Question about an event (lsass.exe)
I've been recently monitoring multiple computers and print workstations using an event analyzer and have been seeing multiple counts that relate to lsass.exe, which at first freaked me out (Sasser worm), but haven't had any automatic shutdowns or anything.
This is what the event says:
The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\WINDOWS\system32\lsass.exe Process Identifier: 808 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: UDP Port Number: 2320 Allowed: No User notified: No
Is there anything I should be concerned about? I'm getting this error at least four dozen times on about 9 stations and it has been checking since midnight this morning. I'm in the process of running a virus scan (we have McAfee) on one of the systems that is having the failure. I ran one on the system32 folder and didn't find anything and am now running one on the whole computer.
Any suggestions?
Comments
-
macdude Member Posts: 173
Check out this site for information on lsass.exe
http://sysinfo.org/startuplist.php?submit=&filter=lsass&submit.x=0&submit.y=0&submit=%3E
-
sprkymrk Member Posts: 4,884
What is the event id number, category, and type?
All things are possible, only believe.
-
Zoomer Member Posts: 126
Event ID is 861, the category is detailed tracking and the type is failure aud.
Hope that helps. It also happens with svchost.exe as well on a few other occasions, usually like 5 times in a row.
The McAfee scan didn't detect anything, but I've had situations where it didn't detect something which I knew was on the system.
-
sprkymrk Member Posts: 4,884
Try a good spyware scanner.
Also use netstat to find out the ports opened and listening by lsass.
The computers that are logging this, do they have a common denominator like a certain application - maybe a logitech webcam or something that other computers do not have?
All things are possible, only believe.
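An added example, not part of the thread and not any poster's code: a Python sketch that parses the event 861 description in the field layout quoted in the first post and groups blocked listeners by image path and protocol, so you can see which stations and ports are involved before comparing against netstat output. The host names, PIDs other than 808 and ports other than 2320 are constructed sample values.

```python
import re
from collections import defaultdict

# Field labels exactly as they appear in the event text quoted in the thread.
LABELS = ["Name", "Path", "Process Identifier", "User account", "User domain",
          "Service", "RPC server", "IP version", "IP protocol", "Port Number",
          "Allowed", "User notified"]
_SPLIT = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):\s*")

def parse_861(message):
    """Split one event 861 description (one line or several) into {label: value}."""
    parts = _SPLIT.split(message)  # [preamble, label1, value1, label2, value2, ...]
    fields = {lab: val.strip() for lab, val in zip(parts[1::2], parts[2::2])}
    missing = [lab for lab in LABELS if lab not in fields]
    if missing:
        raise ValueError(f"not an 861 record, missing: {missing}")
    fields["Port Number"] = int(fields["Port Number"])
    return fields

def summarize(events):
    """events: iterable of (host, message). Group blocked listeners by (path, protocol)."""
    groups = defaultdict(lambda: {"hosts": set(), "ports": set(), "count": 0})
    for host, message in events:
        f = parse_861(message)
        if f["Allowed"] != "No":  # only the blocked (failure audit) records
            continue
        g = groups[(f["Path"].lower(), f["IP protocol"])]
        g["hosts"].add(host)
        g["ports"].add(f["Port Number"])
        g["count"] += 1
    return dict(groups)

# Constructed sample records in the thread's layout (only port 2320 / PID 808 are from the post).
_TEMPLATE = ("The Windows Firewall has detected an application listening for incoming traffic. "
             "Name: - Path: C:\\WINDOWS\\system32\\{exe} Process Identifier: {pid} "
             "User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No "
             "IP version: IPv4 IP protocol: UDP Port Number: {port} Allowed: No User notified: No")
SAMPLE = [("WS01", _TEMPLATE.format(exe="lsass.exe", pid=808, port=2320)),
          ("WS01", _TEMPLATE.format(exe="lsass.exe", pid=808, port=2331)),
          ("WS02", _TEMPLATE.format(exe="lsass.exe", pid=812, port=1187)),
          ("WS02", _TEMPLATE.format(exe="svchost.exe", pid=1040, port=1190))]

if __name__ == "__main__":
    for (path, proto), g in sorted(summarize(SAMPLE).items()):
        print(f"{path} {proto}: {g['count']} events, "
              f"hosts={sorted(g['hosts'])}, ports={sorted(g['ports'])}")
```

The per-group host and port sets make it easier to answer the "common denominator" question above and to tell a single fixed port from a different port on every event.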