New external agent definition for eset NOD32 v4 or newer? - ORF Forums

New external agent definition for eset NOD32 v4 or newer? RSS Back to forum

1

Hi,

anyone can provide a new external agent definition for ESET NOD32 version 4 or later? The one to download won't work. And it seems that nearly all parameters have changed since version 2.6.

Thanks

Reply
by Norbert Fehlauer more than 10 years ago
2

@Norbert Fehlauer: I made a definition based on their online documentation (http://kb.eset.com/esetkb/index?page=content&;id=SOLN565), though I have not tested it. I made it available in my public Dropbox folder for now: https://dl.dropbox.com/u/6193776/nod32v4.zip

Please let me know if it works correctly, then I will upload it to vamsoft.com as well :)

Reply
by Krisztian Fekete (Vamsoft) more than 10 years ago
(in reply to this post)

3

Hi Krisztian,

thanks for your reply. /action=none means even if a virus is found no action is taken? I tested with EICAR and it got catched after passing ORF. /action=clean gives "Could not send mail (550 5.7.1 Message rejected. NOD32 found virus in the message.)". Am I missing something here? Shouldn't /action=none exit with 1 and the mail get rejected?

Thanks.

Reply
by Norbert Fehlauer more than 10 years ago
4

BTW. version 4 ecls can be found here: http://kb.eset.com/esetkb/index?page=content&;id=SOLN2285 it changes action into clean-mode. Although both seems to work in version 4.

Reply
by Norbert Fehlauer more than 10 years ago
5

http://www.eset.sg/html/171/757/ found it. Version 4 uses exit code 50 for "Threat found".

Reply
by Norbert Fehlauer more than 10 years ago
6

@Norbert Fehlauer: ah, so they are changing it in each version. Not a good approach... It breaks batch files, scheduled scans, etc. on each upgrade.

Reply
by Krisztian Fekete more than 10 years ago
(in reply to this post)

7

Yes exactly. Are you Publishing the New Definition? It seems to work now for me. Maybe others can use it as well.

Reply
by Norbert more than 10 years ago
8

@Norbert Fehlauer: the /action= parameter is the action to be performed by the command line scanner. Since it tests a temporary copy of the email, setting it to "clean" won't do anything, because even if it disinfects the temporary copy of the email created by ORF for the External Agent test, that is not the one which will be delivered to the actual recipient.

So you should configure the command line scanner not to do anything other then reporting back the test result to ORF, which will perform the action on the "real" incoming email (reject or tag or whatever).

You cannot use External Agent to disinfect infected files: if you wish to do that, you should use the native email filtering feature/component of your anti-virus software, which is way more flexible.

Reply
by Krisztian Fekete more than 10 years ago
(in reply to this post)

9

@Norbert: Yes, I will add this exit code.

Reply
by Krisztian Fekete more than 10 years ago
(in reply to this post)

10

Ok, now i got it. ;) Thanks for the explanation.

Reply
by Norbert more than 10 years ago
11

BTW. version 5 uses the same exitcodes.
http://download.eset.com/manuals/eset_eav_5_userguide_enu.pdf

Can you please publish the definition into the external agents section?

Reply
by NorbertFe more than 10 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2