Phantom print jobs, Carbon Black from VMware

  • Hoosierken
    Junior Member
    • Mar 2023
    • 6

    #1


    I have looked at Copytechnet for years, I never joined until today. I finally ran across something that might be of interest to others. I went to a call where the IT person had received a complaint from users that when they arrived for work the copier would have an error light flashing and it had received multiple print jobs in the middle of the night. The control panel displayed the message "Could not execute because the file contains unsupported data". I met their local IT person at the location and we found that 3 Canon IR Advanced C50xx copiers and 2 check printers, sorry not mine so I didn't get the brand of their check printers, all were experiencing the same issue. He stated that they had recently installed a 'sensor' that is network security, VMware's Carbon Black.

    Is anyone else seeing, or has anyone heard about, anything like this? If not, maybe just keep this in mind as a 'heads up'.
  • blackcat4866
    Master Of The Obvious

    Site Contributor
    10,000+ Posts
    • Jul 2007
    • 22943

    #2

    It's not unheard of to have a piece of software sending data to printers that it cannot print. I think the most common for me is meter collecting software. It polls all IP addresses, seeking out meter data. If the printer cannot understand the data, you can get firmware errors on the machine. Theoretically, any software that polls all the IP addresses can cause this. =^..^=
    If you'd like a serious answer to your request:
    1) demonstrate that you've read the manual
    2) demonstrate that you made some attempt to fix it.
    3) if you're going to ask about jams include the jam code.
    4) if you're going to ask about an error code include the error code.
    5) You are the person onsite. Only you can make observations.

    blackcat: Master Of The Obvious =^..^=


    • rthonpm
      Field Supervisor

      2,500+ Posts
      • Aug 2007
      • 2847

      #3

      Security scanners often do this. I've seen it with Nessus and other tools as well. It's a bit of an annoyance, but it can also be a positive, as it can highlight open ports that aren't necessarily needed, or devices that aren't properly configured.

      Get in touch with whoever does security and give them the IP address of any devices spitting out jobs. They can then filter those out of their scans, or work to mitigate the issue by getting the ports on the printer triggering the scan disabled.

      In larger environments, I'm seeing more clients moving printers to their own network segment to better control access to them, and to also better classify network devices.

      Printers tend to stay around for a long time and often support long dead protocols that can offer a means of getting deeper into a network. As much as possible before putting a machine in place, I'll work with the customer to determine what can be disabled. Things like WINS, LLMNR, FTP, and other ports aren't needed on modern networks.

      Sent from my Pixel 6 Pro using Tapatalk


      • PrintWhisperer
        Trusted Tech

        250+ Posts
        • Feb 2018
        • 454

        #4
        "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin


        • BillyCarpenter
          Field Supervisor

          Site Contributor
          VIP Subscriber
          10,000+ Posts
          • Aug 2020
          • 16308

          #5

          Originally posted by rthonpm
          Security scanners often do this. I've seen it with Nessus and other tools as well. It's a bit of an annoyance, but it can also be a positive, as it can highlight open ports that aren't necessarily needed, or devices that aren't properly configured.

          Get in touch with whoever does security and give them the IP address of any devices spitting out jobs. They can then filter those out of their scans, or work to mitigate the issue by getting the ports on the printer triggering the scan disabled.

          In larger environments, I'm seeing more clients moving printers to their own network segment to better control access to them, and to also better classify network devices.

          Printers tend to stay around for a long time and often support long dead protocols that can offer a means of getting deeper into a network. As much as possible before putting a machine in place, I'll work with the customer to determine what can be disabled. Things like WINS, LLMNR, FTP, and other ports aren't needed on modern networks.

          Sent from my Pixel 6 Pro using Tapatalk

          I like the idea of placing all the copiers/printers on their own network segment. I'm assuming that you're talking about VLANs? If so, I'm also assuming that inter-VLAN routing would need to be implemented?


          Inter-VLAN routing is the ability to route, or send, traffic between VLANs that are normally blocked by default. Switches and VLANs work at the MAC address Layer (Layer 2). Traffic can't be routed between VLANs at Layer 2 based on MAC addresses.

          PS - I had to double check because it's been a while since I've set this up. But a broadcast signal can't make it past a router...even with inter-VLAN routing enabled. There is a workaround if you're using a central DHCP server and that is to use IP-Helper. This allows the DHCP broadcast signal to go past the router.
          Adversity temporarily visits a strong man but stays with the weak for a lifetime.


          • rthonpm
            Field Supervisor

            2,500+ Posts
            • Aug 2007
            • 2847

            #6

            Correct: a dedicated VLAN. Many of my larger clients have started implementing VLANs to segment out traffic or to identify what it is by location or device type.

            For a printer VLAN, my recommendation is generally to only allow inbound printing (9100 and 515) from a print server, restrict web interface access to a dedicated management machine and only allow outbound SMB access to servers used for scan to folder, and SMTP access to either a relay server or the mail server for the environment (generally Microsoft 365). This allows some of those ancient devices with insecure TLS versions or other issues to remain in place and also prevent WSD or other features from causing issues, as well as preventing peer to peer printing.

            Sent from my Pixel 6 Pro using Tapatalk
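
A way to check existing traffic against the printer-VLAN policy rthonpm describes in post #6 before enforcing it (added example, not code from any poster in this thread). All addresses, the web-interface ports 80/443, the SMTP ports 25/587 and the flow-record format are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

ip, net = ipaddress.ip_address, ipaddress.ip_network
# Every address below is a constructed placeholder; substitute your own.
PRINTERS = net("10.20.30.0/24")  # dedicated printer VLAN
PRINT_SERVER, MGMT_HOST = {ip("10.20.10.5")}, {ip("10.20.10.50")}
SCAN_SHARES, MAIL_RELAY = {ip("10.20.10.20")}, {ip("10.20.10.25")}
# (rule, permitted sources, permitted destinations, TCP ports); the rest is dropped.
RULES = [
    ("print", PRINT_SERVER, PRINTERS, {9100, 515}),
    ("webui", MGMT_HOST, PRINTERS, {80, 443}),      # ports are an assumption
    ("scan-smb", PRINTERS, SCAN_SHARES, {445}),
    ("smtp", PRINTERS, MAIL_RELAY, {25, 587}),      # ports are an assumption
]

def verdict(src, dst, dport):
    """Classify one TCP flow: 'allow:<rule>', 'deny' or 'out-of-scope'."""
    s, d = ip(src), ip(dst)
    if s not in PRINTERS and d not in PRINTERS:
        return "out-of-scope"  # flow does not involve the printer VLAN
    for name, srcs, dsts, ports in RULES:
        if s in srcs and d in dsts and dport in ports:
            return "allow:" + name
    return "deny"

# Constructed flow records, one per line: "timestamp src dst dst_port".
SAMPLE_FLOWS = """\
2023-03-14T02:11:07 10.20.40.99 10.20.30.11 9100
2023-03-14T02:11:08 10.20.40.99 10.20.30.12 9100
2023-03-14T02:11:09 10.20.40.99 10.20.30.12 21
2023-03-14T08:30:15 10.20.10.5 10.20.30.11 9100
2023-03-14T08:45:40 10.20.20.77 10.20.30.12 515
"""

def audit(log_text):
    """Count flows the policy would drop, keyed by (source, destination port)."""
    dropped = Counter()
    for line in log_text.splitlines():
        try:
            _, src, dst, dport = line.split()
            if verdict(src, dst, int(dport)) == "deny":
                dropped[(src, int(dport))] += 1
        except ValueError:
            continue  # malformed record: wrong field count, bad address or port
    return dropped

if __name__ == "__main__":
    print(dict(audit(SAMPLE_FLOWS)))
```

In the sample, 10.20.40.99 stands in for a scanner or sensor probing the printers overnight, and 10.20.20.77 for a workstation printing directly over LPD that would have to be pointed at the print server before the policy is enforced. Printer-to-printer traffic inside the VLAN never reaches a routed ACL, so blocking it takes switch-level port isolation.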


            • slimslob
              Retired

              Site Contributor
              25,000+ Posts
              • May 2013
              • 36890

              #7

              Originally posted by rthonpm
              Correct: a dedicated VLAN. Many of my larger clients have started implementing VLANs to segment out traffic or to identify what it is by location or device type.

              For a printer VLAN, my recommendation is generally to only allow inbound printing (9100 and 515) from a print server, restrict web interface access to a dedicated management machine and only allow outbound SMB access to servers used for scan to folder, and SMTP access to either a relay server or the mail server for the environment (generally Microsoft 365). This allows some of those ancient devices with insecure TLS versions or other issues to remain in place and also prevent WSD or other features from causing issues, as well as preventing peer to peer printing.

              Sent from my Pixel 6 Pro using Tapatalk

              I used to service the Ricoh MFP at Western Regional Office in Bakersfield. Their Corporate IT had set up their switches to only allow printing to specific ports. Normally was not a problem as new equipment was always reinstalled to the same jack as the old model. When the Bakersfield office got big enough to have their own IT staff, corporate failed to inform the Bakersfield IT of the switch settings. It became a problem when one weekend they had everything moved out of the motor maintenance garage office for repainting the office and replacing the flooring. When they moved the equipment back in, there were 2 jacks near the Ricoh and they plugged into the wrong one.


              • Hoosierken
                Junior Member
                • Mar 2023
                • 6

                #8

                Originally posted by rthonpm
                Security scanners often do this. I've seen it with Nessus and other tools as well. It's a bit of an annoyance, but it can also be a positive, as it can highlight open ports that aren't necessarily needed, or devices that aren't properly configured.

                Get in touch with whoever does security and give them the IP address of any devices spitting out jobs. They can then filter those out of their scans, or work to mitigate the issue by getting the ports on the printer triggering the scan disabled.

                In larger environments, I'm seeing more clients moving printers to their own network segment to better control access to them, and to also better classify network devices.

                Printers tend to stay around for a long time and often support long dead protocols that can offer a means of getting deeper into a network. As much as possible before putting a machine in place, I'll work with the customer to determine what can be disabled. Things like WINS, LLMNR, FTP, and other ports aren't needed on modern networks.

                Sent from my Pixel 6 Pro using Tapatalk

                I know of another customer that has had to move an Imagepress to its own subnet because when connected to the network it would constantly reboot. They had damaged more than one counter board this way. I think disabling ports might be the key. Most customers only use ports for printing, SMTP, and maybe SMB scan to file.
