glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Wed Feb 20, 2008 6:55 am
Hi Hoov
Many thanks for your suggestion and yes I should like help as I've never written an expert rule before.
FYI; I've just switched on to prepare for a full day meeting and ZAISS has frozen out on me!
_________________ Thanks & regards
Gra
glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Thu Feb 21, 2008 9:24 am
Hi, this is my second boot-up since I reinstalled and ZAISS has frozen again. When I right click for the control center I get the menu but it just hangs. Yesterday it started working after I opened Outlook but today it's still hanging. Another un-install/ re-installation?????
_________________ Thanks & regards
Gra
glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Thu Feb 21, 2008 2:55 pm
Hi Hoov
I may have isolated the problem!
I ran an expert rule and allowed everything. It throws up 'agent.exe', which is going to "updates.installsheild.com" (or else IP address 173.128) every couple of seconds. That exe is the installshield update manager. I opened update manager to try and turn it off but it only opens about a quarter of the way then freezes, so it seems corrupted.
I can't say for certain it is the cause of my problems, but it would tie in with the traffic meter running all the time. Perhaps it corrupted when I upgraded ZAISS? However I cannot find a way to repair or un-install the programme. It doesn't show up on the Windows control panel (and I cannot open it in ZAISS programme control), so I'm a bit stuck. I've been surfing the web and I wonder if you have any advice??
_________________ Thanks & regards
Gra
glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Thu Feb 21, 2008 5:04 pm
Hi Hoov
Well it was too good to be true!
I un-installed update manager and re-installed it from the installshield site. Now it works (but the utility has been renamed software manager from Programme Manager), but the traffic is still going on, so that wasn't the solution.
The agent.exe doesn't figure on the log anymore but I attach a screenshot. I'm not sure if I have configured expert rules correctly because now no programme is named but it seems my PC is sending to another of my PCs (but they're all turned off).
The strange thing is it seems to have added 4 characters to the end of my IP address and then sent it under 'UDP protocol' to what seems my other PC's IP address, but with the characters :53 added. All my other PCs are turned off, and when I check my wireless modem's control panel only my PC is logged-on.
Any ideas? I added the row to my trusted and that didn't solve anything.
[Attached screenshot: 168.12 KB]
_________________ Thanks & regards
Gra
Hoov
Zone Alarm Host
 PIRT Handler
 Joined: Jun 21, 2002 Posts: 4605 Location: USA
Posted: Sun Mar 02, 2008 8:20 am
Sorry I didn't get back to you in a timely manner. Very bad sinus infection laid me out. Then CCSP had problems.
From what the log is showing, there is something on your machine doing a pot full of DNS lookups.
By the way, anything in the 192.168 subnet, you don't have to blur. Everyone can have those same IP addresses. They are used for local LANs. Those IP addresses are not routable over the internet, they are good for local traffic only.
A program called active ports will tell you what program is doing this. Run it and watch for whatever process is going to remote port 53. Let me know which program is doing it. There may be a way to lock it down.
http://www.devicelock.com/freeware.html
_________________ For ZoneAlarm help http://www.donhoover.net
glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Sun Mar 02, 2008 11:33 am
Hi Hoov
Thanks for getting back and sorry to hear you've been unwell; I hope you are recovered.
I set up active ports and here's a screenshot but I'm not sure what I'm looking for as I don't see port 53, although there's an amount of traffic through port 80. Does this offer any clues?
[Attached screenshot: 95.8 KB]
_________________ Thanks & regards
Gra
Hoov
Zone Alarm Host
 PIRT Handler
 Joined: Jun 21, 2002 Posts: 4605 Location: USA
Posted: Thu Mar 06, 2008 3:44 am
Been playing around with different configurations, to try and duplicate what I am seeing. And to be honest about it I am very confused. There is not nearly enough showing in the active ports display. So what I need you to do is to turn off ZA and run active ports again and see if it changes at all. There should be many more processes listed.
_________________ For ZoneAlarm help http://www.donhoover.net
glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Tue Mar 25, 2008 10:49 am
Hi Hoov
Many apologies for such a delay in replying to your last message but I've been away from the PC travelling on business and only recently back just before Easter.
I turned off ZA but it didn't seem to do anything (see attached). Should I switch off at start-up and see if that allows a better picture?
Also a clue may exist in this story. When I logged-on a couple of days ago, the ASUS WiFi-AP Solo icon popped up in the system tray and a few clicks and whirls later the ZA traffic meter had gone. Unfortunately it was a prelude to a problem in ASUS and 5/ 10 mins later I lost wireless contact with my modem and the network crashed. It took several re-boots and a restore until things worked properly again. However I wonder if there's a setting problem in ASUS, rather than the Philips modem, which is creating this problem???
[Attached screenshot: 126.11 KB]
_________________ Thanks & regards
Gra
Hoov
Zone Alarm Host
 PIRT Handler
 Joined: Jun 21, 2002 Posts: 4605 Location: USA
Posted: Wed Mar 26, 2008 2:17 am
Going back and looking over things, I need you to do something. The ZA log that you posted on Feb 21st, what is blanked out under the source DNS column?
The other thing to try is to go to the rule you made for port 53, and set it to block. Then see what fails.
As for the problem you had with losing the connection, I think that was just something that happened, and isn't connected. I could be wrong, but let's see what happens when you block the port. You may have to look in the event viewer to see if something is failing.
_________________ For ZoneAlarm help http://www.donhoover.net
glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Sun May 11, 2008 2:16 pm
Hi Hoov
Apologies for not getting back to your earlier mail. I started a period of travelling and then I've been up to my eyes on business (the raison d'etre of this PC).
The blanked out DNS address is my wireless router control panel. You mention about the rule I made for port 53 but I'm not sure I know what this is as I haven't made rules as such (or how I determine which port is 53 as the numbers I see are different - apols if I am being thick here). I noticed that the svchost log allows the data direction "Allowed (once)/auto" (where it includes the source IPs as my router) but there are a whole bunch of other svchost messages that are blocked, with no source or destination data info.
Lastly I tried to compare with my other pc and laptop and found something peculiar: on my laptop and other pc, the smartdefence column on the programme control page gives a choice between 'system' or 'custom'. Yet on this machine the choice is 'auto' or 'custom', which means it is not reading it as a system component.
FYI, I updated ZAISS a few weeks ago to V. 7.0.470.0000. Interestingly the traffic meter has worked properly twice since my last mail (for one session only each time) but I cannot seem to see any differences when I compared logs from working correctly and not working correctly.
Does any of the above offer any clues?
_________________ Thanks & regards
Gra
glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Sun May 11, 2008 3:10 pm
Hi Hoov
I just found a way to see the last minute or two of active connections. The result below was repeated every few seconds during a two minute survey (I renamed my PC and overlaid the last figure with an '*' to keep things anonymous):
Active Connections
Proto Local Address Foreign Address State PID
TCP My PC:1041 localhost:2701* ESTABLISHED 276*
[iTunesHelper.exe]
TCP My PC:2701* localhost:104* ESTABLISHED 988
[AppleMobileDeviceService.exe]
TCP My PC:141* .:http ESTABLISHED 1424
c:\windows\system32\WS2_32.dll
c:\windows\system32\WINHTTP.dll
[svchost.exe]
TCP My PC:185* a1981.g.akamai.net:http TIME_WAIT 0
TCP My PC:185* a1981.g.akamai.net:http TIME_WAIT 0
Does this offer any further ideas???? The akamai address is a ZoneLabs address of some description.
_________________ Thanks & regards
Gra
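An added example (not part of any post in this thread) for the step Hoov describes and the listing above: a Python parser for Windows `netstat -b -n -o` style output that attaches each connection to its owning executable and counts connections per remote port. The sample listing is constructed, and the flags used to capture it and the function names `parse`, `talkers` and `peerless_udp` are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of Windows `netstat -b -n -o`; every
# address, port and PID below is made up for illustration.
SAMPLE = r"""
  Proto  Local Address       Foreign Address      State        PID
  TCP    127.0.0.1:1041      127.0.0.1:27015      ESTABLISHED  2764
  [iTunesHelper.exe]
  TCP    192.168.1.10:1412   198.51.100.7:80      ESTABLISHED  1424
  c:\windows\system32\WINHTTP.dll
  [svchost.exe]
  TCP    192.168.1.10:1850   198.51.100.9:80      TIME_WAIT    0
  TCP    192.168.1.10:1851   198.51.100.9:80      TIME_WAIT    0
  UDP    192.168.1.10:1033   *:*                               1180
  [svchost.exe]
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse(text):
    """Return one dict per connection, with the owning executable attached."""
    rows, pending = [], None
    for line in text.splitlines():
        conn, owner = CONN.match(line), OWNER.match(line)
        if conn:
            if pending:                  # previous row never got a [name] line
                rows.append(pending)
            proto, local, remote, state, pid = conn.groups()
            pending = {"proto": proto, "local": local, "remote": remote,
                       "rport": remote.rsplit(":", 1)[-1], "state": state or "",
                       "pid": int(pid), "process": "(no owner listed)"}
        elif owner and pending:          # DLL lines in between are skipped
            pending["process"] = owner.group(1)
            rows.append(pending)
            pending = None
    if pending:
        rows.append(pending)
    return rows

def talkers(rows, remote_port):
    """Count connections to one remote port, grouped by owning process."""
    return Counter(r["process"] for r in rows if r["rport"] == str(remote_port))

def peerless_udp(rows):
    """UDP sockets show foreign address *:*, so their remote port is not visible."""
    return [(r["process"], r["pid"], r["local"]) for r in rows
            if r["proto"] == "UDP" and r["remote"] == "*:*"]
```

netstat lists UDP sockets with a foreign address of `*:*`, so DNS queries sent over UDP do not show up as remote port 53 in this view; `peerless_udp(parse(SAMPLE))` returns the owners of those sockets as the candidates to check against the firewall log.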
glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Sun May 11, 2008 5:58 pm
Hi Hoov
Another possibility seems to be Network Time (NTP).
On my ZAISS Firewall log there's swisstime and NTPS 1 of Berlin (on port 123) and at the same time I see 'can't find NTP time' at a corresponding rate on my Router's log.
I've tried adding both swiss and ntps to my Trusted Zone (as well as Nist and Windows time, which are the 2 sites on my date & time properties) but without success.
Are there some expert settings I should be trying or am I barking up the wrong tree??
_________________ Thanks & regards
Gra
Hoov
Zone Alarm Host
 PIRT Handler
 Joined: Jun 21, 2002 Posts: 4605 Location: USA
Posted: Mon May 12, 2008 12:42 am
You may be barking up the right tree.
Itunes Helper you can turn off. It only needs to run if/when you stream music with Itunes. As for AppleMobileDeviceService.exe, it is used if you are connecting to an Iphone (as far as I have been able to find out). I have permanently stopped it, and have had no problems with ITunes or with my IPod. Those two might be doing it. As for the Time synchronizer in windows, I have had very little luck with it, even when turning off the ZA firewall, and the windows firewall. I have been using a program called Dimension 4 (freeware) http://www.thinkman.com/dimension4/ and it works good.
Try turning off the two apple components and the Windows time sync, this may stop the activity.
As for the two entries for Akamai, this could be the update server for ZA, but it is just waiting for a response.
_________________ For ZoneAlarm help http://www.donhoover.net
glaustin
Trooper

 Joined: Feb 01, 2008 Posts: 20 Location: UK
Posted: Mon May 12, 2008 10:14 pm
Hi Hoov
Thought it was too easy just switching those off... It started OK when I logged on this morning (and I thought we'd cracked it) but I had to reboot early on and it's clicking away again. What else can I do or try or what info can I give you to help?
_________________ Thanks & regards
Gra
Hoov
Zone Alarm Host
 PIRT Handler
 Joined: Jun 21, 2002 Posts: 4605 Location: USA
Posted: Mon May 12, 2008 11:39 pm
How did you turn them off?
_________________ For ZoneAlarm help http://www.donhoover.net