Windows Defender - Warning Event ID 3004 - spoolsv.exe


Des

Defender is posting Event 3004 approx. every minute. I have
tried adding spoolsv.exe to the:
firewall ignore list - no change
defender ignore list - no change.

The file shows in Defender as a permitted file? It is an original XP
operating system file but still shows unclassified? Is there somewhere that I
need to change the permissions for this file to kill this continuous warning?

EVENT ID:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {56E59D0B-5DBC-49D1-9919-F835BC59C4EB}
User: A1640N\HP_Administrator
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found:
firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe
Alert Type: Unclassified software
Detection Type:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

MowGreen

Des,

How did you determine that spoolsv.exe is still a legitimate file?
I fail to see any reason it should be trying to circumvent the native XP
firewall as it
http://www.liutilities.com/products/wintaskspro/processlibrary/spoolsv/
transfers the data in a buffer. If the printer needs the data, it will retrieve it from the
buffer. While the spoolsv.exe file is storing the data in the buffer, the user can carry out
other operations. The spoolsv.exe process is also responsible for queuing printing tasks.
Through this function, the user does not need to wait for each printing task to be completed
one after the other.

Also, read the " Other instances of SPOOLSV.EXE: " section.
I'd have the file scanned here and hope the scanner can detect whether
it's legit or not: http://www.virustotal.com/

MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"

Des

I verified the original file dates for spoolsv.exe in the system32 folder and
also the changed file date. They both match every other OS system file date
for XP mce. Defender is only issuing the warning in the event log, not
identifying it as any type virus or malware. The file is not listed in either
allow or quarantine and I am sure I have never been asked nor have I cleared
the Defender history file.

Everything works fine, Event log just records the defender warning every
minute or so... I'm thinking it has to do with permissions, maybe?

David H. Lipman

From: "Des" <[email protected]>

| I verified the original file dates for spoolsv.exe in the system32 folder and
| also the changed file date. They both match every other OS system file date
| for XP mce. Defender is only issuing the warning in the event log, not
| identifying it as any type virus or malware. The file is not listed in either
| allow or quarantine and I am sure I have never been asked nor have I cleared
| the Defender history file.

| Everything works fine, Event log just records the defender warning every
| minute or so... I'm thinking it has to do with permissions, maybe?
| --
| Des



The Spooler Service can become compromised and act "differently" by such malware as the
TDSS (TDL3) RootKit.

MowGreen

Here's MS' explanation of the Event ID:

Event ID 3004 — Real-Time Protection Detection
http://technet.microsoft.com/en-us/library/cc774009(WS.10).aspx

Have you viewed the details provided in Software Explorer?
SE is available in XP in the Control Panel.
Set it to Currently Running Programs.
On my XP box, SE shows the file as Permitted but it's *not* listed as a
Network Connected Program, which is why I am suspicious about the file
on your system, Des.
Suggest you use Software Explorer to see the Process ID of spoolsv.exe
Then open a Command Prompt, type in the following and then press Enter

netstat -a -o

The Active Connections will be listed. Look in the far right column to
locate the Process ID of spoolsv.exe and then see which Foreign Address
it's connected to, if any.
Then please post back with what the Foreign Address is.

EX: My newsgroup reader's Process ID is 2560 and it's current Foreign
Address is msnews.microsoft.com:nntp


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"
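The step MowGreen describes above (find the PID of spoolsv.exe, run `netstat -a -o`, read the Foreign Address for that PID) as an added example, not code from the thread. It parses constructed `netstat -a -o` output and a constructed PID-to-image map (hypothetical values, not taken from either poster's machine), and skips listening sockets so that the `*:*` and `0.0.0.0:0` entries Des saw are not mistaken for outbound connections.

```python
import re

# Constructed sample of `netstat -a -o` output in the XP layout (not
# captured from the poster's box). The PID is the last column; UDP
# sockets have no State and show a Foreign Address of "*:*".
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.5:1058       msnews.microsoft.com:nntp  ESTABLISHED  2560
  TCP    192.168.1.5:1067       192.168.1.20:9100      ESTABLISHED     1304
  UDP    0.0.0.0:161            *:*                                    1304
  UDP    192.168.1.5:137        *:*                                    4
"""

# Constructed PID -> image name map, i.e. what Software Explorer or
# `tasklist` would report. Hypothetical values.
SAMPLE_PIDS = {944: "svchost.exe", 2560: "newsreader.exe",
               1304: "spoolsv.exe", 4: "System"}

# Proto, Local, Foreign, optional State, PID; header/banner lines do not match.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -a -o` output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Active Connections", column header, blank line
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def remote_endpoints(text, pids, image_name):
    """Foreign addresses in use by every process whose image is image_name.
    Listening sockets ("0.0.0.0:0", "*:*", "[::]:0") are dropped: they are
    not connections to anything and are what a "(*:*)" entry means."""
    target = {pid for pid, name in pids.items() if name.lower() == image_name.lower()}
    out = []
    for r in parse_netstat(text):
        if r["pid"] not in target:
            continue
        host = r["foreign"].rsplit(":", 1)[0]
        if r["foreign"] == "*:*" or host in ("0.0.0.0", "[::]"):
            continue
        out.append((r["proto"], r["foreign"], r["state"]))
    return out
```

In the constructed data spoolsv.exe's only real peer is 192.168.1.20:9100, a LAN address on the raw-printing port a network printer listens on; a foreign address outside the local network would be the finding worth posting back.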

Des

Mow,
Thanks in advance for your help... Here's where I am currently,

Yes, I have been watching SE processes but I appreciate your suggestion.
Ran netstat with switches at the command line and results show no foreign
connections, just local address (of this computer on router) popping in and
out. Foreign address shows as (*:*). spoolsv is listed under the network group,
I suspect due to my network printer; I have a wireless HP6000 (e609n) printer
connected via wireless through a Linksys router on a home network.

I ran spyware/malware repair/checkers beyond Defender and all show clean
system other than a few ad server cookies tied to yahoo home page. I recently
upgraded to SP3 just to see if that would clear up the issue, no change. I
have turned off spoolsv in services, removed both spoolsv.exe & spoolss.dll
from system32 dir and let reinstall at boot from the I386 directory, no
change. Before reinstalling I verified dates and files in I386 cab folder.

Des

More info:
After some research in the registry: This location of the registry is what
is identified in the system event warning with the ID 3004.

firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe

The file is continuously added and mysteriously removed from this location
in the registry? Each time it shows as an event ID... Yet I have never been
asked by the Windows Firewall to allow or block, or in Defender? It shows as
permitted to run in the SE.

I also tried to manually add the file to the registry ok list just to see
what effect and it just gets deleted from the list. What the heck try
anything at this point? Event file just keeps growing with the same Event
warning from Defender... Almost seems like Firewall and Defender can't decide
what, if any action to take creating the loop...