I do have the Rawsocket Connection blocked.
I also have the following appearing in the Anti-Leak Control Log:
11:07:38 AM SPOOLSV.EXE: 1552 Allow network-enabled application to use DNS API
This occurs several times during startup, which looks suspicious to me.
I have blocked SPOOLSV.EXE from accessing the Internet in Network Rules and in Host Protection/Anti-Leak Control exclusions (all BLOCKED), and it still gets access to the Internet during Startup! How is this happening?
While spoolsv.exe - the spooler service responsible for managing spooled print/fax jobs - isn't inherently dangerous, there have been several viruses by that name. The spooler service does handle networked printers, so occasionally it may need networked access. It's possible that such access is legitimate and happens to many people (http://askbobrankin.com/is_spoolsvexe_a_virus.html). However, if not set up that way, then such access should be looked upon as suspicious.
My first instinct is to block the traffic and only allow it if I see problems.
Do you have any low-level system-wide rules set which might be applied to its connection? If so, are they marked high priority? Are your block rules marked as high priority to move them up the processing order list?
SPOOLSV.EXE isn't dangerous. It belongs to the Microsoft Printing service.
You can safely allow this process to access the internet.
Read this: http://www.processlibrary.com/directory/?files=SPOOLSV.EXE
Can you explain this entry? I am still waiting for a hint...
re SPOOLSV.EXE. I also see this entry (many times over) in the Anti-Leak control log when I have Print Spooler started via Windows Services; I filed a ticket about this, but not sure the reply made sense to me. In any case, my ticket was classified as 'not a bug'.
I could use some help again...