A4E showing exploit prevention warning on lsass.exe

I keep getting this alert from AMP for Endpoints several times per day for the same endpoint. I can't really find the source of it. Device Trajectory is just showing me that a file associated with it is called c:\windows\system32\eac_usermode_192308288958008.dll. I can't tell if this is a false positive or something that I need to look further into.


  • Event Type: Exploit Prevention
  • Computer: XXXXX(obfuscated)
  • Hostname: XXXXX(obfuscated)
  • IP: 10.37.133.223
  • User: SYSTEM@NT AUTHORITY
  • File: lsass.exe
  • File path: C:\WINDOWS\system32\lsass.exe
  • Detection SHA-256: f56dddf7a8f1aa0f3d9ffe0cd618544cfaf233a33314240eccbe5f897a91b534
  • By Application: <Non-existent Process>
  • Timestamp: 2019-02-12 19:15:48 +0000 UTC
Cisco Employee

Re: A4E showing exploit prevention warning on lsass.exe

I'm not familiar with that DLL, but any chance you're using Exchange Admin Center?

https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019


Exprev may be interfering with that authentication by protecting lsass.


Thanks,

Matt