Thread: Pinging?

  1. #1
    mike_jay Guest

    Default Pinging?

    Hello.
    My congratulations to Zone Labs for designing a firewall that is so very intelligent because it is so very simple.
    Can my computer be pinged without Zone Alarm providing an alert and yet at the same time block that ping?
    I am having the following symptoms:
    /\_/\_/\_/\_/
    VSMON.EXE 94.68
    The above is a simplified version of the CPU usage.


    Each peak represents VSMON.EXE taking up 90+% of CPU resources.
    It repeats incessantly with brief pauses.
    I have closed down ZA to run NETSTAT and check out what is going on.
    CPU usage flatlines with no foreign ports.
    So does this mean the pinger has found a way to ping completely anonymously?
    Or does this mean something else entirely?
    I'd like to remove this annoyance from my system.
    Can anyone please help me?
    Thanks,
    Mike Jay



    Operating System:Windows 98 (original)
    Product Name:ZoneAlarm (Free)

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Pinging?

    Actually pinging and the CPU are two different things. These are not related in any way. If there is a CPU problem of course shutting off the ZA showed a flat graph- regardless of what else is running at the same time.

    1) There are possibly unnecessary services running that should be shut off.

    Do this Start>right click My Computer> select "manage" > right click "Services and Applications" and then left click the "+" > left click the "Services" under it > expand the window if it is small.

    Right click the items in the following list and left click the Properties and use the disable in the Startup Type, then use "Apply" and use the "Stop" button and use "OK". The list is:
    Application Layer Gateway
    ClipBook
    Computer Browser
    Fast User Switching Compatibility
    Messenger or Windows Messenger
    Netmeeting Remote Desktop Sharing
    Network DDE
    Network DDE DSDM
    Network Provisioning Service
    Portable Media Serial Number Service (optional)
    Print Spooler (optional)
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Desktop Session Help Manager
    Routing and Remote Access
    SSDP Discovery Service
    Telephony (for phone connection and faxes- so you may want to keep this one)
    Terminal Service
    Universal Plug and Play Host
    Webclient
    Windows Time (severe security risk! just enable it every few months and do a manual check in the "Date and Time" in the Control panel and then disable it when finished)


    Two good references for a complete breakdown on the "Services" and what to set as manual or disabled is the Services Guide for Windows XP found at the


    http://www.theeldergeek.com/s.htm


    and the Black Viper list found at


    http://www.dead-eye.net/WinXP%20Services.htm


    These actions will "harden windows" and will stop some open port issues without any firewall in place. These steps are recommended and very advisable on any PC. Plus this will tweak the efficiency of the PC by not having unrequired processes running in the background. Did I miss something or some items, quite possible since some items are now nonexistent in my pc since I have done these steps some time ago.

    HINT If you are very aware of what service does what and what you need, then use the shortcut method. Just put all listed items at Manual and OFF (not disabled) and then immediately reboot. Windows will take a very long time to startup as it individually turns each of the services that are to be used for the usual running of the OS and the system. After the Windows has finally started, just make all items that are now running to Automatic and Started. Do this trick if you really are sure what is needed and what is not needed.

    2) There is the DNS and DHCP server addresses to be considered>

    First open the command prompt and type in "ipconfig /all". Very important to have an actual space between the ipconfig and the /all and of course, no quotation marks. Type it where the blinking cursor is at the end of the Doc and Settings line. After typing this in, then hit the enter key of the keyboard. Look for two addresses listed in the DNS Servers. Now enter these two addresses as trusted and titled as DNS Server Primary and DNS Server Secondary in the firewall zones. Just like it would have been done in the windows xp firewall for dns server. When finished with the command prompt, just type in exit and at the very end hit the enter key of the keyboard. Please note that the Loopback or localhost (127.0.0.1) should be listed as Trusted as well.

    See>

    http://www.donhoover.net/dnsdhcp.html

    and >

    http://www.microsoft.com/resources/d....mspx?mfr=true

    3) The only program in the ZA program list that actually should have any server rights is the svchost.exe. This should only have server rights for the trusted zone and never for the internet zone. Anything else listed should not have any server rights what so ever! Especially for the Internet Zone.

    The only exceptions to allow and then only as a temporary basis is the IM or a FTP or perhaps a P2P. Even then, after using these it is highly advisable to immediately turn off the server rights after finished using these items.


    4) Open the Network Places and open the Properties of the Network Connections and uncheck the Microsoft TCP/IP version 6 and leave the Internet Protocol (TCP/IP) checked. The Internet Protocol (TCP/IP) is actually the IPv4. You also may consider doing this for the "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" and the "QoS Packet Scheduler". All of these can be uninstalled by using the Uninstall button that is shown in the Properties Window. They can be reinstalled using the Install that is next to the Uninstall button.

    Open the Services and then Disable and Stop the IPv6 Helper Service. The QoS RSVP can be Disabled and Stopped also if disabled in the Network Connections.

    Also, go into the Properties of the Internet Protocol and in the Advanced find the WINS and deselect the Default and select the Disable the NETBIOS over TCP. Plus deselect the LMHOSTS Lookup. Ok all and reboot immediately. The next startup after that may show some change in the length of time of the startup.

    5) Turn off the antivirus monitor in the ZA and if the antivirus is monitoring the email and attachments, then also disable the ZA email monitors.

    6) Possible conflicts of other software could be in the shields of other security that provide as blocking or spysite blocking. Usually site advisors and host files are fine and the same goes for PeerGuardian or Proxomitron. Usually the conflict will come from other antispy software shields such as SpySweeper. Use only one antivirus scanner on the machine and make sure the Windows XP firewall is Disabled. The adblockers, javascript blockers and cookie control software added to the browsers themselves, but those little desktop softwares that do the same are a possible conflict with the Privacy of the Zone Alarm.

    If using other security applications please make sure that the vsmon.exe and the zlclient.exe are listed in their Trusted Zones.

    7) Make sure the Google Desktop Searches and the IMs are set not to start with Windows and just start these as needed. Make sure that any P2P applications are turned off when not in use and please reclose all ports that were opened for the P2P operations.

    8) Another trick is to start the PC in the Safe Mode and slowly turn things on, instead of slowly turning things off in the Normal Mode, to help identify any possible conflicts.

    If I can think of a few more things, I will reply.

    Oldsod
    Best regards.
    oldsod
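
Added example (not part of the thread or any poster's code): step 2 of the reply above asks for the DNS and DHCP server addresses from `ipconfig /all`, and this Python example picks exactly those two fields out of captured output, including the second DNS server that Windows prints on an unlabelled continuation line, while skipping the subnet mask and gateway lines. The sample output and its addresses are constructed, the Windows XP output layout is assumed, and `trusted_zone_candidates` is a hypothetical helper name.

```python
import re

# Constructed sample of `ipconfig /all` output in the Windows XP layout.
# All addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : DESKTOP

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.0.2.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.0.2.1
        DHCP Server . . . . . . . . . . . : 192.0.2.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
                                            198.51.100.54
        Lease Obtained. . . . . . . . . . : Monday, January 01, 2007 9:00:00 AM
"""

# "Label . . . . : value" -> (label, value); the dot leaders are discarded.
LABELLED = re.compile(r"^\s*(.+?)[\s.]*:\s*(.*)$")
WANTED = {"dhcp server": "DHCP Server", "dns servers": "DNS Servers"}


def is_ipv4(value):
    """True for a dotted quad whose four octets are all 0-255."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def trusted_zone_candidates(text):
    """Collect the DHCP and DNS server addresses from `ipconfig /all` text."""
    found = {"DHCP Server": [], "DNS Servers": []}
    current = None  # field that an unlabelled continuation line belongs to
    for line in text.splitlines():
        m = LABELLED.match(line)
        if m:
            current = WANTED.get(m.group(1).strip().lower())
            value = m.group(2).strip()
        else:
            # The second DNS server is printed on its own line with no label.
            value = line.strip()
            if not value:
                current = None  # a blank line ends the field
        if current and is_ipv4(value) and value not in found[current]:
            found[current].append(value)
    return found


if __name__ == "__main__":
    for field, addresses in trusted_zone_candidates(SAMPLE).items():
        print(field, "->", ", ".join(addresses) or "(none listed)")
```

An empty `DNS Servers` list means the output had no such line, which is a reason to check the adapter settings rather than to substitute the subnet mask or gateway.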

  3. #3
    mike_jay Guest

    Default Re: Pinging?

    Thanks for your response.
    On the CPU usage I am not trying to say that pinging is in any way related to CPU usage.
    What I have demonstrated is that something is repeatedly and incessantly (except for a slight pause in between spikes) causing ZA (VSMON.EXE) to hog over 90% of CPU resources in a spike-rest-spike pattern.
    I used the internet lock and saw the CPU flatline and so I know that it is internet related.
    I also turned down ZA completely for outgoing programs and the pattern continued so that is why I assume it is from outside pinging in.
    On the DNS/DHCP I have the following in the list:
    DHCP Server yxx.yxx.yxx.yxx each set of 3 digits is the same.
    And under the major category "Ethernet Adapter":
    DHCP Enabled ... Yes
    IP Address ... (my ip)
    Subnet Mask yxx.yxx.abc.0
    Default Gateway ... (an address similar to my IP)
    DHCP Server ... (same as Default Gateway)
    And so I'm not sure which IP I should be adding...
    Thanks for your help,
    Mike Jay



    Message Edited by Mike_Jay on 12-15-2006 04:18 AM

    Message Edited by Mike_Jay on 12-15-2006 04:27 AM

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Pinging?

    Let us do some checking and that can help trace the problem.

    Open the command and do some netstat>

    http://www.microsoft.com/resources/d....mspx?mfr=true

    Usually netstat -a will give some idea of what is occurring.

    Then netstat -an and netstat -o and netstat -s and netstat -es.

    Add the DHCP server as trusted. Same goes for the DNS server(s). Both are in the ipconfig /all command.

    Also there could be various NetBIOS/ MS items enabled on the PC causing the high CPU usage. Disabling these should quiet things down.

    No router?

    Check out these tools (freeware) for tracing any possible issues>

    Shows what process is used and where it goes, in real time:

    http://www.microsoft.com/technet/sys...g/TcpView.mspx

    Shows what processes and their threads and .dlls being used in real time:

    http://www.microsoft.com/technet/sys...sExplorer.mspx


    Shows any possible rootkit. It does not remove anything just shows possible problems. It is advisable to clean all browser caches, Temp folders and the disk before running this tool:

    http://www.microsoft.com/technet/sys...tRevealer.mspx

    Shows all startups and their details:

    http://www.microsoft.com/technet/sys.../Autoruns.mspx


    Port Reporter shows port activity and can log the activity:

    http://www.microsoft.com/technet/abo..._083105_2.mspx

    All of these are recommended for checking processes and ports and packets and processes involved. Plus other than the Port Reporter (which can be shut down) none really run in real time when not enabled. These are excellent system tools and security tools.


    Furthermore, what do the ZA logs show for blocked activity for both the processes and the internet activity? Is there a lspconflict.txt in the C:\WINDOWS\Internet Logs?

    This entire trouble may be caused by a corrupt ZA database. To remove the database and start over to create a new database, just do this:

    Boot your computer into the Safe Mode

    Navigate to the c:\windows\internet logs folder

    Delete the backup.rdb and iamdb.rdb files in the folder

    Clean the disk using the Windows disk clean utility or just empty the Recycle Bin

    Reboot into the normal mode

    The database has been removed and the ZA will now begin to create a new database.
    It will appear as when it was first installed and there was no database yet created.



    Oldsod
    Best regards.
    oldsod

  5. #5
    mike_jay Guest

    Default Re: Pinging?

    Wow I really thought the corrupt database idea was it.
    Unfortunately this did not solve it.
    Added DHCP addresses.
    I don't have DNS addresses but I do have a Subnet Mask which I haven't added yet...
    No change in spike-rest-spike pattern.
    I'm already using Process Explorer which is how I identified VSMON.EXE was hogging the resources (something is causing it to do so which is not a corrupt database, DHCP reg or "normal" pinging from the outside).
    No other process is causing this spike-rest-spike pattern which is constant.
    I run Windows 98 and therefore cannot use those wonderful Microsoft reporting tools you suggested.
    However NETSTAT shows nothing and I have the ZA alerts to "all" and they show nothing so what would a reporting tool do anyway??
    Again, is it possible for someone to ping from the outside without allowing NETSTAT or ZA to recognize the ping as something reportable (but in ZA's case yet still actionable)?
    Is there some other way that ZA could be corrupted that would cause this?
    Unfortunately I cannot update my ZA because I am Win 98 and they no longer offer updates for me ;(
    Can I download "my" version again?
    Shucks, I just realized I might be in real trouble here...
    If my ZA is corrupted I might be SOL without any remedy ;O
    HELLP!
    Thanks for your help you really deserve recognition for your help here.
    Do you work for ZL?
    Mike Jay

    Message Edited by Mike_Jay on 12-16-2006 10:03 AM

    Message Edited by Mike_Jay on 12-16-2006 10:05 AM

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Pinging?

    Since you are using the Windows 98, the last compatible version of the ZA is the ZA 6.1.744.001. Even the early ZA 5.5.094.000 will do the job.

    Download the ZAs from>

    http://download.zonelabs.com/bin/fre...seHistory.html

    The high CPU problem with the vsmon.exe is the direct result of a conflict with the Windows services or another security application. It can even happen because of an outdated driver.

    Please take a look at this thread>

    http://forum.zonelabs.org/zonelabs/b...ssage.id=60318

    Oldsod
    Best regards.
    oldsod

  7. #7
    mike_jay Guest

    Default Re: Pinging?

    Thanks for all your help.
    A quick update:
    I began having some DSL connection dropouts and after the period of those dropouts were resolved the problem went away.
    I have had no "spiking" since.
    Maybe this had to do with my DSL company and they fixed the problem.
    The funny thing was I noticed that with every spike the DSL ACT light would come on but ZA would register no internet activity and yet VSMON would actively be blocking something (even after giving full permission to all outgoing applications)!

    This is still something I don't understand but it's gone now.
    Thanks again,
    Mike Jay

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Pinging?

    You could be right-the provider was constantly contacting the modem to do network checks. They want to monitor the entire network and see if there are illegal servers/users or heavy P2P users or to just check traffic flow from the exact assigned IPs. They call it network maintenance.

    I am happy to learn it is gone and I am glad to see you take the internet/PC security very seriously.

    Oldsod
    Best regards.
    oldsod

  9. #9
    mike_jay Guest

    Default Re: Pinging?

    Thanks.
    So this "network maintenance" wouldn't register with NETSTAT or ZA as actual internet activity but would still prompt VSMON to block it?
    That's the confusing part for me...
    Mike Jay

  10. #10
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Pinging?

    The network maintenance, if it goes past the hardware (ie modem), it would be seen as an "intrusion" or properly called as "dropped packets". The netstat does not show external activity, just internal activity, and in this case if the vsmon.exe is working hard to block the attempts, then it would not show. Plus I doubt that the provider's DNS and the DNS of the world are using plain TCP or UDP and are using ICMP variations.

    There is something wrong in the world of the internet at this present time. I have Rogers Yahoo as a provider and I can not get to Zone Labs or the Zone Lab forum unless I change the DNS servers. My provider's DNS will not have a connection for many sites. The Kaspersky antivirus could not reach any of the impressive list of update servers- the entire list is long and each country listed has many a server addresses. It went from the US to Japan to South Americas to Africa to several European countries and simply failed at each DNS attempt. The solution was to set the desktop DNS to another DNS- I used the OpenDNS. TreeWalk is another alternate. Set it up in the NetWork connection's properties and in the firewall and rebooted and got instant and pleasant results. The KAV got a massive update and here I am posting once more. Sites, such as eBay, has developed some lost pages and a very slow connection with Rogers lately. I do suspect this is all related somehow to the release of the Vista OS- it will use the just TCP IPv6 and the TCP IPv4 will slowly be phased out in the world web. Perhaps the internet is slowly gearing up for the changes that are coming. The Windows XP, I suspect, will have the TCP IPv6 package included in the Service Pack Three to keep it fully useable. The TCP IPv6 that is now used will be altered and the TCP IP v6 that is to be used may be different altogether. The TCP IP stack of Vista is completely different from the TCP IP stack of Windows XP and the previous Wins. So let's see what happens.

    Oldsod

    Message Edited by Oldsod on 12-27-2006 06:02 AM
    Best regards.
    oldsod
