Proposal: Easier registration method

Discussion in 'ESET NOD32 Antivirus' started by Raytoo, Jan 10, 2008.

Thread Status:
Not open for further replies.
  1. Raytoo

    Raytoo Guest

    When we sell your products to home users, we would like a simpler way for us and them to enter the username and password information on registration, or most often renewal.

    I noticed that SlySoft's AnyDVD product has a clever way of doing this; it registers a file handler for extensions that end with .anydvd. If a file named license.anydvd is opened, AnyDVD is invoked, and it would know how to extract the license information and give feedback to the user whether it was updated or not.

    By keeping this as a simple text file, any reseller could make and distribute such files, and NOD32 would register a file handler for .nod32 or similar.

    Double-clicking that license.nod32 file would enter/update the registration information.
  2. webyourbusiness

    webyourbusiness Registered Member

    Nov 16, 2004
    Throughout the USA and Canada
    it could be used as an attack vector to disable nod32 update though...
  3. Raytoo

    Raytoo Guest

    Edit: I was way too quick in reading your response, but here's my second reply (first):

    This is true, but you would have to confirm entering the information, so it wouldn't go unnoticed at least?

    NOD32 would need to present the context clearly.

    "You are about to update NOD32 license information.
    Please confirm." etc

    Something to that effect. I can't run it through my head, so I would have to try various approaches.

    But still, more critique is great.


    My first (quick) reply:

    That would be the case for all files with file extensions.

    Remember that NOD32 does the parsing of this file and has the burden of verifying it.

    If it contains gibberish, it's discarded. If it holds fields such as username and password, it should then proceed to evaluate the username and password before entering it into the registry* or wherever.

    *This is far worse; having a .reg file to enter the information. NOD32 would know best.--It's real OOP. You may toss anything at NOD32, but it would only accept what it understands. The only thing wrong would be the username and password.

    More critique, please! :)
    Last edited by a moderator: Jan 10, 2008
  4. Raytoo

    Raytoo Guest

    Any of ESET's developers reading this?

    Even if they've thought about [it], I would be interested in knowing the reason why it would not be implemented. :)

    There's also no stopping the registration process from validating the username and password before entering it in the registry or wherever.

    Users receive the license.nod32 file.

    1. Users double-click the license.nod32 (for example) file.
    2. NOD32 is invoked with the file.
    3. NOD32 evaluates the username and password.
    4. NOD32 may then verify the username and password with the server (requires an Internet connection though).
    - Actually, many users manage to mistype/are not comfortable with using copy/paste regarding usernames and passwords. This is the real world.
    5. NOD32 will ask the user to confirm entering the new username and password.
    6. Done.
  5. Raytoo

    Raytoo Guest

    I'm bumping this one because I think it's a very good idea.

    Here are some more thoughts about attack vectors, which actually aren't effective at all.

    To recap; instead of the user entering registration information into the application (username and password), which requires instructions on where to click, and which changes with newer versions, the user simply double-clicks a nod32-file which is directly fed to NOD32 when it is opened. NOD32 may then check the validity of the information, and then enter the information into the application.

    Attack vectors:
    1. Bogus registration information in the file.

    NOD32 will evaluate the username and password (even the format, or anything to find any error), and if connected to the Internet, verify it (this is a bonus feature), something it doesn't even do today until the user clicks update.

    First off, for this bogus registration information to work, the user must be sent a new license information file to open, and the user would then have to open it by double-clicking the file. This is not likely to happen, because the license file usually comes once a year, and from a reliable source! Besides, NOD32 would immediately complain about not being up-to-date anyway. So much for that attack vector.

    2. Another attack vector: another application registers to use the .nod32 file extension to pretend NOD32 is updated with the license information.

    NOD32 could check whether its file extension is registered by another application. So much for that attack vector. Besides, NOD32 would complain about not being up-to-date anyway.

    Think about it.

    All the user receives is a file to double-click. The file contains the user name and password. NOD32 is invokved to parse the file, maybe even checking it against a server.

    To further reduce human error factor, the file could be made available directly from ESET from the results of the registration form, or from the lookup. Simply download and double-click the file.

    Why guide users through screen shots, which have to be updated when the GUI changes, when one could simply double-click the license information file and have it open directly in the NOD32 application, and the update it?

    Any thoughts?
  6. j0shua

    j0shua Registered Member

    Jul 20, 2008
    I think this is an AWESOME idea. It would really help me right now. Instead of having to recieve all these emails (annoying!!!) i would just have to download a file from the website as soon as I renewed it! (easy!!!!)

    Two thumbs up! :thumb: :thumb:
  7. aakash

    aakash Registered Member

    Jul 27, 2008
    I agree that this would be a good idea and would definitely help make it easier to set up Nod32.

    As for potential attack vectors, couldn't the license file potentially be digital signed with a certificate? This way, the license engine would first verify the signature, and if it doesn't work, error out and stop.
  8. rwt325

    rwt325 Registered Member

    Jul 28, 2005
    Strasburg VA
    Eset has now one of the simplest and non-intrusive methods of registering the product. You can find licence expiration date by looking in Help>About.

    Why complicate what is a simple, easy process.
  9. The Nodder

    The Nodder Registered Member

    Sep 6, 2006
    I agree, it's only a matter of cut and pasting the two items when installing NOD32.
  10. Raytoo

    Raytoo Guest

    Late reply, but still:

    Nobody would suggest this if it was that easy.

    But of course, it's easy for those of us who work in the industry and have done this many times, but don't make the big mistake of assuming too much about your run of the mill user, who actually cares very little about antivirus, other than knowing they have to use it, and that it's a good idea that it's updated.

    Most of the feedback I got regarding NOD32 was regarding the update procedure of the license. This has been true for those who use--and still use--NOD32v2, which misleadingly pops up a dialog box prompting the user to enter a username and password when the license has expired, but counter-intuitively, the information entered is only valid for that instance only, and the username and password is not stored (until you enter setup and enter the new username and password again). This is actually proven difficult to communicate, because computer users in general are quite apathetic to computers, other than the software they are trained to use.
  11. Mat3000

    Mat3000 Registered Member

    Jun 7, 2008
    I have often to explain to my customers how to enter the license information. I like the idea from Raytoo.
  12. xxJackxx

    xxJackxx Registered Member

    Oct 23, 2008
    I have to agree with this one. Eset has one of the best registration systems of any product. If they made key files they would get passed all over the internet, making it a bigger job to ban the pirated ones. I would much rather the developers work on keeping the product up to date rather than working on a new registration system for folks that are not comfortable with the idea of "copy and paste". The registration/activation process for other products is much more complicated, and those products sell to much less advanced users than what is the typical Eset customer. The current registration process is what keeps me buying this, where Norton's lost them a customer a long time ago.
  13. doktornotor

    doktornotor Registered Member

    Jul 19, 2008
    Easier? Seriously, if you are unable to input username and password in two fields, probably you shouldn't manage your AV at all... o_O :doubt:
  14. BedreAntivirus

    BedreAntivirus Registered Member

    Mar 11, 2008
    well there is people like you grandparents that only knows to read email
    they do not even notice if they got antivirus or not

    and it will be simple to make a license.nod32 file with username and password for register/update and nothing more, just a simple .txt file will do, nod32 can just read the username like EAV-00000 and the password line and drop anything else in the file

    btw: did you know nod32 even got support for .lic files?
  15. Raytoo

    Raytoo Guest

    I'm sure you misunderstood, but anyway:

    But we're not talking about changes to how you register for your license at the website.

    But we're not talking about keyfiles. What does keyfiles have to do with the content of this thread anyway, and how would it differ from spreading your username and password, for instance?

    The suggestion adds another path to enter the same information into NOD32, except that it is now independent of the UI. It would in fact be good object-oriented design.

    Well, what if you received a file from the registration process, and all you had to do was double-click it to enter the username and password into NOD32? That's what we're talking about here.

    Also, the UI changes with time, so IT people must update user explanations to reflect this change, unless ESET would be among one of the first companies in the world who kept a dedicated "common procedures" section.

    This is, as mentioned, only another path to enter the same information you enter using copy/paste.

    This is what the programmers have to do:
    - NOD32 registers its file extension .nod32 with the shell. (I believe Windows only requires a reboot in order for the icon to be displayed correctly, so the file will be opened with NOD32 anyway.)
    - NOD32 could monitor hijack attempts of this file extension.
    - NOD32 has to evaluate the information. At the same time, it could also verify the information with its database, and inform the user whether it was successfully entered.

    Anyway. This is merely a suggestion to make the application less noticable to the user, which is good! People who use computers as tools want to spend less time with various applications that attract too much attention to itself.
  16. dklein

    dklein Registered Member

    Mar 24, 2006
    Paris, France
    The licence could come with a kind of .reg file

    So when user double-click, it'll update the registry with the correct username/password (since username and password ARE in the registry, but encrypted for the password)
  17. Raytoo

    Raytoo Guest

    Now we're at the level of taste, since the registry API supports change notification. In other words, same exact function, entirely different approach.
  18. The Hammer

    The Hammer Registered Member

    May 12, 2005
    Toronto Canada
    Isn't there already a thread on the registration process?
Thread Status:
Not open for further replies.