Since mid-August, we have been experiencing multiple daily heuristic detections of "Bloodhound.Exploit.45" on one of our print servers. The files detected as risks are always found in C:\Temp and have a naming convention of SPLxxxx.tmp (where xxxx is a string of four numbers/letters, i.e. SPL392C.tmp). Using Process Monitor I can see that these temp files are being generated by the spoolsv.exe process (the Windows print spooler). The spool folder is set to E:\spool\ in the print server options.
The server is running Windows Server 2003 SP2, and SEP RU6A. Definitions are current. Nobody logs into this machine interactively except for a handful of administrators. No web browsing or other high-risk behavior occurs on the server. I have submitted files to Symantec for review on two occasions (tracking numbers are 17223368 and 17013426). I have also opened a case with tracking number 412-654-398 but am not really getting anywhere. Has anyone encountered this before, or does anyone have any suggestions?