Shell Power for NOD32 2.0

Discussion in 'NOD32 version 2 Forum' started by Paolo Monti, May 31, 2003.

  1. Paolo Monti

    Paolo Monti Eset Staff Account

    Hi all,

    for testing purposes I developed a special shell extension for NOD32 v. 2.0, but I don't see any motive to keep it inside the lab only, so here you are.

    An excerpt from the documentation

    "The new NOD32 scanner which comes with NOD32 v. 2.0 offers a new, powerful heuristic option to identify unknown Win32 malware (this option is included in the new IMON – Internet MONitor also). This new feature is very powerful, but on account of its nature it will notably slow down the speed of the scanning process.
    For this motive this option cannot be enabled directly in the environment of NOD32 scanner, but it can be used only if the scanner is explicitly launched with the /AH (Advanced Heuristic) option on command line.

    The purpose of this shell extension is to supply a shortcut for users that want to run a scan with Advanced Heuristic enabled directly from the context menu of Explorer.

    Actually, this shell extension has been written to be very flexible and it can be easily customized to pass whatever parameter to the NOD32 scanner."

    You may download it here

    http://www.nod32.it/tools/NODSE.ZIP

    To ease the installation process I developed a full-fledged installer, so installing/uninstalling the shell extension should be a breeze. The installer also contains an RTF file as documentation, where you'll find how you may customize the behaviour of the shell extension.

    Enjoy it :cool:

    ciao,
    Paolo.
     
    Last edited by a moderator: May 2, 2004
  2. mrtwolman

    mrtwolman Eset Staff Account

    well maybe this will force eset guys to add this shell shortcut too ...
     
  3. Paolo Monti

    Paolo Monti Eset Staff Account

    For several motives, I don't think so. But after all it doesn't matter, since NOD32 users may use my shell extension. I'm planning other enhancements, by the way. When I have a minute I'll implement them and I'll release a new version.

    ciao,
    Paolo.
     
  4. tosbsas

    tosbsas Registered Member

    Only bad thing about it is that it will not keep the settings of the "normal" right-click default. Any chance you get that too??

    Ruben
     
  5. Paolo Monti

    Paolo Monti Eset Staff Account

    Just to be sure: do you mean that my shell extension doesn't load the profile loaded by Eset's shell extension? In this case I don't see particular problems and yes, I'll implement this feature.

    ciao,
    Paolo.
     
  6. tosbsas

    tosbsas Registered Member

    Yeah, that's exactly what I mean. It should use the same setting as default as the "normal" one or at least keep a setting you set when running. I remember till version beta4 NOD had that problem too.

    Ruben
     
  7. linney

    linney Registered Member

    Running NOD32 Version 2.


    I am having problems trying to get this Shell Extension to work for Limited Users on my machine under XP Pro. If they are promoted to Administrator it works fine.

    The program was installed by an Administrator as is required. When a Limited User right-clicks on a file or folder to use it he is presented with an error message stating "Error executing NOD32 scanner", and the path of the file or folder to be scanned in quotes, followed by %s. Where is it getting "%s" from?

    Is there any way a Limited User can use this program by Paolo?

    I think this was alluded to in the above post, is it also possible for it to be able to scan "all file extensions" and not just default ones from NOD32?
     
  8. linney

    linney Registered Member

    Here's an image of the error.
     

  9. Paul Wilders

    Paul Wilders Administrator

    Linney,

    Paolo (and most probably all Eset staff members) are enjoying their - well deserved - free Sunday. Let's take this one over the weekend, OK? ;)

    regards.

    paul
     
  10. Paolo Monti

    Paolo Monti Eset Staff Account

    It seems to be a problem with Registry permissions. I'll investigate it.
    About the file extensions: consider that you may pass whatever parameter to the shell extension using its "Params" entry in the Registry. Try adding the "/all" switch. In the next version of the shell extension this option will be included by default.

    ciao,
    Paolo.
     
  11. Paolo Monti

    Paolo Monti Eset Staff Account

    OK, I fixed the problem and now all seems to work fine for Limited accounts also :D
    Tomorrow I'll release a new version of the shell extension. Stay tuned.

    ciao,
    Paolo.
     
  12. tosbsas

    tosbsas Registered Member

    Great - thanks

    Let us know if we can install on top of the "old" version.

    Ruben
     
  13. linney

    linney Registered Member

    Thanks for the great response.
     
  14. NewNOD

    NewNOD Guest

    Paolo,

    Thanks for the great little add-on. I liked it so much, I disabled the original NOD32 context-menu item so that I don't have to look at two scanning options in the menu.

    I've added the following switches to the string value of "Params" in the registry (these are in addition to the "/ah" switch). All the functions set by the switches in "Params" then run in addition to the standard defaults run by the NOD32 on-demand command line scanner, i.e. "/subdir+", "/pattern", "/heur+", "/scanfile+", "/scanboot+", etc.):

    /list+
    /scroll+
    /arch+
    /pack+
    /all
    /log=context.log*

    *I use a separate log file for the on-demand scanner launched from the context menu (context.log), launched from a download utility (dl.log), and normally launched from within NOD32 (nod32.log).

    Works great, so thanks again.
     
  15. Paolo Monti

    Paolo Monti Eset Staff Account

    You're welcome, I'm glad to know that you found my shell extension helpful :)
    Just a little advice: in the "Params" entry in the Registry, you might add a "not-up-to-now-documented" switch: /mailbox+
    With this switch NOD32 will scan e-mail formats also.

    ciao,
    Paolo.
     
  16. tosbsas

    tosbsas Registered Member

    are you talking about a new version already? o_O

    Ruben

    Any indication which regkey to look at??
     
  17. tosbsas

    tosbsas Registered Member

    which switch would stop checking operating memory and boot sector? o_O

    Ruben
     
  18. tosbsas

    tosbsas Registered Member

    I found a key for my profile

    adv_heur_enable - was 0 set it to 1
    sensitivity 3
    enabled 1

    How about that??

    Ruben
     
  19. NewNOD

    NewNOD Guest

    Paolo,

    Thanks for the tip on the "/mailbox+(-)". I asked in a previous post if the command line switch list in the NOD32 help file was complete; I questioned its "completeness" based on the knowledge that the "/ah" switch wasn't listed. As such, I was assuming maybe others were missing, too. No one ever responded to the other post, but it seems now at least two switches aren't listed. Thanks for that info ... hopefully, a complete listing will be made available at some point.

    Now some questions regarding the "/mailbox+(-)" switch and e-mail file scanning in general:

    1. Am I correct in guessing that the switch you provided is the equivalent to checking the "Email files" option on the on-demand scanner Setup tab?

    2. If the answer to #1 is yes, then I can speak about the switch and the Setup tab option as one and the same. In neither case (switch or Setup tab option) do I get a real level of comfort that the scanner is actually scanning email files. Here's an example:

    If I scan a folder containing 3 *.pst files with the "Email file" scanning option "off" (no switch in Params and "Email files" unchecked in the Setup tab), the scanner returns a log (list+) which indicates 3 files scanned. If I activate the "Email file" scanning option, either via switch or via the Setup tab, and then scan the same folder, the scanner returns a log (list+) indicating that 3 files were scanned. Shouldn't the scanner indicate that more files were scanned, because the scanner should have been scanning inside the *.pst file, which is really just a special archive containing emails and attachments?

    The comparison I raise is this:

    If the option to scan archives is set to "off", and a *.zip file containing 5 files is scanned, the scanner returns a log (list+) indicating that only one file was scanned and further indicates that internal scanning was not performed. If, on the other hand, the option to scan archives is set to "on", and the same file is scanned, the scanner returns a log indicating that 5 files were scanned and lists the files inside the archive.

    Shouldn't scanning a *.pst file be similar to scanning an archive in both the "off" and "on" states? In other words, shouldn't the email scanning in the "on" state cause the scanner to show all the internal files it scanned inside the *.pst file? At the very least, even if visual (log) confirmation was impossible, shouldn't it take quite a bit longer for the scanner to scan inside a 350 MB email file than when it doesn't? In either state, the scanner scanned the 350 MB file in less than 1 second.

    The only "email file" that seems to be thoroughly scanned is the one that is currently active as the Outlook Inbox, and the scanner will scan the entire contents of the file even if both "Email files" and "MAPI" options are disabled.

    So, needless to say, I'm not understanding exactly what NOD32's capabilities are in scanning email files. The available options don't seem to have any effect at all on the behavior of the scanner. Can you help?

    Thanks.
     
  20. tosbsas

    tosbsas Registered Member

    Have found the settings

    I am running

    /ah /heurdeep /list+ /scroll+ /arch+ /pack+ /all /scanmbr+ /scanboot+ /scanmem-

    now - just one question - is /heurdeep necessary or already covered by /ah??

    Keeps the question about the "normal" right-click registry thing.

    Ruben

    "I found a key for my profile

    adv_heur_enable - was 0 set it to 1
    sensitivity 3
    enabled 1

    How about that??"
     
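    The Params strings quoted in this thread (NewNOD's additions in post 14 and Ruben's command line above) all follow one switch syntax. As an added example, not part of the thread and not Paolo's tool or any ESET code, here is a small Python parser that turns such a string into a structured form so a "Params" registry value can be checked before it is written: it flags switch names that appear neither in the help file (as quoted here) nor among the undocumented switches named in the thread, and merges user additions onto a default string without setting a switch twice. The switch sets are taken only from the posts above and are assumed to be incomplete.

```python
# Added example, not from the thread or from Paolo's tool: parse a NOD32 v2
# "Params" string into a structured form so it can be audited before being
# written to the registry. Assumed syntax, as seen in the posts above:
# space-separated switches; "/name+" and "/name-" enable or disable;
# "/name=value" carries a value; a bare "/name" is a simple flag.
from typing import Dict, List, Union

State = Union[bool, str, None]  # True/False for +/-, str for =value, None for bare

# Switches the help file lists, as quoted in the thread (not a complete list).
DOCUMENTED = {"subdir", "pattern", "heur", "scanfile", "scanboot", "scanmbr",
              "list", "scroll", "arch", "pack", "all", "log"}
# Switches the thread reports as missing from the help file.
UNDOCUMENTED = {"ah", "mailbox", "shext", "scanmem", "heurdeep"}

def parse_params(params: str) -> Dict[str, State]:
    """Map each switch name (lower-cased) to its state; reject bad tokens."""
    result: Dict[str, State] = {}
    for token in params.split():
        if not token.startswith("/") or len(token) < 2:
            raise ValueError(f"not a NOD32 switch: {token!r}")
        body = token[1:]
        if "=" in body:                       # /log=context.log
            name, value = body.split("=", 1)
            result[name.lower()] = value
        elif body[-1] in "+-":                # /scanmem-
            result[body[:-1].lower()] = body[-1] == "+"
        else:                                 # /ah, /all, /shext
            result[body.lower()] = None
    return result

def unknown_switches(parsed: Dict[str, State]) -> List[str]:
    """Names found neither in the help file nor in this thread: worth a look."""
    return sorted(n for n in parsed if n not in DOCUMENTED | UNDOCUMENTED)

def build_params(defaults: str, extra: str) -> str:
    """Merge extra switches onto the defaults; a repeated switch keeps its
    position but takes the later state, so nothing is set twice."""
    merged = parse_params(defaults)
    merged.update(parse_params(extra))
    tokens = []
    for name, state in merged.items():
        if state is None:
            tokens.append(f"/{name}")
        elif isinstance(state, bool):
            tokens.append(f"/{name}{'+' if state else '-'}")
        else:
            tokens.append(f"/{name}={state}")
    return " ".join(tokens)
```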
  21. Paolo Monti

    Paolo Monti Eset Staff Account

    From my personal knowledge
    -------------------------------------
    /scanmem- disable memory scanning

    From NOD32 help
    ----------------------
    /scanboot+ (-) Enable (disable) boot sector scanning
    /scanmbr+ (-) Enable (disable) master boot record (MBR) scanning

    ciao,
    Paolo.
     
  22. Paolo Monti

    Paolo Monti Eset Staff Account

    Yes, you are right. The list inside the help is not complete. Anyway, I'm sure that many little "imperfections" will be fixed soon.

    Yes, don't worry. The lack of exhaustive documentation is just a temporary problem due to the particular period. For the new version the international Eset team is quite under pressure with many, many things to accomplish (new graphics, new box design, new price list, and so on).

    You're correct. About the remaining questions: I don't have yet a complete list concerning the types of e-mail databases that NOD32 is able to scan with that switch. I'll let you know ASAP. Anyway, you should consider that e-mail protection by NOD32 is achieved in a different way. I mean, the "philosophy" is to demand real-time protection from IMON, so I don't think that the developers will add very deep, wide support for e-mail formats. I saw that NOD32 is able to scan .EML files, but I'm almost sure that it doesn't decode .PST files.

    ciao,
    Paolo.
     
  23. NewNOD

    NewNOD Guest

    Paolo,

    Thanks. Hope I didn't sound too coarse. I'm just trying to understand the program and its capabilities.

    By the way, I don't have any *.eml files to test (these seem to be "backup" copies of Outlook Express mail), but I did test *.dbx files (normal Outlook Express email file databases), and NOD32 can scan inside these.

    Help me understand the MAPI option: According to the help file:
    ___________________
    "Use MAPI interface" provides MAPI support to scan Microsoft (R) Outlook databases.
    ___________________

    But as I noted, previously, enabling the MAPI functionality does not change the behavior of the scanner. The scanner can scan inside a *.pst file if actively functioning as an Outlook inbox, but the scanner cannot scan inside "inactive" *.pst files; this behavior is the same regardless of whether MAPI is enabled or not. So what does MAPI do?

    If NOD32 can't do something, that's fine. I'm just trying to reconcile what the help file says it does with the realities of the program.

    Thanks.
     
  24. Paolo Monti

    Paolo Monti Eset Staff Account

    Don't worry :) You're welcome.

    There is a topic discussed by Anders about this issue. Please, take a look here

    http://www.wilderssecurity.com/showthread.php?t=10418;start=msg67818#msg67818

    ciao,
    Paolo.
     
  25. Paolo Monti

    Paolo Monti Eset Staff Account

    Hi all,

    new version released. The address to download it is the same

    http://www.nod32.it/tools/NODSE.ZIP

    In the new version I've fixed the problem reported by linney (thanks again for the report, by the way) and changed the default parameters used by the shell extension:

    /ah /all /shext

    A few words of explanation about the /shext option: it's an undocumented switch used to load the configuration of the context menu; Eset's shell extension uses this switch to accomplish this task.

    Installation issue: before updating to the new version, to keep things clean I strongly advise uninstalling my previous shell extension (classic way: just go to the Installation applet in the Control Panel and you'll find an entry to uninstall the shell extension).

    ciao,
    Paolo.
     