;D

WilliamP
May 31st, 2004, 08:00 PM
Blackspear, if these are the switches, do they have to be in this order? /clean /ah /all /subdir+ /heur+ /scanfile+ /scanboot+ /scroll+ /arch+ /pack+ /mapi- /pattern+ /scanboot+ /scanmbr+ /heurdeep /log+ /prompt. Also, does heurdeep need to be included with ah? Thank you for your help.

Blackspear
May 31st, 2004, 08:22 PM
{QUOTE-> Blackspear, if these are the switches, do they have to be in this order? /clean /ah /all /subdir+ /heur+ /scanfile+ /scanboot+ /scroll+ /arch+ /pack+ /mapi- /pattern+ /scanboot+ /scanmbr+ /heurdeep /log+ /prompt. Also, does heurdeep need to be included with ah? Thank you for your help. <-QUOTE}

Hi William, the switches don't have to be in any particular order as far as I can tell, and regarding the /heurdeep switch, as far as I can tell it has a different function, again with this I am still waiting on someone from Eset to advise further in the same thread:

http://www.wilderssecurity.com/showthread.php?t=33275&page=2&pp=25

Hope this helps...

Cheers ;D

WilliamP
May 31st, 2004, 08:29 PM
I hate to keep bothering you. But in this thread post 83 it shows /ah /all shext . In the other thread post 46 the shext is gone. Looking at the list of switches, I can't find shext. Do I need to remove it? Also shouldn't it have [quit] at the end?

TheQuest
May 31st, 2004, 08:47 PM
Hi, Blackspear and WilliamP

{QUOTE-> Also, does heurdeep need to be included with ah? Thank you for your help. <-QUOTE}

{QUOTE-> and regarding the /heurdeep switch, as far as I can tell it has a different function, <-QUOTE}

Deep Heuristics is what you had in the normal right click. [scan]

Paolo's Right Click added the Advanced Heuristics. [Instead of deep]

Advanced Heuristics is more thorough than Deep Heuristics.

As I understand it to be that anyway.

Hope this helps in some small way.
Take Care to you both,
TheQuest 8)

Blackspear
May 31st, 2004, 10:59 PM
{QUOTE-> I hate to keep bothering you. But in this thread post 83 it shows /ah /all shext . In the other thread post 46 the shext is gone. Looking at the list of switches, I can't find shext. Do I need to remove it? Also shouldn't it have [quit] at the end? <-QUOTE}

No bother at all ;D

/shext switch is for Paolo Monti's shell extension...

I removed quit so it remains on screen and I can see the results of the scan...

Cheers ;D

WilliamP
June 1st, 2004, 03:50 PM
It's me again. This thread is dealing with the registry and I have followed what you spelled out. I'm still a little confused. When I asked about the switches you sent me to the post about setting up a scan to automatically clean infections. Are the same switches to be used in the registry and spelled out when setting up the weekly scan? If so and if the shext is removed from the registry what will happen to the right click scan with the Shell Extension? Thank you for the help. P.S. I plan to keep both right click scans.

Blackspear
June 1st, 2004, 06:39 PM
{QUOTE-> It's me again. This thread is dealing with the registry and I have followed what you spelled out. I'm still a little confused. When I asked about the switches you sent me to the post about setting up a scan to automatically clean infections. Are the same switches to be used in the registry and spelled out when setting up the weekly scan? If so and if the shext is removed from the registry what will happen to the right click scan with the Shell Extension? Thank you for the help. P.S. I plan to keep both right click scans. <-QUOTE}

If you just install the Shell Extension from this thread, you will have both options with Right Click, you may also add further switches such as /all.

If you remove /shext switch after installing the shell extension, you will also remove the right click option (as far as I know).

If you save and 'merge' the 'remove.reg' file, you will remove the standard right click Nod32 scan option and be left with only the AH right click option.

Hope this helps...

Cheers ;D

WilliamP
June 1st, 2004, 06:55 PM
I installed the Shell Extension a long time ago and have added the additional switches that were recommended in this thread. I will leave the shext switch in in order to use the right click option. Now, with the added switches, what will the changes be to the Shell Extension?

Blackspear
June 1st, 2004, 07:00 PM
{QUOTE-> I installed the Shell Extension a long time ago and have added the additional switches that were recommended in this thread. I will leave the shext switch in in order to use the right click option. Now, with the added switches, what will the changes be to the Shell Extension? <-QUOTE}

If you make a scan of your entire hard drive by right clicking on C: and using the AH option, and you have additional switches added, it will scan according to those switches, such as /all will scan every file regardless of extension...

Cheers ;D

WilliamP
June 1st, 2004, 07:07 PM
If I understand this, with the shext in there I can right click on a single file or the c drive and it will scan everything using all the added switches. Have I got it right??

Blackspear
June 1st, 2004, 07:30 PM
{QUOTE-> If I understand this, with the shext in there I can right click on a single file or the c drive and it will scan everything using all the added switches. Have I got it right?? <-QUOTE}

Indeed you have ;D

Cheers ;D

WilliamP
June 1st, 2004, 08:26 PM
It is a pleasure to run into people like you who are willing to take the time to help and share their expertise. Thank you.

Blackspear
June 1st, 2004, 08:55 PM
{QUOTE-> It is a pleasure to run into people like you who are willing to take the time to help and share their expertise. Thank you. <-QUOTE}

My pleasure William, and as you learn you also will be able to help someone with what you have learnt ;D I did the same here, wanted to know how it was done, had someone advise and teach me, then went on to make it simple for others...

Cheers ;D

Eliot
June 1st, 2004, 09:04 PM
Blackspear, guess what buddy? YOU FRIGGIN KICK ARSE, VERY MUCH AT THAT. I have come back home to NOD32 on my main pc and just used your switch parameters on the right click in the registry. THE PROFILE HAS CHANGED QUESTION IS NOT HERE ANYMORE, WOOOOOOOOOOOOHOOOOOOOOOOOOOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Man, thanks so much ;D

Blackspear
June 1st, 2004, 09:15 PM
{QUOTE-> Blackspear, guess what buddy? YOU FRIGGIN KICK ARSE, VERY MUCH AT THAT. I have come back home to NOD32 on my main pc and just used your switch parameters on the right click in the registry. THE PROFILE HAS CHANGED QUESTION IS NOT HERE ANYMORE, WOOOOOOOOOOOOHOOOOOOOOOOOOOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Man, thanks so much ;D <-QUOTE}

lmao, my pleasure, glad I could be of service ;D

Cheers ;D

Eliot
June 1st, 2004, 09:18 PM
Me too. You should have seen me right click and scan about 10-12 diff files and folders to make sure it wasn't a dream/fluke :o 8)

I was like "Ya, right, its gonna show up next scan" for about the first 4 or 5 tries. I can't say enough how happy I am to not have that question *puppy*