Author Topic: avast 4.8 trying to access a printer?  (Read 7937 times)


Offline numskully

  • Newbie
  • *
  • Posts: 10
Re: avast 4.8 trying to access a printer?
« Reply #15 on: January 28, 2009, 07:22:07 AM »
Provide us screen-shot so we don't need to guess.

Sorry about that. Thanks for your help AlexFeren.


Well, obviously it's not seen in Avast Alerts setup.
Even if Sygate is incorrect about the parent of AshServ.exe, it still doesn't fix your problem, which is knowing why AshServ.exe is trying to reach 192.168.1.1.
The way I'd approach it is to figure out who is 192.168.1.1 and what services it's hosting; then, work backwards to guestimate the reason.
(BTW, you checked there's nothing in Avast's .ini that includes 192.168.1.1?)


Thanks for the great info. Never had to track down anything like this before. I searched the avast.ini files for that address, and nothing showed up. Tonight, I will search my hard drive for any files containing 192.168.1.1.

192.168.1.1 is the default gateway for Linksys routers. Is this telling me anything?

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1879
    • AVAST Software
Re: avast 4.8 trying to access a printer?
« Reply #16 on: January 28, 2009, 11:49:59 AM »
Hello Numskully,

The ARP packet from your popup just queries the Ethernet address of 192.168.1.1; I assume that is your router. If you are in a position to investigate IP-to-Ethernet conversion packets (ARP), you certainly know what your IP is and what your router's IP is. Why don't you post that info for us?

Furthermore, as you no doubt already know, knowing the Ethernet address of your router is absolutely essential before you can send any other packet. So it makes no sense to me to discuss why something wants to know the Ethernet address of the router; everybody needs that. More interesting, perhaps, would be to know what the process (be it either spool32.exe or ashserv.exe, I don't know what your firewall is trying to tell us) wants to send.

Why don't you ignore the ARP protocol completely, as it brings no harm and is not routed outside our own house, and post us the communication that you are really concerned about?

Thanks a lot,
Lukas.
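
Added example, not part of the original thread: a small decoder for the kind of ARP request described in the reply above, showing that such a frame only asks the local segment which MAC address owns the gateway IP. The frame bytes, the host address 192.168.1.50 and the MAC address are constructed sample values; only 192.168.1.1 comes from the thread.

```python
import ipaddress
import struct

ARP_ETHERTYPE = 0x0806
OPCODES = {1: "request", 2: "reply"}


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "op": OPCODES.get(op, f"unknown({op})"),
        # Requests go to the link-layer broadcast address and are not routed.
        "broadcast": dst == b"\xff" * 6,
        "sender_mac": ":".join(f"{b:02x}" for b in sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def describe(frame: bytes, gateway: str) -> str:
    """Summarise the frame the way a firewall popup could have."""
    p = parse_arp(frame)
    if p["op"] == "request":
        who = "the default gateway" if p["target_ip"] == gateway else "a LAN host"
        return f"{p['sender_ip']} asks for the MAC of {p['target_ip']} ({who})"
    return f"{p['sender_ip']} is at {p['sender_mac']}"


# Constructed sample: host 192.168.1.50 (assumed) asks who has 192.168.1.1.
SAMPLE = (
    bytes.fromhex("ffffffffffff" "02005e100001" "0806")   # dst, src, EtherType
    + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)           # ARP header, op=request
    + bytes.fromhex("02005e100001") + bytes([192, 168, 1, 50])
    + bytes(6) + bytes([192, 168, 1, 1])                  # target MAC unknown
)

if __name__ == "__main__":
    print(describe(SAMPLE, gateway="192.168.1.1"))
```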


Offline numskully

  • Newbie
  • *
  • Posts: 10
Re: avast 4.8 trying to access a printer?
« Reply #17 on: January 29, 2009, 03:26:15 AM »
192.168.1.1 is my router's IP address.

"post us the communication that you are really concerned about."
Ashserv.exe/spool32.exe are trying to communicate. The first post has a picture about it.

thanks!

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1879
    • AVAST Software
Re: avast 4.8 trying to access a printer?
« Reply #18 on: January 29, 2009, 10:42:46 AM »
"post us the communication that you are really concerned about."
Ashserv.exe/spool32.exe are trying to communicate. The first post has a picture about it.

thanks!

It is the ARP protocol then. This packet will not leave your wire and dies inside your router, nothing harmful. What have you got next?

Offline AlexFeren

  • Newbie
  • *
  • Posts: 12
Re: avast 4.8 trying to access a printer?
« Reply #19 on: January 30, 2009, 04:38:51 AM »
192.168.1.1 is my router's IP address.
It's unusual that you'd be seeing an ARP request being sent to the router (beyond boot), because the router is usually the one that answers the computer's DHCP Discovery request at boot, at which point its ARP table would be populated with the MAC/IP of the router.
You're using DHCP to obtain the computer's IP, right? If so, is this the only DHCP server/router on your network?
I find it strange that "arp -a" doesn't show you anything. Are you sure?
« Last Edit: January 30, 2009, 04:41:21 AM by AlexFeren »

Offline numskully

  • Newbie
  • *
  • Posts: 10
Re: avast 4.8 trying to access a printer?
« Reply #20 on: January 30, 2009, 09:29:40 PM »
192.168.1.1 is my router's IP address.
It's unusual that you'd be seeing an ARP request being sent to the router (beyond boot), because the router is usually the one that answers the computer's DHCP Discovery request at boot, at which point its ARP table would be populated with the MAC/IP of the router.
You're using DHCP to obtain the computer's IP, right? If so, is this the only DHCP server/router on your network?
I find it strange that "arp -a" doesn't show you anything. Are you sure?

This time when I ran it, it did find an entry. It found 192.168.1.100, which is linked to my router.