consumes a lot of memory

Discussion in 'LnS English Forum' started by OlderMan, Jul 28, 2006.

Thread Status:
Not open for further replies.
  1. OlderMan

    OlderMan Registered Member

    Joined:
    Jul 19, 2006
    Posts:
    19
    I just installed v2.05p2 last week. I was tired of all the problems with ZoneAlarmPro so am testing some better firewalls.

    Taskmanager shows the 'looknstop.exe' process at this moment using 35,346K of memory with a peak of 71,352K & PageFaults 10,848,239, with the page faults slowly climbing as I type this message.

    I have even disabled/removed the plugins with no change.

    Also, I have a Dlink DSM-320 MediaCenter in my small network & once I finally got LNS to allow it thru I must disable the log rule or CPU usage goes over 70% due to the constant flow of packets.

    Another weird (to me) thing is it is showing/logging & saying 'blocked' packets for one of the other systems trying to talk to my hardware firewall (Fortinet60) and/or an outside site, and neither source nor dest. are this system.

    I would like to get the 'bugs' out of this firewall so I do not have to try another one and 'start over' .

    Please any helpful ideas/suggestions/thoughts are welcomed !
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi OlderMan :)

    Tired with ZA problems? :D

    It seems that you still have a problem with ZA.
    It is "well known" that ZA can not be normally uninstalled...

    They provide a manual procedure to uninstall ZA but it's a real mess...

    Here's a cut and paste from a web site (sorry : I lost the reference and the link :-( )

    «

    The way to get rid of all of Zone Alarm is as follows:

    1B. Open the ZoneAlarm Pro program, go to the OVERVIEW >>
    PREFERENCES tab, and make sure the Load At Startup box is UNchecked.

    3. REBOOT.

    4. You should now have no ZoneAlarm/ZoneAlarm Pro processes running
    on your system.

    5. Now run Start, Programs, Zone Labs, Uninstall. Be sure to say YES
    to delete all files, and you MUST allow TrueVector service to shut
    down in order to remove files.

    WARNING - Do NOT run the ZoneAlarm Uninstall program while in Safe
    Mode. The program may not be able to make the proper registry
    changes in Safe Mode, thus generating errors after a reboot.

    6. REBOOT.

    7. To make sure that you can see the ZoneAlarm/ZoneAlarm Pro system
    files, if they are still on your computer:

    a. Right-click on Start, then left-click on Explore. When the
    Windows Explorer panel appears:
    - In Windows 95,98,and NT: Click View>Options (in Windows 98, this
    will be called "Folder Options"). Click the "View" tab, then click
    the "Show all files" radio button.
    - In Windows ME, 2000: Click Tools>Folder Options. Click the "View"
    tab, then click the "Show hidden files and folders" radio button.

    b. Make sure you also UNcheck the box to "Hide Protected Operating
    System Files" if you have one.

    c. Click OK.

    IMPORTANT NOTE: Making modifications to system files may disable
    crucial functions of your Windows operating system. We strongly
    suggest re-enabling the "Hide files and folders" feature once all
    ZoneAlarm/ZoneAlarm Pro files have been removed. See the following
    web page, and verify that the files and folders are removed:

    8. Click on Start, then Search or Find, and select Files. Make sure
    that the location box is set to search your local hard drive
    (usually C or All Local Drives).

    Type the following exactly - delete any folders found:

    zonelabs
    "zone labs"
    "Internet logs"

    Type the following exactly - delete any files found in \Windows or
    any subfolder below it, or in your \Temp folder:

    vsdata.dll
    vsdata95.vxd
    vsdatant.sys
    vsmon.*
    vsmonapi.dll
    vsnetutils.dll
    vspubapi.dll
    vsutil.dll
    zaplus.*
    zapro.*
    zllictbl.dat
    zlparser.dll
    zonealarm.exe

    Type the following exactly - delete any files found in any folder
    with "Programs" in the pathname:

    zapro
    zonealarm
    "zonealarm pro"

    Type the following exactly - delete any files found in the registry:

    ZAMailSafe
    ZoneAlarm
    Zone Alarm

    Some that could be in the registry:

    vsdata.dll
    vsdata95.vxd
    vsdatant.sys
    vsmon.*
    vsmonapi.dll
    vsnetutils.dll
    vspubapi.dll
    vsutil.dll
    zaplus.*
    zapro.*
    zllictbl.dat
    zlparser.dll
    zonealarm.exe

    Open the Internet Logs directory (in 95/98/ME this will
    be "c:\windows\internet logs", in NT and 2000 it will be
    c:\winnt\internet logs, in Windows XP it could be either of these
    folders). If you need to keep a copy of old alerts, copy the
    ZAlog.txt file to another location first - then delete ALL files in
    this folder.

    9. Make sure your Recycle Bin is empty (right-click and select
    Empty).

    10. REBOOT
    »

    Funny right? :rolleyes:

    You may also use a script from this page (I know the guy: JacK a MS MVP):

    http://babin.nelly.free.fr/kerio.htm

    Look for ZAPCLEAN ... download and run.

    I guess that you have also uninstall LNS and reinstall it after the ZA clean up...

    Hope this helps.
    Let us know.

    :)
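
A read-only way to run the file and folder search from step 8 of the procedure quoted above, as an added example that is not part of the original post or of any ZoneAlarm or Look 'n' Stop tooling. The name lists are copied from the post; the function name `find_leftovers` and the default search roots are assumptions. It reports matches for review and deletes nothing.

```python
import fnmatch
import os

# File names and wildcards listed in step 8 of the quoted procedure.
FILE_PATTERNS = [
    "vsdata.dll", "vsdata95.vxd", "vsdatant.sys", "vsmon.*", "vsmonapi.dll",
    "vsnetutils.dll", "vspubapi.dll", "vsutil.dll", "zaplus.*", "zapro.*",
    "zllictbl.dat", "zlparser.dll", "zonealarm.exe",
]
# Folder names listed in the same step.
FOLDER_NAMES = {"zonelabs", "zone labs", "internet logs"}


def find_leftovers(roots):
    """Return sorted (kind, path) tuples for leftovers under the given roots.

    Names are compared case-insensitively, as Windows does. Directories that
    cannot be read are skipped (os.walk ignores listing errors by default).
    """
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for d in dirnames:
                if d.lower() in FOLDER_NAMES:
                    hits.append(("folder", os.path.join(dirpath, d)))
            for f in filenames:
                name = f.lower()
                if any(fnmatch.fnmatchcase(name, p) for p in FILE_PATTERNS):
                    hits.append(("file", os.path.join(dirpath, f)))
    return sorted(hits)


if __name__ == "__main__":
    # Assumed default roots; adjust for the Windows version in use.
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    temp = os.environ.get("TEMP", r"C:\Temp")
    for kind, path in find_leftovers([windir, temp]):
        print(f"{kind:6} {path}")
```
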
     
  3. OlderMan

    OlderMan Registered Member

    Joined:
    Jul 19, 2006
    Posts:
    19
    I did a very good scrubbing to remove any trace of ZAP. It sure spread itself everywhere !

    thanx for the quick response.
     
  4. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Olderman,
    Climenole has given you good information for removal of ZAP scraps and bits of resource hogging gremlins from ZA.

    We all who have used ZA at some time have gone through the ritual.

    Welcome to the Club. :D

    ZAPClean is a new one to me. It sure sounds good.
     
  5. OlderMan

    OlderMan Registered Member

    Joined:
    Jul 19, 2006
    Posts:
    19
    As I stated above, I have totally removed all of ZAP.

    I have installed and tested other firewalls before this and for each one I set a RestorePoint and even use a separate util to log what was installed and be sure it's removed after and I also use a reg cleaner just to be extra safe.

    I agree ZAP is a real bugger to get out of the system, almost as bad as Norton(IMHO).
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi OlderMan,

    There is a memory leak in the 2.05p2.
    This is supposed to be visible only if you have a lot of applications connecting and disconnecting (because it is linked to the display of the connected app icons in the application filtering).

    To fix that you should use the 2.05p3. Just don't activate the beta features (through the .reg), to have the 2.05p3 working like the 2.05p2 (but with bug fixes).

    Otherwise, perhaps you have a lot of alerts in the logs. All packets are kept in memory, so if you have something like 10000, 20000 alerts in the logs, it could explain the memory usage you are seeing.

    Regards,

    Frederic
     
  7. OlderMan

    OlderMan Registered Member

    Joined:
    Jul 19, 2006
    Posts:
    19
    Am I able to get the p3 beta version on the website ? *never mind on that, I saw the Sticky !! *

    Am I able to overwrite the current install or will I need to save the .rls & UNinstall the current ?

    Also any ideas on the capturing of packets that do not start/end in the system LnS is installed in ? if they truly are being grabbed by LnS, which I believe is happening as I can create a rule for some of them, how do I get it to stop intercepting them ?

    thanx for the help !
     
  8. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Just install the 2.05p3 on top of the 2.05p2 without removing/saving anything.

    For your second question, the ethernet board has to be in promiscuous mode to see all packets. I don't know how to set this mode, and if it would be compatible with Look 'n' Stop. And it would work only if you are not using a router/switch.

    Frederic
     
  9. OlderMan

    OlderMan Registered Member

    Joined:
    Jul 19, 2006
    Posts:
    19
    so even tho I see these packets from another system on my network & I can make rules to filter them should I just ignore them completely ? I mean I am not really able to filter/control them correct ?

    Is there any way to get the log window to show if the connection in/out bound & if it was blocked or passed thru ?

    I do thank you all for the quick response & help !
     
  10. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, if Look 'n' Stop is showing you some packet you can filter them, for the PC where Look 'n' Stop is installed only (of course it will change nothing for the source/dest machine of the packet).

    But I'm not sure to understand your point.

    In the first column:
    U for Uplink/Out
    D for Downlink/In
    + if the packet is allowed
    - if the packet has been blocked

    Frederic
     
  11. OlderMan

    OlderMan Registered Member

    Joined:
    Jul 19, 2006
    Posts:
    19
    Sorry ! ! my bad, I did not notice the '+' or '-' on the left side...... DOH!

    I seem to get quite a few packets, usually 3-4 at a time, that show --
    TYPE=ETH... ADDRESS=FF:FF:FF:FF:FF:FF...... ADDITIONAL=type Ethernet 0054 it's an 'U' or outgoing packet that is blocked.
    Could this also be due to my Network card being in "promiscuous mode" and be causing my other question of seeing packets not going in/out of the system LnS is installed in ?

    And the beta version seems to have dropped the memory usage from 65meg to 3.6meg at the moment ! ! !
     
  12. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    By default your network adapter is probably not in promiscuous mode.
    Sorry for the confusion about that, I thought you initially asked how to get packets exchanged between two other machines. This is only why I mentioned that.

    FF:FF:FF:FF:FF:FF is a broadcast address, that's why for U packet sometimes you don't see the MAC address of the remote machine but this special address.

    type Ethernet 0054 could be related to NetBios protocol but I'm not sure.

    If everything is Ok with kind of packets blocked you can let the configuration as it is.

    Frederic
     
  13. OlderMan

    OlderMan Registered Member

    Joined:
    Jul 19, 2006
    Posts:
    19
    Have worked out quite a few of the kinks.. thanx to all the great help here.

    Many thanx for quick responses and dealing with a 'newbie' to this program. I kinda prefer this firewall to most of the others..Jetico/8signs to name a few.

    Of course I wish LnS had some of the things the others do, but overall this is really nice, and since I've dumped McAfee Ent. Pro anti-virus for NOD32 and dumped ZAP for LnS, my resource usage has dropped & the system is more responsive.

    I'm sure as I delve deeper into LnS I'll find more that I do not know and will be tossing out questions once again !
     