Mirdus0001
Technical User
Signature 432 - Suspicious Function Invocation
From one day it started appearing on workstations, but not on all of those we have.
After this alert many installed apps freeze. Restarting the spooler helps, but the next day a lot of affected users have the same issue again.
It usually happens soon after the PC starts. We get a major amount of calls until 10 AM. The spooler is probably checking printers, drivers, port monitors etc. when it starts.
We print through a print server, HTTP in use.
For printers to be installed through the print server web interface it was necessary to create an exception for this signature and spoolsv. It has worked properly for a few months and works even now.
But the main question is what happened, what strange thing the spooler performs that triggers it, and why the exception is not applied in this particular case.
I found various adware and some viruses on some PCs, but most of the affected PCs are clean. As time goes on I am starting to be convinced it is a false positive alert. But I welcome any ideas about it, because I of course want to be sure.
Thanks in advance for every idea.
ALERT DETAILS
An attempt to execute code resulting from a buffer overflow was detected. The buffer overflow occurred in process Windows Print/Fax Spool Manager (C:\WINDOWS\system32\spoolsv.exe) running with the privileges of user xxx on the system with Agent pcname1.
API Name : InternetOpenA
Workstation Name : Local
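The alert only names spoolsv.exe and the API (InternetOpenA); it does not say which module inside the spooler made the call. Since the spooler loads port monitors, print providers (inetpp.dll is the one behind HTTP printing) and print processors at startup, the practical check is to list those DLLs from the registry, see which of them are actually loaded in the running spoolsv.exe, and look at who signed them. The script below is an added triage example, not code from the original post or from the HIPS vendor; the registry locations and cmdlets are standard Windows ones, while the column layout and the decision to treat any non-Microsoft or missing DLL as "look here first" are my own assumptions. Run it from an elevated PowerShell, otherwise the loaded-module list of the SYSTEM-owned spooler cannot be read.

```powershell
# Added example: which DLLs does the Print Spooler load, and are they Microsoft's?
# Run elevated. Registry paths below are the standard spooler locations.
$printRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$sys32     = Join-Path $env:SystemRoot 'System32'
$prtprocs  = Join-Path $sys32 'spool\prtprocs'

function Resolve-SpoolerDll([string]$name) {
    # Monitor/provider DLL names are usually bare file names relative to System32.
    if ([System.IO.Path]::IsPathRooted($name)) { return $name }
    return Join-Path $sys32 $name
}

$entries = @()

# Port monitors: "Driver" value under each Monitors\<name> key
Get-ChildItem "$printRoot\Monitors" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).Driver
    if ($dll) {
        $entries += [pscustomobject]@{ Kind = 'Monitor'; Name = $_.PSChildName; Dll = (Resolve-SpoolerDll $dll) }
    }
}

# Print providers: "Name" value (e.g. win32spl.dll, inetpp.dll for HTTP printing)
Get-ChildItem "$printRoot\Providers" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).Name
    if ($dll) {
        $entries += [pscustomobject]@{ Kind = 'Provider'; Name = $_.PSChildName; Dll = (Resolve-SpoolerDll $dll) }
    }
}

# Print processors: "Driver" value under Environments\<arch>\Print Processors\<name>;
# the file lives somewhere below spool\prtprocs, so locate it by file name.
Get-ChildItem "$printRoot\Environments" -ErrorAction SilentlyContinue | ForEach-Object {
    $arch = $_.PSChildName
    Get-ChildItem (Join-Path $_.PSPath 'Print Processors') -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).Driver
        if ($dll) {
            $found = Get-ChildItem $prtprocs -Recurse -Filter $dll -ErrorAction SilentlyContinue | Select-Object -First 1
            $path  = if ($found) { $found.FullName } else { Join-Path $prtprocs $dll }
            $entries += [pscustomobject]@{ Kind = "PrintProc($arch)"; Name = $_.PSChildName; Dll = $path }
        }
    }
}

# Modules currently mapped into the running spooler (needs an elevated shell).
$loaded = @{}
try {
    $spooler = Get-Process spoolsv -ErrorAction Stop
    foreach ($m in $spooler.Modules) { $loaded[$m.FileName.ToLower()] = $true }
} catch {
    Write-Warning "Could not enumerate spoolsv.exe modules (not elevated, or spooler not running): $_"
}

$report = $entries | Sort-Object Kind, Name | ForEach-Object {
    $exists  = Test-Path $_.Dll
    $sig     = if ($exists) { Get-AuthenticodeSignature $_.Dll } else { $null }
    $company = if ($exists) { (Get-Item $_.Dll).VersionInfo.CompanyName } else { '' }
    [pscustomobject]@{
        Kind    = $_.Kind
        Name    = $_.Name
        Dll     = $_.Dll
        Exists  = $exists
        Loaded  = $loaded.ContainsKey($_.Dll.ToLower())
        Company = $company
        Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Status  = if ($sig) { $sig.Status } else { 'MISSING' }
    }
}

$report | Format-Table -AutoSize

# Assumed triage rule (my own, not from the alert): anything loaded into spoolsv
# that is not Microsoft's, or a registered DLL that no longer exists on disk,
# is the first candidate for the code that calls InternetOpenA at logon.
$report | Where-Object { -not $_.Exists -or ($_.Loaded -and $_.Company -notlike '*Microsoft*') } |
    Format-Table Kind, Name, Dll, Company, Status -AutoSize
```

Two caveats when reading the output: many Microsoft system DLLs are catalog-signed rather than carrying an embedded signature, so on older systems Get-AuthenticodeSignature can report NotSigned for genuine files (the CompanyName column is there as a second hint, not as proof); and comparing the same report from an affected and an unaffected workstation is usually more telling than either list on its own, since the post says only some machines raise the alert.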