Full Version: New NOD32 plugin
The CD Forum > Bart's PE Builder > Plugins
Crand
I've been meaning to do this for a while and I've finally finished it. NOD32 2.50.25 for XPE with IMON and AMON active.

I have been using XPE with NOD32 for quite some time now and on 1 in 3 systems, NOD32KUI.EXE will lock during the xpeinit process. I was just going to change the process by which I launched the control panel but 2 days later here I am with a NOD32 inf that has both AMON and IMON active. I'm sure there's somebody out there that would find this of some interest.

What I really need is for somebody to test this thing out. I've used it on my 3 systems and my Vaio laptop without any issues other than the tray icon not appearing on the Vaio. KUI was still active though.

The reason IMON didn't work until you started it manually is because NOD32 activates the WS2IFSL service and adds some Winsock2 interfaces so it can intercept any HTTP, SMTP, and POP3 traffic. I probably should have just created a plugin for the WS2IFSL service by itself. I'll do that later.

Anyway, somebody try this out and let me know it if works for you. If you have anything to add, please let me know. I think my email is in my profile here so you can drop me a line.

Download Plugin Here
natcom
QUOTE (Crand @ Jul 5 2005, 05:50 AM)

Thanks, I will give this a try. Can this be updated from within XPE?
ponzandro
@crand

I like the idea of resident protection for some cases.

I did a test and noticed that there is no
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2....
key when you load the setupreg.hiv from the output directory pebldr.

I did not apply your winsock2.reg when running nod32_25.cmd, but all the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2....
keys, subkeys and values were created dynamically at runtime of BartPE.

When you compare the keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
....
....
....

you will notice that they differ from machine to machine.
(On my PC I have entries from 000000000001 to 000000000035, on another from 000000000001 to 000000000007.)

So I guess it is not necessary to apply the winsock2.reg.

edit
There are some lines in NOD32_25.inf that should be changed:
QUOTE
0x1, "Eset\Nod\CurrentVersion\Modules\NOD32", "Filename", "%temp%\Eset\ps_nod32.dll"
If you use variables in the values it should be:
QUOTE
0x2, "Eset\Nod\CurrentVersion\Modules\NOD32", "Filename", "%temp%\Eset\ps_nod32.dll"
d4vr0s
Having the catalog entries misnumbered in the winsock can cause tcp issues as well.
Crand
QUOTE (ponzandro @ Jul 5 2005, 10:54 AM)

The first 3 entries are created by IMON when it starts and it won't (for me at least) automatically start without them. If you look at the binary data of those keys, you'll see imon.dll.

The first time I built this script, I put the winsock entries in the inf file and TCP/IP services would fail. Later I noticed that this also could have been caused by them being in Software.AddReg instead of Setup.AddReg. I didn't have the time to chase that one down.

I think the numbering scheme may be different depending on what software has installed extra interfaces or by the number of NICs in the system. That's why I left it a reg file instead of scripting it in. You can start XPE and IMON then export that section of the registry to winsock2.reg.

The next step for this is writing a little VB script to rename the existing winsock interfaces and add IMON where it should go. It'll probably be another couple of weeks before I have that done since I'm so freakin busy during the week.
d4vr0s
@ponzandro
QUOTE
if you use variables in the values it should be:

QUOTE
0x2, "Eset\Nod\CurrentVersion\Modules\NOD32", "Filename", "%temp%\Eset\ps_nod32.dll"

Crand is using regexpander to set those at runtime:
CODE
0x7, "Sherpya\RegExpander\HKLM","Software\Eset\NOD\CurrentVersion\Modules\NOD32", "Filename", "StandardUI"
ponzandro
QUOTE (Crand @ Jul 6 2005, 06:46 AM)

When watching the registry entries in:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
....
....
I noticed that some more Catalog Entries were added when e.g. starting the dial-up services. They were added in ascending order, e.g.:
QUOTE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]


Starting IMON, 3 new Catalog Entries were added with the next free numbers 00000000000x
in the catalog entries.

I guess exporting from BartPE and reapplying the IMON Catalog Entry numbers in another session will only work if no other network interfaces or services have been registered to the Winsock and the number range/order of the Catalog Entries has changed due to that.
This could lead to overwriting existing entries when starting IMON.

@d4vr0s
QUOTE
Crand is using regexpander to set those at runtime:

Sorry, I've overlooked that...
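Crand's planned script (renaming the existing interfaces so IMON lands "where it should go") and ponzandro's warning that reapplying exported entry numbers can overwrite entries are two sides of the same problem. The Python below is an added example, not part of the plugin or of anyone's post in this thread: it reads the Catalog_Entries key names from an exported winsock2.reg, checks them against the IDs present in the target session, and renumbers the export onto the next free IDs. It handles key names only; the PackedCatalogItem binary data and the Num_Catalog_Entries count under Protocol_Catalog9 also have to agree, which it does not attempt, and both the .reg text and the live ID list are constructed.

```python
import re

# Registry path the thread discusses; each subkey name is a 12-digit catalog entry ID.
CATALOG = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2"
           r"\Parameters\Protocol_Catalog9\Catalog_Entries")
KEY_RE = re.compile(r"^\[" + re.escape(CATALOG) + r"\\(\d{12})\]\s*$", re.M)

# Constructed stand-in for a winsock2.reg exported from a BartPE session in which IMON
# took the next free slots 8, 9 and 10. Only the key names matter for this check; the
# PackedCatalogItem data is a placeholder, not real catalog content.
EXPORTED_REG = "Windows Registry Editor Version 5.00\n\n" + "".join(
    f"[{CATALOG}\\{n:012d}]\n\"PackedCatalogItem\"=hex:00\n\n" for n in (8, 9, 10))

def exported_entry_ids(reg_text):
    """IDs of the Catalog_Entries keys the exported .reg file would write."""
    return sorted(int(m) for m in KEY_RE.findall(reg_text))

def plan_merge(existing_ids, reg_text):
    """Compare the export against the live catalog of another session.

    Returns (collisions, mapping): exported IDs that would overwrite entries that
    already exist, and a rename map placing every exported entry after the live range.
    """
    exported = exported_entry_ids(reg_text)
    live = set(existing_ids)
    collisions = [n for n in exported if n in live]
    start = max(live, default=0) + 1
    return collisions, {n: start + i for i, n in enumerate(exported)}

def renumber(reg_text, mapping):
    """Rewrite the key names in the export so the entries land on free IDs.
    Num_Catalog_Entries under Protocol_Catalog9 still has to be raised separately."""
    return KEY_RE.sub(lambda m: f"[{CATALOG}\\{mapping[int(m.group(1))]:012d}]", reg_text)

if __name__ == "__main__":
    # Constructed: the target session already holds entries 1-15 (e.g. dial-up services
    # registered first), so the exported 8-10 would clobber live entries.
    collisions, mapping = plan_merge(range(1, 16), EXPORTED_REG)
    print("would overwrite:", collisions)   # [8, 9, 10]
    print("renumber to:", mapping)          # {8: 16, 9: 17, 10: 18}
```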
bruce lee
Hi Crand,

In your plugin there is a file named "Winsock2.reg". What is this and how can I build it? Can you explain to me in two words what this is?

Thanks for your Help !!!

Excuse me for my BAD ENGLISH!!!
Crand
QUOTE (bruce lee @ Aug 13 2005, 06:17 AM)

When IMON starts, it modifies the winsock entries. If IMON doesn't start automatically, start it manually and export the keys from the working registry and save them in this file for your next PE build.
bruce lee
Hi Crand,

I have tested your plugin with version 2.51.8 and I have some questions:

1/ Can I use "Nod32 2.51.8" on other computers without trouble? Obviously I have a licence.

2/ I use "Nod32 2.51.8" in combination with "Ultimate Boot CD Win 2.5" and with another anti-virus on a USB 2.0 key. The reason is that it is very quick. With a DiskOnKey Intuix S500 of 1 GB, it is 4 times faster than a CD for booting and up to 10 times faster for loading programs. With a USB key, I never could build an application with XPE and Nu2XPE at the latest version without trouble. For this reason, I want to use "NOD32 2.51.8" with "Nu2Menu", but it doesn't work. Can you build your "Nod32.xml" for me?

Thanks For your Help !!!!


Excuse me for my "BAD ENGLISH"!!!

Regards.
sk400
I have a question too.
I'm a total noob trying to learn a little bit more.

I don't understand this part:
CODE
;         -------PULL THESE VALUES FROM YOUR CURRENT REGISTRY-------
;
;         ex.  Registry Value for "Date" is "1C0607D5", you would
;              only modify that part of the following value. Do
;              not remove "0x" prefix from any of these values.


0x4, "Eset\Nod\CurrentVersion\Info", "Date", 0x1C0607D5
0x4, "Eset\Nod\CurrentVersion\Info", "PackageID", 0x68DBAF89
0x4, "Eset\Nod\CurrentVersion\Modules\Update\Settings", "LastExpireCheck", 0x42C775F8
0x4, "Eset\Nod\CurrentVersion\Modules\Update\Settings", "LastUpdateAttempt", 0x42C81EB9
0x4, "Eset\Nod\CurrentVersion\Modules\Update\Settings", "LastUpdate", 0x42C61941
0x1, "Eset\Nod\CurrentVersion\Modules\Update\Settings\Config000\Settings", "Username", ""
0x3, "Eset\Nod\CurrentVersion\Modules\Update\Settings\Config000\Settings", "Password", 00,00,00,00,00,00,00,00,00,00


From which registry do I take those values out?
Thanks for your help.
Joshua
QUOTE (sk400 @ Aug 14 2005, 03:06 PM)
From which registry do I take those values out?


From your real Windows registry.
Start regedit and get them.
I hope you have installed NOD.

Joshua
sk400
QUOTE (Joshua @ Aug 14 2005, 10:09 AM)

Thanks for the info Joshua.
Yes, I have it installed.
I'm gonna try it later,
gotta go out right now.
Thanks again.
Invision Power Board © 2001-2010 Invision Power Services, Inc.