TCP Connection Leak from ZAPRO 8 (Vista x64 SP2)

Discussion in 'other firewalls' started by ring0_event, Jul 5, 2009.

Thread Status:
Not open for further replies.
  1. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    Hello. Hi. I have a new Inspiron 1545 laptop (will replace my desktop soon!), with Vista x64 SP2, 4 GB RAM, and a Marvell 88E8040 fast PCIe NIC. I also have ZAPRO 8.0.298.000. For antivirus I use ESET NOD32 (x64 version). Basically my issue is leaked TCP connections; that is, the network stack is littered with connections which are never closed. This is a serious, serious problem, as my system became a dog after 1 day of usage. After I uninstalled ZAPRO, the issue went away.

    I've noticed that TCP-Z shows me that my established TCP connections keep on increasing and almost never seem to go down as time goes by and I keep on accessing the Internet. Now I have only 1 IE instance running, and I currently have 303 established connections shown in TCP-Z! Also, I used "netstat -ab" to look at my connections, and I see in the system process a WHOLE SLEW of connections to sites which I had previously browsed but since closed. Moreover, "netstat -ab" confirms that I have a great deal of connections open. I checked with task manager just to make sure there were no runaway IE/Firefox processes, and there were none.

    It looks like there is a connection leak on my system! Can anyone confirm this with Vista x64 SP2, and ZAPRO running? I don't know where the problem is, but it is clearly a low-level issue of some kind, unless this is normal behaviour on Vista SP2. AFAIK, when a process terminates, its connections terminate with it. Otherwise insanity prevails.

    So my questions:
    a) Can anyone else with ZAPRO, Vista x64, and SP2 confirm this issue? I've already posted to the ZA boards.
    b) Could anyone recommend a replacement?

    Thanks!
     
  2. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Why are you running TCP-Z? Did you by-pass the TCP.sys limit of 10 max connections? Also you're running Zone Alarm and that ZAPRO has to run in the background, unless you stop running Zone Alarm.
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  4. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    I was running TCP-Z as you say to bypass the limit of 10 half open connections. Since TCP-Z modifies the memory in TCPIP.SYS, I'm guessing that ZA PRO would not be affected by this. But in any case, I did try to duplicate the issue without TCP-Z, using netstat to confirm my previous findings, and the results were the same as before.
     
  5. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
  6. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    OK, I have confirmed the issue using tcpview (thanks for the link). Does anyone else here use ZA Pro/free on Vista, and if so, could they confirm the issue?
     
  7. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    First, don't use TCP-Z to mod the TCPIP.SYS; use TCP/IP Universal Patcher.

    That will back up the TCPIP.SYS.
    Then you type in what size you want based off your router's max connections. I have one set to 200 and then set the software to use 100 to balance it out. Again this works on Windows Servers OS which is set to 100 max connections.

    TCP/IP Universal Patcher can be found here..
    http://deepxw.blogspot.com/2009/01/universal-tcpipsys-patch-v10-build.html

    I use TCP-Z just to monitor the connections to see how much of the limit is being allocated.
     
  8. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  9. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    Same here mostly, but I do modify the limit when I use bit torrent because while MS says that the limit is removed, I'm not sure that it really is, because TCP-Z reports that the current limit both in the file and in memory is 10. And I have Vista x64 SP2, which is supposed to remove this, but TCP-Z says otherwise.
     
  10. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
  11. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    confirmed what? the original patch was never needed for bt even when there was a limit
     
  12. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    Speaking from my own experience, I found that on XP SP2-3 the patch was needed for optimal download rates on bt. Now MS says that they have removed the limit on 7 and on Vista SP2 (also server 2008 SP2 I believe). However, TCP-Z indicates that the limit is still in place in Vista SP2 (at least for me)- contrary to what MS has said. This is all that I have meant to say on this, really. It has nothing to do really with the connection leaks which I noted in my first posting to my thread, except that I happened to first notice the leaks using TCP-Z.
     
  13. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    back to the original subject; using tcpview what apps keep what open and does that roughly translate to what you are doing on the comp. so browsing, downloading maybe shifting files on home network?
     
  14. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    Hi Cudni, when I launch Firefox with several tabs deployed, I quite clearly see within tcpview the connections which Firefox has open. When I close Firefox, the connections do not all disappear. Later they appear in the system process as opposed to the once loaded Firefox process. Contrast this to the case with ZA Pro uninstalled, where this does not happen at all. If I keep on opening and closing Firefox, the number of stray TCP connections keeps on growing, instead of closing. I could easily at the end of the day end up with 1000+ open connections and my computer as slow as h*ll. Clearly there is an issue on my laptop (even with NOD32 uninstalled). If I have a chance I'll see if I can test this with free ZA on other machines later in the week.
     
  15. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA

    TCPVIEW is okay but what does TCP-Z show? How do you have so many open connections? Are you seeding several files also? What client of BT are you running? Sounds like it's leaving ports open. Are you running a firewall on that system?

    Wait, are you using a wireless laptop with BT connections? Wired or wireless?
     
  16. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    Hi, I can reproduce the issue only with Firefox and with more difficulty, IE. BT does not have to enter the picture. Also, AFAIK, when a process exits, then ALL its connections must be closed. This is what I observed when I had uninstalled ZA. I only have connections linger when I have ZA installed. This system has a router, a wired Linksys router, and the host has ZA Pro 8.0.400.020.
     
  17. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA

    Then use another firewall. I can't use ZA and some of the others; only PC Tools Firewall Plus 3.14 and Rising Personal Firewall International Free work very well. Rising is better though.
     
  18. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    One more data point: at work, I have a Vista SP1 (x64) test machine, and so I installed the latest ZA and performed my usual tests. I did NOT have the issue at all! Tomorrow I will upgrade it to SP2 and I'll post the results. I will also see if I can borrow a USB network adapter and try it here at home on my problematic laptop.
     
  19. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    Continuing here from the official Zone Alarm forums:

    I have some new information. First, I'll start out by saying that when I first received the laptop, I wiped it clean, and reinstalled Windows Vista SP1 from the DVD, then installed NOD32, then all updates, and then Vista SP2. I used the latest drivers as well, but I should verify that. So I don't think there are any oddball apps which are in the background here. The only other low level software which I have installed is ESET NOD32 (64 bit version), and even when uninstalled I had the issue. Of course, I don't know the source of the problem.

    The new information is this: I acquired a USB to ethernet controller, and even with only this network device installed, I still have the problem. Next I tried with Comodo free firewall, and the problem disappeared.

    Now this thread is a bit abbreviated from the Zone Alarm forum version, but to make a long story short, I tried at work on Vista x64 SP1-2, and XP SP2 x86, and I did NOT reproduce the issue. These were all desktops. One hell of a problem, that's for sure. If anyone is interested, they can view the slightly longer thread on the Zone Alarm forum here:

    http://forum.zonelabs.org/zonelabs/...thread.id=57424&view=by_date_ascending&page=1
     
  20. ring0_event

    ring0_event Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    12
    Update: ZA tech support replied to me, and said that they had been unable to duplicate the issue on XP Pro, Vista 32 and Vista 64 (both ultimate). When I get home I will pass them my system NFO file. Perhaps I should have mentioned that I have Vista x64 SP2 *Home premium* (whatever the "premium" means). I will note this fact to them in my email, and tell them that even with another network adapter the problem with leaked connections using ZA persisted.

    Obviously this problem is pretty hard to reproduce, but I'm not sure that most users would spot it.
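
The before/after check described in this thread (connections that stay ESTABLISHED and show up under the System process after the browser has exited), as an added example that is not part of any post. It compares two `netstat -ano` snapshots; the snapshot text is constructed, and PID 3120 for the browser is an assumption.

```python
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "local remote state pid")
SYSTEM_PID = 4  # the System process on Windows

# Constructed `netstat -ano` snapshots; PID 3120 stands in for the browser.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49201     203.0.113.10:80        ESTABLISHED     3120
  TCP    192.168.1.10:49202     203.0.113.11:443       ESTABLISHED     3120
  TCP    192.168.1.10:49203     198.51.100.7:80        ESTABLISHED     3120
  TCP    [::1]:49210            [::1]:49211            ESTABLISHED     1500
  UDP    0.0.0.0:5355           *:*                                    1204
"""
AFTER = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49201     203.0.113.10:80        ESTABLISHED     4
  TCP    192.168.1.10:49202     203.0.113.11:443       ESTABLISHED     4
  TCP    192.168.1.10:49203     198.51.100.7:80        TIME_WAIT       0
  TCP    [::1]:49210            [::1]:49211            ESTABLISHED     1500
"""

def parse_netstat(text):
    """Return TCP rows; headers and UDP rows (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].upper() == "TCP" and f[4].isdigit():
            rows.append(Conn(f[1], f[2], f[3], int(f[4])))
    return rows

def established_per_pid(conns):
    return Counter(c.pid for c in conns if c.state == "ESTABLISHED")

def reattributed(before, after, exited_pid):
    """Sockets exited_pid owned that are still ESTABLISHED under another PID."""
    owned = {(c.local, c.remote) for c in before
             if c.pid == exited_pid and c.state == "ESTABLISHED"}
    return [c for c in after if c.state == "ESTABLISHED"
            and (c.local, c.remote) in owned and c.pid != exited_pid]

if __name__ == "__main__":
    before, after = parse_netstat(BEFORE), parse_netstat(AFTER)
    for c in reattributed(before, after, exited_pid=3120):
        tag = "System" if c.pid == SYSTEM_PID else "other"
        print(f"{c.local} -> {c.remote} now owned by PID {c.pid} ({tag})")
    print(dict(established_per_pid(after)))
```

A connection in TIME_WAIT after the owner exits is normal teardown and is not reported; only sockets that remain ESTABLISHED under a different PID are.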
     