What is isass.exe or Lsass.exe?


Magsmom

I have seen conflicting info as to what this is and even as to whether it is
spelled "isass.exe" or "Lsass.exe". It is listed as a process in my task
manager. Do I need to get rid of it, and if so, what is the best way to get
rid of it?
 
Isass.exe (or isass.exe) is the Sasser Virus,... Lsass.exe (or lsass.exe)
(LSASS means Local Security Authority Subsystem Service) is a system process
original for Windows 2000/XP that manages local security and user
authentication procedures through the WinLogon service. It is a local
authentication server that, when a user successfully authenticates, creates
a symbol of access that allows users to connect. The original Lsass service
had a security breach used by the Sasser virus, which is repaired by
Security Update for Microsoft Windows (835732)


Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

All about the W32.Sasser.B.Worm
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050114-1001-99
 
Magsmom said:
I have seen conflicting info as to what this is and even as to whether it is
spelled "isass.exe" or "Lsass.exe". It is listed as a process in my task
manager. Do I need to get rid of it, and if so, what is the best way to get
rid of it?

If it is isass.exe or Isass.exe it is a virus but if it was Lsass.exe or
lowercase lsass.exe it is a windows process.

http://www.castlecops.com/postt13642.html

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

= Then try to Disable the Add-Ons on your Browser somehow installed on your
browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there Disable
the None/Not Verified Plug-ins/Add-ons (you need to re-enable them one-by-one
later and see which is the culprit or you can send them here in your next
post) and click [OK] to confirm your Changes.
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Click on Advanced Tab and scroll down under the browsing option and uncheck
this box:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) and click Apply
then OK to close your IE Properties.
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm
Run a scan from here on-line:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html
Run disk cleanup and also this tool:
http://www.ccleaner.com/download/builds/downloading-slim

If you don't know where to go to send your log I will be happy to help you
out if you sent me the log to my address below.

download Hijackthis and send me the log/Rename the log to:
Hmmmthis.exe don't install with default name (Hijackthis.exe)!
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
Send me copy to my address is : to_you_ross(at remove this and replace with
the obvious)yahoo.co.uk

( _ is underscore)
HTH
nass
 
From: "nass" <[email protected]>




| If it is isass.exe or Isass.exe it is a virus but if it was Lsass.exe or
| lowercase lsass.exe it is a windows process.


If the file is %windir%\system32\Lsass.exe then it is a legitimate file.

If Lsass.exe is found running in any OTHER location such as... %windir%\Lsass.exe
Then the propensity of it being malware is extremely high.
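
The two checks discussed in this thread (the look-alike name "isass.exe" and an lsass.exe image running outside %windir%\system32), as an added example that is not part of any poster's reply. It assumes %windir% is C:\WINDOWS; the names `classify`, `scan` and `SAMPLE` are hypothetical, and the process listing is constructed.

```python
import ntpath

# Assumption: default install, %windir% = C:\WINDOWS.
EXPECTED = {"lsass.exe": r"c:\windows\system32\lsass.exe"}

# Characters often swapped in to imitate another letter in a file name.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})


def skeleton(name):
    """Lower-case a name and fold look-alike characters together."""
    return name.lower().translate(CONFUSABLES)


def classify(image_path):
    """Return 'expected', 'wrong-location', 'lookalike-name' or 'unrelated'."""
    # normpath collapses '..' and '/' so a disguised path cannot pass.
    path = ntpath.normpath(image_path).lower()
    name = ntpath.basename(path)
    if name in EXPECTED:
        return "expected" if path == EXPECTED[name] else "wrong-location"
    if any(skeleton(name) == skeleton(real) for real in EXPECTED):
        return "lookalike-name"
    return "unrelated"


def scan(processes):
    """Keep only the running images that need a closer look."""
    findings = []
    for pid, path in processes:
        verdict = classify(path)
        if verdict in ("wrong-location", "lookalike-name"):
            findings.append((pid, verdict))
    return findings


SAMPLE = [  # constructed listing of running processes: (pid, image path)
    (612, r"C:\WINDOWS\system32\lsass.exe"),
    (1840, r"C:\WINDOWS\Lsass.exe"),
    (2216, r"C:\WINDOWS\system32\isass.exe"),
    (2304, r"C:\WINDOWS\system32\..\LSASS.EXE"),
    (988, r"C:\WINDOWS\system32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE):
        print(pid, verdict)
```

The input is the image path of each running process, not the result of a disk search, so copies of the file sitting in setup or service-pack folders are outside what this check classifies.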
 
Ok: A search of my system turned up these files:

LSASS.EXE in C:\I386
isass.exe in C:\WINDOWS\$NtServicePackUninstall$
isass.exe in C:\WINDOWS\SYSTEM32
isass.exe in C:\WINDOWS\ServicePackFiles\i386

If I understand you correctly, I do not have a problem and the Process
"lsass.exe" is ok. Is that correct?
 
From: "Magsmom" <[email protected]>

Ok:: A search of my system turned up these files:

| LSASS.EXE in C:\I386
| isass.exe in C:\WINDOWS\$NtServicePackUninstall$
| isass.exe in C:\WINDOWS\SYSTEM32
| isass.exe in C:\WINDOWS\ServicePackFiles\i386

| If I understand you correctly, I do not have a problem and the Process
| "lsass.exe" is ok. Is that correct?


The chances are likely - Yes.
 
Magsmom said:
I have seen conflicting info as to what this is and even as to whether it is
spelled "isass.exe" or "Lsass.exe". It is listed as a process in my task
manager. Do I need to get rid of it, and if so, what is the best way to get
rid of it?
 
The date and time was Thursday, April 16, 2009 5:27:01 PM, and on a
whim, The best way is to just reinstall XP pounded out on the keyboard:

Are you asking a question? From the looks of this post, it appears you
replied to the info above with no reply.

Lsass.exe is a Windows file.

Isass.exe is NOT.
http://www.file.net/process/isass.exe.html


Terry R.
 
Terry R. said:
The date and time was Thursday, April 16, 2009 5:27:01 PM, and on a whim,
The best way is to just reinstall XP pounded out on the keyboard:


Are you asking a question? From the looks of this post, it appears you
replied to the info above with no reply.

Lsass.exe is a Windows file.

Isass.exe is NOT.
http://www.file.net/process/isass.exe.html

Are you sure about that?

http://www.tech-faq.com/lsass.exe.shtml

Considering your link is just full of speculation by users...

The file also belongs to microsoft, if you look at the properties.
 
The date and time was Saturday, April 18, 2009 10:15:37 PM, and on a
whim, Onsokumaru pounded out on the keyboard:
Are you sure about that?

http://www.tech-faq.com/lsass.exe.shtml

Considering your link is just full of speculation by users...

The file also belongs to microsoft, if you look at the properties.

If you notice, I used capital letters to make sure there wasn't a
misinterpretation. But you did regardless.


Terry R.
 