NOD32 using spooler to update AV definitions

In reference to : https://www.wilderssecurity.com/showthread.php?t=183322&highlight=Maximillium


This was posted today ( Jan 28, 2008 ) to ESET Support:

Hello...?

I haven't heard from anyone for a while.

Referring to an earlier e-mail exchange in which ZA was blamed for
mis-identifying the spooler, here is some additional information:

When I re-name the spooler so it's not available for use by the
system, the spooler's connection requests to ESET servers stop.

When I re-name the spooler so it's available to the OS again,
the spooler's connection requests to ESET servers resume.

This is NOT a misidentification by ZA of a process.

When the spooler is trying to connect, it is asking specifically
for any one of 28 different ESET servers. When the spooler is
disabled, NOD32 gets its updates the way I would expect it to, by
the NOD32 kernel making a direct request, which works just fine
as I have afforded the kernel specific permissions through ZA to
all the ESET servers -- or at least 25 of them.

If the print spooler can be made to connect to the internet, I
consider this to be a major security hole, which is why I have
blocked the spooler from connecting through ZA to the internet.

The spooler is still free to connect INSIDE the local network to
find the printers.

The only problem I see here is NOD32 trying to use the spooler.
NOD32 is the only anti-virus I have ever used that does this.

Please either fix this or let me know if you can't so I can go
to another anti-virus program.

C.A. Kerschner
Los Angeles CA

 

Not getting much of a response, here.

Any thoughts, anyone? I believe my best bet may be to go back to AVG.

 

I had AVG Anti Malware on my daughters computer, along with Webroot Spysweeper (paid subscription), and I uninstalled them both, and put in NOD32. Ran a scan and found 16 incidences of infiltrations, including trojans. At the end of the trial period, I for one, am registering her NOD32, and I am NOT going back to AVG.

I've never heard of the spooler that you described, as being a part of Anti Virus configurations. But, I am open to learn something new each day.

 

FWIW, I'm not seeing what you see. If I totally stop the spooler service (go out to a command prompt and use "net stop spooler"), NOD32 version 3 still updates with no issue. My free ZoneAlarm 6.1.744.001 has no listing at all for the spooler service ever making any requests for an outbound connection or to act as a server...

 

Hi Darth:

Well, this information just adds to my frustration. Barf!

Same for me. No other anti-virus application has ever done this for me either!

 

Hi Han:

Interesting; I seem to have reverted from the "Pro" version to the same version number as the "free" one (6.1.744.001), now that no one wants to support Win98 anymore. Mine still does have the functions that allow setup/choice of IPs in Firewall>Zones. I'm not sure exactly what the "free" version will do.

I'm using NOD32 v2.7. Not sure if v3 will work in Win98SE.

In ZoneAlarm, Program-Control>Main>Program-Control-Custom brings a dialog in which you can choose "Advanced Program Control" which "informs you when one program tries to use another program to gain access to the internet", and "Component Control", "an advanced security feature designed to prevent malicious programs from hijacking trusted programs." -- Quoting further; "However, some programs that use other programs to access the Internet are legitimate. For your convenience, the most common of these legitimate programs are pre-configured with permission to acces the Internet. To view and adjust these pre-configured programs, see the Programs tab of the Program Control panel."

This is, I am assuming, the function which detects NOD32's use of the spooler to go out onto the Internet, and if no one else has this function enabled, may be the reason no one else has noticed what NOD32 is doing with the spooler.

So far, the only opinions received here have been to blame ZoneAlarm for "mis-identifying" a process. I have disabled and re-enabled the spooler (SPOOL32.EXE in Win9x). ZA is definitely NOT mis-identifying anything, and if NOD32 can use the spooler to access the Internet, so can anything else. Not real great, ESET! And I still have yet to receive an answer from ESET Tech Support about Case #79535 - "NOD32 using spooler to update AV definitions" ( January 21, 2008 ).

 

Here is a SMALL example of what I'm seeing in my ZA Alerts, edited down somewhat for clarity and with the requested IPs identified:


OutgoingConnectRequests.txt

IPs called ----------- Firewall --------------------- Requesting ---- Server
--------------------- Action ---------------------- Program ------ Requested

89.202.149.40:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u30.eset.com
89.202.149.41:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u31.eset.com
89.202.149.42:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u32.eset.com
89.202.149.43:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u33.eset.com
89.202.149.44:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u34.eset.com
89.202.149.46:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u36.eset.com
89.202.149.47:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u37.eset.com
89.202.149.49:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u39.eset.com
89.202.157.130:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u20.eset.com
89.202.157.132:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u22.eset.com
89.202.157.133:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u23.eset.com
89.202.157.135:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u25.eset.com
89.202.157.136:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u26.eset.com
89.202.157.137:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u27.eset.com
89.202.157.138:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u28.eset.com
89.202.157.139:80 - Blocked 2 Outgoing (Connect) - SPOOL32.EXE - u29.eset.com
217.67.22.97:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u15.eset.com
217.67.22.106:80 - Blocked 1 Outgoing (Connect) - SPOOL32.EXE - u14.eset.com
217.67.22.110:80 - Blocked 2 Outgoing (Connect) - SPOOL32.EXE - u13.eset.com

This was abbreviated to only be a partial list of ESET servers to which the
spooler is making dozens and dozens (hundreds?) of connection attempts.

 

Would you happen to have a Lexmark printer? I have seen some odd things with the spooler service and Lexmarks...

 

Heh - I WAS printing to the Canon BJC2100 I inherited from my son when he got his PIXMA6000d (or something like that) - and since the BJC died I'm printing to his shared PIXMA through the LAN.

No Lexmarks here, and the ancient HP gave up a long time ago....

In any case, the spooler is only currently aiming itself toward ESET IPs -- and I haven't printed anything to them yet....

 

Hello, I'd try to:

1. uninstall ZA and NOD32 Antivirus
2. install NOD32 Antivirus again
3. install a different firewall to see if you still have problems with spool32.exe trying to connect to our servers

I'd say it's a ZA thing.

 

Hi Mayth:

And I would agree. Seems to me ZA is just doing exactly what it's designed to do -- trap unauthorized use of programs.

I just went through a ZA re-install not too long ago, which had no effect on this behavior. It may be that other firewalls aren't capable of detecting programs' use of other programs to access the internet. I don't know.

I do know if I uninstall NOD32 over this, it ain't gonna get re-installed.

I'd be interested to know if anyone else here is running ZA PRO and would test the settings for "Program Control":

* In ZoneAlarm, Program-Control>Main>Program-Control-Custom

* check "Enable Advanced Program Control"
* and "Enable Component Control"

* "OK" out of the dialogs, then check the "Alerts and Logs" page, "Alert type [Program]" over the following few days, and let us all know what happens.

WinXP may or may not have this problem, and/or may not have the spooler service active if on a laptop.

I know on my (Win98SE) tower if I disable (re-name) spool32.exe, NOD32 functions normally -- it CAN'T FIND the spooler -- but I can't print either.

Nod32 seems to have very protective fans/users. Nice to see, but I see nothing so far to indicate a problem with ZA or the spooler -- other than finding out that a program other than a print driver can use it to connect to the Internet.

Not carping, here, just ruminating:

If the spooler "sub service", as it's labeled by ZA, is capable of printing to a network printer by using an IP address, I guess it could, in fact, be directed to other IP addresses as well. So far, in my experience, nothing else has ever actually used the spooler in this way -- I print, and that works, and other programs go to their "update" sites in their own way. Only NOD32 wants to connect BOTH directly AND invoke the spooler.

So here I sit, between two tech support sites (ESET and ZA), each of whom is pointing at the other, and in my opinion, neither of whom seems to know enough about either their own programs or Winders to have a definitive answer. Not real comforting, to envision programmers in both companies sitting around scratching their heads.

Still haven't heard from ESET Tech Support about Case #79535 - "NOD32 using spooler to update AV definitions" ( January 21, 2008 ).

 

Well guys I just used my FW to force spooler to ask for access to the internet.

I then ran a NOD 32 update which ran fine, not a problem spooler didn't run. I checked the cpu times for it and zero time was used by spooler.

Observation: On my Windows xp sp2, using OA 2 as a FW and Nod 32 2.7 as the AV, NOD 32 doesn't use spooler to update anything.


This ZA log recording may be wrong it looks that way to me.

 

Hi "Esc": Thanks for testing!

Your entry left me wondering: You're using ZA PRO? I don't know "OA 2".

You set or changed your settings for "Program Control" in ZA?

* In ZoneAlarm PRO, Program-Control>Main>Program-Control-Custom

* check "Enable Advanced Program Control"
* and "Enable Component Control"

* "OK" out of the dialogs... etc.

"WinXP may or may not have this problem, and/or may not have the spooler service active if on a laptop."

Are you on a desktop or a laptop, and is your spooler service activated? (type "net start" without the quotes at a command prompt for a list of running processes in XP)

Probably nothing you don't already know -- but all of which I just learned by looking in my son's computer....

How did you "force the spooler to ask for access to the internet, using the firewall?

 

Just to be clear:

1) I don't use ZA Pro any more, I now use OA 2 for my FW and HIPS
2) My spooler service is active
3) In OA 2,the user can force any exe to ask for access including services.

I am not on a laptop. I have an attached HP printer.

My test shows that NOD 32 doesn't use spooler to update. Given that ZA says it did, that seems an incorrect display you posted. Have you considered the possibility that ZA itself is calling home via that method? It wouldn't be the first time that has happened.

See ya

 

Thanks for checking, Escalader.

I may have a NOD32 Win98 problem that's not a problem in XP.

Regarding 3) above; are you forcing an .exe to ask for access, or are you forcing OA 2 to alert you that an access is being made?

Can OA 2 be set to alert you when a program uses another program to access the Internet?

Why would ZA "call home" to a different company?

 

Not a problem, it is an iinteresting matter, testing is better than speculations

Yes, that is possible, have you checked if NOD32 offically works with w98?

The 1st, it asks for access, user grants it or not. If the access was already made it is past tense and the horse has left the barn!

Yes, on a program by program basis you can have it allow, ask or block to even start another program. On FF for example I block it from starting other applications. But OA uses a white list of trusted programs to keep the user from being nagged to much.

You would have to ask them that. This matter takes us OT IMO, but you may want to consider a packet sniffer to find out more about what info is leaving your PC and which exe is sending it and where it is going. That one is above my pay grade at this time.

Security firms have used gathering sites to collect outbreak information on virus detection from your PC and mine. It is a question of whether or not they tell the user that and offer an opt out on a privacy basis, AND if the opt out option is actually effective. For more information on that see the ZA Pro learning thread :

https://www.wilderssecurity.com/showthread.php?t=172579

This was a very controversial thread at the time and I have moved on from that one. But it is fair to say I changed my FW as a result of the learnings in that thread.

I invite you to the learning thread on OA 2 here

https://www.wilderssecurity.com/showthread.php?t=189414


I have no time to post OA learning stuff in more than one thread.

 

Thank you, Escalader

 

Hooray! Got a reply from ESET Tech Support about Case #79535 - "NOD32 using spooler to update AV definitions" on Thursday ( February 14, 2008 )!

Maybe we'll all find out why:

The spooler tries to connect to the Internet when NOD32 wants to update itself,

ZoneAlarm identifies the fact that a program is using another program to connect to the Internet,

The URLs in question all point to ESET servers,

I am not printing anything to an ESET server,

Other programs connect to the Internet, but the only one that invokes the spooler is NOD32,

and

When the spooler is disabled (SPOOL32.EXE renamed to SPOOL32.EXE.XXX), NOD32 simply can't find the spooler and updates itself the normal way (direct connection) with no problem. If only it would just do THAT and leave the spooler alone!

Nobody else seems to know or believe that this happens, and so far, no one else who also runs ZA Pro has tested this and written in about it.

As of now, I am convinced that ZA is doing exactly what it's supposed to do. I must say, the amount of time ESET Tech Support is taking to come up with some sort of answer to this does not inspire great confidence, even though NOD32 does seem to have an extremely loyal (and protective) customer base.

 

here is some useful information:

spool32.exe is a part of the Microsoft Windows Operating System which deals with the spooling of Microsoft Windows print jobs. This process is only executed when this method is selected in the printers configuration properties. This program is important for the stable and secure running of your computer and should not be terminate

I would like to give you some my suggestions.If you worry that NOD32 is trying to connect Internet by using spooler that may cause privacy leaking,you can uninstall ZA and install another firewall like OP and see if it happens.OP has the same function as ZA that can detect and block a program connect Internet by using other program.You can proform this function by enable Anti-leak module in OP.

 

Thank you, viruscraft.

You can't have read this whole thread, but to bring you up-to-date; ZA is already doing its intended function of alerting me that "a program is trying to use another program to access the Internet."

I need the spooler function to print to the printer that is attached to another computer on the LAN.

The spooler does not call out to the Internet on its own. It is used by other programs for this, presumably in search of a connection to a networked printer.

Since I consider this to be a security hole, I have blocked the spooler's access to the Internet and allowed its access to the LAN so as to print.

NOD32 has been allowed full access to 25 of its servers so as to get direct connection, and doesn't need the spooler to do it. When the spooler is disabled, updates are performed regularly and normally -- but I lose my printer.

If I keep the spooler enabled, NOD32 hammers the Internet continually, generating multiple alerts from ZoneAlarm -- doing what ZA is supposed to do, alerting me that "a program is trying to use another program to access the Internet."

NOD32 is the only AV with which I have ever had this experience -- not that I have tried all of them.

People on this list seem unable to acknowledge a possible fault in their pet AV program, and are ready to blame anything else, most notably the ZA firewall. I have used ZoneAlarm since it was first put into circulation, and it has not failed me nor has it given me a lot of bogus alerts. It may well be that other firewalls block the activity but simply don't report it -- in which case how would the user know about the activity?

In summary, NOD32 has no possible need to use the spooler, but it does, and no one, including ESET, seems to be aware of it or understand it, or, possibly, acknowledge it.

 

I see.
It's really strange.

Let's see is there anyone esle can explain this issues.

 

Hi all,
Newbie to Wilders...I tripped over the forum via a Google search. I rarely print or fax therefore I don't need spooler (spoolsv.exe) to be resident all the time. It's been said, in the forum and others, that Windows requires it (I am assuming for reasons other than print/fax spooling to memory) and that it should not be stopped or prevented from starting and, it is the only program control entry that ZA warns about if you try and change access to "ask" from "allow. I find it a bit distressing that I can't control internet access even with a firewall. Can someone tell me why the spooler subsystem is on such hallowed ground?
Thanks in advance, Duke
P.S. As an aside, I don't understand why the program control list keeps growing and where half of these programs originated from? A lot are duplicated many times like "avg anti-rootkit", "Java (TM) platform..." etc. and some have no reference at all; such as "SL1E1.tmp" and one named just plain "M". Thanks again.

 

Hi, wjwduke:

This site is devoted (I do mean devoted) to ESET's NOD32 antivirus, which seems to do things that generate "alerts" in ZoneAlarm, that are not done by (most?) other AVs.
I think you probably should be looking here for ZA stuff:
http://www.zonealarm.com/store/content/support/userForum/userForum_agreement.jsp?dc=12bms&ctry=US&lang=en
where you can find yourself between software companies that point at each other, saying "It ain't us!"

Maximillium