New 2.07b1 version

Discussion in 'LnS English Forum' started by Frederic, Sep 12, 2009.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi All,

    A new 2.07b1 beta version is available.

    Here are the download links:

    Update from a 2.06px (or if VC2005-SP1 libraries are already installed):
    32 bits version:
    - English release
    - French release
    - Release with the translation plugin
    64 bits version:
    - English release
    - French release
    - Release with the translation plugin
    (For an update, no need to uninstall your current version first.)

    Fresh install (VC2005-SP1 libraries are not installed):
    32 bits version:
    - English release
    - French release
    - Release with the translation plugin (for other languages)
    64 bits version:
    - English release
    - French release
    - Release with the translation plugin

    The content of this version:

    Additions:
    • Windows 7: Registration to the Action Center.
    • 64 bits versions: Protocols detection.
    • IPV6: Extension headers support (in filtering rules and packet content display).
    • Support for ECE & CWR TCP flags (congestion control) in rule edition and packet content display.
    • ICMPV6: for packet content display, added some new text description (for types 141 to 147)
    • IGMP: display of the type in the log
    Modifications:
    • Vista SP1: Update of the registration to the security center.
    • Improvements in protocol detection (available through the registry only).
    • For applications starting themselves (typical case: Internet Explorer 8), it's now the initial application (i.e. the grand-parent application) that is detected as starting the application.
    • Default rulesets are updated with IGMP, DHCPV6, and ICMPV6 rules to avoid systematic alerts in Vista/Windows7.
    • Packet content display: TCP flags now are indicated through letters
    • Software registration now requires an online activation
    • Registration text (in "Registration" tab) now updates with the registration status.
    • In the tray icon zone, added some alert message on some important events.
    • The registry entry: [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort] is used to compute the maximum value of local port.
    Fixes
    • Sometimes some Application Connections popup contained pathname with "\Device\harddisk0…" format.
    • Vista/Windows 7: the starting mode as a Service was sometimes available (notably after opening the Advanced Options dialog box and clicking Ok).
    • When the configuration is locked with a password, some menus were no longer disabled after translation with the plugin.
    • Some errors/crashes appeared with one of the drivers when the Driver Verifier tool was used.
    • Application Filtering IPV6: port & IP selection through range & mask were not working properly.
    • Application Filtering: fixed a problem when full alerts (with IP and Port) were reported to the log with a high rate flow.
    Any feedback welcome here.

    Thanks,

    Frederic
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Superb release, .. and even though it's been released as beta, you can be sure it's a very stable release. I highly recommend everyone to upgrade.


    Kudos Frederic! :)
     
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Working very well! :thumb:

    Thanks Frederic
     
  4. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Must download and install? Is Automatic Update available?
     
  5. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, you have to use one of the above links.
    Automatic update is only for official releases (non-beta).

    Frederic
     
  6. redline

    redline Registered Member

    Joined:
    May 30, 2006
    Posts:
    19
    Before I update, I would like to know if I will be able to activate my license multiple times on one computer. I am running multiple OSes.

    Also, Phant0m, is your ruleset compatible with this release?

    Thank you!
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi redline,

    It is allowed to use the same Look 'n' Stop licence for multiple OS on the same PC.

    Yes, the P. Ruleset is compatible with this here version. Look 'n' Stop release notes though, would likely detail changes to the ruleset structure in anyway. ;)
     
  8. thylacine

    thylacine Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    41
    Frederic, can u post the MD5 hashes for the files above?

    i keep getting corrupted file for LooknStop_Setup_207b1_VC2005.exe

    thx!
     
  9. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi thylacine,

    Here it is:
    576A8FEA5355C5A87BA19C29C1C67E91 LooknStop_Setup_207b1_VC2005.exe

    Did you try the standard setup (LooknStop_Setup_207b1.exe) ?
    VC2005 libraries are very often already installed, and there is no need to use the full setup.

    Regards,

    Frederic
     
  10. thylacine

    thylacine Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    41
    frederic, maybe u need to check ur source.

    no matter how i download it with various browsers, i'm still getting a corrupted file with this hash: 58e7846b84244707301efd41086d107d
     
  11. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    You are right, there was a problem with the file on the server.
    It is fixed now.

    Frederic
     
  12. thylacine

    thylacine Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    41
    yes! file is intact :D thx!
     
  13. isail

    isail Registered Member

    Joined:
    Apr 4, 2008
    Posts:
    16
    Location:
    Mianyang, Sichuan, China
    1) C:\WINDOWS\SYSTEM32\SERVICES.EXE & C:\WINDOWS\EXPLORER.EXE must be allowed or not? (Never meet these two issues in 2.05 & 2.06 editions, so I don't know yes or no)

    2) The default value of 'Automatic start' is 'None'? (It seems to be 'System' in older editions)
     
    Last edited: Sep 14, 2009
  14. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Which version of Windows are you running?
    Did you do a fresh install or an update?

    For the 1), are Services.exe and Explorer.exe detected as connecting directly, or detected as a parent application?
    There are some changes in parent detection that could explain why you observe a difference now.

    For the 2), there is no change there. Did Look 'n' Stop start automatically anyway ?

    Thanks,

    Frederic
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Great additions there Fred! And the 965kb installer... lol... you really don't come around apps like this very often.
    Working well here for a few days already, tried filtering CWR, ECE, all is good :thumb:
    Thank you and keep up the good work please.
     
  16. isail

    isail Registered Member

    Joined:
    Apr 4, 2008
    Posts:
    16
    Location:
    Mianyang, Sichuan, China
    Thanks, Frederic!

    I'm running it on Windows XP Professional SP3, freshly installed maybe (uninstalled 2.06p4 and then installed 2.07b1).

    SERVICES.EXE is detected with SVHOST.EXE as its parent application.
    EXPLORER.EXE is detected when browser IE or Firefox is launched.

    And this morning, when I turned on my PC, WINLOGON.EXE came into detection, connecting to the internet directly with no parent applications.

    Look 'n' Stop does not start automatically, so I find 'None' becomes the default value. And it starts automatically after I set it as 'System'.
     
  17. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    The new version is purring along beautifully here, cheers...:thumb: :D
     
  18. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    These new detections are normal with the 2.07b1. It comes from this changelog item:
    For applications starting themselves (typical case: Internet Explorer 8 ), it's now the initial application (i.e. the grand-parent application) that is detected as starting the application.
    and from the fact the ActivatedSoon registry tweak is now enabled by default (it was the case already for x64 version, now it is the case for both versions).

    Ok, in that case, there was a problem for the setup program to write into the HKLM/.../Run registry key.
    Maybe you have another security software preventing applications from writing there?
    Note that there is also a checkbox on the setup dialog box (for a fresh install) to have Look 'n' Stop started automatically. I assume you didn't untick this checkbox.

    Regards,

    Frederic
     
  19. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Thanks for the update Frederic!

    Interesting installation:

    1.) After installation and reboot I was asked to enter my registration info. I did this and then I was informed that LnS is not allowed to access the internet... hmm...

    2.) So checking my logs I found an outbound attempt from the internet filtering (to "sherif1.hiwit.net"). But there is no block of the LnS application itself! When checking my list of application filtering, I could not see any entry for the application "LnS"... hmmm (see attached picture).

    3.) So LnS.exe somehow passed the application filtering and was stopped at the internet connection level.

    4.) Frederic, is this normal o_O ?

    Again, thanks for the awesome support of LnS!!!

    Thomas :)
     


  20. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Thomas,

    Look 'n' Stop should detect itself as connecting to internet, and has to be allowed like any other application. There is no automatic authorization.
    So I don't know what happened exactly.

    Which kind of packets were blocked by the internet filtering ?

    Did you finally succeed in registering, still with no alert about Look 'n' Stop?

    Thanks,

    Frederic
     
  21. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Frederic,

    Re: 1)
    09-15-09,20:08:16 U-18 'TCP : Block any other pa' 194.150.236.86 TCP Ports Dest:www-http=80 Src:1032

    Re: 2)
    Yes, after I allowed these packets in internet filtering, the registration worked fine.
    This brings me to the point that LnS mentioned that without registration I will not have all features available. And actually, in the application filtering there was one column with buttons missing first (the one for "application starting another application"). Maybe application filtering is disabled until fully registered??

    Now after registering everything is working fine :)

    Thomas
     
  22. vince100

    vince100 Registered Member

    Joined:
    Dec 9, 2007
    Posts:
    5
    I was getting occasional BSOD with 2.06p4 with windbg suggesting lnsfw driver problem.
    So I tried 2.07b1, still getting BSOD randomly.

    Probably due to conflict with some other drivers, the only thing I think I might have changed recently at driver level was adding a UDF 2.5 driver.

    Any comment would be appreciated.

    Code:
    
    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\WINDOWS\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available
    
    Symbol search path is: SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp3_gdr.090206-1234
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
    Debug session time: Tue Sep 15 21:01:42.258 2009 (GMT-4)
    System Uptime: 0 days 15:40:48.282
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...............
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck D1, {b2aed172, 2, 0, b831de74}
    
    *** ERROR: Module load completed but symbols could not be loaded for lnsfw.sys
    *** ERROR: Module load completed but symbols could not be loaded for vmnetbridge.sys
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for VMNET.SYS - 
    *** ERROR: Module load completed but symbols could not be loaded for vmnetuserif.sys
    PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
    PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
    Probably caused by : lnsfw.sys ( lnsfw+5e74 )
    
    Followup: MachineOwner
    ---------
    
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: b2aed172, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000000, value 0 = read operation, 1 = write operation
    Arg4: b831de74, address which referenced memory
    
    Debugging Details:
    ------------------
    
    PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
    PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
    
    READ_ADDRESS:  b2aed172 
    
    CURRENT_IRQL:  2
    
    FAULTING_IP: 
    lnsfw+5e74
    b831de74 0fb602          movzx   eax,byte ptr [edx]
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    BUGCHECK_STR:  0xD1
    
    PROCESS_NAME:  vmware-vmx.exe
    
    TRAP_FRAME:  b2aec3bc -- (.trap 0xffffffffb2aec3bc)
    ErrCode = 00000000
    eax=89498f38 ebx=8a46dad0 ecx=000000b6 edx=b2aed172 esi=888a0736 edi=b2aec516
    eip=b831de74 esp=b2aec430 ebp=b2aec430 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
    lnsfw+0x5e74:
    b831de74 0fb602          movzx   eax,byte ptr [edx]         ds:0023:b2aed172=??
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from b831de74 to 805446f0
    
    STACK_TEXT:  
    b2aec3bc b831de74 badb0d00 b2aed172 00000000 nt!KiTrap0E+0x238
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b2aec430 b831e3f2 89498f38 b2aed172 00000002 lnsfw+0x5e74
    b2aec470 b831b05f 89498f0c b2aec4ec 0000000e lnsfw+0x63f2
    b2aecb14 b7bfc985 89494000 890f4e18 00000080 lnsfw+0x305f
    b2aecb3c b62df528 89490150 890f4e18 890f4db0 NDIS!ndisMSendX+0x1d6
    b2aecb78 b7bfc985 89491490 890f4e18 00000080 psched!MpSend+0x706
    b2aecba0 b8458e30 892f0008 890f4e18 890fbf10 NDIS!ndisMSendX+0x1d6
    b2aecbf4 b8598e0b 00000000 888a06e8 888c6008 vmnetbridge+0xe30
    b2aecc20 b16d8222 00eeb8f0 890f3b38 888a06e8 VMNET!VNet_Send+0x175
    b2aecc5c 80580487 890f3b38 00000001 194f4800 vmnetuserif+0x1222
    b2aecd00 80579274 00000628 00000000 00000000 nt!IopXxxControlFile+0x255
    b2aecd34 8054162c 00000628 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    b2aecd34 7c90e514 00000628 00000000 00000000 nt!KiFastCallEntry+0xfc
    0f32eb84 00000000 00000000 00000000 00000000 0x7c90e514
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    lnsfw+5e74
    b831de74 0fb602          movzx   eax,byte ptr [edx]
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  lnsfw+5e74
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: lnsfw
    
    IMAGE_NAME:  lnsfw.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4a99682b
    
    FAILURE_BUCKET_ID:  0xD1_lnsfw+5e74
    
    BUCKET_ID:  0xD1_lnsfw+5e74
    
    Followup: MachineOwner
    ---------
    
    
     
  23. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Thomas,

    Yes, it looks like the trial period had already expired before you installed the 2.07b1, and there was no serial entered with the previously installed version.
    In that case, the Application Filtering was disabled and it would explain why you didn't get alerts.

    Regards,

    Frederic
     
  24. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Could you send me the minidump file at lnssupport@soft4ever.com.
    I have already used the Windbg information you provided to locate the issue, but I will have more information with the dump itself.

    Thanks,

    Frederic
     
  25. vince100

    vince100 Registered Member

    Joined:
    Dec 9, 2007
    Posts:
    5
    sorry, due to frequent BSOD i had to go back to 2.06p4. i only had the kernel dump. The file was too big to send by email.

    the last one was pointing to the same problem in lnsfw.sys: lnsfw+5e74

    Code:
    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\WINDOWS\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available
    
    Symbol search path is: SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp3_gdr.090206-1234
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
    Debug session time: Wed Sep 16 10:53:39.593 2009 (GMT-4)
    System Uptime: 0 days 0:01:22.296
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    .....
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck D1, {b84e0288, 2, 0, b831de74}
    
    *** ERROR: Module load completed but symbols could not be loaded for lnsfw.sys
    Page 14fa5 not present in the dump file. Type ".hh dbgerr004" for details
    *** ERROR: Module load completed but symbols could not be loaded for Rtenicxp.sys
    PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
    PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
    Probably caused by : lnsfw.sys ( lnsfw+5e74 )
    
    Followup: MachineOwner
    ---------
    
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: b84e0288, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000000, value 0 = read operation, 1 = write operation
    Arg4: b831de74, address which referenced memory
    
    Debugging Details:
    ------------------
    
    Page 14fa5 not present in the dump file. Type ".hh dbgerr004" for details
    PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
    PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
    
    READ_ADDRESS:  b84e0288 
    
    CURRENT_IRQL:  2
    
    FAULTING_IP: 
    lnsfw+5e74
    b831de74 0fb602          movzx   eax,byte ptr [edx]
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    BUGCHECK_STR:  0xD1
    
    PROCESS_NAME:  ekrn.exe
    
    TRAP_FRAME:  b84df6d8 -- (.trap 0xffffffffb84df6d8)
    ErrCode = 00000000
    eax=89482f38 ebx=89808308 ecx=000000b6 edx=b84e0288 esi=8980203c edi=b84df82c
    eip=b831de74 esp=b84df74c ebp=b84df74c iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00210202
    lnsfw+0x5e74:
    b831de74 0fb602          movzx   eax,byte ptr [edx]         ds:0023:b84e0288=??
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from b831de74 to 805446f0
    
    STACK_TEXT:  
    b84df6d8 b831de74 badb0d00 b84e0288 8947ce48 nt!KiTrap0E+0x238
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b84df74c b831ea1c 89482f38 b84e0288 00000002 lnsfw+0x5e74
    b84df78c b8319ddc 89482f0c b84df7f0 0000000e lnsfw+0x6a1c
    b84dfe10 b7c1eb9f 8947e000 89808370 898b8000 lnsfw+0x1ddc
    b84dfe64 b636f1fc 002c5a58 b84dff04 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x1c2
    b84dff9c b6371d1c 898b8000 8afe8ad0 898b8f00 Rtenicxp+0xb1fc
    b84dffb4 b7c14e99 898b8000 01540783 b83409c0 Rtenicxp+0xdd1c
    b84dffcc 80545e7f 898b8f14 898b8f00 00000000 NDIS!ndisMDpcX+0x21
    b84dfff4 805459eb b14bcd44 00000000 00000000 nt!KiRetireDpcList+0x61
    b84dfff8 b14bcd44 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2b
    805459eb 00000000 00000009 0081850f bb830000 0xb14bcd44
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    lnsfw+5e74
    b831de74 0fb602          movzx   eax,byte ptr [edx]
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  lnsfw+5e74
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: lnsfw
    
    IMAGE_NAME:  lnsfw.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4a99682b
    
    FAILURE_BUCKET_ID:  0xD1_lnsfw+5e74
    
    BUCKET_ID:  0xD1_lnsfw+5e74
    
    Followup: MachineOwner
    ---------
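
Added example, not part of the original thread: a small Python parser for the `!analyze -v` text posted above, which groups the two crashes by failure bucket and faulting instruction and shows that the same `lnsfw+5e74` read fault is reached from both an NDIS send path and an NDIS receive path. The function names and the trimmed sample strings are this example's own; the values in them are copied from the two dumps above.

```python
import re

# Excerpts of the two `!analyze -v` outputs posted in this thread; values are
# copied from those posts, with some stack frames and fields omitted.
DUMP_A = """\
BugCheck D1, {b2aed172, 2, 0, b831de74}
PROCESS_NAME:  vmware-vmx.exe
STACK_TEXT:
b2aec3bc b831de74 badb0d00 b2aed172 00000000 nt!KiTrap0E+0x238
WARNING: Stack unwind information not available. Following frames may be wrong.
b2aec430 b831e3f2 89498f38 b2aed172 00000002 lnsfw+0x5e74
b2aecb14 b7bfc985 89494000 890f4e18 00000080 lnsfw+0x305f
b2aecb3c b62df528 89490150 890f4e18 890f4db0 NDIS!ndisMSendX+0x1d6
b2aecbf4 b8598e0b 00000000 888a06e8 888c6008 vmnetbridge+0xe30

FAILURE_BUCKET_ID:  0xD1_lnsfw+5e74
"""
DUMP_B = """\
BugCheck D1, {b84e0288, 2, 0, b831de74}
PROCESS_NAME:  ekrn.exe
STACK_TEXT:
b84df6d8 b831de74 badb0d00 b84e0288 8947ce48 nt!KiTrap0E+0x238
WARNING: Stack unwind information not available. Following frames may be wrong.
b84df74c b831ea1c 89482f38 b84e0288 00000002 lnsfw+0x5e74
b84dfe10 b7c1eb9f 8947e000 89808370 898b8000 lnsfw+0x1ddc
b84dfe64 b636f1fc 002c5a58 b84dff04 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x1c2
b84dff9c b6371d1c 898b8000 8afe8ad0 898b8f00 Rtenicxp+0xb1fc

FAILURE_BUCKET_ID:  0xD1_lnsfw+5e74
"""

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
FIELD = re.compile(r"^([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", re.M)
FRAME = re.compile(r"^[0-9a-f]{8}(?: [0-9a-f]{8}){4} (\S+)$")

def parse_analyze(text):
    """Parse WinDbg `!analyze -v` text into code, args, fields and frames."""
    m = BUGCHECK.search(text)
    if m is None:
        raise ValueError("no BugCheck line found")
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and not line.strip():
            break  # a blank line ends the stack listing
        elif in_stack and (fm := FRAME.match(line.strip())):
            frames.append(fm.group(1))  # the WARNING line matches nothing
    args = [int(a, 16) for a in m.group(2).split(",")]
    fields = dict(FIELD.findall(text))
    return {"code": int(m.group(1), 16), "args": args, "fields": fields, "frames": frames}

def summarize(text):
    """Reduce one dump to the facts used to group and compare crashes."""
    d = parse_analyze(text)
    # 0xD1 args as listed in the dump: address, IRQL, 0=read/1=write, faulting IP.
    _ref, irql, is_write, fault_ip = d["args"]
    path = []
    for frame in d["frames"]:  # innermost frame first
        module = re.split(r"[!+]", frame)[0]
        if not path or path[-1] != module:
            path.append(module)
    return {
        "bucket": d["fields"].get("FAILURE_BUCKET_ID"),
        "process": d["fields"].get("PROCESS_NAME"),
        "access": "write" if is_write else "read",
        "irql": irql,
        "fault_ip": fault_ip,
        "path": path,
        "ndis_entry": next((f for f in d["frames"] if f.startswith("NDIS!")), None),
    }

def same_root_cause(a, b):
    return a["bucket"] == b["bucket"] and a["fault_ip"] == b["fault_ip"]
```

`summarize(DUMP_A)` and `summarize(DUMP_B)` differ in process name and in the module below NDIS, while `same_root_cause` returns true for the pair.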
    
    
     