Local security authority process

[Arakasi 549]

Oh my gosh, a post by me with questions !

 

Recently ive noticed this process using copious amounts of memory. Around 200-500k

 

Things ive recently changed :
 

Updated waterfox to version 24 (Dont do this, the flash bug from firefox 24 exists and alex hasnt updated yet) So i now use firefox,

SSL Scanning

Installed Bitcoin wallet

Ive been trying out ZoneAlarms firewall. Its by Check Point and i really like those guys from using Pointsec for encryption.

I started watching netflix again lately. LOL

 

Nothing else i can think of, but i know the process is used for ACL decisions, so i dont know.

Anyone seen this lately ?

 

I recently disabled SSL to see if my issues go away.

 

Right now its using 8,156 K    - So its as if nothings wrong.

Edited December 3, 2013 by Arakasi

[Peter Randziak 948]

Hello Arakasi,

 

if you re-enable SSL scanning the memory consumption of lsass.exe starts to grow rapidly?

[Arakasi 549]

Indeed it does.

With each new secure address i visit, along with the prompts for trust.

I would assume it may go away when the connection is either closed or if i have shutdown firefox. ( It climbs with IE 11 as well )

However it remains in memory.

 

Is this a new issue or a pre-existing ?

 

 

_________________________________

Virus signature database: 9124P (20131203)
Rapid Response module: 3381 (20131203)
Update module: 1047 (20131023)
Antivirus and antispyware scanner module: 1415 (20131127)
Advanced heuristics module: 1145 (20131121)
Archive support module: 1186 (20131125)
Cleaner module: 1081 (20131127)
Anti-Stealth support module: 1056 (20131112)
ESET SysInspector module: 1239 (20131022)
Real-time file system protection module: 1009 (20130301)
Translation support module: 1131 (20131004)
HIPS support module: 1104B (20131129)
Internet protection module: 1092 (20131125)
Database module: 1044 (20131108)

_________________________________

[Arakasi 549]

I can add that its reporting to the security logs every time like its suppose to . . .

Edited December 3, 2013 by Arakasi

[Arakasi 549]

Adding, that it may be isolated to the protocol , same with Opera browser.

[Peter Randziak 948]

Hello Arakasi,

 

some of our requests to decrypt communication are being handled by lsass.exe.

The issue is that lsass.exe does not close the thread immediately but it waits for longer timeout if there wouldn't be more requests in the same session.

This issue is most significant on Windows XP.

 

To work around it, create a DWORD registry value in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa named GeneralThreadLifespan, set it to something low like 3, and reboot.

This option sets for how long threads in lsass.exe wait with nothing to do before terminating (and releasing unneeded memory). The default value that is causing the issue is 60.

[Arakasi 549]

Thanks Peter for your reply,

 

I created the key as instructed, then rebooted the computer.

The problem still persists however.

Edited December 3, 2013 by Arakasi

[Peter Randziak 948]

Hello Arakasi,

 

just to be sure, delete the reg key, and merge this into your registry.

It should be the same, but just to be sure.

 

If the issue will persist please disable Self-defense or entire HIPS, restart the PC and reproduce the issue.

If the memory consumption by lsass.exe would be high kill ekrn.exe and observe if lsass will free the memory and report your findings back.

 

P.S.

Is the lsass.exe freeing the memory after a periond of time (2 minutes or more) or it's memory consumption is just rising?

[Arakasi 549]

Killing ekrn did not release any memory from lsass

The correct registry key was added. Issue still persists. Tested on another computer at office. Same issue.

 

lsass.exe is not freeing memory after a period of time, it stays static on the same amount, unless a new browser is opened to a secure page, then it climbs again.

It does not rise when idle.

[Peter Randziak 948]

Hello Arakasi,

 

could you please provide me with full memory dump from the state when memory consumption by lsass.exe is over 500 MB and SysInspector log?

 

Thank you.

[Arakasi 549]

Done.

PM sent with requested information.

[MMx 28]

Hello Arakasi,

 

It looks like you're running the firewalling driver of ZoneAlarm called vsdatant.sys, which is known to have conflicts with application protocol filtering of Eset Smart Security due to a bug in ZoneAlarm. Would you please try to uninstall ZoneAlarm to see if it resolves the issue?

 

Thank you.

[Arakasi 549]

I will add this to the list of tried things, however before i perform this action, know that i have a second computer at my office, experiencing the same thing, without zone alarm.

I did NOT install ZA on the office machine i am also having this issue on.

 

I also am not using ESET Smart Security.

Edited December 6, 2013 by Arakasi

[Arakasi 549]

The problem still exists after uninstalling Zone Alarm.

Also add that i closed Cylance, and Stopped the service all-together, as well, to eliminate Cylance as a possible issue.

However i dont think it even looks at ssl.

Something else must be going on.

Thank you MMx for assisting me with my issue, i will continue to be cooperative.

Edited December 6, 2013 by Arakasi

[MMx 28]

I also am not using ESET Smart Security.

Sorry for that, we're using ESS for a lot of Eset products for lack of a better word

 

If you plan to use ZoneAlarm along with application protocol filtering, you should be aware that this combination may cause under certain (unpredictable) circumstances that some web pages will not load.

 

I'm afraid that the only way to find out what's going on here is to debug the problematic machine, since we don't have any solid information about the internal workings of Windows. That means replicating the problem in our environment. I'll try to do that and see what I can see.

[Arakasi 549]

I was just testing Zone Alarm probably won't reinstall.

Let me know if you have any questions about my environment that may not have been obtained from sysinspector.

Or if any questions, ill be here

[Arakasi 549]

Bump, and asking for an update please. No rush for me, but other customers are starting to experience this and it is causing a grip of issues elsewhere.

Add tommy456 as another user experience lsass issues.

[MMx 28]

Unfortunatelly this looks like an issue with the way lsass handles memory allocations/releases, which is beyond our control. We'll communicate the issue to Microsoft, but these things usually take time.

[Arakasi 549]

Thank you MMx for your work on my case, and time testing.

Thanks Peter as well.

PM me if you hear anything down the road please.

Edited December 16, 2013 by Arakasi

[Arakasi 549]

MMx has been working on this issue very diligently   

 

I am extending a Thank you for all his hard work on this issue.

ESET is making great progress !!!!

 

Thanks MMx

[Peter Randziak 948]

Hello,

 

the issue is fixed in Internet protection module: 1110 + (now available on pre-release update servers)

Please report any excessive memory usage (hundreds of MB) of lsass related to SSL filtering with any newer version.

 

Thank you for reporting this issue and for cooperation.

[Arakasi 549]

Absolutely Peter thanks.

[Infractal 2]

This seems to have fixed the LSASS memory leak issue that I was seeing. Great work! Unfortunately IMAPS scanning still breaks Outlook, but you can't have everything.

[Arakasi 549]

I think Mmx leaded up as project lead or main researcher in following through to resolution on this issue.

 

Thanks Mmx !!