Spool32.exe using NOD to access internet


Maximillium
August 21st, 2007, 05:04 PM
In reference to "Spooler32.exe using NOD to access internet" (http://www.wilderssecurity.com/showthread.php?t=148380&highlight=spooler) from September 2006 (considered too old a thread to sustain additional posts):

I am having the same problem NOW, with the exception that instead of an occasional spooler message, I'm getting them by the hundreds, virtually continuously -- and it's seriously affecting my use of the internet.

ESET Tech Support is putting it down as a flaw in ZoneAlarm, and I just don't buy it. No other legitimate program I've ever used has ever used the spooler to call out on the internet, and the calls are all to eset.com servers.

If the spooler can be used for this purpose, can't the same be said for other, perhaps malware, programs? For this reason, I have the printing and spooling restricted to the LAN, and blocked from the internet zone in ZA.

The NOD32 Kernel Service has complete access to updates and updates are done regularly, so I'm not missing updates.

I can kill the spooler, but don't want to kill my printer.

Anyone know a way to get NOD32 to stop screwing with the bloody spooler?

From my first post to ESET Tech support:

-----

2006-12-31 2300 to ESET Tech support via site dialog:

Why does the spooler have to talk to my ISP?

And why is it trying to use NOD32 to do it?

Shortly after boot-up, I get this ZoneAlarm Security Alert:

"Spooler Sub System Process is trying to
use NOD32 Kernel Service to access the
Internet."

Destination IP is 66.51.205.100:DNS (My ISP)

Why does the spooler have to talk to the internet at all?

I'm getting these alerts repeatedly, and despite repeated manual
denials and program settings in ZoneAlarm set for denial, the damn
spooler repeats and repeats, ad nauseam.

Is there a way to kill this thing?

What's happening?

C.A. Kerschner
Los Angeles CA
Winders 98SE -- and no, I'm not going to "upgrade" to XP.
-----------------------------------------------------------------------

In ZoneAlarm's "Alerts & Logs" tab, Alert type "Program",
this alert occurs about 12 times per minute:

"Spooler Sub System Process requested permission to be a parent."

About once a minute, SPOOL32.EXE tries to make an outbound connection:

"Spooler Sub System Process is trying to
use NOD32 Kernel Service to access the
Internet."

This time, to IP
89.202.157.133:HTTP

IP address: 89.202.157.133
Reverse DNS: [No reverse DNS entry per ns0.interoute.net.uk.]
Reverse DNS authenticity: [Unknown]
ASN: 8928
ASN Name: INTEROUTE (Interoute Communications Ltd)
IP range connectivity: 2
Registrar (per ASN): RIPE
Country (per IP registrar): GB [United Kingdom]
Country Currency: GBP [United Kingdom Pounds]
Country IP Range: 89.202.128.0 to 89.202.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): CZ [Czech Republic]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 89.202.157.133

bottom of message sent; web dialog space limited.
-----------------------------------------------------------------------
~~
In the "Alerts & Logs" tab, Alert type "Firewall",

82.165.177.174:80 = ESET.com

IP address: 82.165.177.174
Reverse DNS: u12.eset.com.
Reverse DNS authenticity: [Verified]
ASN: 8560
ASN Name: SCHLUND-AS (Schlund + Partner AG)
IP range connectivity: 2
Registrar (per ASN): RIPE
Country (per IP registrar): DE [Germany]
Country Currency: EUR [euros]
Country IP Range: 82.165.0.0 to 82.165.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 82.165.177.174
-----------------------------------------------------------------------

multiple alerts to destination IP (probably by SPOOL32):

207.151.118.196:80
207.151.118.194:80

These last two are tried alternately,
cycling consecutively through ports, looking for a hole on my machine:
:4989, :2446, :2442, :2436, :2428, :2410, :2406, :2400, :2396, :2391, :2384, :2380, :2376, :2371, :2361, :2205, :2200,
etc. etc. down to :1586 this time.

Reverse DNS for 207.151.118.196:80:
United States [City: Redondo Beach, California] Sorry, bogus IPv6
address detected. (sic)

WHOIS results for 207.151.118.196:
OrgName: Los Nettos
OrgID: LNET
Address: USC Information Services Division
Address: University Park Campus
City: Los Angeles
StateProv: CA
PostalCode: 90089-0251
Country: US

NetRange: 207.151.0.0 - 207.151.255.255
CIDR: 207.151.0.0/16
NetName: LOS-NETTOS-BLK3
NetHandle: NET-207-151-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: CATA.LN.NET
NameServer: C30.LN.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1996-06-18
Updated: 2005-01-11

RTechHandle: LH-ORG-ARIN
RTechName: LosNettos Hostmaster
RTechPhone: +1-213-740-1531
RTechEmail: hostmaster@ln.net

OrgAbuseHandle: LNAT-ARIN
OrgAbuseName: Los Nettos Abuse Team
OrgAbusePhone: +1-213-740-1531
OrgAbuseEmail: abuse@ln.net

-----------------------------------------------------------------------

89.202.157.133:HTTP (ESET)

Looking up 89.202.157.133 at whois.ripe.net.
Location: Czech Republic [City: ]

Marcos
August 21st, 2007, 05:10 PM
It seems to be a bug in Zone Alarm. The problem seems to be that they assigned a wrong app name to the kernel process.

Maximillium
August 21st, 2007, 06:36 PM
{QUOTE-> It seems to be a bug in Zone Alarm. The problem seems to be that they assigned a wrong app name to the kernel process. <-QUOTE}
I don't think so.

BOTH the NOD32 kernel process AND the spooler are screaming for the eset.com servers, and originally I was getting ZA alerts for both.

Now the spooler is blocked from the internet and ZA is configured to allow connection with the eset.com servers. NOD32 gets all its updates directly via connection by the NOD32 kernel to the servers. There is NO logical reason for the spooler to be involved at all.

If the spooler weren't calling out, I don't believe ZA would be generating a spooler alert message.

So far, everything is as usual; Eset blames ZA, ZA says "Say what...?"

alglove
August 21st, 2007, 08:15 PM
What type of printer do you have? Some printer drivers use TCP/IP as a means of internal communication. In effect, they use a client/server model for the driver, with both the client and server running on the local computer.

I am just wondering if something is getting confused with the combination of printer driver + NOD32 + ZA.

Maximillium
August 21st, 2007, 11:23 PM
{QUOTE-> What type of printer do you have? Some printer drivers use TCP/IP as a means of internal communication. In effect, they use a client/server model for the driver, with both the client and server running on the local computer.

I am just wondering if something is getting confused with combination of printer driver + NOD32 + ZA. <-QUOTE}

I couldn't say how the printer driver might be tangled up with TCP/IP. All I know is if the spooler goes, the printer goes with it.

The printer (Canon BJC2100) is plugged into lpt1, the parallel printer port.

I just discovered this:

Microsoft Security Bulletin MS05-043

Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)

Published: August 9, 2005 | Updated: April 18, 2007

http://www.microsoft.com/technet/security/Bulletin/MS05-043.mspx

Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows Server 2003
• Microsoft Windows Server 2003 for Itanium-based Systems


We're all up-to-date with our updates, yes?

So it looks like programs other than printer drivers can use the spooler....

Maximillium
August 24th, 2007, 11:01 AM
{QUOTE-> I couldn't say how the printer driver might be tangled up with TCP/IP. All I know is if the spooler goes, the printer goes with it. <-QUOTE}

The printer (Canon BJC2100) is plugged into the parallel printer port, lpt1, and is shared over the LAN with other computers in the LAN (ZA "Trusted" zone).

Spooler connections to the "Internet" zone are blocked.

Every time the NOD32 kernel calls for an update, the spooler does the same, and to the same (NOD32) server.

Any gurus here?

dannyboy
August 24th, 2007, 12:24 PM
{QUOTE-> Winders 98SE -- and no, I'm not going to "upgrade" to XP. <-QUOTE}

I can't believe you still use Windows 98. If you're as paranoid about security as you seem, you should know that MS stopped providing security updates and other support for Win 98 more than a year ago. It's a dead OS.

Maximillium
August 24th, 2007, 06:21 PM
{QUOTE-> I can't believe you still use Windows 98. If you're as paranoid about security as you seem, you should know that MS stopped providing security updates and other support for Win 98 more than a year ago. It's a dead OS. <-QUOTE}
Sigh....

(Patiently...) The hardware here won't support XP.

As soon as I can get my Winders-based programs to run under Linux, that's where I'm going -- and I've already picked the distribution. I just have to stay compatible with some really legacy programs & hardware that I use daily. Think DOS and HP 200LX -- STILL my idea of the best pocket computer ever made. Too bad HP "improved" it with Win CE.

Does anyone here understand the NOD32 program enough to know why it needs to use the spooler -- and how to prevent it?

Why programmers & tech support people for programs designed to RUN on Windows don't seem to understand how their programs USE Windows is difficult for me to understand.

NOD32 user
August 26th, 2007, 05:39 PM
Hi Maximillium,

It has been common enough in my own experience for even some of the best firewalls to misidentify traffic.
NOD32 doesn't use a print spooler to access its servers. If what you are suggesting was possibly a NOD32 issue, I'm certain that Marcos would have said so, as he is one who would know.

Cheers :)

EDIT: And Blackspear is another with a great deal of experience with NOD32, firewalls and PCs in general: {QUOTE-> ... however if you have other software that likes to mess with Winsock (such as ZoneAlarm firewall), ... <-QUOTE}

Maximillium
January 28th, 2008, 12:48 PM
This was posted today (Jan 28, 2008) to ESET Support:

Hello...?

I haven't heard from anyone for a while.

Referring to an earlier e-mail exchange in which ZA was blamed for
mis-identifying the spooler, here is some additional information:

When I re-name the spooler so it's not available for use by the
system, the spooler's connection requests to ESET servers stop.

When I re-name the spooler so it's available to the OS again,
the spooler's connection requests to ESET servers resume.

This is NOT a misidentification by ZA of a process.

When the spooler is trying to connect, it is asking specifically
for any one of 28 different ESET servers. When the spooler is
disabled, NOD32 gets its updates the way I would expect it to, by
the NOD32 kernel making a direct request, which works just fine
as I have afforded the kernel specific permissions through ZA to
all the ESET servers -- or at least 25 of them.

If the print spooler can be made to connect to the internet, I
consider this to be a major security hole, which is why I have
blocked the spooler from connecting through ZA to the internet.

The spooler is still free to connect INSIDE the local network to
find the printers.

The only problem I see here is NOD32 trying to use the spooler.
NOD32 is the only anti-virus I have ever used that does this.

Please either fix this or let me know if you can't so I can go
to another anti-virus program.

C.A. Kerschner
Los Angeles CA

Bubba
February 1st, 2008, 11:12 AM
So as not to have duplicate ongoing discussions and considering this was a fairly old thread, we'll bring this one to a close and continue in your newly created thread concerning this matter.

Continue here---> http://www.wilderssecurity.com/showthread.php?t=199135

Regards,
Bubba