Advanced Heuristic shell extension

Discussion in 'NOD32 version 2 Forum' started by NTT7, Dec 5, 2003.

Thread Status:
Not open for further replies.
  1. NTT7

    NTT7 Guest

    Is it sufficient to use the profile "Profile for scanning objects from within the context menu" for desired scanning parameters in NOD32 to be active when using the Advanced Heuristic shell extension?

    Or must the desired scanning parameters have to be set in RegEdit under the key HKEY_LOCAL_MACHINE\SOFTWARE\NODSE\Params?

    Sorry for my bad English, hope you understand what I mean... :)

    Thanx for all answers and help. :)
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi,
    I suggest you take a look at this thread:
    http://www.wilderssecurity.com/showthread.php?t=9776
     
  3. NTT7

    NTT7 Guest

    Hi Marcos,

    Thanx for your reply and help. :)

    I have already read the thread you're referring to several times, trying to find the answer, with no success.

    What I am unsure of is whether the profile "Profile for scanning objects from within the context menu" works only for the standard context menu or also for the Advanced Heuristics context menu.

    The scanning log informs about use of the following switches:
    Command line: /ah /all /shext, and this makes me unsure whether the NOD32 AH Context Scan uses the scanning parameters set in "Profile for scanning objects from within the context menu" or only the command line switches above.
     
  4. NTT7

    NTT7 Guest

    I also searched the registry for the word "heur" and found some interesting registry values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Modules\NOD32\Settings\Config000\Scanner (adv_heur_enable)

    HKEY_LOCAL_MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Modules\NMS\Settings\Config000\Scanner (adv_heur_enable)

    HKEY_LOCAL_MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Modules\Imon\Settings\Config000\Scanner (adv_heur_enable)

    HKEY_LOCAL_MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Modules\AMON\Settings\Config000\Scanner (adv_heur_enable)

    They were all set to 0 (disabled, I think), so I tested them with 1 (enabled, I hope).

    Does anyone know what these values are?
    After enabling them, nothing new seems to be activated, as far as I can see...
     
  5. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hi NTT7,

    I have tested it, and for me too nothing changed. I think that this option is not implemented yet and the program components don't read these settings..

    I have downloaded the advanced heur right-click installation, and when I scan anything with advanced heur, every time this message appears: "Arbeitsspeicher infiziert mit NewHeur_PE Virus möglicherweise unbekannter Virus! NOD32 Scanner kann diese Infektion NICHT säubern. Behandlung der Infektion des Arbeitsspeichers ist nicht möglich!"
    See the attached file for more..

    But when I scan anything without advanced heur, there is no virus message.

    And when I change the adv_heur_enable setting to 1 in the registry for NOD32, there is no virus message either.
    So I think it isn't working (yet) :p

    bye

    iNsuRRecTioN
     


  6. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Try scanning all local hard drives with the advanced heuristics enabled, and make sure you also have "runtime packers" selected.. If anything is detected (except in memory) as NewHeur_PE, send that file to Eset (or me).

    If nothing is detected then, go to http://www.merijn.org/ and download HijackThis. In HijackThis, click "Scan" then "Save Log". Copy and paste that log here, or in an IM to me, or in an e-mail to me (anders @ eurosecure.com).

    Best regards,
    Anders
     
  7. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    OK anders, I scanned all local hard drives with the following command line: /ah /all /shext /local

    Then after a while the attached error message popped up.

    bye

    iNsuRRecTioN
     


  8. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    cool. ;)

    There might be problems when scanning a certain file..

    Tell it to list all files, and if possible, try to see if that error happens to a certain file or folder... if the last file it scanned was c:\program files\somefolder\blah.exe, try scanning only c:\program files\somefolder, to see if the problem is there.. or try to only scan c:\program files..

    If you locate the file that causes the problems, send that file to eset or to me.

    Best regards,
    Anders
     
  9. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    hmm, maybe an accident, but this error always occurs in the same dir, but with different files..
    I think it is a cosmetic error or so, because I have scanned the same dir with no error, strange; I wanted to rescan, and the moment I click on "Nur Prüfen" (scan only?) the error pops up again.. it's very strange :D

    bye

    iNsuRRecTioN
     
  10. NewNOD

    NewNOD Guest

    NTT7,

    Once the AH shell extension is installed, it creates registry entries with a default set of AH extension command line switches (Default value: “/ah /all /shext”). These run in addition to defaults for the scanner itself. Here's a complete listing:
    _________
    /subdir*
    /list
    /scroll
    /pattern*
    /heurt*
    /scanfile*
    /scanboot*
    /scanmbr*
    /arch
    /pack
    /all**
    /log*
    /logappend*
    /log=****.log
    /prompt*
    /mailbox
    /shext**
    /ah**
    /heurdeep

    Add + or - sign to activate or deactivate
    * = default for scanner
    ** = default for Paolo's context menu item
    See NOD32 help file for description of switches.
    ________
    You can then add to, subtract from or otherwise modify the switches used when you select AH scan from the right-click context menu via editing the registry. If you're happy with the default registry entries (in combination with the scanner defaults), no editing is necessary.

    A recommendation: remove immediately the "/shext" switch. It is an undocumented switch that loads the "Profile" you were asking about. The problem with using a "Profile" with the right-click context scanner is that it prompts you with that "Profile Has Changed. Would You Like to Save It?" dialog every time you do a right-click context scan (that prompt is a big pain in the *ss). Running the AH scanner without the switch loads simple command line switches (not a "Profile") and therefore you don't get prompted to save the "Profile" (because there is no "Profile" to save). Adding every item scanned to the "Profile" doesn't make sense for a right-click context scan in the first place, so neither does having to answer "NO" (don't save) to the prompt every time.

    If you choose to remove the "/shext" switch, you will notice that a scan with the AH extension shows [<Command line Profile>] in the scan results window title bar. When scanning with the standard right-click context scanner, you will see [Context menu Profile] in the title bar. If you leave the "/shext" in the registry, the title bar will appear the same ([Context menu Profile]) whether using the AH context menu extension or the standard context menu extension, and you'll also get the same goofy prompt every time you try to close the scan results window.

    I use the AH context extension exclusively without the "/shext" switch and have added /list, /scroll, /arch, /pack and /log=****.log. I also removed the default / standard context menu item from my right-click menu. It seemed redundant at best and I never used it (and I hated the prompt).

    Does any of that make sense?
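    To make the layering in the listing above concrete (scanner defaults, the AH extension's registry string, and +/- overrides), here is an added Python model; it is not code from the AH shell extension, Paolo, or NOD32. It assumes the registry value is a space-separated switch string and that the activating/deactivating sign is a suffix on the switch (the position of the sign is an assumption); switch names and defaults are taken from the listing.

```python
# Added example (not the AH extension's or NOD32's own code): models how the
# registry switch string combines with the scanner defaults listed above.
# Assumption: a trailing "+" / "-" activates or deactivates a switch.

# "*" entries from the listing: switches the scanner turns on by itself.
SCANNER_DEFAULTS = {"subdir", "pattern", "heurt", "scanfile", "scanboot",
                    "scanmbr", "log", "logappend", "prompt"}
# "**" entries: the AH context-menu item's registry default.
AH_REGISTRY_DEFAULT = "/ah /all /shext"


def parse_switches(cmdline):
    """Return ({name: value_or_None}, {names switched off}) for a switch string."""
    enabled, disabled = {}, set()
    for tok in cmdline.split():
        if not tok.startswith("/") or len(tok) < 2:
            raise ValueError(f"not a NOD32-style switch: {tok!r}")
        name, _, value = tok[1:].partition("=")   # e.g. /log=scan.log
        sign = "+"
        if not value and name[-1] in "+-":        # e.g. /prompt- or /arch+
            name, sign = name[:-1], name[-1]
        if not name:
            raise ValueError(f"empty switch name in {tok!r}")
        if sign == "-":
            disabled.add(name)
        else:
            enabled[name] = value or None
    return enabled, disabled


def switch_name(tok):
    """Bare switch name of one token, ignoring its sign and any =value."""
    body = tok[1:].partition("=")[0]
    return body[:-1] if body and body[-1] in "+-" else body


def effective_switches(cmdline):
    """Scanner defaults plus the registry string, minus anything switched off."""
    enabled, disabled = parse_switches(cmdline)
    return (SCANNER_DEFAULTS | set(enabled)) - disabled


def without_shext(cmdline):
    """Registry string with /shext dropped, as recommended above."""
    parse_switches(cmdline)                       # validate before filtering
    return " ".join(t for t in cmdline.split() if switch_name(t) != "shext")


def title_bar_profile(cmdline):
    """Profile name the results window title bar shows, per the post above."""
    return ("Context menu Profile" if "shext" in effective_switches(cmdline)
            else "<Command line Profile>")
```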
     
  11. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Are you talking about XP? I don't get that prompt on W98SE.
     
  12. NewNOD

    NewNOD Guest

    This is on a plain vanilla Win98 PC. I don't have NOD32 installed on my XP box yet (if ever).

    If you are using the standard right-click context scan and get no message, I have no answer for why you don't get the pop-up "Save Profile" dialog on Quit. It is the same Save Profile dialog you get after modifying any profile, whether the profile is one you use for scheduled scans or whatever. The mod in the case of the context scanner is that it wants to add the file you just scanned to the Scanning Targets directories and file list. This happens here even with Silent Mode and Actions set to "Nothing" (which normally it is not).

    If you are using the Advanced H scanner and don't get the Save dialog, yet you haven't modified the registry settings manually, here's a thought: Paolo released a second version sometime back to fix an issue a user identified, and in the meantime he changed the default switches....he added the "/shext", which is what forces the Save Dialog among other things. So, if you have the first version of the AH extension, you won't get the Save Dialog.

    Is this your situation?
     
  13. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Hmmm...I checked and I have the newer Jun 18 version and I am running this on W98SE and I don't get that prompt. I know what prompt you are referring to but I don't get it. I haven't modified the registry either.

    I had NOD on my new XP Pro box briefly (had to return the tower to Dell as defective and haven't put NOD on the replacement tower yet) and I must have used rt.click scanning because I was downloading a lot of stuff and I would have scanned with adv. heuristics and I don't recall seeing the prompt box there either. However, more I think about it, I might not have installed adv. heuristics on the XP box as I had my hands full with all the problems I was having with everything from Dell being defective and may have just thought the adv. heuristics could wait until I got other things done. It will be interesting to see if I get that prompt when I do install NOD32 and adv. heuristics on the replacement XP box. That would be very irritating!
     
  14. NewNOD

    NewNOD Guest

    Hey, Mele20.

    I don't know then.

    I put the /shext switch back in my registry before I made my last post, and adding that entry caused the pop-up to appear when otherwise it didn't. I was pretty sure I had determined that to be the culprit back in June when I installed the AH update, but wanted to make sure.

    The reason I remember even installing the thing is that I was extremely bummed to find out that my method of getting around that pop-up (ie, using AH extension exclusively) didn't work after the update. Then I found out about the change in default settings, removed the switch from the registry, and all was good again.

    I know you said you were busy, but could you check your registry to see if the switch is actually there? Maybe something got crossed up and the registry key didn't get added or updated properly.

    Otherwise, it's another case of NOD32 something or other working one way on one machine and completely differently on another. And I hate those situations. :)

    Thank you.
     
  15. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Yeah, I have the registry key. So, I dunno....maybe we are not talking about the same thing? Maybe I misunderstood you. I get that pop-up if I run a full on-demand scan using any of my profiles. I don't get it though if I use adv. heuristics right-click to scan, say, an email attachment that I downloaded to the hard drive. I think you are talking about the latter...unless I misunderstood.
     
  16. NewNOD

    NewNOD Guest

    Mele20 wrote:
    No. I'm pretty sure we're talking about the same thing. I'd post a pic, but I don't want to register just for that, and it seems we're on the same page without it. Anyway, I don't get the pop-up with the AH extension either, but I have to have the /shext switch removed from the registry entry in order to effect this behavior. I do get the "save profile?" pop-up with standard NOD32 right-click scan and with the full scans, regardless (there is no setting to prevent this).

    I don't have the exact url for the post that the following info came from, but I had it in my AH extension program notes...I originally copied it from Paolo's post when he uploaded the AH extension zip file. It comments on what the /shext switch does, and it's what led me to figuring out that I needed to remove the switch (stress on "ME" and "I" 'cuz evidently it has no impact on you :) ). Probably makes no difference since you say the /shext is in your registry, but note Paolo's tip on installation. I know that the extension's *.dll file can't be directly deleted (you get the "In Use By Windows" warning if you attempt to do so), so maybe that's the reason for Paolo's comments.


    ------------From Paolo's comments back in June, 2003------------------
    In the new version I've fixed the problem reported by linney (thanks again for the report, by the way) and changed the default parameters used by the shell extension:

    /ah /all /shext

    A few words of explanation about the /shext option: it's an undocumented switch used to load the configuration of the context menu; the Eset shell extension uses this switch to accomplish this task.

    Installation issue: before updating to the new version, to keep things clean I strongly advise uninstalling my previous shell extension (the classic way: just go to the Installation applet in the Control Panel and you'll find an entry to uninstall the shell extension).
     