Why does email run Lsass.exe (ell, not cap eye)?

[WhatsUp31415]

When we [*] open a particular email in Outlook Express, it apparently causes
Lsass.exe (with ell, not eye) to run.

Any idea why?

It causes an alleged Norton Internet Security pop-up asking for confirmation
to allow Lsass.exe to access the Internet. (Actually, I think it is to
allow an incoming login request.) I say "alleged" because the only choice
is "allow always". It seems unusual to have only the one choice, not also
"disallow". That piques my suspicion.

When I look at the text of the message in plain ASCII (i.e. Message Source),
it looks benign to me. It does have an HTML part; but I do not find any
explicit reference to any EXE file, much less Lsass.exe. (I did a Find in
Notepad.) However, I do not know HTML very well; I might have overlooked
some other mechanism that would trigger a remote login attempt.

(What should I look for?)

(Also, I was unable to look at the original mail headers because they are
stripped when OE forwards email .)

I know that isass.exe (usually cap eye) is considered to be a trojan horse.
But my understanding is that Lsass.exe (usually lowercase ell) is a Windows
service, namely the Local Security Authentication Server [sic], according to
some web pages.

We did a file search and confirmed that isass.exe (with eye) does not exist,
whereas Lsass.exe (with ell) does.

The system does have multiple user accounts; I assume that Lsass.exe is
invoked when we login. But I still do not understand what could cause an
incoming login request in that email.

FYI, the email is a legitimate response to email that we [*] sent. But of
course, that does not rule the possibility that the sender's system is
infected, and a trojan horse was attached to legitimate outgoing email.

Anyway, any thoughts would be appreciated. Namely:

1. Am I correct to be suspicious and to trash the email?

2. Or should I allow Lsass.exe to access the Internet?

3. And if #2, please let me know why; that is, what is going on?


[*] "We" is really my computer-illiterate mother. I am trying to
troubleshoot this from 400 miles away. It's a struggle . Her PC has Win
XP and OE 6. I believe Win XP is SP2, but it might be SP1.

 

[db]

you should heed your anti
virus program,

unless you find a legitimate
reason to run the suspicious
process.

you can easily google

ISASS.exe and LSASS.exe.

to find out which processes
are legitimate or phony.

also if I recall, the norton
website explains these
issues in detail.
--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- Microsoft Partner
- @hotmail.com
~~~~~~~~~~"share the nirvana" - dbZen

When we [*] open a particular email in Outlook Express, it apparently causes Lsass.exe (with ell, not eye) to run.

Any idea why?

It causes an alleged Norton Internet Security pop-up asking for confirmation to allow Lsass.exe to access the Internet.
(Actually, I think it is to allow an incoming login request.) I say "alleged" because the only choice is "allow always". It
seems unusual to have only the one choice, not also "disallow". That piques my suspicion.

When I look at the text of the message in plain ASCII (i.e. Message Source), it looks benign to me. It does have an HTML part;
but I do not find any explicit reference to any EXE file, much less Lsass.exe. (I did a Find in Notepad.) However, I do not know
HTML very well; I might have overlooked some other mechanism that would trigger a remote login attempt.

(What should I look for?)

(Also, I was unable to look at the original mail headers because they are stripped when OE forwards email .)

I know that isass.exe (usually cap eye) is considered to be a trojan horse. But my understanding is that Lsass.exe (usually
lowercase ell) is a Windows service, namely the Local Security Authentication Server [sic], according to some web pages.

We did a file search and confirmed that isass.exe (with eye) does not exist, whereas Lsass.exe (with ell) does.

The system does have multiple user accounts; I assume that Lsass.exe is invoked when we login. But I still do not understand what
could cause an incoming login request in that email.

FYI, the email is a legitimate response to email that we [*] sent. But of course, that does not rule the possibility that the
sender's system is infected, and a trojan horse was attached to legitimate outgoing email.

Anyway, any thoughts would be appreciated. Namely:

1. Am I correct to be suspicious and to trash the email?

2. Or should I allow Lsass.exe to access the Internet?

3. And if #2, please let me know why; that is, what is going on?


[*] "We" is really my computer-illiterate mother. I am trying to troubleshoot this from 400 miles away. It's a struggle . Her
PC has Win XP and OE 6. I believe Win XP is SP2, but it might be SP1.

 

[chisom]

gjikdfkir coijnkderwe

 

[PA Bear [MS MVP]]

OE Tools | Options | Security (tab):

Make certain that OE is running in the Restricted Sites zone.

If no joy, see if enabling or disabling (as the case may be) the "Block
images..." option resolves the behavior.

For even more security, enabled OE Tools | Options | Read | Read all
messages in plain text <=this option.

PS: If NAV is configured to scan incoming/outgoing mail, disable it. It
provides no additional protection, it could be causing the behavior, and
even Symantec says it's not necessary:

<QP>
Disabling Email Scanning does not leave you unprotected against viruses that
are distributed as email attachments. Norton AntiVirus Auto-Protect scans
incoming files as they are saved to your hard drive, including email and
email attachments. Email Scanning is just another layer on top of this. To
make sure that Auto-Protect is providing the maximum protection, keep
Auto-Protect enabled and run LiveUpdate regularly to ensure that you have
the most recent virus definitions.
</QP>
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2002111812533106

Why you don't need your anti-virus to scan your email
http://thundercloud.net/infoave/tutorials/email-scanning/index.htm
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002

When we [*] open a particular email in Outlook Express, it apparently
causes
Lsass.exe (with ell, not eye) to run.

Any idea why?

It causes an alleged Norton Internet Security pop-up asking for
confirmation
to allow Lsass.exe to access the Internet. (Actually, I think it is to
allow an incoming login request.) I say "alleged" because the only choice
is "allow always". It seems unusual to have only the one choice, not also
"disallow". That piques my suspicion.

When I look at the text of the message in plain ASCII (i.e. Message
Source),
it looks benign to me. It does have an HTML part; but I do not find any
explicit reference to any EXE file, much less Lsass.exe. (I did a Find in
Notepad.) However, I do not know HTML very well; I might have overlooked
some other mechanism that would trigger a remote login attempt.

(What should I look for?)

(Also, I was unable to look at the original mail headers because they are
stripped when OE forwards email .)

I know that isass.exe (usually cap eye) is considered to be a trojan
horse.
But my understanding is that Lsass.exe (usually lowercase ell) is a
Windows
service, namely the Local Security Authentication Server [sic], according
to
some web pages.

We did a file search and confirmed that isass.exe (with eye) does not
exist,
whereas Lsass.exe (with ell) does.

The system does have multiple user accounts; I assume that Lsass.exe is
invoked when we login. But I still do not understand what could cause an
incoming login request in that email.

FYI, the email is a legitimate response to email that we [*] sent. But of
course, that does not rule the possibility that the sender's system is
infected, and a trojan horse was attached to legitimate outgoing email.

Anyway, any thoughts would be appreciated. Namely:

1. Am I correct to be suspicious and to trash the email?

2. Or should I allow Lsass.exe to access the Internet?

3. And if #2, please let me know why; that is, what is going on?


[*] "We" is really my computer-illiterate mother. I am trying to
troubleshoot this from 400 miles away. It's a struggle . Her PC has
Win
XP and OE 6. I believe Win XP is SP2, but it might be SP1.

 

[nate hudgen]

When we [*] open a particular email in Outlook Express, it apparently
causes Lsass.exe (with ell, not eye) to run.

Any idea why?

It causes an alleged Norton Internet Security pop-up asking for
confirmation to allow Lsass.exe to access the Internet. (Actually, I
think it is to allow an incoming login request.) I say "alleged" because
the only choice is "allow always". It seems unusual to have only the one
choice, not also "disallow". That piques my suspicion.

When I look at the text of the message in plain ASCII (i.e. Message
Source), it looks benign to me. It does have an HTML part; but I do not
find any explicit reference to any EXE file, much less Lsass.exe. (I did
a Find in Notepad.) However, I do not know HTML very well; I might have
overlooked some other mechanism that would trigger a remote login attempt.

(What should I look for?)

(Also, I was unable to look at the original mail headers because they are
stripped when OE forwards email .)

I know that isass.exe (usually cap eye) is considered to be a trojan
horse. But my understanding is that Lsass.exe (usually lowercase ell) is a
Windows service, namely the Local Security Authentication Server [sic],
according to some web pages.

We did a file search and confirmed that isass.exe (with eye) does not
exist, whereas Lsass.exe (with ell) does.

The system does have multiple user accounts; I assume that Lsass.exe is
invoked when we login. But I still do not understand what could cause an
incoming login request in that email.

FYI, the email is a legitimate response to email that we [*] sent. But of
course, that does not rule the possibility that the sender's system is
infected, and a trojan horse was attached to legitimate outgoing email.

Anyway, any thoughts would be appreciated. Namely:

1. Am I correct to be suspicious and to trash the email?

2. Or should I allow Lsass.exe to access the Internet?

3. And if #2, please let me know why; that is, what is going on?


[*] "We" is really my computer-illiterate mother. I am trying to
troubleshoot this from 400 miles away. It's a struggle . Her PC has
Win XP and OE 6. I believe Win XP is SP2, but it might be SP1.

 

[o;;]

When we [*] open a particular email in Outlook Express, it apparently
causes Lsass.exe (with ell, not eye) to run.

Any idea why?

It causes an alleged Norton Internet Security pop-up asking for
confirmation to allow Lsass.exe to access the Internet. (Actually, I
think it is to allow an incoming login request.) I say "alleged" because
the only choice is "allow always". It seems unusual to have only the one
choice, not also "disallow". That piques my suspicion.

When I look at the text of the message in plain ASCII (i.e. Message
Source), it looks benign to me. It does have an HTML part; but I do not
find any explicit reference to any EXE file, much less Lsass.exe. (I did
a Find in Notepad.) However, I do not know HTML very well; I might have
overlooked some other mechanism that would trigger a remote login
attempt.

(What should I look for?)

(Also, I was unable to look at the original mail headers because they are
stripped when OE forwards email .)

I know that isass.exe (usually cap eye) is considered to be a trojan
horse. But my understanding is that Lsass.exe (usually lowercase ell) is
a Windows service, namely the Local Security Authentication Server [sic],
according to some web pages.

We did a file search and confirmed that isass.exe (with eye) does not
exist, whereas Lsass.exe (with ell) does.

The system does have multiple user accounts; I assume that Lsass.exe is
invoked when we login. But I still do not understand what could cause an
incoming login request in that email.

FYI, the email is a legitimate response to email that we [*] sent. But
of course, that does not rule the possibility that the sender's system is
infected, and a trojan horse was attached to legitimate outgoing email.

Anyway, any thoughts would be appreciated. Namely:

1. Am I correct to be suspicious and to trash the email?

2. Or should I allow Lsass.exe to access the Internet?

3. And if #2, please let me know why; that is, what is going on?


[*] "We" is really my computer-illiterate mother. I am trying to
troubleshoot this from 400 miles away. It's a struggle . Her PC has
Win XP and OE 6. I believe Win XP is SP2, but it might be SP1.

 

[o;;]

When we [*] open a particular email in Outlook Express, it apparently
causes Lsass.exe (with ell, not eye) to run.

Any idea why?

It causes an alleged Norton Internet Security pop-up asking for
confirmation to allow Lsass.exe to access the Internet. (Actually, I
think it is to allow an incoming login request.) I say "alleged" because
the only choice is "allow always". It seems unusual to have only the one
choice, not also "disallow". That piques my suspicion.

When I look at the text of the message in plain ASCII (i.e. Message
Source), it looks benign to me. It does have an HTML part; but I do not
find any explicit reference to any EXE file, much less Lsass.exe. (I did
a Find in Notepad.) However, I do not know HTML very well; I might have
overlooked some other mechanism that would trigger a remote login
attempt.

(What should I look for?)

(Also, I was unable to look at the original mail headers because they are
stripped when OE forwards email .)

I know that isass.exe (usually cap eye) is considered to be a trojan
horse. But my understanding is that Lsass.exe (usually lowercase ell) is
a Windows service, namely the Local Security Authentication Server [sic],
according to some web pages.

We did a file search and confirmed that isass.exe (with eye) does not
exist, whereas Lsass.exe (with ell) does.

The system does have multiple user accounts; I assume that Lsass.exe is
invoked when we login. But I still do not understand what could cause an
incoming login request in that email.

FYI, the email is a legitimate response to email that we [*] sent. But
of course, that does not rule the possibility that the sender's system is
infected, and a trojan horse was attached to legitimate outgoing email.

Anyway, any thoughts would be appreciated. Namely:

1. Am I correct to be suspicious and to trash the email?

2. Or should I allow Lsass.exe to access the Internet?

3. And if #2, please let me know why; that is, what is going on?


[*] "We" is really my computer-illiterate mother. I am trying to
troubleshoot this from 400 miles away. It's a struggle . Her PC has
Win XP and OE 6. I believe Win XP is SP2, but it might be SP1.