Posted: 10/15/2008 10:11:00 PM EDT
I have a pop-up from my ZoneAlarm firewall for: LSA Shell (exporter version) Source IP: 151.13.145.246:port500 This is the program's first attempt to access the internet. Located in: C:\\WINDOWS\systems32\lsass.exe Size of file: 13 KB Is this program the correct version and not a spyware version?
It is (or is supposed to be) the Local Security Authority Subsystem Service. I can't tell from what you posted if ZoneAlarm blocked an incoming request from that address, or an outgoing request. In other words, I can't tell which machine originated the request - yours, or that address in Italy. I suspect it blocked an incoming request. If not, and this was originated from your machine, I'd be...concerned.
Apparently MS has a tool to remove the worm... support.microsoft.com/kb/841720 You should be able to run that with no ill effects, though we don't know what OS you're running... that's not a Vista tool.
You have the right version. Don't worry about it. ZoneAlarm blocked an incoming request to port 500 (which lsass.exe listens on). The Windows firewall (or even a simple router doing NAT) would have blocked this just as well as ZoneAlarm, and without bugging you with useless annoying messages in a misguided attempt to justify its miserable existence. Some dude in Italy is port scanning, looking for vulnerabilities. Don't worry about it.
ZoneAlarm is asking me if this program is ok to be a server, so I believe it's on my computer. I went to the web site another poster linked to and I have a shit ton of IPs listed there. I opened Run and typed Notepad \windows\system32\drivers\etc\hosts I am going through them but I have not found any antivirus sites listed that would indicate a Sasser hit me. My computer has been running fairly normal, with the exception of ar15.com going down on me occasionally. Edit: read that page wrong, it is coming from outside my computer.
Again, the version you have is fine. It's correct. It's the actual Microsoft version. And no, there is no reason (for you) to have it act as a server. And again, there's no reason to have ZoneAlarm bugging you needlessly with bullshit like this. I swear they do this to trick people into thinking it's "doing something". I do it for a living, I don't run ZoneAlarm, never have, and neither does any other IT professional I personally know (help desk monkeys don't count).
Hope you don't mind help from a computer girl..........

"lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server. It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

Note: The lsass.exe file is located in the folder C:\Windows\System32. In other cases, lsass.exe is a virus, spyware, trojan or worm! There are at least three viruses that use either this exact file name or a darn similar one:

* W32.Nimos.Worm
* W32.Sasser.E.Worm (Lsasss.exe)
* W32.HLLW.Lovgate.C@mm

If you need to, the backup copy of lsass.exe can be found on your original Windows install disk in the folder F:\i386\lsass.ex_ (I'm guessing that "F:" is the identification of your CD/DVD drive. If not, use "E:" or similar as required). Because the backup copy is compressed, you need to copy the .ex_ file into your System32 folder, then rename it from ".ex_" to ".exe".

My lsass.exe file size is 12.0 KB (12,288 bytes), Vista Home Premium 32 bit with SP1. File version -- 6.0.6001.18000 and is in the proper folder.
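The location and look-alike-name checks described in the post above can be scripted. The following is an added example, not part of the original thread or any poster's code. It assumes Windows PowerShell 5.1 or later, and it generalizes the "Lsasss.exe" case to any process name within one character edit of lsass.exe; the function name and verdict strings are illustrative.

```powershell
# Added example: audit running processes named lsass.exe or a near-miss of it.
# Assumption: the genuine binary lives at %SystemRoot%\System32\lsass.exe.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance; catches one-character lookalikes such as lsasss.exe.
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = [int]($a[$i - 1] -ne $b[$j - 1])
            $best = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$b.Length]
}

Get-CimInstance Win32_Process | ForEach-Object {
    $dist = Get-EditDistance $_.Name.ToLower() 'lsass.exe'
    if ($dist -gt 1) { return }          # not lsass.exe and not a lookalike

    # ExecutablePath can be empty for protected processes or without elevation.
    $path = $_.ExecutablePath
    $sig  = 'Unknown'
    if ($path) { $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status }

    if     ($dist -gt 0)          { $verdict = 'LOOKALIKE NAME' }
    elseif (-not $path)           { $verdict = 'PATH NOT READABLE' }
    elseif ($path -ne $expected)  { $verdict = 'WRONG LOCATION' }   # -ne ignores case
    elseif ($sig -ne 'Valid')     { $verdict = 'BAD SIGNATURE' }
    else                          { $verdict = 'OK' }

    [pscustomobject]@{
        PID       = $_.ProcessId
        Name      = $_.Name
        Path      = $path
        Signature = $sig
        Verdict   = $verdict
    }
}
```

Run it from an elevated prompt; a healthy system shows exactly one row, with verdict OK or, where the process path cannot be read, PATH NOT READABLE.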
Gee Mr Sub., You're feeling very generous and altruistic this morning! Carry on, My good Man.