December 30th 09, 10:59 PM posted to microsoft.public.windowsxp.security_admin
DES
Windows Defender - Warning Event ID 3004 - spoolsv.exe

I verified the original file dates for spoolsv.exe in the system32 folder and
also the changed file date. They both match every other OS system file date
for XP mce. Defender is only issuing the warning in the event log, not
identifying it as any type of virus or malware. The file is not listed in either
allow or quarantine and I am sure I have never been asked nor have I cleared
the Defender history file.

Everything works fine, Event log just records the defender warning every
minute or so... I'm thinking it has to do with permissions, maybe?
--
Des


"MowGreen" wrote:

Des,

How did you determine that spoolsv.exe is still a legitimate file ?
I fail to see any reason it should be trying to circumvent the native XP
firewall as it
http://www.liutilities.com/products/...brary/spoolsv/

transfers the data in a buffer. If the printer needs the data, it will retrieve it from the
buffer. While the spoolsv.exe file is storing the data in the buffer, the user can carry out
other operations. The spoolsv.exe process is also responsible for queuing printing tasks.
Through this function, the user does not need to wait for each printing task to be completed
one after the other.


Also, read the " Other instances of SPOOLSV.EXE: " section.
I'd have the file scanned here and hope the scanner can detect whether
it's legit or not: http://www.virustotal.com/

MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"



Des wrote:

Defender is posting - Event - 3004 error code approx. every minute. I have
tried adding spoolsv.exe to the:
firewall ignore list -no change
defender ignore list - no change.

The file shows in defender as a permitted file? It is an original XP
operating system file but still shows unclassified? Is there somewhere that I
need to change the permissions for this file to kill this continuous warning?

EVENT ID:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {56E59D0B-5DBC-49D1-9919-F835BC59C4EB}
User: A1640N\HP_Administrator
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found:
firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe
Alert Type: Unclassified software
Detection Type:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

.
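As an added example (not part of the original posts), the Python sketch below parses the "Path Found" field of the event quoted above and checks whether the listed executable sits in the system32 folder the posts refer to. The field layout is inferred from this single event, and the function names, the `prefix` label and the expected directory are assumptions.

```python
import ntpath
import re

# Constructed sample: fields copied from the event quoted in the thread.
SAMPLE_EVENT = r"""Name: Unknown
Severity: Not Yet Classified
Path Found:
firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe
Alert Type: Unclassified software
"""

# Assumption: C:\WINDOWS is the system root, as in the quoted event.
EXPECTED_DIR = r"c:\windows\system32"


def parse_path_found(event_text):
    """Split the 'Path Found' value into prefix, registry key and value name."""
    m = re.search(r"^Path Found:\s*(\S.*)$", event_text, re.MULTILINE)
    if not m:
        return None
    # Assumed layout, inferred from the one event in the thread:
    #   <prefix>:<registry key>\\<value name>
    prefix, _, rest = m.group(1).strip().partition(":")
    key, sep, value = rest.partition("\\\\")  # literal double backslash
    if not sep:
        return None
    return {"prefix": prefix, "key": key, "value": value}


def triage(entry):
    """Return review notes for a firewall-exception entry naming an executable."""
    notes = []
    directory, image = ntpath.split(entry["value"])
    if not entry["key"].lower().endswith(r"\authorizedapplications\list"):
        notes.append("not a firewall authorized-applications entry")
    if image.lower() == "spoolsv.exe" and directory.lower() != EXPECTED_DIR:
        notes.append("spoolsv.exe outside system32: treat as suspect")
    if not notes:
        # A matching name and folder is not proof; the file itself still
        # needs a hash or signature check (the thread suggests a scan).
        notes.append("path is the expected one; still verify hash/signature")
    return notes


if __name__ == "__main__":
    parsed = parse_path_found(SAMPLE_EVENT)
    print(parsed)
    print(triage(parsed))
```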
