Norton And Lsass.exe


11 replies to this topic

#1 DuaneBarry

Posted 24 February 2007 - 12:28 AM

Hello there guys,

Norton keeps asking me to permit or block lsass.exe and honestly I've no idea. It never asked me before. It seems harmless but you never know, right? What should I do?

Thanks in advance.

#2 Orange Blossom

Posted 24 February 2007 - 12:57 AM

What sort of blocking? Can you provide the complete message? Also, does Norton provide a path for the file? If so, what is it?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 DuaneBarry

Posted 24 February 2007 - 01:10 AM

:thumbsup: Now I wish I had taken note of the whole message.

It's the regular Norton Program Control alert. Like this one: http://personalshopper.com/images/media/Norton-Permit.gif

The file is in the system32 folder. That's all I can remember.
I'll take note of the whole thing next time Norton pops up.

Thanks for replying so quickly.

#4 Orange Blossom

Posted 24 February 2007 - 02:44 AM

Okay, so I take it that this was an alert that lsass.exe was trying to connect to the internet?

Can you check the Norton logs and see what information regarding the alerts is there? If it logs as well as Kerio or ZoneAlarm, you should see the file path of the file that was trying to connect as well as what it was trying to connect to, either an IP address or a domain name or something. If that information is there, can you post that please?

#5 DuaneBarry

Posted 24 February 2007 - 03:20 AM

This is what I found on the logs:

Details: The user has created a rule to "block" communications.
Inbound UDP packet.
Local address,service is (0.0.0.0,500).
Remote address,service is (70.241.123.188,500).
Process name is "C:\WINDOWS\system32\lsass.exe".

#6 Orange Blossom

Posted 24 February 2007 - 03:41 AM

Okay, according to the log entry, something was trying to come in to your computer from outside and connect to lsass.exe. The file location, by the way, is the correct one - so unless you have a file infector on board, the file itself should be hunky-dory.

lsass.exe is responsible for monitoring logging in and so forth. See here: http://www.neuber.com/taskmanager/process/lsass.exe.html
and here: http://www.liutilities.com/products/wintas...slibrary/lsass/
I see no reason why something from outside should be trying to send stuff to it unless you were doing Windows updates, and I'm not sure even then as updates work through IE.

I looked up the remote IP address, and it appears to be SBC Internet Services trying to send stuff in. Do you subscribe to that internet service? Even if you do, it sounds fishy that it would be trying to communicate with lsass.exe unless you happen to be a primary computer on a network, but I'm not sure about that as I work with a stand-alone computer. Enter the IP address at this site: http://www.networksolutions.com/whois/ and you will see the full info about the IP.

#7 RandomUser

Posted 24 February 2007 - 04:58 AM

Duane,

The IP number appears to be either a user on the SBC Network or a backend server from SBC. That is unclear.

The last part of that number, 500, appears to be port 500, which is known to be used with Remote login and Authentication for servers.

Do you know what a VPN is? Do you have a VPN or Remote Desktop set up on your machine? If so, Norton may ask for your OK in order for an outside party to connect to you through Remote Desktop. If this is NOT something you have set up, you may have a valid security concern and would need to contact either your service provider, Symantec (Norton distributor), or Microsoft for further assistance and to determine the cause of these events, which should also be stored in the Windows event logs.
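
The checks made by hand in the replies above (which direction the packet went, which port it hit, where the remote address sits, and whether the process path is the genuine system32 one) can be run over the log entry from post #5. This is an added example, not part of any post in the thread: the second log entry, the assumed C:\WINDOWS install path and the function name `triage` are constructed for illustration, and the port label is the IANA service name for 500/udp.

```python
import ipaddress
import ntpath
import re

# Entry exactly as posted in #5 of this thread.
POSTED = r'''Details: The user has created a rule to "block" communications.
Inbound UDP packet.
Local address,service is (0.0.0.0,500).
Remote address,service is (70.241.123.188,500).
Process name is "C:\WINDOWS\system32\lsass.exe".'''

# Constructed entry (not from the thread): same name, wrong folder, outbound.
CONSTRUCTED = r'''Details: The user has created a rule to "permit" communications.
Outbound TCP packet.
Local address,service is (192.168.1.5,1046).
Remote address,service is (203.0.113.7,80).
Process name is "C:\WINDOWS\lsass.exe".'''

# Assumption: Windows is installed in C:\WINDOWS, as the posted path suggests.
EXPECTED_LSASS = r"c:\windows\system32\lsass.exe"
KNOWN_PORTS = {("UDP", 500): "isakmp (IKE, IPsec/VPN key exchange)"}  # IANA name

ENTRY = re.compile(
    r'rule to "(?P<action>\w+)" communications\.\s+'
    r'(?P<direction>Inbound|Outbound) (?P<proto>\w+) packet\.\s+'
    r'Local address,service is \((?P<lip>[^,]+),(?P<lport>\d+)\)\.\s+'
    r'Remote address,service is \((?P<rip>[^,]+),(?P<rport>\d+)\)\.\s+'
    r'Process name is "(?P<path>[^"]+)"')

def triage(text):
    """Parse one entry and answer the questions asked in the replies above."""
    m = ENTRY.search(text)
    if m is None:
        raise ValueError("not a log entry in the posted format")
    f = m.groupdict()
    path = ntpath.normpath(f["path"]).lower()
    is_lsass = ntpath.basename(path) == "lsass.exe"
    return {
        "action": f["action"],
        "direction": f["direction"].lower(),
        "local_service": KNOWN_PORTS.get((f["proto"], int(f["lport"])), "unknown"),
        "remote_is_public": ipaddress.ip_address(f["rip"]).is_global,
        # A file named lsass.exe outside system32 is the case to worry about.
        "path_ok": (not is_lsass) or path == EXPECTED_LSASS,
    }

if __name__ == "__main__":
    for entry in (POSTED, CONSTRUCTED):
        print(triage(entry))
```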

#8 DuaneBarry

Posted 24 February 2007 - 05:36 AM

I'm not a subscriber to that service. I also don't have a VPN nor a Remote Desktop setup.

I'm running all the anti bad stuff I got here (Norton, SpySweeper, AdAware, McAfee Stinger, Spybot, Trojan Remover) and so far so good. Some of the scans haven't finished yet. I'll let you know if anything comes up.

Could this be something serious?

#9 DuaneBarry

Posted 24 February 2007 - 06:11 AM

All the scans have finished now. All the minor things that were found have been taken care of. I hope Norton doesn't ask me about lsass.exe again.

#10 Orange Blossom

Posted 24 February 2007 - 07:49 PM

Okay, this was probably internet static, as it were, or a port scan. This kind of thing happens all the time. For example, I've had a number of port scans from twtelecom.net. As long as your firewall is blocking it, you should be fine.

#11 DuaneBarry

Posted 25 February 2007 - 01:51 AM

lsass hasn't bothered me again so far and I hope it doesn't.

Thanks for the support. I appreciate it.

#12 Orange Blossom

Posted 25 February 2007 - 07:54 PM

You're welcome. Don't freak out at the incoming traffic that Norton blocks or alerts you to. There is a lot of internet noise out there. As long as it's blocked you're fine. My basic rule of thumb is, if I'm not expecting it - block it. I can always change it if there is a problem.

Outbound traffic is a different matter, and I keep an eagle eye on that. Norton will also alert you to that. The XP firewall, incidentally, doesn't block any outgoing traffic, which is why a third-party firewall is better. If there is something trying to connect that I don't recognize at all, I put a total block on all internet traffic. I'll even pull the modem line out of the phone jack (I'm on dial-up). I'll scan like crazy, make sure everything's clean, then reconnect. If it's a program I recognize, I'll do some research first before allowing it to connect. I'll check out the IP address and so forth. Does it really need to connect? If not, it's blocked.

Here's a tutorial on firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/
