New external agent definition for eset NOD32 v4 or newer? RSS



anyone can provide a new external agent definition for ESET NOD32 version 4 or later? The one to download won't work. And it seems that nearly all parameters have changed since version 2.6.


by Norbert Fehlauer 6 years ago

@Norbert Fehlauer: I made a definition based on their online documentation (, though I have not tested it. I made it available in my public Dropbox folder for now:

Please let me know if it works correctly, then I will upload it to as well :)

by Krisztian Fekete (Vamsoft) 6 years ago
(in reply to this post)


Hi Krisztian,

thanks for your reply. /action=none means even if a virus is found no action is taken? I tested with EICAR and it got catched after passing ORF. /action=clean gives "Could not send mail (550 5.7.1 Message rejected. NOD32 found virus in the message.)". Am I missing something here? Shouldn't /action=none exit with 1 and the mail get rejected?


by Norbert Fehlauer 6 years ago

BTW. version 4 ecls can be found here: it changes action into clean-mode. Although both seems to work in version 4.

by Norbert Fehlauer 6 years ago
5 found it. Version 4 uses exit code 50 for "Threat found".

by Norbert Fehlauer 6 years ago

@Norbert Fehlauer: ah, so they are changing it in each version. Not a good approach... It breaks batch files, scheduled scans, etc. on each upgrade.

by Krisztian Fekete 6 years ago
(in reply to this post)


Yes exactly. Are you Publishing the New Definition? It seems to work now for me. Maybe others can use it as well.

by Norbert 6 years ago

@Norbert Fehlauer: the /action= parameter is the action to be performed by the command line scanner. Since it tests a temporary copy of the email, setting it to "clean" won't do anything, because even if it disinfects the temporary copy of the email created by ORF for the External Agent test, that is not the one which will be delivered to the actual recipient.

So you should configure the command line scanner not to do anything other then reporting back the test result to ORF, which will perform the action on the "real" incoming email (reject or tag or whatever).

You cannot use External Agent to disinfect infected files: if you wish to do that, you should use the native email filtering feature/component of your anti-virus software, which is way more flexible.

by Krisztian Fekete 6 years ago
(in reply to this post)


@Norbert: Yes, I will add this exit code.

by Krisztian Fekete 6 years ago
(in reply to this post)


Ok, now i got it. ;) Thanks for the explanation.

by Norbert 6 years ago

BTW. version 5 uses the same exitcodes.

Can you please publish the definition into the external agents section?

by NorbertFe 6 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed