lsass.exe....is this a trojan

You guys helped me clean up my system...thanks again. I was poking around with TCPView and noticed I have 2 instances of lsass.exe:684 both listening; one TCP and the other TCPV6

Is this a trojan? I have attached a picture of the TCPView log.


AMD Phenom 9950 BE Quadcore 2.6Ghz, 8GB RAM, 64bit Vista Ultimate

After doing some more homework, I am starting to believe the 2 instances of lsass that I have are not malicious. But I would like an experts opinion.

lsass.exe is the Local Security Authentication Server which verifies the validity of user logons to your computer and generates the process responsible for authenticating users for the Winlogon service. The lsass.exe process receives authentication requests from WINLOGON and calls the appropriate authentication package (implemented as a DLL) to perform the actual verification, such as checking whether a password matches what is stored in the SAM (the part of the registry that contains the definition of the users and groups). This process is important for stable and secure operation of your system and should not be terminated. Determining whether lsass.exe is malware or a legitimate Windows process depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. The legit lsass.exe file is located in the C:\Windows\System32 folder. If found running from a different location it is malware.

Sorry for my ignorance.....but how do I determine where it is running from?

Also...todayI purchased, installed and scanned with NOD32 Antivirus, do you think it would have identified the lsass.exe if it were malware?

Edited by ethelsfred, 28 May 2009 - 01:50 PM.

Tools to investigate running processes and gather additional information to identify them and resolve problems:

• AnVir TaskManager Free
• Process Explorer
• System Explorer
• ProcessHacker
• Process Monitor
• svchostViewer

These tools will provide information about each process, CPU usage, file description and its path location If you right-click on a file and select properties, you will see more details.

Thank you....I do not have any problems, the file is located where it should be.

An unrelated question...you and a few others in here have mentioned ESET NOD 32 Antivirus for AV/spyware protection (I bought it today), but I have not seen any comments regarding their Smart Security 4 which adds firewall and anti spam protection. Your thoughts would be appreciated.


P.S. For others reading this, the aforementioned ESET NOD32 Antivirus 4 (I have Vista SP1 by the way) and Smart Security 4 have a known conflict they are working to resolve with SP2 updated Vista and Windows Server 2008....read the link below before considering a purchase.

http://kb.eset.com/esetkb/index?page=conte...ctp=LIST_RECENT

They recommend using version 3 until the conflict is resolved.

I have not seen any comments regarding their Smart Security 4 which adds firewall and anti spam protection. Your thoughts would be appreciated.

I'm not an advocate of suites. All-in-one tools and suites generally use more system resources than separate programs that do the same task. They tend to have varying degrees of strengths and weaknesses for each feature. In contrast, separate tools are designed, built and maintained with a greater focus in a specific area so they are generally of better quality. This means the program's performance for that particular feature is usually superior than their all-in-one counterpart. Further, all-in-one tools generally do not allow the user as much flexibility in tailoring default settings and usage.