Thread: Why does email run Lsass.exe (ell, not cap eye)?
View Single Post
  #5  
Old July 16th 09, 12:07 AM posted to microsoft.public.windows.inetexplorer.ie6_outlookexpress,microsoft.public.windowsxp.general
PA Bear [MS MVP]
external usenet poster
  
Posts: 3,647
Default Why does email run Lsass.exe (ell, not cap eye)?
OE Tools | Options | Security (tab):

Make certain that OE is running in the Restricted Sites zone.

If no joy, see if enabling or disabling (as the case may be) the "Block
images..." option resolves the behavior.

For even more security, enabled OE Tools | Options | Read | Read all
messages in plain text =this option.

PS: If NAV is configured to scan incoming/outgoing mail, disable it. It
provides no additional protection, it could be causing the behavior, and
even Symantec says it's not necessary:

QP
Disabling Email Scanning does not leave you unprotected against viruses that
are distributed as email attachments. Norton AntiVirus Auto-Protect scans
incoming files as they are saved to your hard drive, including email and
email attachments. Email Scanning is just another layer on top of this. To
make sure that Auto-Protect is providing the maximum protection, keep
Auto-Protect enabled and run LiveUpdate regularly to ensure that you have
the most recent virus definitions.
/QP
http://service1.symantec.com/SUPPORT...02111812533106

Why you don't need your anti-virus to scan your email
http://thundercloud.net/infoave/tuto...ning/index.htm
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002



WhatsUp31415 wrote:
When we[*] open a particular email in Outlook Express, it apparently
causes
Lsass.exe (with ell, not eye) to run.

Any idea why?

It causes an alleged Norton Internet Security pop-up asking for
confirmation
to allow Lsass.exe to access the Internet. (Actually, I think it is to
allow an incoming login request.) I say "alleged" because the only choice
is "allow always". It seems unusual to have only the one choice, not also
"disallow". That piques my suspicion.

When I look at the text of the message in plain ASCII (i.e. Message
Source),
it looks benign to me. It does have an HTML part; but I do not find any
explicit reference to any EXE file, much less Lsass.exe. (I did a Find in
Notepad.) However, I do not know HTML very well; I might have overlooked
some other mechanism that would trigger a remote login attempt.

(What should I look for?)

(Also, I was unable to look at the original mail headers because they are
stripped when OE forwards email .)

I know that isass.exe (usually cap eye) is considered to be a trojan
horse.
But my understanding is that Lsass.exe (usually lowercase ell) is a
Windows
service, namely the Local Security Authentication Server [sic], according
to
some web pages.

We did a file search and confirmed that isass.exe (with eye) does not
exist,
whereas Lsass.exe (with ell) does.

The system does have multiple user accounts; I assume that Lsass.exe is
invoked when we login. But I still do not understand what could cause an
incoming login request in that email.

FYI, the email is a legitimate response to email that we[*] sent. But of
course, that does not rule the possibility that the sender's system is
infected, and a trojan horse was attached to legitimate outgoing email.

Anyway, any thoughts would be appreciated. Namely:

1. Am I correct to be suspicious and to trash the email?

2. Or should I allow Lsass.exe to access the Internet?

3. And if #2, please let me know why; that is, what is going on?


[*] "We" is really my computer-illiterate mother. I am trying to
troubleshoot this from 400 miles away. It's a struggle . Her PC has
Win
XP and OE 6. I believe Win XP is SP2, but it might be SP1.

Ads