New 2.07b1 version

Hi All,

A new 2.07b1 beta version is available.

Here are the download links:

Update from a 2.06px (or if VC2005-SP1 libraries are installed yet):
32 bits version:
- English release
- French release
- Release with the translation plugin
64 bits version:
- English release
- French release
- Release with the translation plugin
(For an update, no need to uninstall your current version first.)

Fresh install (VC2005-SP1 libraries are not installed):
32 bits version:
- English release
- French release
- Release with the translation plugin (for other languages)
64 bits version:
- English release
- French release
- Release with the translation plugin

The content of this version:

Additions:

• Windows 7: Registration to the Action Center.
• 64 bits versions: Protocols detection.
• IPV6: Extension headers support (in filtering rules and packet content display).
• Support for ECE & CWR TCP flags (congestion control) in rule edition and packet content display.
• ICMPV6: for packet content display, added some new text description (for types 141 to 147)
• IGMP: display of the type in the log

Modifications:

• Vista SP1: Update of the registration to the security center.
• Improvements in protocol detection (available through the registry only).
• For applications starting themselves (typical case: Internet Explorer , it's now the initial application (i.e. the grand-parent application) that is detected as starting the application.
• Default rulesets are updated with IGMP, DHCPV6, and ICMPV6 rules to avoid systematic alerts in Vista/Windows7.
• Packet content display: TCP flags now are indicated through letters
• Software registration now requires an online activation
• Registration text (in "Registration" tab) now updates with the registration status.
• In the tray icon zone, added some alert message on some important events.
• The registry entry: [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort] is used to compute the maximum value of local port.

Fixes

• Sometimes some Application Connections popup contained pathname with "\Device\harddisk0…" format.
• Vista/Windows 7: the starting mode as a Service was sometimes available (notably after opening the Advanced Options dialog box and clicking Ok).
• When the configuration is locked with a password, some menus were no longer disabled after translation with the plugin.
• Some errors/crashes appeared with one of the driver when the Driver Verifier tool was used.
• Application Filtering IPV6: port & IP selection through range & mask were not working properly.
• Application Filtering: fixed a problem when full alerts (with IP and Port) were reported to the log with a high rate flow.

Any feedback welcome here.

Thanks,

Frederic

 

Superb release, .. and even though it's been released as beta, you can be sure it's a very stable release. I highly recommend everyone to upgrade.


Kudos Frederic!

 

Working very well!

Thanks Frederic

 

Must download and install?Is Automatic Update available?

 

Yes, you have to use one of the above links.
Automatic update is only for official releases (non-beta).

Frederic

 

Before I update, I would like to know if I will be able to activate my license multiple times on one computer. I am running multiple OSes.

Also, Phant0m, is your ruleset compatible with this release?

Thank you!

 

Hi redline,

It is allowed to use the same Look 'n' Stop licence for multiple OS on the same PC.

Yes, the P. Ruleset is compatible with this here version. Look 'n' Stop release notes though, would likely detail changes to the ruleset structure in anyway.

 

Frederic, can u post the MD5 hashas for the files above?

i keep getting corrupted file for LooknStop_Setup_207b1_VC2005.exe

thx!

 

Hi thylacine,

Here it is:
576A8FEA5355C5A87BA19C29C1C67E91 LooknStop_Setup_207b1_VC2005.exe

Did you try the standard setup (LooknStop_Setup_207b1.exe) ?
VC2005 libraries are very often installed yet, and there is no need to use the full setup.

Regards,

Frederic

 

frederic, maybe u need to check ur source.

no matter how i download it with various browsers, i'm still getting a corrupted file with this hash: 58e7846b84244707301efd41086d107d

 

You are right, there was a problem with the file on the server.
It is fixed now.

Frederic

 

yes! file is intact thx!

 

1)C:\WINDOWS\SYSTEM32\SERVICES.EXE & C:\WINDOWS\EXPLORER.EXE must be allowed or not? (Never meet these two issues in 2.05 & 2.06 editions, so I don't know yes or no)

2)The default value of 'Automatic start' is 'None'? (It seems to be 'System' in older editions)

 

Which version of windows are you running ?
Did you a fresh install or an update ?

For the 1), are Services.exe and Explorer.exe detected as connecting directly, or detected as a parent application ?
There are some changes in parent detection, that could explain you observe a difference now.

For the 2), there is no change there. Did Look 'n' Stop start automatically anyway ?

Thanks,

Frederic

 

Great additions there Fred! And the 965kb installer... lol... you really don't come around apps like this very often.
Working well here for a few days already, tried filtering CWR, ECE, all is good
Thank you and keep up the good work please.

 

Thanks, Frederic!

I'm running it on Windows XP Professional SP3,freshly installed maybe(Uninstalled 2.06p4 and then installed 2.07b1).

SERVICES.EXE is detected with SVHOST.EXE as its parent application.
EXPLORER.EXE is detected when Brower IE or Firefox launched.

And this morning, when I turned on my PC, WINLOGON.EXE came into detection, conecting the internet directly with no parent applications.

Look 'n' Stop does not start automatically, so I find 'None' becomes the default value. And it starts automatically after I set it as 'System'.

 

The new version is purring along beautifully here, cheers...

 

These new detections are normal with the 2.07b1. It comes from this changelog item:

For applications starting themselves (typical case: Internet Explorer 8 ), it's now the initial application (i.e. the grand-parent application) that is detected as starting the application.​

and from the fact the ActivatedSoon registry tweak is now enabled by default (it was the case already for x64 version, now it is the case for both versions).

Ok, in that case, there was a problem for the setup program to write into the HKLM/.../Run registry key.
Maybe you have another security software preventing applications to write there ?
Note that there is also a checkbox on the setup dialog box (for a fresh install) to have Look 'n' Stop started automatically. I assume you didn't untick this checkbox.

Regards,

Frederic

 

Thanks for the update Frederic!

Interesting installation:

1.) After installation and reboot I was asked to enter my registration info. I did this and then I was informed that LnS is not allowed to access the internet... hmm...

2.) So checking my logs I found an outbound attempt from the internet filtering (to "sherif1.hiwit.net"). But there is no block of the LnS application itself! When checking my list of application filtering, I could not see any entry for the application "LnS"... hmmm (see attached picture).

3.) So LnS.exe somehow passed the application filtering and was stopped at the internet connection level.

4.) Frederic, is this normal ?

Again, thanks for the awesome support of LnS!!!

Thomas

 

Hi Thomas,

Look 'n' Stop should detect itself as connecting to internet, and has to be allowed like any other application. There is no automatic authorization.
So I don't know what happened exactly.

Which kind of packets were blocked by the internet filtering ?

Did you finally succeed to register, still with no alert about Look 'n' Stop ?

Thanks,

Frederic

 

Frederic,

Re: 1)
09-15-09,20:08:16 U-18 'TCP : Block any other pa' 194.150.236.86 TCP Ports Dest:www-http=80 Src:1032

Re: 2)
Yes, after I allowed these packets in internet filtering, the registration worked fine.
This brings me to the point that LnS mentioned that without registration I will not have all features available. And actually, in the application filtering there was one column with buttons missing first (the one for "application starting another application"). Maybe application filtering is disabled until fully registered??

Now after registering everything is working fine

Thomas

 

I was getting occational BSOD with 2.06p4 with windbg suggesting lnsfw driver problem.
So I tried 2.07b1, still getting BSOD randomly.

Probably due to conflict with some other drivers, the only thing I think I might have changed recently at driver level was adding a UDF 2.5 driver.

Any comment would be appreciated.

Code:

**********Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Sep 15 21:01:42.258 2009 (GMT-4)
System Uptime: 0 days 15:40:48.282
Loading Kernel Symbols
...............................................................
................................................................
...............
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
Loading unloaded module list
*********************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {b2aed172, 2, 0, b831de74}

*** ERROR: Module load completed but symbols could not be loaded for lnsfw.sys
*** ERROR: Module load completed but symbols could not be loaded for vmnetbridge.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for VMNET.SYS - 
*** ERROR: Module load completed but symbols could not be loaded for vmnetuserif.sys
PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
Probably caused by : lnsfw.sys ( lnsfw+5e74 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: b2aed172, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: b831de74, address which referenced memory

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details

READ_ADDRESS:  b2aed172 

CURRENT_IRQL:  2

FAULTING_IP: 
lnsfw+5e74
b831de74 0fb602          movzx   eax,byte ptr [edx]

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  vmware-vmx.exe

TRAP_FRAME:  b2aec3bc -- (.trap 0xffffffffb2aec3bc)
ErrCode = 00000000
eax=89498f38 ebx=8a46dad0 ecx=000000b6 edx=b2aed172 esi=888a0736 edi=b2aec516
eip=b831de74 esp=b2aec430 ebp=b2aec430 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
lnsfw+0x5e74:
b831de74 0fb602          movzx   eax,byte ptr [edx]         ds:0023:b2aed172=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from b831de74 to 805446f0

STACK_TEXT:  
b2aec3bc b831de74 badb0d00 b2aed172 00000000 nt!KiTrap0E+0x238
WARNING: Stack unwind information not available. Following frames may be wrong.
b2aec430 b831e3f2 89498f38 b2aed172 00000002 lnsfw+0x5e74
b2aec470 b831b05f 89498f0c b2aec4ec 0000000e lnsfw+0x63f2
b2aecb14 b7bfc985 89494000 890f4e18 00000080 lnsfw+0x305f
b2aecb3c b62df528 89490150 890f4e18 890f4db0 NDIS!ndisMSendX+0x1d6
b2aecb78 b7bfc985 89491490 890f4e18 00000080 psched!MpSend+0x706
b2aecba0 b8458e30 892f0008 890f4e18 890fbf10 NDIS!ndisMSendX+0x1d6
b2aecbf4 b8598e0b 00000000 888a06e8 888c6008 vmnetbridge+0xe30
b2aecc20 b16d8222 00eeb8f0 890f3b38 888a06e8 VMNET!VNet_Send+0x175
b2aecc5c 80580487 890f3b38 00000001 194f4800 vmnetuserif+0x1222
b2aecd00 80579274 00000628 00000000 00000000 nt!IopXxxControlFile+0x255
b2aecd34 8054162c 00000628 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b2aecd34 7c90e514 00000628 00000000 00000000 nt!KiFastCallEntry+0xfc
0f32eb84 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
lnsfw+5e74
b831de74 0fb602          movzx   eax,byte ptr [edx]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  lnsfw+5e74

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: lnsfw

IMAGE_NAME:  lnsfw.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a99682b

FAILURE_BUCKET_ID:  0xD1_lnsfw+5e74

BUCKET_ID:  0xD1_lnsfw+5e74

Followup: MachineOwner
---------

 

Hi Thomas,

Yes, it looks like the trial period had expired yet before you install the 2.07b1, and there was no serial entered with the previous installed version.
In that case, the Application Filtering was disabled and it would explain why you didn't get alerts.

Regards,

Frederic

 

Could you send me the minidump file at lnssupport@soft4ever.com.
I used yet the Windbg information you provided to locate the issue, but I will have more information with the dump itself.

Thanks,

Frederic

 

sorry, due to frequent BSOD i had to go back to 2.06p4. i only had the kernel dump. The file was too big to send by email.

the last one was pointing to the same problem in lnsfw.sys: lnsfw+5e74

Code:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Sep 16 10:53:39.593 2009 (GMT-4)
System Uptime: 0 days 0:01:22.296
Loading Kernel Symbols
...............................................................
................................................................
.................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {b84e0288, 2, 0, b831de74}

*** ERROR: Module load completed but symbols could not be loaded for lnsfw.sys
Page 14fa5 not present in the dump file. Type ".hh dbgerr004" for details
*** ERROR: Module load completed but symbols could not be loaded for Rtenicxp.sys
PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
Probably caused by : lnsfw.sys ( lnsfw+5e74 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: b84e0288, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: b831de74, address which referenced memory

Debugging Details:
------------------

Page 14fa5 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details

READ_ADDRESS:  b84e0288 

CURRENT_IRQL:  2

FAULTING_IP: 
lnsfw+5e74
b831de74 0fb602          movzx   eax,byte ptr [edx]

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  ekrn.exe

TRAP_FRAME:  b84df6d8 -- (.trap 0xffffffffb84df6d8)
ErrCode = 00000000
eax=89482f38 ebx=89808308 ecx=000000b6 edx=b84e0288 esi=8980203c edi=b84df82c
eip=b831de74 esp=b84df74c ebp=b84df74c iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00210202
lnsfw+0x5e74:
b831de74 0fb602          movzx   eax,byte ptr [edx]         ds:0023:b84e0288=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from b831de74 to 805446f0

STACK_TEXT:  
b84df6d8 b831de74 badb0d00 b84e0288 8947ce48 nt!KiTrap0E+0x238
WARNING: Stack unwind information not available. Following frames may be wrong.
b84df74c b831ea1c 89482f38 b84e0288 00000002 lnsfw+0x5e74
b84df78c b8319ddc 89482f0c b84df7f0 0000000e lnsfw+0x6a1c
b84dfe10 b7c1eb9f 8947e000 89808370 898b8000 lnsfw+0x1ddc
b84dfe64 b636f1fc 002c5a58 b84dff04 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x1c2
b84dff9c b6371d1c 898b8000 8afe8ad0 898b8f00 Rtenicxp+0xb1fc
b84dffb4 b7c14e99 898b8000 01540783 b83409c0 Rtenicxp+0xdd1c
b84dffcc 80545e7f 898b8f14 898b8f00 00000000 NDIS!ndisMDpcX+0x21
b84dfff4 805459eb b14bcd44 00000000 00000000 nt!KiRetireDpcList+0x61
b84dfff8 b14bcd44 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2b
805459eb 00000000 00000009 0081850f bb830000 0xb14bcd44


STACK_COMMAND:  kb

FOLLOWUP_IP: 
lnsfw+5e74
b831de74 0fb602          movzx   eax,byte ptr [edx]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  lnsfw+5e74

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: lnsfw

IMAGE_NAME:  lnsfw.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a99682b

FAILURE_BUCKET_ID:  0xD1_lnsfw+5e74

BUCKET_ID:  0xD1_lnsfw+5e74

Followup: MachineOwner
---------