Arakasi 549 Posted December 3, 2013 Share Posted December 3, 2013 (edited) Oh my gosh, a post by me with questions ! Recently ive noticed this process using copious amounts of memory. Around 200-500k Things ive recently changed : Updated waterfox to version 24 (Dont do this, the flash bug from firefox 24 exists and alex hasnt updated yet) So i now use firefox, SSL Scanning Installed Bitcoin wallet Ive been trying out ZoneAlarms firewall. Its by Check Point and i really like those guys from using Pointsec for encryption. I started watching netflix again lately. LOL Nothing else i can think of, but i know the process is used for ACL decisions, so i dont know. Anyone seen this lately ? I recently disabled SSL to see if my issues go away. Right now its using 8,156 K - So its as if nothings wrong. Edited December 3, 2013 by Arakasi Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 948 Posted December 3, 2013 ESET Moderators Share Posted December 3, 2013 Hello Arakasi, if you re-enable SSL scanning the memory consumption of lsass.exe starts to grow rapidly? Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 3, 2013 Author Share Posted December 3, 2013 Indeed it does. With each new secure address i visit, along with the prompts for trust. I would assume it may go away when the connection is either closed or if i have shutdown firefox. ( It climbs with IE 11 as well ) However it remains in memory. Is this a new issue or a pre-existing ? _________________________________ Virus signature database: 9124P (20131203)Rapid Response module: 3381 (20131203)Update module: 1047 (20131023)Antivirus and antispyware scanner module: 1415 (20131127)Advanced heuristics module: 1145 (20131121)Archive support module: 1186 (20131125)Cleaner module: 1081 (20131127)Anti-Stealth support module: 1056 (20131112)ESET SysInspector module: 1239 (20131022)Real-time file system protection module: 1009 (20130301)Translation support module: 1131 (20131004)HIPS support module: 1104B (20131129)Internet protection module: 1092 (20131125)Database module: 1044 (20131108) _________________________________ Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 3, 2013 Author Share Posted December 3, 2013 (edited) I can add that its reporting to the security logs every time like its suppose to . . . Edited December 3, 2013 by Arakasi Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 3, 2013 Author Share Posted December 3, 2013 Adding, that it may be isolated to the protocol , same with Opera browser. Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 948 Posted December 3, 2013 ESET Moderators Share Posted December 3, 2013 Hello Arakasi, some of our requests to decrypt communication are being handled by lsass.exe. The issue is that lsass.exe does not close the thread immediately but it waits for longer timeout if there wouldn't be more requests in the same session. This issue is most significant on Windows XP. To work around it, create a DWORD registry value in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa named GeneralThreadLifespan, set it to something low like 3, and reboot. This option sets for how long threads in lsass.exe wait with nothing to do before terminating (and releasing unneeded memory). The default value that is causing the issue is 60. Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 3, 2013 Author Share Posted December 3, 2013 (edited) Thanks Peter for your reply, I created the key as instructed, then rebooted the computer. The problem still persists however. Edited December 3, 2013 by Arakasi Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 948 Posted December 3, 2013 ESET Moderators Share Posted December 3, 2013 Hello Arakasi, just to be sure, delete the reg key, and merge this into your registry. It should be the same, but just to be sure. If the issue will persist please disable Self-defense or entire HIPS, restart the PC and reproduce the issue. If the memory consumption by lsass.exe would be high kill ekrn.exe and observe if lsass will free the memory and report your findings back. P.S. Is the lsass.exe freeing the memory after a periond of time (2 minutes or more) or it's memory consumption is just rising? Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 3, 2013 Author Share Posted December 3, 2013 Killing ekrn did not release any memory from lsass The correct registry key was added. Issue still persists. Tested on another computer at office. Same issue. lsass.exe is not freeing memory after a period of time, it stays static on the same amount, unless a new browser is opened to a secure page, then it climbs again. It does not rise when idle. Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 948 Posted December 4, 2013 ESET Moderators Share Posted December 4, 2013 Hello Arakasi, could you please provide me with full memory dump from the state when memory consumption by lsass.exe is over 500 MB and SysInspector log? Thank you. Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 4, 2013 Author Share Posted December 4, 2013 Done. PM sent with requested information. Link to comment Share on other sites More sharing options...
ESET Staff MMx 28 Posted December 6, 2013 ESET Staff Share Posted December 6, 2013 Hello Arakasi, It looks like you're running the firewalling driver of ZoneAlarm called vsdatant.sys, which is known to have conflicts with application protocol filtering of Eset Smart Security due to a bug in ZoneAlarm. Would you please try to uninstall ZoneAlarm to see if it resolves the issue? Thank you. Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 6, 2013 Author Share Posted December 6, 2013 (edited) I will add this to the list of tried things, however before i perform this action, know that i have a second computer at my office, experiencing the same thing, without zone alarm. I did NOT install ZA on the office machine i am also having this issue on. I also am not using ESET Smart Security. Edited December 6, 2013 by Arakasi Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 6, 2013 Author Share Posted December 6, 2013 (edited) The problem still exists after uninstalling Zone Alarm. Also add that i closed Cylance, and Stopped the service all-together, as well, to eliminate Cylance as a possible issue. However i dont think it even looks at ssl. Something else must be going on. Thank you MMx for assisting me with my issue, i will continue to be cooperative. Edited December 6, 2013 by Arakasi Link to comment Share on other sites More sharing options...
ESET Staff MMx 28 Posted December 6, 2013 ESET Staff Share Posted December 6, 2013 I also am not using ESET Smart Security. Sorry for that, we're using ESS for a lot of Eset products for lack of a better word If you plan to use ZoneAlarm along with application protocol filtering, you should be aware that this combination may cause under certain (unpredictable) circumstances that some web pages will not load. I'm afraid that the only way to find out what's going on here is to debug the problematic machine, since we don't have any solid information about the internal workings of Windows. That means replicating the problem in our environment. I'll try to do that and see what I can see. Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 6, 2013 Author Share Posted December 6, 2013 I was just testing Zone Alarm probably won't reinstall. Let me know if you have any questions about my environment that may not have been obtained from sysinspector. Or if any questions, ill be here Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 15, 2013 Author Share Posted December 15, 2013 Bump, and asking for an update please. No rush for me, but other customers are starting to experience this and it is causing a grip of issues elsewhere. Add tommy456 as another user experience lsass issues. Link to comment Share on other sites More sharing options...
ESET Staff MMx 28 Posted December 16, 2013 ESET Staff Share Posted December 16, 2013 Unfortunatelly this looks like an issue with the way lsass handles memory allocations/releases, which is beyond our control. We'll communicate the issue to Microsoft, but these things usually take time. Link to comment Share on other sites More sharing options...
Arakasi 549 Posted December 16, 2013 Author Share Posted December 16, 2013 (edited) Thank you MMx for your work on my case, and time testing. Thanks Peter as well. PM me if you hear anything down the road please. Edited December 16, 2013 by Arakasi Link to comment Share on other sites More sharing options...
Arakasi 549 Posted February 28, 2014 Author Share Posted February 28, 2014 MMx has been working on this issue very diligently I am extending a Thank you for all his hard work on this issue. ESET is making great progress !!!! Thanks MMx Link to comment Share on other sites More sharing options...
ESET Moderators Solution Peter Randziak 948 Posted March 10, 2014 ESET Moderators Solution Share Posted March 10, 2014 Hello, the issue is fixed in Internet protection module: 1110 + (now available on pre-release update servers) Please report any excessive memory usage (hundreds of MB) of lsass related to SSL filtering with any newer version. Thank you for reporting this issue and for cooperation. Link to comment Share on other sites More sharing options...
Arakasi 549 Posted March 10, 2014 Author Share Posted March 10, 2014 Absolutely Peter thanks. Link to comment Share on other sites More sharing options...
Infractal 2 Posted March 10, 2014 Share Posted March 10, 2014 This seems to have fixed the LSASS memory leak issue that I was seeing. Great work! Unfortunately IMAPS scanning still breaks Outlook, but you can't have everything. Link to comment Share on other sites More sharing options...
Arakasi 549 Posted March 10, 2014 Author Share Posted March 10, 2014 I think Mmx leaded up as project lead or main researcher in following through to resolution on this issue. Thanks Mmx !! Link to comment Share on other sites More sharing options...
Recommended Posts