NOD32 Version 3

MartynK
Posts: 1322
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

NOD32 Version 3

Postby MartynK » Tue Mar 25, 2008 12:42 pm

Anyone had a look at this yet, it seems they have removed the program NOD32.exe which could be used with MailEnable ?

gorn
Posts: 1
Joined: Tue Jul 01, 2008 5:58 pm

Yes, use the new ecls.exe

Postby gorn » Tue Jul 01, 2008 6:27 pm

ESET has replaced NOD32.exe with their command line scanner program ECLS.EXE. You can import the old registry file from other posts and then change a few settings, which I'll list below. It was funny that ESET support referred me back to this forum, and no one had posted anything on ecls.exe settings yet, so hopefully this will be helpful to some.

After importing a registry file from the old version, you should see a NOD32 listed...go under Servers->Localhost->Mail Enable Message Filter -> Mail Enable AntiVirus Filters.

Change these settings: (assumes you install on C:)
Program Path: C:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe
Command Line Arguments: "[AGENT]" /base-dir="C:\Program Files\ESET\ESET NOD32 Antivirus" /no-log-all /log-file="C:\Program Files\ESET\ESET NOD32 Antivirus\mailenablelog.txt" /no-boots /mail /rtp /adware /sfx /unsafe /unwanted /pattern /heur /adv-heur /action=clean "[FILENAME]"

Check Command Line Argument will delete attachment.

This seems to work well. I picked the options that I thought would do the best job. It creates a log file mailenablelog.txt in your ESET directory. The no-log-all should tell it to only log files that are cleaned, but that doesn't seem to work, which is frustrating. I get logs of other scans as well. You can also view the mailenable log under the virus filter log area.

It's supposed to insert "virus detected" in the body of the message. This doesn't always work. If I send a file from webmail, it won't insert the little tag line (it will remove the virus though! and show up in the ESET log, but not always in the MailEnable log). It will however insert the tag line if I send the message using Outlook Express set on my outgoing mail server (same as webmail uses though, so it's weird). I guess it's not a biggy, but I decided to add an additional message filter to insert a subject line prefix which seems to always work. See below.

I added another FILTER under MESSAGE MANAGER->Filters.
I added a new filter and titled it NOD32 and told it when it detected a virus to add a prefix to the subject line, and I typed in my own prefix. This seemed to work well using a few test files even if it didn't show "detected a virus" in the body of the message.

Tried Exit Codes:
I didn't have much luck using the exit code option on the NOD32 anti virus filter screen. It seemed to work better to just check off "Command Line Argument Will Delete Attachment".. Theoretically, it should have worked by putting in:
0 100
as the only valid exit codes and choose "any return code not in the list"..., but I had better success just checking off the line argument will delete instead.

dawesi
Posts: 3
Joined: Wed Jun 02, 2004 2:22 pm
Contact:

This is what I used...

Postby dawesi » Sat Aug 02, 2008 10:06 pm

Using Mail Enable Enterprise 3.x and Nod32 3.x

My install directory is obviously: C:\Program Files\Nod32

Note that the syntax now recommended by nod in the docs is -- not /

Also note that you need to change --no-log-all to --log-all to this to log every attempt. The test tool provided with Nod32 returns negative, however real scanning is ok.

"[AGENT]" --base-dir="C:\Program Files\Nod32" --arch --quarantine --mail --rtp --adware --sfx --pattern --adv-heur --unsafe --unwanted --action=clean --quarantine --no-log-all --log-file="C:\Program Files\Nod32\mail-log.txt" "[FILENAME]"

I also used the return code of 0 (zero) in the "Return code will be checked against this list" as nod32 returns the code 0 for scanned ok

so the reg file would be:

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD]
"Status"=dword:00000001
"Antivirus Notification Message"="<<- Attachment was removed because it appears to contain a virus ->>"
"Antivirus Scratch Directory"=""
"Antivirus Parameters"="\"[AGENT]\" --base-dir=\"C:\\Program Files\\Nod32\" --arch --quarantine --mail --rtp --adware --sfx --pattern --adv-heur --unsafe --unwanted --action=clean --quarantine --no-log-all --log-file=\"C:\\Program Files\\Nod32\\mail-log.txt\" \"[FILENAME]\""
"Provider DLL"="MEAVGEN.DLL"
"Program Name"="NOD32"
"Program Info"="NOD32 Antivirus software has been developed by Eset Software since 1992. Eset today is a privately held software development and research company with offices in San Diego, USA, London, UK, Prague, CZ and Bratislava, SK."
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000000
"Exit Codes"="0"
"Type"=dword:00000001
"Antivirus Agent"="C:\\Program Files\\Nod32\\ecls.exe"
"Send Return Notification"=dword:00000000
"Notification Address"=""
"Message Handling"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD\Default]
"Antivirus Parameters"="\"[AGENT]\" --base-dir=\"C:\\Program Files\\Nod32\" --arch --quarantine --mail --rtp --adware --sfx --pattern --adv-heur --unsafe --unwanted --action=clean --quarantine --no-log-all --log-file=\"C:\\Program Files\\Nod32\\mail-log.txt\" \"[FILENAME]\""
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000000
"Exit Codes"="0"
"Antivirus Agent"="C:\\Program Files\\Nod32\\ecls.exe"



1. change the directory C:\\Program Files\\Nod32\\ and C:\Program Files\Nod32 to your install directory
2. save this code to mailenable-nod32.reg
3. double click on the file to insert it into mail enable
4. go to Servers > Filters > MailEnable Message Filter
5. Double click on Mailenable antivirus filter
6. Select Enabled for Nod32 (if reqd)
7. Click on Options
8. Make sure Program Path and options are as above
9. Make sure "Return code will be checked against this list" is ticked
10. Make sure 0 (zero) is in the list
11. Make sure "Any return code not in list" is selected in Return code check box.
12. Hit Ok, Ok

Restart MTA Service

NiallDavis
Posts: 22
Joined: Thu Jan 17, 2008 10:12 pm

NOD32 ECLS error

Postby NiallDavis » Wed Aug 20, 2008 9:42 am

Hi Guys,

I am using NOD32 v3 ECLS

I have tried my own configuration and the one in this thread but I always get an error:

Info="error opening archive"

This error only occurs when I tell it to scan a mail file i.e. .mai file - any other file is fine.

I have tried many combinations of switches including of course --mail and --arch.

Anyone got any ideas?

Thanks,

Niall.

base2
Posts: 4
Joined: Fri Aug 22, 2008 2:22 am

Re: This is what I used...

Postby base2 » Fri Aug 29, 2008 2:19 pm

dawesi wrote:I also used the return code of 0 (zero) in the "Return code will be checked against this list" as nod32 returns the code 0 for scanned ok
...
...
9. Make sure "Return code will be checked against this list" is ticked
10. Make sure 0 (zero) is in the list
11. Make sure "Any return code not in list" is selected in Return code check box.
12. Hit Ok, Ok


Thanks for posting this. Like Gorn, I was unable to get the return codes working correctly so I've switched to "Command Line Argument Will Delete Attachment" instead.

Will give it a week or so to see if this works as expected.

NiallDavis
Posts: 22
Joined: Thu Jan 17, 2008 10:12 pm

Postby NiallDavis » Fri Aug 29, 2008 2:49 pm

Hi base2,

I have tried that but I still got errors - in the end I raised a support ticket with ESET and they told me that .mai files weren't supported because they were proprietary mail files and that was why nod is returning the error.

What seems weird to me is that if that is the case, how come other people can get it to work - I am using NOD32 v3 ecls.exe

Thanks,

Niall.

base2
Posts: 4
Joined: Fri Aug 22, 2008 2:22 am

Postby base2 » Fri Aug 29, 2008 2:59 pm

NiallDavis wrote:I have tried that but I still got errors - in the end I raised a support ticket with ESET and they told me that .mai files weren't supported because they were proprietary mail files and that was why nod is returning the error.

What seems weird to me is that if that is the case, how come other people can get it to work - I am using NOD32 v3 ecls.exe


Here's the details from the log file created at "C:\Program Files\ESET\ESET NOD32 Antivirus\mailenablelog.txt"

Code:

ECLS Command-line scanner, version 3.0.621.0, (C) 2007 ESET, spol. s r.o.
Module loader, version 1024 (20080514), build 1025
Module perseus, version 1141 (20080828), build 1169
Module scanner, version 3399 (20080829), build 3453
Module archiver, version 1081 (20080729), build 1036
Module advheur, version 1074 (20080803), build 1024

Command line: --base-dir=C:\Program Files\ESET\ESET NOD32 Antivirus --no-log-all --log-file=C:\Program Files\ESET\ESET NOD32 Antivirus\mailenablelog.txt --no-boots --mail --rtp --adware --sfx --unsafe --unwanted --pattern --heur --adv-heur --action=clean C:\PROGRA~1\MAILEN~1\Scratch\151D7C~1.MAI\2.ATT

Scan started at:   08/29/08 10:27:34
name="C:\PROGRA~1\MAILEN~1\Scratch\151D7C~1.MAI\2.ATT", threat="Win32/Spy.Agent.PZ trojan", action="deleted", info=""
name="C:\PROGRA~1\MAILEN~1\Scratch\151D7C~1.MAI\2.ATT » ZIP » In776162.exe", threat="Win32/Spy.Agent.PZ trojan", action="was a part of the deleted object", info=""


It appears to work (using 3.0 Business Edition).

In my inbox, I receive the original virus-attached email with the attachment removed from the body. In place of the attachment is the line

Code:

<<- Attachment was removed because it appears to contain a virus ->>


What error message are you receiving?

NiallDavis
Posts: 22
Joined: Thu Jan 17, 2008 10:12 pm

Postby NiallDavis » Fri Aug 29, 2008 3:35 pm

Hi - thanks for the reply!

Here is an example of the log:

Code:

ECLS Command-line scanner, version 3.0.650.0, (C) 1992-2008 ESET, spol. s r.o.
Module loader, version 1024 (20080514), build 1025
Module perseus, version 1138 (20080818), build 1166
Module scanner, version 3367 (20080819), build 3383
Module archiver, version 1081 (20080729), build 1036
Module advheur, version 1074 (20080803), build 1024

Command line: /no-boots /max-archive-level=5 /mail /arch /adware /sfx /rtp /pattern /action=clean /quarantine /log-file=d:\ME-NOD32.txt d:\program files\mail enable\478FE435F311483F9C1F3A23CB0C67B2.MAI

Scan started at:   08/19/08 10:49:49
name="d:\program", threat="", action="", info="error opening"
name="files\mail", threat="", action="", info="error opening"
name="enable\478FE435F311483F9C1F3A23CB0C67B2.MAI", threat="", action="", info="error opening"

Scan completed at: 08/19/08 10:49:49
Scan time:         0 sec (0:00:00)
Total:             files - 3, objects 0
Infected:          files - 0, objects 0
Cleaned:           files - 0, objects 0


ESET seem to think it will never work, but a whole load of other people seem to be using it fine?

Thanks again!

Niall.

base2
Posts: 4
Joined: Fri Aug 22, 2008 2:22 am

Postby base2 » Fri Aug 29, 2008 3:50 pm

NiallDavis wrote:

Code:

Command line: /no-boots /max-archive-level=5 /mail /arch /adware /sfx /rtp /pattern /action=clean /quarantine /log-file=d:\ME-NOD32.txt d:\program files\mail enable\478FE435F311483F9C1F3A23CB0C67B2.MAI

Scan started at:   08/19/08 10:49:49
name="d:\program", threat="", action="", info="error opening"
name="files\mail", threat="", action="", info="error opening"
name="enable\478FE435F311483F9C1F3A23CB0C67B2.MAI", threat="", action="", info="error opening"



Hi Niall.. it looks like the path is giving ECLS a problem. ECLS sees the path, "d:\program files\mail enable\478FE435F311483F9C1F3A23CB0C67B2.MAI", as 3 files to scan:

- "d:\program"
- "files\mail"
- "enable\478FE435F311483F9C1F3A23CB0C67B2.MAI"

Make sure your "Command Line Arguments" field looks similar to this:

Code:

"[AGENT]" --base-dir="C:\Program Files\ESET\ESET NOD32 Antivirus" --log-file="C:\Program Files\ESET\ESET NOD32 Antivirus\mailenablelog.txt" --no-log-all --no-boots --mail --rtp --adware --sfx --unsafe --unwanted --pattern --heur --adv-heur --action=clean "[FILENAME]"

Notice [AGENT] and [FILENAME] are both enclosed in double-quotes.

Hope this helps.

Zento
Posts: 11
Joined: Tue Nov 07, 2006 12:17 pm

Postby Zento » Mon Mar 23, 2009 11:39 am

Hi all.

I've a problem trying to use NOD32 v4.0.314.0 with MailEnable Professional 3.61 under Windows 2008 Web Edition:

From the solution in this thread, I modified registry to use my path:

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD]
"Status"=dword:00000001
"Antivirus Notification Message"="<<- Adjunto quitado porque parece contener un virus ->>"
"Antivirus Scratch Directory"=""
"Provider DLL"="MEAVGEN.DLL"
"Program Name"="NOD32"
"Program Info"="NOD32 Antivirus software has been developed by Eset Software since 1992. Eset today is a privately held software development and research company with offices in San Diego, USA, London, UK, Prague, CZ and Bratislava, SK."
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000000
"Exit Codes"="0"
"Type"=dword:00000001
"Antivirus Agent"="C:\\PROGRA~1\\ESET\\ESETNO~1\\ecls.exe"
"Send Return Notification"=dword:00000000
"Notification Address"=""
"Message Handling"=dword:00000000
"Antivirus Parameters"="\"[AGENT]\" --base-dir=\"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\" --arch --quarantine --mail --rtp --adware --sfx --pattern --adv-heur --unsafe --unwanted --clean-mode=delete --no-quarantine --no-log-all --log-file=\"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\mail-log.txt\" \"[FILENAME]\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNOD\Default]
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000000
"Exit Codes"="0"
"Antivirus Agent"="C:\\PROGRA~1\\ESET\\ESETNO~1\\ecls.exe"
"Antivirus Parameters"="\"[AGENT]\" --base-dir=\"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\" --arch --quarantine --mail --rtp --adware --sfx --pattern --adv-heur --unsafe --unwanted --action=clean --quarantine --no-log-all --log-file=\"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\mail-log.txt\" \"[FILENAME]\""


When using Antivirus Filter "Test settings..." button, everything seems correct, and one entry like this is created in mail-log.txt:

Code:

ECLS Command-line scanner, version 4.0.314.0, (C) 1992-2009 ESET, spol. s r.o.
Módulo loader, versión 1028 (20090302), revisión 1031
Módulo perseus, versión 1199 (20090321), revisión 1241
Módulo scanner, versión 3953 (20090321), revisión 4647
Módulo archiver, versión 1091 (20090213), revisión 1046
Módulo advheur, versión 1092 (20090309), revisión 1049

Línea de comandos: --base-dir=C:\Program Files\ESET\ESET NOD32 Antivirus --arch --quarantine --mail --rtp --adware --sfx --pattern --adv-heur --unsafe --unwanted --clean-mode=delete --no-quarantine --no-log-all --log-file=C:\Program Files\ESET\ESET NOD32 Antivirus\mail-log.txt c:\plesk\Mail Servers\Mail Enable\Scratch\EICAR.ZIP

Inicio del análisis: 03/23/09 12:19:55
nombre="c:\plesk\Mail Servers\Mail Enable\Scratch\EICAR.ZIP", amenaza="Eicar test file", acción="deleted", información=""

Análisis completado     03/23/09 12:19:55
Tiempo de análisis:      0 seg (0:00:00)
Total:          archivos - 1, objetos 1
Infectados:   archivos - 0, objetos 0
Desinfectados:    archivos - 1, objetos 1


But when a message is received, it is not processed, received in mailbox with virus attachments included, and no log entry is created in mail-log.txt. I've tried using short path names, giving permissions to All to NOD32 folder and running MTA service as Administrator, with no luck.

This is what shows MAVGEN.Report.log;

Code:

03/23/09 12:28:54   Could not find path to antivirus executable (2): ()
03/23/09 12:28:54   Could not find path to antivirus executable (2): ()


This is what shows MTA-Debug.log:

Code:

03/23/09 12:28:54   Processing file 489D6C8BDE5E4B22964E9AA99FA7EAC0.MAI from queue SMTP
03/23/09 12:28:54   MTADeliverMessage::Pre Pickup Event executing:  489D6C8BDE5E4B22964E9AA99FA7EAC0.MAI SMTP
03/23/09 12:28:54   MTADeliverMessage::Pickup Event could not find path to executable (2): ( 489D6C8BDE5E4B22964E9AA99FA7EAC0.MAI SMTP)
03/23/09 12:28:54   MTADeliverMessage::Executing external COM event pleskmemta.PleskMEMTA with message 489D6C8BDE5E4B22964E9AA99FA7EAC0.MAI from SMTP queue
03/23/09 12:28:54   ME-MTA-ROUTE [489D6C8BDE5E4B22964E9AA99FA7EAC0.MAI] from [SMTP] Connector queued to [SMTP] Connector as [5B80928012AE4342885FA31C8DA5F722.MAI]


Any thoughts? Thank you in advance.

deadlove
Posts: 4
Joined: Tue Nov 07, 2006 6:49 pm
Location: Rhodes - Greece
Contact:

Postby deadlove » Sat Apr 11, 2009 5:38 pm

Hi,

had the same error "executable not found".

after some tests, I came up with the solution (to my case).

run the executable from the command prompt adding the /help switch (or --help).

If the arguments are showing with "/" then you have to use /argument instead of --argument.

something else that was blocking the scan is a duplicated argument, so make sure everything is correct and typed once!


my parameters are:

"[AGENT]" /base-dir="C:\Program Files\ESET\ESET NOD32 Antivirus" /arch /quarantine /mail /rtp /adware /sfx /pattern /adv-heur /unsafe /unwanted /action=clean /log-file="C:\Program Files\ESET\ESET NOD32 Antivirus\mail-log.txt" /no-log-all "[FILENAME]"

Hope that helps...

Zento
Posts: 11
Joined: Tue Nov 07, 2006 12:17 pm

Postby Zento » Mon Apr 13, 2009 5:57 pm

Hi.

deadlove wrote:If the arguments are showing with "/" then you have to use /argument instead of --argument.


First, thanks for posting. I tried using "/" argument instead of "--", but made no difference.

I think it's related to something internal to MailEnable, because the "Test settings..." button works perfectly, removing attached EICAR file and writing in the mail-log.txt file, but MTA service can't find executable.

deadlove
Posts: 4
Joined: Tue Nov 07, 2006 6:49 pm
Location: Rhodes - Greece
Contact:

Postby deadlove » Tue Apr 14, 2009 7:03 am

Hi,

As I can see from your previous post, in the arguments you have some duplicates...
you use "--quarantine" 2 times and in the second parameters (default) you use "--quarantine" and "--no-quarantine" at the same parameter line...

have a look on that and make sure that every switch you need to use is not in conflict with any other and is typed only once!

Also something that may help, is to run the executable from a command prompt and try to pass all the arguments you want to use and see the results. If it works then the problem is somewhere else.

Now as for the test button that says it works... I think it only checks to see if the executable is there... nothing more.

Good luck ;-)
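
Added example, not part of any post in this thread: a small Python check for a MailEnable "Command Line Arguments" value that flags the two problems diagnosed above, an unquoted [AGENT]/[FILENAME] placeholder (base2's post) and duplicated or conflicting switches (deadlove's post). It assumes the argument line is split on whitespace outside double quotes, which matches the three "error opening" entries in NiallDavis's log; the template `NIALL_TEMPLATE` is reconstructed from that log and the function names are hypothetical.

```python
import re

# A token is a run of non-space characters; double-quoted parts may hold spaces.
TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')
# Either switch style seen in the thread: /name or --name, optional no- and =value.
SWITCH = re.compile(r'^(--|/)(no-)?([A-Za-z][\w-]*)(?:=(.*))?$')

def scan_targets(params, filename):
    """Expand [FILENAME] and return the tokens left over as files to scan."""
    expanded = params.replace("[FILENAME]", filename)
    return [tok.strip('"') for tok in TOKEN.findall(expanded)
            if "[AGENT]" not in tok and not SWITCH.match(tok)]

def lint_parameters(params):
    """Return a list of findings for one argument template."""
    findings = []
    tokens = TOKEN.findall(params)
    for placeholder in ("[AGENT]", "[FILENAME]"):
        if placeholder in params and f'"{placeholder}"' not in tokens:
            findings.append(f"unquoted placeholder: {placeholder}")
    seen = {}          # switch name -> forms seen so far (True = no- form)
    prefixes = set()
    for tok in tokens:
        m = SWITCH.match(tok)
        if not m:
            continue
        prefix, negated, name, _value = m.groups()
        prefixes.add(prefix)
        forms = seen.setdefault(name, [])
        if bool(negated) in forms:
            findings.append(f"duplicate switch: {name}")
        elif forms:
            findings.append(f"conflicting switches: {name} and no-{name}")
        forms.append(bool(negated))
    if len(prefixes) > 1:
        findings.append("mixed switch prefixes: / and --")
    return findings

# Sample inputs taken from the posts above (NIALL_TEMPLATE is reconstructed).
NIALL_FILE = r"d:\program files\mail enable\478FE435F311483F9C1F3A23CB0C67B2.MAI"
NIALL_TEMPLATE = (r"/no-boots /max-archive-level=5 /mail /arch /adware /sfx /rtp "
                  r"/pattern /action=clean /quarantine /log-file=d:\ME-NOD32.txt [FILENAME]")
BASE = (r'"[AGENT]" --base-dir="C:\Program Files\ESET\ESET NOD32 Antivirus" --arch '
        r"--quarantine --mail --rtp --adware --sfx --pattern --adv-heur --unsafe --unwanted ")
TAIL = (r'--no-log-all --log-file="C:\Program Files\ESET\ESET NOD32 Antivirus\mail-log.txt" '
        r'"[FILENAME]"')
ZENTO_MAIN = BASE + "--clean-mode=delete --no-quarantine " + TAIL
ZENTO_DEFAULT = BASE + "--action=clean --quarantine " + TAIL

if __name__ == "__main__":
    print(scan_targets(NIALL_TEMPLATE, NIALL_FILE))
    for label, value in (("main", ZENTO_MAIN), ("default", ZENTO_DEFAULT)):
        print(label, lint_parameters(value))
```
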

Zento
Posts: 11
Joined: Tue Nov 07, 2006 12:17 pm

Postby Zento » Tue Apr 14, 2009 10:08 am

deadlove wrote:my parameters are:

"[AGENT]" /base-dir="C:\Program Files\ESET\ESET NOD32 Antivirus" /arch /quarantine /mail /rtp /adware /sfx /pattern /adv-heur /unsafe /unwanted /action=clean /log-file="C:\Program Files\ESET\ESET NOD32 Antivirus\mail-log.txt" /no-log-all "[FILENAME]"

Hi deadlove.

I simply copied your parameters, restarted MTA, and it started working. So, seems that my parameters were wrong.

Thank you a lot!

deadlove
Posts: 4
Joined: Tue Nov 07, 2006 6:49 pm
Location: Rhodes - Greece
Contact:

Postby deadlove » Wed Apr 15, 2009 8:32 am

You are welcome... glad I helped ;-)
