Spool32.exe using NOD to access internet

Discussion in 'NOD32 version 2 Forum' started by Maximillium, Aug 21, 2007.

Thread Status:
Not open for further replies.
  1. Maximillium

    Maximillium Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    19
    In reference to "Spooler32.exe using NOD to access internet"
    https://www.wilderssecurity.com/showthread.php?t=148380&highlight=spooler
    in September of 2006 (considered too old a thread to sustain additional posts):

    I am having the same problem NOW, with the exception that instead of an occasional spooler message, I'm getting them by the hundreds, virtually continuously -- and it's seriously affecting my use of the internet.

    ESET Tech Support is putting it down as a flaw in ZoneAlarm, and I just don't buy it. No other legitimate program I've ever used has ever used the spooler to call out on the internet, and the calls are all to eset.com servers.

    If the spooler can be used for this purpose, can't the same be said for other, perhaps malware, programs? For this reason, I have the printing and spooling restricted to the LAN, and blocked from the internet zone in ZA.

    The NOD32 Kernel Service has complete access to updates and updates are done regularly, so I'm not missing updates.

    I can kill the spooler, but don't want to kill my printer.

    Anyone know a way to get NOD32 to stop screwing with the bloody spooler?

    From my first post to ESET Tech support:

    -----

    2006-12-31 2300 to ESET Tech support via site dialog:

    Why does the spooler have to talk to my ISP?

    And why is it trying to use NOD32 to do it?

    Shortly after boot-up, I get this ZoneAlarm Security Alert:

    "Spooler Sub System Process is trying to
    use NOD32 Kernel Service to access the
    Internet."

    Destination IP is 66.51.205.100:DNS (My ISP)

    Why does the spooler have to talk to the internet at all?

    I'm getting these alerts repeatedly, and despite repeated manual
    denials and program settings in ZoneAlarm set for denial, the damn
    spooler repeats and repeats, ad nauseam.

    Is there a way to kill this thing?

    What's happening?

    C.A. Kerschner
    Los Angeles CA
    Winders 98SE -- and no, I'm not going to "upgrade" to XP.
    -----------------------------------------------------------------------

    In ZoneAlarm's "Alerts & Logs" tab, Alert type "Program",
    this alert occurs about 12 times per minute:

    "Spooler Sub System Process requested permission to be a parent."

    About once a minute, SPOOL32.EXE tries to make an outbound connection:

    "Spooler Sub System Process is trying to
    use NOD32 Kernel Service to access the
    Internet."

    This time, to IP
    89.202.157.133.HTTP


    bottom of message sent; web dialog space limited.
    -----------------------------------------------------------------------
    ~~
    In the "Alerts & Logs" tab, Alert type "Firewall",

    82.165.177.174:80 = ESET.com

    -----------------------------------------------------------------------

    multiple alerts to destination IP (probably by SPOOL32):

    207.151.118.196:80
    207.151.118.194:80

    These last two are tried alternately,
    cycling consecutively through ports, looking for a hole on my machine:
    :4989
    :2446
    :2442
    :2436
    :2428
    :2410
    :2406
    :2400
    :2396
    :2391
    :2384
    :2380
    :2376
    :2371
    :2361
    :2205
    :2200
    etc. etc. down to :1586 this time.

    Reverse DNS for 207.151.118.196:80:
    United States [City: Redondo Beach, California]Sorry, bogus IPv6
    address detected.(sic)

    WHOIS results for 207.151.118.196:

    -----------------------------------------------------------------------

    89.202.157.133:HTTP (ESET)


    Looking up 89.202.157.133 at whois.ripe.net.
    Location: Czech Republic [City: ]
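The two ZoneAlarm "Program" alert wordings quoted in the post above ("X is trying to use Y to access the Internet. Destination IP is ..." and "X requested permission to be a parent.") can be triaged mechanically: parse them, then check whether the destinations attributed to the "relayed" process are the same ones the helper program reaches on its own, which is the pattern this thread argues about. This is an added example, not code from the thread or from ESET or ZoneAlarm; the log lines, their timestamps and the direct "NOD32 Kernel Service" line are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed ZoneAlarm-style "Program" alert lines in the wording the thread quotes;
# the timestamps and the direct kernel-service line are assumptions, not the poster's log.
ALERTS = """\
2007-08-21 08:01:10 Spooler Sub System Process is trying to use NOD32 Kernel Service to access the Internet. Destination IP is 66.51.205.100:DNS
2007-08-21 08:01:15 Spooler Sub System Process requested permission to be a parent.
2007-08-21 08:01:20 Spooler Sub System Process requested permission to be a parent.
2007-08-21 08:02:05 Spooler Sub System Process is trying to use NOD32 Kernel Service to access the Internet. Destination IP is 89.202.157.133:HTTP
2007-08-21 08:02:30 NOD32 Kernel Service is trying to access the Internet. Destination IP is 89.202.157.133:HTTP
2007-08-21 08:03:12 Spooler Sub System Process is trying to use NOD32 Kernel Service to access the Internet. Destination IP is 89.202.157.133:HTTP
"""

OUTBOUND_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>.+?) is trying to (?:use (?P<via>.+?) to )?"
    r"access the Internet\. Destination IP is (?P<dst>\S+)$")
PARENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>.+?) requested permission to be a parent\.$")

def parse_alerts(text):
    """Turn alert lines into dicts; lines in neither format are skipped."""
    events = []
    for line in text.splitlines():
        m = OUTBOUND_RE.match(line)
        if m:
            events.append({"kind": "outbound", **m.groupdict()})
            continue
        m = PARENT_RE.match(line)
        if m:
            events.append({"kind": "parent", "via": None, "dst": None, **m.groupdict()})
    return events

def relayed_overlap(events):
    """For each (process, helper) pair, the destinations the helper also reaches
    directly. A large overlap means the traffic pattern is the helper's own
    (here: the update servers), so the process attribution is what to verify
    before treating the named process as compromised."""
    direct = defaultdict(set)
    relayed = defaultdict(set)
    for e in events:
        if e["kind"] != "outbound":
            continue
        if e["via"]:
            relayed[(e["proc"], e["via"])].add(e["dst"])
        else:
            direct[e["proc"]].add(e["dst"])
    return {pair: dsts & direct[pair[1]] for pair, dsts in relayed.items()}

def peak_parent_requests_per_minute(events):
    """Highest count of 'be a parent' prompts in any one minute (the poster saw ~12)."""
    per_minute = Counter(e["ts"][:16] for e in events if e["kind"] == "parent")
    return max(per_minute.values(), default=0)
```

Run it over an exported ZoneAlarm alert log instead of ALERTS to see whether every "relayed" destination is one the helper contacts on its own; if it is, the firewall's attribution is the first thing to confirm (for example by disabling the named process, as the poster later did) before blaming either program.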
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It seems to be a bug in Zone Alarm. The problem seems to be that they assigned a wrong app name to the kernel process.
     
  3. Maximillium

    Maximillium Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    19
    I don't think so.

    BOTH the NOD32 kernel process AND the spooler are screaming for the eset.com servers, and originally I was getting ZA alerts for both.

    Now the spooler is blocked from the internet and ZA is configured to allow connection with the eset.com servers. NOD32 gets all its updates directly via connection by the NOD32 kernel to the servers. There is NO logical reason for the spooler to be involved at all.

    If the spooler weren't calling out, I don't believe ZA would be generating a spooler alert message.

    So far, everything is as usual; Eset blames ZA, ZA says "Say what...?"
     
  4. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    What type of printer do you have? Some printer drivers use TCP/IP as a means of internal communication. In effect, they use a client/server model for the driver, with both the client and server running on the local computer.

    I am just wondering if something is getting confused with the combination of printer driver + NOD32 + ZA.
     
  5. Maximillium

    Maximillium Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    19
    I couldn't say how the printer driver might be tangled up with TCP/IP. All I know is if the spooler goes, the printer goes with it.

    The printer (Canon BJC2100) is plugged into lpt1, the parallel printer port.

    I just discovered this:

    Microsoft Security Bulletin MS05-043

    Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)

    Published: August 9, 2005 | Updated: April 18, 2007

    http://www.microsoft.com/technet/security/Bulletin/MS05-043.mspx

    Affected Software:
    •Microsoft Windows 2000 Service Pack 4
    •Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
    •Microsoft Windows Server 2003
    •Microsoft Windows Server 2003 for Itanium-based Systems


    We're all up-to-date with our updates, yes?

    So it looks like programs other than printer drivers can use the spooler....
     
    Last edited: Aug 24, 2007
  6. Maximillium

    Maximillium Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    19
    The printer (Canon BJC2100) is plugged into the parallel printer port, lpt1, and is shared over the LAN with other computers in the LAN (ZA "Trusted" zone.)

    Spooler connections to the "Internet" zone are blocked.

    Every time the NOD32 kernel calls for an update, the spooler does the same, and to the same (NOD32) server.

    Any gurus here?
     
  7. dannyboy

    dannyboy Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    113
    Location:
    UK
    I can't believe you still use Windows 98. If you're as paranoid about security as you seem, you should know that MS stopped providing security updates and other support for Win 98 more than a year ago. It's a dead OS.
     
  8. Maximillium

    Maximillium Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    19
    Sigh....

    (Patiently...) The hardware here won't support XP.

    As soon as I can get my Winders-based programs to run under Linux, that's where I'm going -- and I've already picked the distribution. I just have to stay compatible with some really legacy programs & hardware that I use daily. Think DOS and HP 200LX -- STILL my idea of the best pocket computer ever made. Too bad HP "improved" it with Win CE.

    Does anyone here understand the NOD32 program enough to know why it needs to use the spooler -- and how to prevent it?

    Why programmers & tech support people for programs designed to RUN on Windows don't seem to understand how their programs USE Windows is difficult for me to understand.
     
  9. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi Maximillium,

    It has been common enough in my own experience for even some of the best firewalls to misidentify traffic.
    NOD32 doesn't use a print spooler to access its servers. If what you are suggesting was possibly a NOD32 issue, I'm certain that Marcos would have said so, as he is one who would know.

    Cheers :)

    EDIT: And Blackspear is another with a great deal of experience both with NOD32, firewalls and PC's in general
     
  10. Maximillium

    Maximillium Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    19
    This was posted today (Jan 28, 2008) to ESET Support:

    Hello...?

    I haven't heard from anyone for a while.

    Referring to an earlier e-mail exchange in which ZA was blamed for
    mis-identifying the spooler, here is some additional information:

    When I re-name the spooler so it's not available for use by the
    system, the spooler's connection requests to ESET servers stop.

    When I re-name the spooler so it's available to the OS again,
    the spooler's connection requests to ESET servers resume.

    This is NOT a misidentification by ZA of a process.

    When the spooler is trying to connect, it is asking specifically
    for any one of 28 different ESET servers. When the spooler is
    disabled, NOD32 gets its updates the way I would expect it to, by
    the NOD32 kernel making a direct request, which works just fine
    as I have afforded the kernel specific permissions through ZA to
    all the ESET servers -- or at least 25 of them.

    If the print spooler can be made to connect to the internet, I
    consider this to be a major security hole, which is why I have
    blocked the spooler from connecting through ZA to the internet.

    The spooler is still free to connect INSIDE the local network to
    find the printers.

    The only problem I see here is NOD32 trying to use the spooler.
    NOD32 is the only anti-virus I have ever used that does this.

    Please either fix this or let me know if you can't so I can go
    to another anti-virus program.

    C.A. Kerschner
    Los Angeles CA
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    So as not to have duplicate ongoing discussions and considering this was a fairly old thread, we'll bring this one to a close and continue in your newly created thread concerning this matter.

    Continue here---> https://www.wilderssecurity.com/showthread.php?t=199135

    Regards,
    Bubba
     