NOD32 Anti-Virus Filter

Discussion, support and announcements for third party applications that work with MailEnable.
Nightma12
Posts: 7
Joined: Sat Apr 08, 2006 7:17 pm

NOD32 Anti-Virus Filter

Post by Nightma12 »

I'm unable to get NOD32 anti-virus to work with Mail Enable Enterprise Edition :(

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters]
"Processing Order"="MEAVNOD,MEAVFPI,MEAVGRI,MEAVMAC,MEAVNAV,MEAVNOR,MEAVPAN,MEAVSOP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD]
"Status"=dword:00000000
"Antivirus Notification Message"="<<- Attachment was removed because it appears to contain a virus ->>"
"Antivirus Scratch Directory"="C:\\Program Files\\Mail Enable\\Scratch"
"Antivirus Parameters"="\"[AGENT]\" \"[FILENAME]\" /scanmbr- /scanboot- /all /delete /quit+"
"Antivirus Agent"="C:\NOD32"
"Provider DLL"="MEAVGEN.DLL"
"Program Name"="NOD32"
"Program Info"="NOD32 Antivirus software has been developed by Eset Software since 1992. Eset today is a privately held software development and research company with offices in San Diego, USA, London, UK, Prague, CZ and Bratislava, SK."
"Exit Code Enabled"=dword:00000000
"Exit Codes Error Inclusive"=dword:00000001
"Exit Codes"="3"

This is the code for the registry key I ran, yet it doesn't even show up in the list of anti-virus vendors :?

How would I get this working?

pqxl
Posts: 48
Joined: Mon May 15, 2006 12:01 pm

Post by pqxl »

OK, here it is, tested and confirmed to work with 2.04 (at least with the Pro version)

1. Merge this modified reg key (copy to a file nod32.reg, right click and select merge or just double click it).


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters]
"Processing Order"="MEAVFPI,MEAVGRI,MEAVMAC,MEAVNAV,MEAVNOR,MEAVPAN,MEAVSOP,MEAVNOD"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD]
"Status"=dword:00000001
"Antivirus Notification Message"="<<- Attachment was removed because it appears to contain a virus ->>"
"Antivirus Scratch Directory"="C:\\Program Files\\Mail Enable\\Scratch"
"Antivirus Parameters"="\"[AGENT]\" \"[FILENAME]\" /scanmbr- /scanboot- /scanmem- /arch+ /all /quit+"
"Provider DLL"="MEAVGEN.DLL"
"Program Name"="NOD32"
"Program Info"="NOD32 Antivirus software has been developed by Eset Software since 1992. Eset today is a privately held software development and research company with offices in San Diego, USA, London, UK, Prague, CZ and Bratislava, SK."
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000000
"Exit Codes"="0"
"Type"=dword:00000001
"Antivirus Agent"="C:\\Program Files\\ESET\\nod32.exe"
"Send Return Notification"=dword:00000000
"Notification Address"=""
"Message Handling"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD\Default]
"Antivirus Parameters"="\"[AGENT]\" \"[FILENAME]\" /scanmbr- /scanboot- /scanmem- /arch+ /all /quit+"
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000000
"Exit Codes"="0"
"Antivirus Agent"="C:\\Program Files\\ESET\\NOD32.EXE"


2. Go to Mail Enable > Mail Enable Management > Servers > localhost > Filters, double click the MailEnable Antivirus filter and enable the NOD32 entry, test the configuration.

3. Go to Mail Enable > Mail Enable Management > Servers > localhost > MTA, right click it and select Stop, right click it and select Start

4. Go to Mail Enable > Mail Enable Management > Messaging Manager > Filters, right click and create a new filter, double click the new filter, select "When the message contains a virus", add the action "Delete message", close the filter and make sure it's enabled.

5. Go to www.eicar.org and get the eicar test virus, send it to an email account on your system. Read the logs on the Mail Enable > Mail Enable Management > Servers > localhost > Filters > Antivirus to make sure it was caught.

That's all, really simple and intuitive isn't it, lol
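
Added example, not code from any poster or from MailEnable: a small Python linter for the .reg files in this thread, checking an MEAVNOD filter key against the traits of the configuration reported above as working. The sample strings are constructed abbreviations of the posted files (the third from a later post), and the checks are assumptions drawn from that working config plus the .reg rule that backslashes in string values are doubled, not documented MailEnable rules.

```python
import re

# Constructed samples, abbreviated from the .reg files posted in this thread.
KEY = r'[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD]'
BROKEN = KEY + r'''
"Status"=dword:00000000
"Antivirus Parameters"="\"[AGENT]\" \"[FILENAME]\" /scanmbr- /scanboot- /all /delete /quit+"
"Antivirus Agent"="C:\NOD32"
'''
WORKING = KEY + r'''
"Status"=dword:00000001
"Antivirus Parameters"="\"[AGENT]\" \"[FILENAME]\" /scanmbr- /scanboot- /scanmem- /arch+ /all /quit+"
"Antivirus Agent"="C:\\Program Files\\ESET\\nod32.exe"
'''
NO_PLACEHOLDER = KEY.replace('SOFTWARE', r'SOFTWARE\Wow6432Node') + r'''
"Status"=dword:00000001
"Antivirus Parameters"="C:\\Program Files\\eset\\ESET File Security\\ecls.exe /arch /mail /clean-mode=delete"
"Antivirus Agent"="C:\\Program Files\\eset\\ESET File Security\\ecls.exe"
'''

# One value line: "name"=dword:hex  or  "name"="string using \\ and \" escapes"
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:dword:([0-9a-fA-F]{1,8})|"((?:[^"\\]|\\.)*)")$')

def parse_reg(text):
    """Return {key_path: {value_name: (raw, decoded)}} for string and dword values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            name, dword, raw = m.groups()
            # dword -> int; string -> undo \\ and \" only (lone backslashes are linted)
            current[name] = ((dword, int(dword, 16)) if dword is not None
                             else (raw, re.sub(r'\\([\\"])', r'\1', raw)))
    return keys

def lint_filter(text, name='MEAVNOD'):
    """List where a filter key departs from the config the thread reports as working."""
    values = next((v for k, v in parse_reg(text).items() if k.endswith('\\Filters\\' + name)), None)
    if values is None:
        return [f'{name}: filter key not found']
    findings = [f'{n}: backslash not doubled' for n, (raw, _) in values.items()
                if '\\' in re.sub(r'\\[\\"]', '', raw)]
    if values.get('Status', ('', None))[1] != 1:
        findings.append('Status: not 1')
    if not str(values.get('Antivirus Agent', ('', ''))[1]).lower().endswith('.exe'):
        findings.append('Antivirus Agent: not an .exe path')
    if '[FILENAME]' not in str(values.get('Antivirus Parameters', ('', ''))[1]):
        findings.append('Antivirus Parameters: no [FILENAME] placeholder')
    return findings
```

Files exported by regedit in this format are UTF-16, so read a real export with `open(path, encoding='utf-16')` before passing its text to `lint_filter`.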

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

Have you tested it against the emails from http://www.webmail.us/testvirus ?

I would like to know how it goes ?

pqxl
Posts: 48
Joined: Mon May 15, 2006 12:01 pm

Post by pqxl »

No, like I said in the text, I tested it with the actual test virus from www.eicar.org. This is the site to visit, and they warn about trusting other websites that say they provide the test virus.

http://www.eicar.org/anti_virus_test_file.htm IS the page to get the test virus from, not any other sites.

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

Yep, fine, but like I said you need to test with the likes of the site I said as they send a copy of the eicar virus in multiple ways.

I have tested it against a number of AV scanners and some miss quite a few of the tests. If I send just the eicar virus, any scanner will pick it up. But there are a number of ways in email to mask a virus. This web site attempts to test your config against all of these types.

pqxl
Posts: 48
Joined: Mon May 15, 2006 12:01 pm

Post by pqxl »

Well, use it or don't use it.

This is a list of things that need to be done to make NOD32 work, it was derived from an old reg file posted by mailenable for another version back in 2004 and then modified by me with the help from the mailenable support (Ian M).

Since I made this work in our server several other viruses have been caught, not only the eicar test virus, so it certainly works.

Like I said, use it or don't use it, this is for people that do want NOD32 to work with Mail Enable.

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

Maybe I missed this here, what version of NOD did you test this on, server or workstation ?

pqxl
Posts: 48
Joined: Mon May 15, 2006 12:01 pm

Post by pqxl »

The "desktop" version.

There is no server version of NOD32, there is a desktop and an enterprise version.

The only difference between them is that the Enterprise version has remote administration.

NOD32 antivirus system information
Virus signature database version: 1.1548 (20060519)
Dated: Friday, May 19, 2006
Virus signature database build: 7298

Information on other scanner support parts
Advanced heuristics module version: 1.028 (20060324)
Advanced heuristics module build: 1107
Internet filter version: 1.002 (20040708)
Internet filter build: 1013
Archive support module version: 1.044 (20060424)
Archive support module build version: 1155

Information about installed components
NOD32 For Windows NT/2000/XP/2003 - Base
Version: 2.50.45
NOD32 For Windows NT/2000/XP/2003 - Internet support
Version: 2.50.45
NOD32 for Windows NT/2000/XP/2003 - Standard component
Version: 2.50.45

Operating system information
Platform: Windows 2003
Version: 5.2.3790 Service Pack 1
Version of common control components: 5.82.3790
RAM: 2048 MB
Processor: Intel(R) Xeon(TM) CPU 2.66GHz (2666 MHz)

juliandormon
Posts: 19
Joined: Fri May 13, 2005 10:00 pm

Can you tell me how to add the registry file more precisely

Post by juliandormon »

Hi pqxl,
You said to 1. Merge this modified reg key (copy to a file nod32.reg, right click and select merge or just double click it).

Can you be more specific? I have no idea how to add registry settings.

Much appreciated!

juliandormon
Posts: 19
Joined: Fri May 13, 2005 10:00 pm

Figured it out

Post by juliandormon »

Hi pqxl,
Never mind. I figured it out.

Just copy all that text to a file and save it as suggested.
Then right mouse click it and select merge. It's that easy!

D Warner
Posts: 1
Joined: Tue Apr 03, 2018 12:10 pm

Re:

Post by D Warner »

pqxl wrote:OK, here it is, tested and confirmed to work with 2.04 (at least with the Pro version)

I had the same issue and was unable to get ESET NOD32 anti-virus to work with Mail Enable Enterprise Edition, but now, after following the above procedure, it is all set once again. Source: https://www.criticthoughts.com/security/eset-review/

ekazon
Posts: 1
Joined: Wed Nov 28, 2018 10:21 am

Re:

Post by ekazon »

pqxl wrote:OK, here it is, tested and confirmed to work with 2.04 (at least with the Pro version)

I have added these registry settings, but after that they seem to miss some tests. I am worried about the possible vulnerabilities it can bring.

robertaser
Posts: 47
Joined: Mon Jan 23, 2006 4:28 pm

Re: NOD32 Anti-Virus Filter

Post by robertaser »

In the MTA logs I am getting the errors below:

06/21/21 20:56:50 Error scanning attachment - Command Line Scanner Process (C:\Program Files\eset\ESET File Security\ecls.exe /arch /no-quarantine /mail /rtp /adware /sfx /pattern /adv-heur /unsafe /unwanted /clean-mode=delete) took too long and was terminated

robertaser
Posts: 47
Joined: Mon Jan 23, 2006 4:28 pm

Re: NOD32 Anti-Virus Filter

Post by robertaser »

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD]
"Status"=dword:00000001
"Antivirus Notification Message"="<<- Attachment was removed because it appears to contain a virus ->>"
"Antivirus Scratch Directory"="C:\\Program Files (x86)\\Mail Enable\\Scratch"
"Provider DLL"="MEAVGEN.DLL"
"Program Name"="NOD32"
"Program Info"="NOD32 Antivirus software has been developed by Eset Software since 1992. Eset today is a privately held software development and research company with offices in San Diego, USA, London, UK, Prague, CZ and Bratislava, SK."
"Exit Code Enabled"=dword:00000000
"Exit Codes Error Inclusive"=dword:00000000
"Exit Codes"="0"
"Type"=dword:00000001
"Antivirus Agent"="C:\\Program Files\\eset\\ESET File Security\\ecls.exe"
"Send Return Notification"=dword:00000000
"Notification Address"=""
"Message Handling"=dword:00000000
"Antivirus Parameters"="C:\\Program Files\\eset\\ESET File Security\\ecls.exe /arch /no-quarantine /mail /rtp /adware /sfx /pattern /adv-heur /unsafe /unwanted /clean-mode=delete"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD\Default]
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000000
"Exit Codes"="0"
"Antivirus Agent"="C:\\Program Files\\eset\\ESET File Security\\ecls.exe"
