Is this normal?

gs

what should I do about this?

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 2006-11-20
Time: 08:36:59
User: NT AUTHORITY\SYSTEM
Computer: IEI-A64
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 1064
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 4500
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
C:\WINDOWS\system32\lsass.exe

lsass.exe is a Windows XP file called LSA Shell (Export Version).

It is also called the Local Security Administration Subsystem Service.

Local Security Authority Subsystem Service (LSASS) provides an interface for
managing local security, domain authentication, and Active Directory
processes. LSASS handles authentication for the client and for the server.
It also contains features that are used to support Active Directory
utilities.

I got this somewhere at ZoneAlarm's site, but cannot find the link.

[[LSA Shell (Export Version) is trying to connect to the Internet or your
local network

What should I do?
Give LSA Shell (Export Version) permission to connect.

Why?
LSA Shell (Export Version) (file name lsass.exe) is a component of Windows
NT and 2000 operating systems that helps administer access permissions. It
sometimes requires access to the Internet to perform legitimate tasks. It is
normal for this program to request access permission, and it is safe to
grant permission.

LSA Shell (Export Version) is trying to connect to the Internet or your
local network
ZoneAlarm is asking you whether to allow the connection. No breach in your
security has occurred. Your computer is safe.

How LSA Shell (Export Version) uses the Internet
LSA Shell (Export Version) (filename lsass.exe) is the Local Security
Administration Subsystem, the process that runs the Local Security Authority
component of the Windows NT Security Subsystem. (It is also a feature of the
Windows 2000 operating system.) This process handles aspects of security
administration on local computers, including access and permissions. For
example, LSA Shell (Export Version) generates the process responsible for
authenticating users for the Winlogon service.]]

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Besides the great explanation by Wes, I would keep an eye on it, as it could
also be used by worms/Trojans to gain access to your computer, especially the
Sasser worm.
Monitor the processor used by it.
HTH.
Regs,
nass
 
Thank you all for the explanation.


Further to the Sasser worm, I have already scanned for expanded threats with
Symantec security and found nothing, and the PC is actually standalone
without a server connection.

How do I monitor the process for lsass?
 
gs said:
Thank you all for the explanation.


Further to the Sasser worm, I have already scanned for expanded threats with
Symantec security and found nothing, and the PC is actually standalone
without a server connection.

How do I monitor the process for lsass?

Hi gs,
By monitoring I mean checking the log file for the firewall and the CPU
usage by accessing the Task Manager.
This way you will know if there is an application using the processor and
what it is: is it a legitimate app or unwanted traffic or activity?
HTH.
Regs,
nass
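
Added example, not part of the thread and not written by any of its posters: one way to review Event ID 861 records like the one posted above, by parsing the description fields and checking that a listener named lsass.exe really runs from the path shown in the event. The function names are hypothetical, the event text is assumed to have been copied into a string, and the second record is constructed for contrast.

```python
import ntpath
import re

# Expected image path, taken from the event quoted in the thread.
EXPECTED_LSASS = r"C:\WINDOWS\system32\lsass.exe"

# Description text of the Event ID 861 record posted in the thread.
THREAD_EVENT = r"""The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 1064
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 4500
Allowed: No
User notified: No
"""
# Constructed record (not from the thread): same file name, different folder.
CONSTRUCTED_EVENT = THREAD_EVENT.replace("system32", "Temp")

FIELD_RE = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.MULTILINE)

def parse_861(description):
    """Return the 'Key: value' lines of an Event ID 861 description as a dict."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(description)}

def triage(description):
    """Classify one event: 'expected-path', 'path-mismatch' or 'other-program'."""
    path = parse_861(description).get("Path", "")
    if ntpath.basename(path).lower() != "lsass.exe":
        return "other-program"
    # Windows paths are case-insensitive, so compare normalised forms.
    if ntpath.normcase(path) == ntpath.normcase(EXPECTED_LSASS):
        return "expected-path"
    return "path-mismatch"

def summarize(description):
    """Verdict plus the listener details worth reviewing, as one line."""
    f = parse_861(description)
    return "{}: pid {} {}/{} allowed={}".format(
        triage(description), f.get("Process identifier"),
        f.get("IP protocol"), f.get("Port number"), f.get("Allowed"))

if __name__ == "__main__":
    for event in (THREAD_EVENT, CONSTRUCTED_EVENT):
        print(summarize(event))
```

A `path-mismatch` verdict only means the record deserves a closer look; it is not proof of infection.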
 
thx.
nass said:
Hi gs,
By monitoring I mean checking the log file for the firewall and the CPU
usage by accessing the Task Manager.
This way you will know if there is an application using the processor and
what it is: is it a legitimate app or unwanted traffic or activity?
HTH.
Regs,
nass
 