Lsass.exe is trying to receive a connection

Hi,
Comodo Firewall warned me that Lsass.exe was trying to receive a connection and I allowed it. Now I’ve seen that I shouldn’t.
What risk? Can a hacker had gained remote acces to my computer?
Thanks.

Welcome. :slight_smile:

Lsass.exe can be both a safe Windows process or a trojan.

The safe Lsass.exe is the Local Security Authentication Server. Check that it is located in C:\Windows\System32. If not, it may be the Lsass.exe trojan.

Thanks for the welcome and for the reply.
Lsass.exe is the Windows process, I am sure, but I allowed the inbound connection and only then I read that I shouldn’t.
I don’t know the risks of it, I dind’t find them on the net. :frowning:

It probably won’t hurt to make it a Outgoing Only application also.

Yes, the next time I won’t allow it.
But nobody knows the risks of allowing an inbound connection to Lsass.exe?

It probably wasnt a hacker that would have been most likely catched by the firewall’s Sateful Packet Inspection.

Do you have a Router or a DSL modem? if so changes of it being malware go down even more.

I have a DSL modem, but I don’t have malware (I checked with antivirus and three antimalware).

The only reason I can think of to receive an inbound connection request in your firewall. is if you have, for example, enabled file sharing and require others to authenticate when accessing those shares.

if you don’t have a LAN and don’t need to allow remote access to your PC, I’d block this process in your firewall but ensure it’s allowed in D+ as things will stop working if you don’t.

Thanks for the reply.
I don’t have file sharing enabled, and I’ll block the process in the firewall. Do you what risk allowing the inbound connection to Lsass.exe?

Unless there was a successful connection attempt and something was imparted, I’d say you’re probably ok. You say you’ve scanned and it was clean, that’s a good starting point. Do make 100% sure that the Lsass.exe is the real McCoy and keep an eye on things.

As I said, on a stand alone machine, there is no requirement for a specific firewall rule for lsass.exe.

I’m sure that the Lsass.exe is the Microsoft one.
So, do you confirm that even if I allowed the inbound connection to Lsass.exe, I’m probably clean?
And can a hacker gains remote access to a computer with this method?
Thanks.

I all honesty, getting an alert for access to lsass by itself, unless it’s the malicious one, shouldn’t present any kind of problem.

Lsass.exe has a number of functions, for example it’s responsible for the local system security policy, which users are allowed to log on to the machine, password policies, privileges granted to users and groups, and the system security auditing settings It also handles user authentication, and sending security audit messages to the Event Log. It also works in association with a number of other subsystems, both kernel and user mode to complete the transaction.

Essentially, unless your system is totally compromised, I’d say don’t worry. :slight_smile:

Thanks.

If you allowed access from internet to lsass.exe all you receive are commands for the botnet you already have on your PC. You can check if you have a botnet by typing “netstat -abn” (without quotes)at you cmd line.
You will see that all the traffic goes from your PC to different IP adresses. Another way to check if you have botnet(and it receives remote commands) is typing “netstat -p ICMP” to your cmd line.
ICMP=Internet Control Message Protocol. You will find that lsass.exe send this request from your pc to remote host. That means a DDOS(distributed denial of service) is in progress and you’re part of it. Don’t worry about the authorities. If somebody comes accusing you of DDOS send him to ISP(internet service Provider) to check the logs.
:wink:
PS: reinstall other copy of windows, you have the botnet already installed at first logon.

Welcome Phantomas90. Did you realise you are answering a Thread from Aug 2009.
Kind regards.

sorry captain. I answered because i think anyone should know the risks. There are many win xp users. And I work everyday with this kind of attacks.

Hi Phantomas. :slight_smile: No need to be sorry, I just thought you might not have realised the date of the previous posters thats all. Thankyou for your post on this Topic it was very informative, and could very well be useful to someone with current issues of this type. Thanks for sharing that with us all and kind regards to you.