lsass.exe – a brief description
lsass stands for "Local Security Authentication Server". The lsass.exe file is a legitimate Windows file and should not be removed. lsass is a process used in Microsoft operating systems to enforce the system security policy. To do this, lsass authenticates users logging on to a Windows computer or server using the Winlogon service. Once a user is authenticated, an access token is generated and that token is used to launch the initial shell (the outermost interface). Other processes can then inherit this security token. The lsass process cannot be terminated from Task Manager.
Issues
There are known malware ("malicious software") issues associated with lsass. Many of these involve using a similar name, and some exploit vulnerabilities in your system. Viruses with the same or a similar name include:
- W32.Nimos.Worm
- W32.HLLW.Lovgate.C@mm
- W32.Sasser.E.Worm (lsasss.exe)
The last one in this list, the worm known as "Sasser", takes advantage of an lsass vulnerability. It proliferates using a buffer overflow (an error in a program that can lead to non-standard memory access, the termination of the program, or even a security breach). This worm is considered a dangerous one in that it can spread using atypical methods: it does not require human interaction such as email, as it can take advantage of any non-secure network port. Once it takes hold it has commonly been known to randomly shut down programs that are running. When the lsass program shuts down, a countdown timer is displayed along with a warning to save any unsaved work and close all programs before the computer is turned off.
Another known computer malware threat is isass.exe. It is important to note the difference between lsass (lower-case L: "lsass") and Isass (upper-case i: "Isass"); the two are easy to confuse on screen. In this report we will refer to the virus using the lower-case spelling. isass.exe is known as the Optix.Pro virus and it is capable of disabling firewalls and computer security in order to gain access to your system. This backdoor Trojan is capable of modifying the system registry, intercepting and releasing confidential information, and disabling and terminating active processes for your firewall and anti-virus programs.
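The name confusion described above (lsass.exe versus lsasss.exe and Isass.exe) is something a defender can check for mechanically. The following is an added example, not part of the original article: it folds the visually confusable characters (l, I, 1) together, flags process names within one edit of "lsass", and flags a correctly named lsass.exe that does not run from its expected directory. It assumes the genuine binary lives in C:\WINDOWS\system32 (true for the Windows XP systems the article discusses) and uses a constructed process list as input.

```python
from pathlib import PureWindowsPath

# Assumption: the genuine lsass.exe runs from %SystemRoot%\system32.
GENUINE_NAME = "lsass.exe"
GENUINE_DIR = PureWindowsPath(r"C:\WINDOWS\system32")

# Constructed process snapshot (name, full path) for the demonstration; not real data.
# Includes the two lookalikes named in the article: lsasss.exe (Sasser) and Isass.exe (Optix.Pro).
SAMPLE_PROCESSES = [
    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    ("lsasss.exe", r"C:\WINDOWS\system32\lsasss.exe"),
    ("Isass.exe", r"C:\WINDOWS\Isass.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("lsass.exe", r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe"),
]

def _fold(name: str) -> str:
    # Lower-case, then map capital I and digit 1 (which look like a lower-case L
    # in many fonts) onto "l" so that "Isass" and "1sass" compare as "lsass".
    return name.lower().translate(str.maketrans("i1", "ll"))

def _edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance; catches one extra/missing/changed letter.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, path: str) -> str:
    """Return 'genuine', 'wrong-path', 'lookalike-name' or 'unrelated'."""
    if name.lower() == GENUINE_NAME:
        # Right name: only genuine when it runs from the expected directory.
        # PureWindowsPath compares case-insensitively, as Windows does.
        return "genuine" if PureWindowsPath(path).parent == GENUINE_DIR else "wrong-path"
    stem, _, ext = name.rpartition(".")
    if ext.lower() == "exe" and _edit_distance(_fold(stem), "lsass") <= 1:
        return "lookalike-name"
    return "unrelated"

def scan(processes):
    """Return (name, path, verdict) for every process that deserves a closer look."""
    findings = []
    for name, path in processes:
        verdict = classify(name, path)
        if verdict not in ("genuine", "unrelated"):
            findings.append((name, path, verdict))
    return findings
```

Running scan(SAMPLE_PROCESSES) reports the Sasser and Optix.Pro lookalikes and the lsass.exe copy in the Temp folder while leaving the real one in System32 alone.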
In the event that the wrong file is deleted, the following system error is displayed: "lsass.EXE object name not found". In this case the user must recover the lsass file in order to restore normal functioning of their computer. Fortunately there are methods available to solve these issues.
Solutions
There are ways to deal with the Sasser timer. You can buy yourself some time by double-clicking your system clock in the system tray and temporarily adjusting the time. You can also shut the timer off by doing the following:
- Click the Start button and select Run.
- Type: shutdown -a
- Click OK.
This terminates the system shutdown and gives you the
opportunity to find and remove the unwanted item.
Make sure that you do not remove the lsass.exe file. It is a valid Windows file that is essential to your system functioning. It can be recovered using the Windows XP Recovery Console. The Dell support site describes ways for you to recover the file if you have deleted it. See:
http://support.dell.com/support/topics/global.aspx/support/dsn/en/document?docid=F7C2CE720E6043E9A9C7BC633223D508&c=us&l=en&s=gen
We recommend using the efficient scanning and cleaning tools described below. It is also advisable to install and properly configure a firewall to prevent security breaches and exposure to malware attacks. Afterwards, make sure that you are running the most recent patches and updates by going to the Microsoft web site or by clicking the Start button in your taskbar and selecting Windows Update.
When choosing an anti-spyware program, be sure to
choose a program that is reputable. There are anti-spyware
tools that claim to be effective in detecting and
removing malicious items and then run mock scans and
display false detection results. These “rogue
security tools” are themselves malware and are
attempting to get you to pay for a full version. Some
can be difficult to remove from your system.
Some anti-virus tools are not robust enough to alleviate the problem. User reports on the Internet describe discovering isass.exe in the task manager and using a well-known anti-virus tool without any effect. We recommend that you use…
Best practices
There are a number of best practices that you should follow to prevent malware attacks and to protect the normal functioning of your computer. These include:
- Registry Cleaning: Perform regular scanning and cleaning of your registry to remove failed and incomplete installations and un-installations, corrupt and obsolete drivers, and remnants left behind by spyware. We recommend using RegCure Registry Cleaner since it has the highest detection rate and scanning speed in the industry.
- Anti-Spyware Protection: install and periodically run anti-spyware software to detect and remove malicious and unwanted items. XoftSpySE AntiSpyware is highly recommended.
- Firewall Protection: you can prevent hackers from downloading malicious software content by setting up firewall protection. For reasons why you should use a firewall see: http://www.microsoft.com/athome/security/viruses/fwbenefits.mspx
- Configure your security settings: you can adjust your Internet browsing settings to determine how much web content you are willing to accept when surfing the Internet.
- Safe surfing: by downloading content only from sites that you trust, you can prevent malware from being downloaded in the first place. Review license agreements, security warnings, and privacy statements before deciding to download content.
You can manually remove malware; however, it is likely that the uninstall.exe file is buried and inaccessible. Also, many malware items are sophisticated and have either propagated throughout your system or are designed to be evasive and difficult to remove. Having the proper tools to address malware infections will likely save time and be less risky. A good anti-spyware tool will have scheduling, quarantine, and backup capabilities. You will also want an anti-spyware utility such as XoftSpySE that updates frequently and is capable of thorough scans.