Jump to content

Local security authority process


Go to solution Solved by Peter Randziak,

Recommended Posts

Oh my gosh, a post by me with questions ! :huh:

 

Recently ive noticed this process using copious amounts of memory. Around 200-500k

 

Things ive recently changed :
 

Updated waterfox to version 24 (Dont do this, the flash bug from firefox 24 exists and alex hasnt updated yet) So i now use firefox, :angry:

SSL Scanning

Installed Bitcoin wallet

Ive been trying out ZoneAlarms firewall. Its by Check Point and i really like those guys from using Pointsec for encryption.

I started watching netflix again lately. LOL

 

Nothing else i can think of, but i know the process is used for ACL decisions, so i dont know.

Anyone seen this lately ?

 

I recently disabled SSL to see if my issues go away.

 

Right now its using 8,156 K  :blink:  - So its as if nothings wrong.

Edited by Arakasi
Link to post
Share on other sites

Indeed it does.

With each new secure address i visit, along with the prompts for trust.

I would assume it may go away when the connection is either closed or if i have shutdown firefox. ( It climbs with IE 11 as well )

However it remains in memory.

 

Is this a new issue or a pre-existing ?

 

 

_________________________________

Virus signature database: 9124P (20131203)
Rapid Response module: 3381 (20131203)
Update module: 1047 (20131023)
Antivirus and antispyware scanner module: 1415 (20131127)
Advanced heuristics module: 1145 (20131121)
Archive support module: 1186 (20131125)
Cleaner module: 1081 (20131127)
Anti-Stealth support module: 1056 (20131112)
ESET SysInspector module: 1239 (20131022)
Real-time file system protection module: 1009 (20130301)
Translation support module: 1131 (20131004)
HIPS support module: 1104B (20131129)
Internet protection module: 1092 (20131125)
Database module: 1044 (20131108)

_________________________________

Link to post
Share on other sites
  • ESET Moderators
Hello Arakasi,

 

some of our requests to decrypt communication are being handled by lsass.exe.

The issue is that lsass.exe does not close the thread immediately but it waits for longer timeout if there wouldn't be more requests in the same session.

This issue is most significant on Windows XP.

 

To work around it, create a DWORD registry value in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa named GeneralThreadLifespan, set it to something low like 3, and reboot.

This option sets for how long threads in lsass.exe wait with nothing to do before terminating (and releasing unneeded memory). The default value that is causing the issue is 60.

Link to post
Share on other sites
  • ESET Moderators

Hello Arakasi,

 

just to be sure, delete the reg key, and merge this into your registry.

It should be the same, but just to be sure.

 

If the issue will persist please disable Self-defense or entire HIPS, restart the PC and reproduce the issue.

If the memory consumption by lsass.exe would be high kill ekrn.exe and observe if lsass will free the memory and report your findings back.

 

P.S.

Is the lsass.exe freeing the memory after a periond of time (2 minutes or more) or it's memory consumption is just rising?

Link to post
Share on other sites

Killing ekrn did not release any memory from lsass

The correct registry key was added. Issue still persists. Tested on another computer at office. Same issue.

 

lsass.exe is not freeing memory after a period of time, it stays static on the same amount, unless a new browser is opened to a secure page, then it climbs again.

It does not rise when idle.

Link to post
Share on other sites
  • ESET Staff

Hello Arakasi,

 

It looks like you're running the firewalling driver of ZoneAlarm called vsdatant.sys, which is known to have conflicts with application protocol filtering of Eset Smart Security due to a bug in ZoneAlarm. Would you please try to uninstall ZoneAlarm to see if it resolves the issue?

 

Thank you.

Link to post
Share on other sites

I will add this to the list of tried things, however before i perform this action, know that i have a second computer at my office, experiencing the same thing, without zone alarm.

I did NOT install ZA on the office machine i am also having this issue on.

 

I also am not using ESET Smart Security.

Edited by Arakasi
Link to post
Share on other sites

The problem still exists after uninstalling Zone Alarm.

Also add that i closed Cylance, and Stopped the service all-together, as well, to eliminate Cylance as a possible issue.

However i dont think it even looks at ssl.

Something else must be going on. :)

Thank you MMx for assisting me with my issue, i will continue to be cooperative.

Edited by Arakasi
Link to post
Share on other sites
  • ESET Staff

I also am not using ESET Smart Security.

Sorry for that, we're using ESS for a lot of Eset products for lack of a better word ;)

 

If you plan to use ZoneAlarm along with application protocol filtering, you should be aware that this combination may cause under certain (unpredictable) circumstances that some web pages will not load.

 

I'm afraid that the only way to find out what's going on here is to debug the problematic machine, since we don't have any solid information about the internal workings of Windows. That means replicating the problem in our environment. I'll try to do that and see what I can see.

Link to post
Share on other sites

I was just testing Zone Alarm :) probably won't reinstall.

Let me know if you have any questions about my environment that may not have been obtained from sysinspector.

Or if any questions, ill be here

Link to post
Share on other sites
  • 2 weeks later...

Bump, and asking for an update please. No rush for me, but other customers are starting to experience this and it is causing a grip of issues elsewhere.

Add tommy456 as another user experience lsass issues.

Link to post
Share on other sites
  • ESET Staff

Unfortunatelly this looks like an issue with the way lsass handles memory allocations/releases, which is beyond our control. We'll communicate the issue to Microsoft, but these things usually take time.

Link to post
Share on other sites
  • 2 months later...
  • 2 weeks later...
  • ESET Moderators
  • Solution

Hello,

 

the issue is fixed in Internet protection module: 1110 + (now available on pre-release update servers)

Please report any excessive memory usage (hundreds of MB) of lsass related to SSL filtering with any newer version.

 

Thank you for reporting this issue and for cooperation.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...