You should heed your antivirus program, unless you find a legitimate reason to run the suspicious process.
You can easily google ISASS.exe and LSASS.exe to find out which processes are legitimate or phony.
Also, if I recall, the Norton website explains these issues in detail.
--
db·´¯`·...¸)))º
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- Microsoft Partner
- @hotmail.com
~~~~~~~~~~"share the nirvana" - dbZen
"WhatsUp31415" wrote in message ...
When we[*] open a particular email in Outlook Express, it apparently causes Lsass.exe (with ell, not eye) to run.
Any idea why?
It causes an alleged Norton Internet Security pop-up asking for confirmation to allow Lsass.exe to access the Internet.
(Actually, I think it is to allow an incoming login request.) I say "alleged" because the only choice is "allow always". It
seems unusual to have only the one choice, not also "disallow". That piques my suspicion.
When I look at the text of the message in plain ASCII (i.e. Message Source), it looks benign to me. It does have an HTML part;
but I do not find any explicit reference to any EXE file, much less Lsass.exe. (I did a Find in Notepad.) However, I do not know
HTML very well; I might have overlooked some other mechanism that would trigger a remote login attempt.
(What should I look for?)
(Also, I was unable to look at the original mail headers because they are stripped when OE forwards email.)
I know that isass.exe (usually cap eye) is considered to be a trojan horse. But my understanding is that Lsass.exe (usually
lowercase ell) is a Windows service, namely the Local Security Authentication Server [sic], according to some web pages.
We did a file search and confirmed that isass.exe (with eye) does not exist, whereas Lsass.exe (with ell) does.
The system does have multiple user accounts; I assume that Lsass.exe is invoked when we login. But I still do not understand what
could cause an incoming login request in that email.
FYI, the email is a legitimate response to email that we[*] sent. But of course, that does not rule out the possibility that the sender's system is infected, and a trojan horse was attached to legitimate outgoing email.
Anyway, any thoughts would be appreciated. Namely:
1. Am I correct to be suspicious and to trash the email?
2. Or should I allow Lsass.exe to access the Internet?
3. And if #2, please let me know why; that is, what is going on?
[*] "We" is really my computer-illiterate mother. I am trying to troubleshoot this from 400 miles away. It's a struggle. Her PC has Win XP and OE 6. I believe Win XP is SP2, but it might be SP1.