Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: numskully on January 14, 2009, 08:07:29 AM

Title: avast 4.8 trying to access a printer?
Post by: numskully on January 14, 2009, 08:07:29 AM
Why would avast try to send info to my printer? I wasn't trying to print at the time my firewall stopped it.

(http://mysite.verizon.net/res7p72g/sitebuildercontent/sitebuilderpictures/New.jpg)

Anyone have any ideas?
Title: Re: avast 4.8 trying to access a printer?
Post by: lukor on January 14, 2009, 12:48:43 PM
Hi,

All I can see here is that Sygate thinks that aswserv.exe ("Avast! Antivirus" service) was started by Spooler (which is probably a mistake from the firewall). Since it does not say where the packet is going to, we can hardly guess if it is sending something to the printer (I doubt that) or just downloading a new virus definition file.

Lukas.
Title: Re: avast 4.8 trying to access a printer?
Post by: Avaster on January 14, 2009, 01:05:57 PM
I have Sygate too, and it does do these "mistakes" every now and then. It's just better to click "no".
Title: Re: avast 4.8 trying to access a printer?
Post by: numskully on January 14, 2009, 09:20:35 PM
Ah, thanks for the info all. If I get more info I'll post it.
Title: Re: avast 4.8 trying to access a printer?
Post by: numskully on January 25, 2009, 09:29:30 PM
It happened again so I clicked on the details and took a screen shot. The picture looks a little odd since I had to copy/paste a few screen shots together.

Anyone know why Avast is doing this?

(http://mysite.verizon.net/res7p72g/sitebuildercontent/sitebuilderpictures/full.jpg)
Title: Re: avast 4.8 trying to access a printer?
Post by: AlexFeren on January 25, 2009, 10:05:30 PM
Before the experts jump in...
This is a broadcast ARP packet (sent to every node in your LAN) - requesting the owner of IP=192.168.100.1 to respond with its own MAC address so that more datagrams can be sent to it.
Normally, the neighbouring router is configured as 192.168.100.254 not 192.168.100.1, so, perhaps the latter really is a printer or a machine hosting a printer? Any chance you accidentally set up Avast!Settings->Alerts->Printers?

Simple commands for you to play with:
to see your current ARP Table content: arp -a
to see your routing table: netstat -rn
Title: Re: avast 4.8 trying to access a printer?
Post by: numskully on January 25, 2009, 11:00:06 PM
Thanks for the info AlexFeren!

Under "Settings->Alerts->Printers" there is an entry for printers. I never put in any info for alerts. Should I just get rid of all the entries? What are these alerts doing?

When I ran arp -a it reported "No ARP Entries Found".
Title: Re: avast 4.8 trying to access a printer?
Post by: AlexFeren on January 26, 2009, 04:58:45 AM
> When I ran arp -a it reported "No ARP Entries Found".
ARP Table is a fundamental resource in IP networking, so, something must be there. ARP Table isn't updated until you start communicating with adjacent nodes in the network (ie. router, other PCs on same switch, etc). So, if you're reading this web-page, you must have at least the entry of the nearest router or gateway in the ARP Table.


> Under "Settings->Alerts->Printers" there is an entry for printers. I never put in any info for alerts. Should I just get rid of all the entries? What are these alerts doing?
Well, what are the entries in there? Avast can be configured to send an alert when a virus is detected, so, perhaps at startup it's ping-ing the node hosting the printer. Provide us screen-shot so we don't need to guess.
Title: Re: avast 4.8 trying to access a printer?
Post by: DavidR on January 26, 2009, 03:24:21 PM
@ numskully
I don't believe there are any Printer alerts, just the empty shell they would go in?

Is this what you see or are there any additional entries under the Printer alert section, see image?

I don't get any of the firewall notifications that you are, but I'm using Agnitum's Outpost Firewall Pro 2009, I have no printer alert setup.
Title: Re: avast 4.8 trying to access a printer?
Post by: lukor on January 26, 2009, 05:49:47 PM
I still find the parent - child relationship between spooler.exe and ashserv.exe strange. ashserv.exe, if this is really our process, is a service. It is running since the computer was started and its parent process should be "services.exe".

You can verify this with for example "Process Explorer" - downloadable from Microsoft.

I cannot imagine any situation where spooler.exe should start ashserv.exe process. It is either not our process or the firewall is confused.
Title: Re: avast 4.8 trying to access a printer?
Post by: numskully on January 27, 2009, 12:51:39 AM
> Provide us screen-shot so we don't need to guess.

Sorry about that. Thanks for your help AlexFeren.

(http://mysite.verizon.net/res7p72g/sitebuildercontent/sitebuilderpictures/alerts.jpg)
Title: Re: avast 4.8 trying to access a printer?
Post by: numskully on January 27, 2009, 12:55:37 AM
> @ numskully
> I don't believe there are any Printer alerts, just the empty shell they would go in?
>
> Is this what you see or are there any additional entries under the Printer alert section, see image?
>
> I don't get any of the firewall notifications that you are, but I'm using Agnitum's Outpost Firewall Pro 2009, I have no printer alert setup.

My alert is empty also. I could not edit it. My alerts look the same as yours. There is a screen shot in the post before this.

Does Agnitum's Outpost Firewall Pro 2009 protect your printer (odd question maybe)?
Title: Re: avast 4.8 trying to access a printer?
Post by: numskully on January 27, 2009, 01:00:52 AM
> I still find the parent - child relationship between spooler.exe and ashserv.exe strange. ashserv.exe, if this is really our process, is a service. It is running since the computer was started and its parent process should be "services.exe".
>
> You can verify this with for example "Process Explorer" - downloadable from Microsoft.
>
> I cannot imagine any situation where spooler.exe should start ashserv.exe process. It is either not our process or the firewall is confused.

Under "msconfig" I am starting ashServ.exe, found in c:\Program Files\Avast4\ashServ.exe.

I did a search for ashServ.exe, finding only 1 entry. It was digitally signed by ALWIL software.
Title: Re: avast 4.8 trying to access a printer?
Post by: DavidR on January 27, 2009, 01:37:46 AM
Well, I don't have file and printer sharing enabled, but as has been said, Sygate does from time to time make these mistakes.

The only real relationship ashServ.exe (the main scanning engine of avast) might have with spool32.exe is to scan that file when it starts as a resident scanner should. There should, however, as lukor said, be no way spool32.exe would be starting ashServ.exe, so I too believe this is a firewall error.
Title: Re: avast 4.8 trying to access a printer?
Post by: AlexFeren on January 28, 2009, 12:11:37 AM
> > Provide us screen-shot so we don't need to guess.
>
> Sorry about that. Thanks for your help AlexFeren.
>
> (http://mysite.verizon.net/res7p72g/sitebuildercontent/sitebuilderpictures/alerts.jpg)

Well, obviously it's not seen in Avast Alerts setup.
Even if Sygate is incorrect about the parent of AshServ.exe, it still doesn't fix your problem, which is - knowing why AshServ.exe is trying to reach 192.168.1.1.
The way I'd approach it is to figure out who is 192.168.1.1 and what services it's hosting; then, work backwards to guesstimate the reason.
(BTW, you checked there's nothing in Avast's .ini that includes 192.168.1.1?)
Title: Re: avast 4.8 trying to access a printer?
Post by: numskully on January 28, 2009, 07:22:07 AM
> > > Provide us screen-shot so we don't need to guess.
> >
> > Sorry about that. Thanks for your help AlexFeren.
> >
> > (http://mysite.verizon.net/res7p72g/sitebuildercontent/sitebuilderpictures/alerts.jpg)
>
> Well, obviously it's not seen in Avast Alerts setup.
> Even if Sygate is incorrect about the parent of AshServ.exe, it still doesn't fix your problem, which is - knowing why AshServ.exe is trying to reach 192.168.1.1.
> The way I'd approach it is to figure out who is 192.168.1.1 and what services it's hosting; then, work backwards to guesstimate the reason.
> (BTW, you checked there's nothing in Avast's .ini that includes 192.168.1.1?)

Thanks for the great info. Never had to track down anything like this before. I searched the avast.ini files for that address, and nothing showed up. Tonight, I will search my hard drive for any files containing 192.168.1.1.

192.168.1.1 is the default gateway for Linksys routers. Is this telling me anything?
Title: Re: avast 4.8 trying to access a printer?
Post by: lukor on January 28, 2009, 11:49:59 AM
Hello Numskully,

ARP packet from your popup just queries the ethernet address of 192.168.1.1, I assume that is your router. If you are in a position that you investigate IP to ethernet conversion packets (ARP) you certainly know what is your IP, what is your router's IP. Why don't you post that info for us?

Furthermore, as you no doubt already know, knowing the ethernet address for your router is absolutely essential before you can send any other packet. So it makes no sense to me discussing about why something wants to know the ethernet address for the router, everybody needs that, more interesting perhaps would be to know what the process (be it either spool32.exe or ashserv.exe - don't know what your firewall is trying to tell us) wants to send.

Why don't you ignore ARP protocol completely, as it brings no harm and is not routed outside our own house, and post us the communication that you are really concerned about.

Thanks a lot,
Lukas.
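
The ARP "who-has" broadcast discussed in the posts above, decoded in Python as an added example (not part of any forum post, and not Avast or Sygate code). The frame bytes, the MAC address and the host IP 192.168.1.50 are constructed; 192.168.1.1 is the router address discussed in the thread.

```python
import ipaddress
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}

# Constructed sample: a who-has broadcast for 192.168.1.1 from a made-up
# host 192.168.1.50 with a made-up MAC (not taken from the screenshots).
HOST_MAC = bytes.fromhex("001122334455")
SAMPLE = (
    BROADCAST + HOST_MAC + struct.pack("!H", ETHERTYPE_ARP)
    + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    + HOST_MAC + ipaddress.IPv4Address("192.168.1.50").packed
    + bytes(6) + ipaddress.IPv4Address("192.168.1.1").packed
)

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "op": OPCODES.get(oper, f"unknown({oper})"),
        "broadcast": dst == BROADCAST,  # delivered to every node on the LAN
        "sender_mac": fmt_mac(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_ip": str(ipaddress.IPv4Address(tpa)),  # address being asked about
        "gratuitous": spa == tpa,  # host announcing its own address
        # The Ethernet source should agree with the ARP sender field;
        # a mismatch is worth a closer look when reviewing a capture.
        "src_matches_sender": src == sha,
    }

if __name__ == "__main__":
    for key, value in parse_arp_frame(SAMPLE).items():
        print(f"{key}: {value}")
```

The decoded frame has no TCP/UDP header and no payload, so on its own it cannot show what the requesting process meant to send afterwards.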

Title: Re: avast 4.8 trying to access a printer?
Post by: numskully on January 29, 2009, 03:26:15 AM
192.168.1.1 is my router's IP address.

"post us the communication that you are really concerned about."
Ashserv.exe/spool32.exe are trying to communicate. The first post has a picture about it.

thanks!
Title: Re: avast 4.8 trying to access a printer?
Post by: lukor on January 29, 2009, 10:42:46 AM
> "post us the communication that you are really concerned about."
> Ashserv.exe/spool32.exe are trying to communicate. The first post has a picture about it.
>
> thanks!

It is the ARP protocol then. This packet will not leave your wire and dies inside your router, nothing harmful. What have you got next?
Title: Re: avast 4.8 trying to access a printer?
Post by: AlexFeren on January 30, 2009, 04:38:51 AM
> 192.168.1.1 is my router's IP address.
It's unusual that you'd be seeing an ARP request being sent to the router (beyond boot), because the router is usually the one that answers computer's DHCP Discovery request at boot at which point its ARP Table would be populated with the MAC/IP of the router.
You're using DHCP to obtain computer's IP, right? If so, is this the only DHCP server/router on your network?
I find it strange that "arp -a" doesn't show you anything. Are you sure?
Title: Re: avast 4.8 trying to access a printer?
Post by: numskully on January 30, 2009, 09:29:40 PM
> > 192.168.1.1 is my router's IP address.
>
> It's unusual that you'd be seeing an ARP request being sent to the router (beyond boot), because the router is usually the one that answers computer's DHCP Discovery request at boot at which point its ARP Table would be populated with the MAC/IP of the router.
> You're using DHCP to obtain computer's IP, right? If so, is this the only DHCP server/router on your network?
> I find it strange that "arp -a" doesn't show you anything. Are you sure?

This time when I ran it, it did find an entry. It found 192.168.1.100, which is linked to my router.