TCP Connection Leak from ZAPRO 8 (Vista x64 SP2)

[ring0_event]

Hello. Hi. I have a new Inspiron 1545 laptop (will replace my desktop soon!), with Vista x64 SP2, 4 GB RAM, and a marvel 88e8040 fast PCIe NIC. I also have ZAPRO 8.0.298.000. For antivirus I use ESET NOD32 (x64 version). Basically my issue is leaked TCP connections, that is the network stack is littered with connections which are never closed. This is a serious, serious problem, as my system became a dog after 1 day of usage. After I uninstalled ZAPRO, the issue went away.

I've noticed that TCP-Z shows me that my established TCP connections keep on increasing and almost never seem to go down as time go by and I keep on accessing the Internet. Now I have only 1 IE instance running, and I currently have 303 established connections shown in TCP-Z! Also, I used "netstat -ab" to look at my connections, and I see in the system process a WHOLE SLEW of connections to sites which I had previously browsed but since closed. Moreover, "netstat -ab" confirms that I have a great deal of connections open. I checked with task manager just to make sure there were no runway IE/Firefox processes, and there were none.

It looks like there is a connection leak on my system! Can anyone confirm this with Vista x64 SP2, and ZAPRO running? I don't know where the problem is, but it is a clearly a low level issue of some kind, unless this is normal behaviour on Vista SP2. AFAIK, when a process terminates, its connections terminate with it. Otherwise insanity prevails.

So my questions:
a) Can anyone else with ZAPRO, Vista x64, and SP2 confirm this issue? I've already posted to the ZA boards.
b) Could anyone recommend a replacement?

Thanks!

[tipstir]

Quote:

Originally Posted by ring0_event

Hello. Hi. I have a new Inspiron 1545 laptop (will replace my desktop soon!), with Vista x64 SP2, 4 GB RAM, and a marvel 88e8040 fast PCIe NIC. I also have ZAPRO 8.0.298.000. For antivirus I use ESET NOD32 (x64 version). Basically my issue is leaked TCP connections, that is the network stack is littered with connections which are never closed. This is a serious, serious problem, as my system became a dog after 1 day of usage. After I uninstalled ZAPRO, the issue went away.

I've noticed that TCP-Z shows me that my established TCP connections keep on increasing and almost never seem to go down as time go by and I keep on accessing the Internet. Now I have only 1 IE instance running, and I currently have 303 established connections shown in TCP-Z! Also, I used "netstat -ab" to look at my connections, and I see in the system process a WHOLE SLEW of connections to sites which I had previously browsed but since closed. Moreover, "netstat -ab" confirms that I have a great deal of connections open. I checked with task manager just to make sure there were no runway IE/Firefox processes, and there were none.

It looks like there is a connection leak on my system! Can anyone confirm this with Vista x64 SP2, and ZAPRO running? I don't know where the problem is, but it is a clearly a low level issue of some kind, unless this is normal behaviour on Vista SP2. AFAIK, when a process terminates, its connections terminate with it. Otherwise insanity prevails.

So my questions:
a) Can anyone else with ZAPRO, Vista x64, and SP2 confirm this issue? I've already posted to the ZA boards.
b) Could anyone recommend a replacement?

Thanks!

Why are you running TCP-Z? Did you by-pass the TCP.sys limit of 10 max connections. Also your running Zone Alarm and that ZAPPRO has to run in the background, unless you stop running Zone Alarm.

[Cudni]

try tcpview instead to see if you can confim the finding
http://technet.microsoft.com/en-us/s.../bb897437.aspx

[ring0_event]

Quote:

Originally Posted by tipstir

Why are you running TCP-Z? Did you by-pass the TCP.sys limit of 10 max connections. Also your running Zone Alarm and that ZAPPRO has to run in the background, unless you stop running Zone Alarm.

I was running TCP-Z as you say to bypass the limit of 10 half open connections. Since TCP-Z modifies the memory in TCPIP.SYS, I'm guessing that ZA PRO would not be affected by this. But in any case, I did try to duplicate the issue without TCP-Z, using netstat to confirm my previous findings, and the results were the same as before.

[ring0_event]

Quote:

Originally Posted by Cudni

try tcpview instead to see if you can confim the finding
http://technet.microsoft.com/en-us/s.../bb897437.aspx

OK, I'll give it a shot, but I did use netstat as well, with the same results.

[ring0_event]

OK, I have confirmed the issue using tcpview (thanks for the link). Does anyone else here use ZA Pro/free on Vista, and if so, could they confirm the issue?

[tipstir]

Quote:

Originally Posted by ring0_event

I was running TCP-Z as you say to bypass the limit of 10 half open connections. Since TCP-Z modifies the memory in TCPIP.SYS, I'm guessing that ZA PRO would not be affected by this. But in any case, I did try to duplicate the issue without TCP-Z, using netstat to confirm my previous findings, and the results were the same as before.

First don't use TCP-Z to mod the TCPIP.SYS use TCP/IP Universal Patcher

That will backup the TCPIP.SYS
Then you type in what size you want based off your Routers max connections. I have one set to 200 and then set the software to use 100 to balance it out. Again this works on Windows Servers OS which is set to 100 max connections.

TCP/IP Universal Patcher can be found here..
http://deepxw.blogspot.com/2009/01/u...v10-build.html

I use TCP-Z just to monitor the connections to see how much of the limit is being allocated.

[Cudni]

don't use it all because the limit is removed
http://technet.microsoft.com/en-us/l...29.aspx?ppud=4

[ring0_event]

Quote:

Originally Posted by tipstir

I use TCP-Z just to monitor the connections to see how much of the limit is being allocated.

Same here mostly, but I do modify the limit when I use bit torrent because while MS says that the limit is removed, I'm not sure that it really is, because TCP-Z reports that the current limit both in the file and in memory is 10. And I have Vista x64 SP2, which is supposed to remove this, but TCP-Z says otherwise.

[ring0_event]

Quote:

Originally Posted by Cudni

don't use it all because the limit is removed
http://technet.microsoft.com/en-us/l...29.aspx?ppud=4

Have you confirmed that as a fact with TCP-Z? It does not seem to be the case over here.

[Cudni]

Quote:

Originally Posted by ring0_event

Have you confirmed that as a fact with TCP-Z? It does not seem to be the case over here.

confirmed what? the original patch was never needed for bt even when there was a limit

[ring0_event]

Quote:

Originally Posted by Cudni

confirmed what? the original patch was never needed for bt even when there was a limit

Speaking from my own experience, I found that on XP SP2-3 the patch was needed for optimal download rates on bt. Now MS says that they have removed the limit on 7 and on Vista SP2 (also server 2008 SP2 I believe). However, TCP-Z indicates that the limit is still in place in Vista SP2 (at least for me)- contrary to what MS has said. This is all that I have meant to say on this, really. It has nothing to do really with the connection leaks which I noted in my first posting to my thread, except that I happened to first notice the leaks using TCP-Z.

[Cudni]

back to the original subject; using tcpview what apps keep what open and does that roughly translate to what you are doing on the comp. so browsing, downloading maybe shifting files on home network?

[ring0_event]

Quote:

Originally Posted by Cudni

back to the original subject; using tcpview what apps keep what open and does that roughly translate to what you are doing on the comp. so browsing, downloading maybe shifting files on home network?

Hi Cudni, when I launch Firefox with several tabs deployed, I quite clearly see within tcpview the connections which Firefox has open. When I close Firefox, the connections do not all disappear. Later they appear in the system process as opposed to the once loaded Firefox process. Contrast this to the case with ZA Pro uninstalled, where this does not happen at all. If I keep on opening and closing Firefox, the number of stray TCP connections keeps on growing, instead of closing. I could easily at the end of the day end up with 1000+ open connections and my computer as slow as h*ll. Clearly there is an issue on my laptop (even with NOD32 unsinstalled). If I have a chance I'll see if I can test this with free ZA on other machines later in the week.

[tipstir]

Quote:

Originally Posted by ring0_event

Hi Cudni, when I launch Firefox with several tabs deployed, I quite clearly see within tcpview the connections which Firefox has open. When I close Firefox, the connections do not all disappear. Later they appear in the system process as opposed to the once loaded Firefox process. Contrast this to the case with ZA Pro uninstalled, where this does not happen at all. If I keep on opening and closing Firefox, the number of stray TCP connections keeps on growing, instead of closing. I could easily at the end of the day end up with 1000+ open connections and my computer as slow as h*ll. Clearly there is an issue on my laptop (even with NOD32 unsinstalled). If I have a chance I'll see if I can test this with free ZA on other machines later in the week.

TCPVIEW is okay but what does TCP-Z show.. How do you have so may open connections? Are you seeding several files also. What client of BT are you running? Sounds like it leaving ports opens. Are you running a firewall on that system.

Wait you using wireless laptop with BT connections? Wired or wireless?

[ring0_event]

Quote:

Originally Posted by tipstir

TCPVIEW is okay but what does TCP-Z show.. How do you have so may open connections? Are you seeding several files also. What client of BT are you running? Sounds like it leaving ports opens. Are you running a firewall on that system.

Wait you using wireless laptop with BT connections? Wired or wireless?

Hi, I can reproduce the issue only with Firefox and with more difficulty, IE. BT does not have to enter the picture. Also, AFAIK, when a process exits, then ALL its connections must be closed. This is what I observed when I had uninstalled ZA. I only have connections linger when I have ZA installed. This system has a router, a wired Linksys router, and the host has ZA Pro 8.0.400.020.

[tipstir]

Quote:

Originally Posted by ring0_event

Hi, I can reproduce the issue only with Firefox and with more difficulty, IE. BT does not have to enter the picture. Also, AFAIK, when a process exits, then ALL its connections must be closed. This is what I observed when I had uninstalled ZA. I only have connections linger when I have ZA installed. This system has a router, a wired Linksys router, and the host has ZA Pro 8.0.400.020.

Then use another firewall I can't use ZA and some of the others only PC Tools Firewall Plus 3.14 and Rising Personal Firewall International Free works very well. Rising is better though.

[ring0_event]

One more data point: at work, I have a Vista SP1 (x64) test machine, and I so installed the latest ZA and performed my usual tests. I did NOT have the issue at all! Tomorrow I will upgrade it to SP2 and I'll post the results. I will also see if I can borrow a USB network adapter and try it here at home on my problematic laptop.

[ring0_event]

Continuing here from the official Zone Alarm forums:

I have some new information. First, I'll start out by saying that when I first received the laptop, I wiped it clean, and reinstalled Windows Vista SP1 from the DVD, then installed NOD32, then all updates, and then Vista SP2. I used the latest drivers as well, but I should verify that. So I don't think there are any oddball apps which are in the background here. The only other low level software which I have installed in ESET NOD32 (64 bit version), and even when uninstalled I had the issue. Of course, I don't know the source of the problem.

The new information is this: I acquired a USB to ethernet controller, and even with only this network device installed, I still have the problem. Next I tried with Comodo free firewall, and the problem disappeared.

Now this thread is a bit abbreviated from the Zone Alarm forum version, but to make a long story short, I tried at work on Vista x64 SP1-2, and XP SP2 x86, and I did NOT reproduce the issue. These were all desktops. One hell of a problem, that's for sure. If anyone is interested, they can view the slightly longer thread on the Zone Alarm forum here:

http://forum.zonelabs.org/zonelabs/b...cending&page=1

[ring0_event]

Update: ZA tech support replied to me, and said that they had been unable to duplicate the issue on XP Pro, Vista 32 and Vista 64 (both ultimate). When I get home I will pass them my system NFO file. Perhaps I should have mentioned that I have Vista x64 SP2 *Home premium* (whatever the "premium" means). I will note this fact to them in my email, and tell them that even with another network adapter the problem with leaked connections using ZA persisted.

Obviously this problem is pretty hard to reproduce, but I'm not sure that most users would spot it.