Thread: Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet

  1. #1
    bloomcounty Guest

    Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet

    I just noticed that in ZA Program Control LSA Shell (Export Version) was added automatically (without notifying me), with green check marks in both the Access-Trusted and Access-Internet (and ?'s in the Server-Trusted and Server-Internet). It didn't ask to allow it, it just did it (and I happened to notice).

    I'm not sure when it happened, but I was just at the library using their free wifi (which comes up in the Internet Zone, *not* the Trusted Zone, as it should) and when I checked my ZA Program Control, that's when I noticed it. I freaked out a bit and just immediately removed it from the ZA Program Control. But I do recall that the details of it did say Microsoft and I also did a search of my computer for lsass.exe and only one comes up in the C:\WINDOWS\System32 folder (which is where it's supposed to be).

    Any ideas what this is about? (It's never come up before when using the wifi at the library, or dial-up at home -- though I do recall it popping up from time to time on my old computer, and I always just removed it...) Thoughts?

    Also, is there a log somewhere that will show it getting added and what it was doing?

    Thanks!

    (Please note my OS and ZA version below...)

    Operating System:Windows XP Home Edition
    Software Version:6.5
    Product Name:ZoneAlarm (Free)

  2. #2
    prof_fate Guest

    Re: Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet


    > bloomcounty wrote:
    > I just noticed that in ZA Program Control LSA Shell (Export Version) was added automatically (without notifying me), with green check marks in both the Access-Trusted and Access-Internet (and ?'s in the Server-Trusted and Server-Internet). It didn't ask to allow it, it just did it (and I happened to notice).
    >
    > I'm not sure when it happened, but I was just at the library using their free wifi (which comes up in the Internet Zone, *not* the Trusted Zone, as it should) and when I checked my ZA Program Control, that's when I noticed it. I freaked out a bit and just immediately removed it from the ZA Program Control. But I do recall that the details of it did say Microsoft and I also did a search of my computer for lsass.exe and only one comes up in the C:\WINDOWS\System32 folder (which is where it's supposed to be).
    >
    > Any ideas what this is about? (It's never come up before when using the wifi at the library, or dial-up at home -- though I do recall it popping up from time to time on my old computer, and I always just removed it...) Thoughts?
    >
    > Also, is there a log somewhere that will show it getting added and what it was doing?
    >
    > Thanks!
    >
    > (Please note my OS and ZA version below...)
    >
    > Operating System: Windows XP Home Edition
    > Software Version: 6.5
    > Product Name: ZoneAlarm (Free)

    You're using a Very Old version of Zone Alarm Free.
    a.) Have you Regularly Updated your Anti-Virus and Anti-Spyware?
    b.) Have you kept Windows XP updated with Service Pack 2 and all the Current Windows Updates?
    Depending on your OS status, you could have the Sasser or msblast virus.

    What You Should Know About the Sasser Worm and Its Variants:
    http://www.microsoft.com/security/incident/sasser.asp

    Apply MS Security Bulletin:
    http://www.microsoft.com/technet/sec.../ms04-011.mspx

    Use One of the Following Removal Tools to Delete the Virus:
    ======================================
    1) Sasser (A-F) Worm Removal Tool (KB841720) >> http://www.microsoft.com/downloads/details.aspx?familyid=76C6DE7E-1B6B-4FC3-90D4...

    2) FxSasser.exe from Symantec >> http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool....

    3) Stinger from McAfee >> http://vil.nai.com/vil/stinger/

    4) SysClean PACKAGE from TrendMicro >> http://www.trendmicro.com/download/dcs.asp

    5) SASSGUI\SASSSFX from Sophos >> http://www.sophos.com/support/disinfection/sasser.html

    6) ClnSasser from Computer Associates >> http://www3.ca.com/Files/VirusInform.../clnsasser.zip

    7) F-Sasser from F-Secure >> http://www.f-secure.com/tools/f-sasser.zip

    8) SasserFix2 from Norman >> http://www.norman.com/Virus/Virus_removal_tools/14938

    9) QuickRemover from Panda >> http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=sol&idvir...

    ---------------------------------------------------------
    ZoneAlarm Security Suite version:7.0.462.000
    TrueVector version:7.0.462.000
    Driver version:7.0.462.000
    Anti-virus engine version:3
    Anti-virus SDK version:5.0.1.82
    Anti-virus signature DAT file version:944725772
    Anti-spyware engine version:5.0.189.0
    Anti-spyware signature DAT file version:01.200802.3335
    AntiSpam version:5.0.6.8903

  3. #3
    naivemelody Guest

    Re: Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet

    It seems you have asked this question once before and got many replies - refresh your memory - click here > http://forums.zonelabs.org/zonelabs/...ssage.id=16230
    - and read thru all of the replies - again. LSA is a Microsoft service.

    From ProcessList.com:
    What is lsass.exe?

    lsass.exe (LSA Shell (Export Version)) is an executable from the software Microsoft Windows Operating System version 5.1.0 by Microsoft Corporation. lsass.exe version 5.1.0 is most commonly found under the directory "system32" with a creation date of August 23, 2001. This is not a known spyware, adware, or trojan executable. Microsoft Windows is the most widely used PC operating system.

    LSA Shell (Export Version) = Windows/system32/lsass.exe on the pc - it's essential, keep it.

    From neuber.com:
    What is lsass.exe? Is lsass.exe spyware or a virus?

    Process name: Local security authentication server
    Product: Windows
    Company: Microsoft
    File: lsass.exe
    Security Rating:

    "lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server. It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

    Note: The lsass.exe file is located in the folder C:\Windows\System32. In other cases, lsass.exe is a virus, spyware, trojan or worm! (from neuber.com)

    Thanks to Guru Oldsod for this -

    Is that Isass.exe or Lsass.exe?

    Lsass.exe is a legit Windows component, if it is in the C:\WINDOWS\System32 folder. Just look for it and right click it and examine the properties. The time and date should coincide with the Windows install. Plus the version and owner can be found, verifying if it is from Microsoft.

    Yes there are worms and various malware posing as lsass.exe.
    These should be held in check if you have all of the Microsoft updates. And scan with an updated antivirus.

    Denying access in the ZA Program Control will not stop it from running. That requires the "Kill" in the right click Options in the ZA itself. So yes, it will still appear in the Task Manager.

    It does not require Internet access or any server rights of any kind. Just Trusted Access and a three green bar rating. Ask for internet access is acceptable...

    :0NaiveMelody NYC 2-15-08 - How's It Going To Be - Third Eye Blind


    Message Edited by NaiveMelody on 02-15-2008 09:41 PM

  4. #4
    zaswing Guest

    Re: Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet

    Isn't it Kerberos and generally authentication (ports 500, 88, 389, 4500, few others). You may have signed into some network where authorization was needed, in which case internet access made sense. But the vulnerability is there, as Prof-Fate said.
    http://en.wikipedia.org/wiki/Local_S...system_Service
    http://technet2.microsoft.com/Window...61c1b1033.mspx

    I think you can allow it for the local network or very trusted network. So put a "?" for the internet access when it comes back.

    ZA normally puts untrusted networks such as wifi in the Internet zone, so I have no problem with that part, as you do.

    Prof_Fate, 6.5 isn't thaaaaaat old. It's the last one small (without the disabled suite features) and has no conflicts with other security apps. I think ZA would have alerted if the worm hit, but who knows on a public wifi really.

  5. #5
    zaswing Guest

    Re: Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet

    NM, I posted my thing without seeing yours (screen didn't refresh). That is one cool thread out there. Thanks for the link.

    Message Edited by zasuiteuser on 02-15-2008 11:44 PM

  6. #6
    Oldsod (Join Date: Dec 2005; Posts: 9,057)

    Re: Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet


    > zasuiteuser wrote:
    > Isn't it Kerberos and generally authentication (ports 500, 88, 389, 4500, few others). You may have signed into some network where authorization was needed, in which case internet access made sense. But the vulnerability is there, as Prof-Fate said.
    > http://en.wikipedia.org/wiki/Local_S...system_Service
    > http://technet2.microsoft.com/Window...61c1b1033.mspx
    >
    > I think you can allow it for the local network or very trusted network. So put a "?" for the internet access when it comes back.
    >
    > ZA normally puts untrusted networks such as wifi in the Internet zone, so I have no problem with that part, as you do.
    >
    > Prof_Fate, 6.5 isn't thaaaaaat old. It's the last one small (without the disabled suite features) and has no conflicts with other security apps. I think ZA would have alerted if the worm hit, but who knows on a public wifi really.
    Correct.


    Actually the Sasser worm exploit had been fixed in Windows XP by the updates prior to XP SP2 and is patched in the XP SP2. Not a risk anymore for a properly updated Windows XP.

    The following applies to XP also ...quoted from http://support.microsoft.com/kb/832017

    Active Directory (Local Security Authority)
    Active Directory runs under the LSASS process and includes the authentication and replication engines for Windows 2000 and Windows Server 2003 domain controllers. Domain controllers, client computers and application servers require network connectivity to Active Directory over specific hard-coded ports in addition to a range of ephemeral TCP ports between 1024 and 65536 unless a tunneling protocol is used to encapsulate such traffic. An encapsulated solution might consist of a VPN gateway located behind a filtering router using Layer 2 Tunneling Protocol (L2TP) together with IPsec. In this encapsulated scenario, you must allow IPsec Encapsulating Security Protocol (ESP) (IP protocol 50), IPsec Network Address Translator Traversal NAT-T (UDP port 4500), and IPsec Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500) through the router as opposed to opening all the ports and protocols listed below. Finally, the port used for Active Directory replication may be hard-coded as described in the following article in the Microsoft Knowledge Base:


    System service name: LSASS

    Application protocol    Protocol    Ports used
    Global Catalog Server   TCP         3269
    Global Catalog Server   TCP         3268
    LDAP Server             TCP         389
    LDAP Server             UDP         389
    LDAP SSL                TCP         636
    LDAP SSL                UDP         636
    IPsec ISAKMP            UDP         500
    NAT-T                   UDP         4500
    RPC                     TCP         135

    The lsass.exe will often request or require internet access when the IPSec is enabled or used and for the VPN. The remainder of the requests is for the lan itself and no further. If the user does not want the lsass.exe to be available or started in the windows for connections, then the user should disable the IPSec, NetLogon, NT LM Security Support Provider, Protected Storage and the Security Accounts Manager services.

    Removing an entry in the ZA Program list to run away from it is self defeating. A software firewall is designed to control the ports, protocols and IP and the applications, not ignore them!

    Windows or any computer is designed to connect and interact with other computers in various ways. To hide or destroy that connecting aspect of a computer is self defeating. To control the connecting aspect of a computer is the acceptable approach and method.

    Oldsod
    Best regards.
    oldsod

  7. #7
    Oldsod (Join Date: Dec 2005; Posts: 9,057)

    Re: Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet

    Funny how posters panic at some new entry in the ZA Program list but forget to read the firewall logs and see if there really was an outbound connection made in the first place and to where and by what ports and protocols and what were the incoming connections. Or post the log entries for a proper breakdown and analysis. Oldsod
    Best regards.
    oldsod

  8. #8
    bloomcounty Guest

    Re: Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet

    > Oldsod wrote:
    > Funny how posters panic at some new entry in the ZA Program list but forget to read the firewall logs and see if there really was an outbound connection made in the first place and to where and by what ports and protocols and what were the incoming connections. Or post the log entries for a proper breakdown and analysis. Oldsod


    This is actually what I wanted to do (and I believe I asked about where I could find the log entry that showed what it was doing when it was automatically added to Program Control). It did not ask me to allow it to access anything or add it, but it showed up on its own in Program Control (with *two* green check marks -- Access-Trusted *and* Access-Internet, though you said it should only have been Access-Trusted, right?).

    1. I still don't understand the reason it popped up -- or, more importantly, it's okay that it popped up in Program Control on its own?

    2. Where is the log located that will show if it made a connection (and to where) and/or when it was added to Program Control?

    3. Why was it added with green check marks for *both* Access-Trusted and Access-Internet?

    Please note: I have XP SP2, AVG A/V Free and A/S Free (real-time is no longer active), Ad-Aware SE and Spybot.

    I use DIAL-UP 99.9% of the time (except when using free wifi at the library to download podcasts or watch videos at reputable sites -- and it *might* have been at this time, when using free wifi, when it was added automatically, but hopefully the log will tell?)

    Also, I did look at my old thread -- this is a somewhat different situation.

    Thanks for the help! Hope to hear from you soon!

  9. #9
    Oldsod (Join Date: Dec 2005; Posts: 9,057)

    Re: Why did ZA allow LSA Shell (Export Version) to be automatically added w/Access-Trusted/Internet

    "The following applies to XP also ...quoted from http://support.microsoft.com/kb/832017

    Active Directory (Local Security Authority)
    Active Directory runs under the LSASS process and includes the authentication and replication engines for Windows 2000 and Windows Server 2003 domain controllers. Domain controllers, client computers and application servers require network connectivity to Active Directory over specific hard-coded ports in addition to a range of ephemeral TCP ports between 1024 and 65536 unless a tunneling protocol is used to encapsulate such traffic. An encapsulated solution might consist of a VPN gateway located behind a filtering router using Layer 2 Tunneling Protocol (L2TP) together with IPsec. In this encapsulated scenario, you must allow IPsec Encapsulating Security Protocol (ESP) (IP protocol 50), IPsec Network Address Translator Traversal NAT-T (UDP port 4500), and IPsec Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500) through the router as opposed to opening all the ports and protocols listed below. Finally, the port used for Active Directory replication may be hard-coded as described in the following article in the Microsoft Knowledge Base:


    System service name: LSASS

    Application protocol    Protocol    Ports used
    Global Catalog Server   TCP         3269
    Global Catalog Server   TCP         3268
    LDAP Server             TCP         389
    LDAP Server             UDP         389
    LDAP SSL                TCP         636
    LDAP SSL                UDP         636
    IPsec ISAKMP            UDP         500
    NAT-T                   UDP         4500
    RPC                     TCP         135

    The lsass.exe will often request or require internet access when the IPSec is enabled or used and for the VPN. The remainder of the requests is for the lan itself and no further. If the user does not want the lsass.exe to be available or started in the windows for connections, then the user should disable the IPSec, NetLogon, NT LM Security Support Provider, Protected Storage and the Security Accounts Manager services.

    Removing an entry in the ZA Program list to run away from it is self defeating. A software firewall is designed to control the ports, protocols and IP and the applications, not ignore them!

    Windows or any computer is designed to connect and interact with other computers in various ways. To hide or destroy that connecting aspect of a computer is self defeating. To control the connecting aspect of a computer is the acceptable approach and method."

    Yes of course it is okay it is in the ZA program list. It is a windows component.
    Did it actually "popup" or was this merely added to the ZA program list?
    Open the Alerts and Logs and select the Log Viewer or open the ZALog.txt in the WINDOWS\Internet Logs.
    The lsass.exe does need both internet access and trusted access as described in the quote from microsoft kb.
    The real question remains if the lsass.exe actually did make any outbound connections or did windows just activate the lsass.exe when started at the open wireless lan and the ZA simply recognized the event.
    It does not matter if you have avg or spybot. These are unrelated.
    Actually no, this is still the same topic and I will not explain any further.
    No doubt your other threads in different forums yield similar answers.

    Oldsod
    Best regards.
    oldsod
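    Putting post #3's file check and the port table from the KB832017 quote together, here is an added example (not from the thread, and not ZoneAlarm's own code) that triages firewall records the way Oldsod suggests: was there an outbound connection, to where, and on which port and protocol. The record layout, the 192.168.1.0/24 LAN and every address are constructed assumptions, not ZoneAlarm's real ZALog.txt format.

```python
import ipaddress
import ntpath
from typing import NamedTuple

# Ports LSASS legitimately uses, from the KB832017 table quoted in post #6.
LSASS_PORTS = {
    ("TCP", 3269): "Global Catalog Server", ("TCP", 3268): "Global Catalog Server",
    ("TCP", 389): "LDAP Server", ("UDP", 389): "LDAP Server",
    ("TCP", 636): "LDAP SSL", ("UDP", 636): "LDAP SSL",
    ("UDP", 500): "IPsec ISAKMP", ("UDP", 4500): "NAT-T", ("TCP", 135): "RPC",
}
# Assumed (constructed) local subnet: LSASS traffic is "for the lan itself and no further".
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")


class LogEntry(NamedTuple):
    direction: str    # "OUT" or "IN"
    program: str      # image path the firewall attributed the connection to
    proto: str        # "TCP" or "UDP"
    remote_ip: str
    remote_port: int


def parse_line(line: str) -> LogEntry:
    """Parse one constructed record: direction,program,proto,remote_ip:port
    (a stand-in layout, not ZoneAlarm's real ZALog.txt format)."""
    direction, program, proto, remote = line.split(",")
    ip, port = remote.rsplit(":", 1)
    return LogEntry(direction, program, proto.upper(), ip, int(port))


def is_genuine_lsass_path(path: str) -> bool:
    """Post #3's check: the real file is %SystemRoot%\\System32\\lsass.exe with a
    lowercase L; 'Isass.exe' (capital I) or a copy in another folder fails."""
    directory, name = ntpath.split(path)
    if name.lower() != "lsass.exe":
        return False
    return ntpath.normcase(directory).endswith(r"\windows\system32")


def classify(entry: LogEntry):
    """Return (verdict, reason) for one record attributed to lsass."""
    if not is_genuine_lsass_path(entry.program):
        return "suspicious", "image is not %SystemRoot%\\System32\\lsass.exe"
    service = LSASS_PORTS.get((entry.proto, entry.remote_port))
    if service is None:
        return "investigate", f"{entry.proto}/{entry.remote_port} is not an LSASS port"
    if ipaddress.ip_address(entry.remote_ip) not in LOCAL_LAN:
        return "investigate", f"{service} to off-LAN address {entry.remote_ip}"
    return "expected", f"{service} within the LAN"


def triage(lines):
    """Oldsod's questions: did lsass connect out, to where, on which port/protocol?"""
    findings = []
    for entry in map(parse_line, lines):
        # Match the genuine name and the capital-I lookalike from post #3.
        if ntpath.basename(entry.program).lower() in ("lsass.exe", "isass.exe"):
            findings.append((entry, *classify(entry)))
    return findings


# Constructed sample records; none are from a real log.
SAMPLE_LOG = [
    "OUT,C:\\WINDOWS\\System32\\lsass.exe,UDP,192.168.1.1:500",
    "OUT,C:\\WINDOWS\\System32\\lsass.exe,TCP,203.0.113.10:389",
    "OUT,C:\\WINDOWS\\System32\\lsass.exe,TCP,192.168.1.20:445",
    "OUT,C:\\WINDOWS\\Isass.exe,TCP,203.0.113.7:6667",
    "OUT,C:\\Program Files\\Mozilla Firefox\\firefox.exe,TCP,203.0.113.80:80",
]
```

    Running `triage(SAMPLE_LOG)` flags the ISAKMP exchange with the gateway as expected, the LDAP and SMB-port records for a closer look, and the capital-I lookalike as suspicious; the browser record is ignored because only lsass-named images are in scope.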

  10. #10
    bloomcounty Guest

    Oldsod -- Here's the answers to your questions...

    > Oldsod wrote:
    > Did it actually "popup" or was this merely added to the ZA program list.
    > Open the Alerts and Logs and select the Log Viewer or open the ZALog.txt in the WINDOWS\Internet Logs.


    As I stated, there was no "pop-up" asking me to allow it. I just happened to notice it in the Program Control when I checked it while using the wifi at the library. It was never added automatically like that on previous occasions I used the wifi there. Only this time.

    I just checked all the internet logs back to 1/24/08 and did a search for "lsass" and nothing came up. Should it have shown up in the log somewhere if it got added automatically to the Program Control?


    > Oldsod wrote:
    > The real question remains if the lsass.exe actually did make any outbound connections or did windows just activate the lsass.exe when started at the open wireless lan and the ZA simply recognized the event.


    Since I could not find "lsass" listed in any of the logs, does that mean it did not make any outbound connection?

    If it didn't and Windows just activated it (for some reason only this time) and ZA recognized the event, would that still show up in a log somewhere?

    Thanks for the help.
