Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2588
Views
0
Helpful
1
Replies

A4E showing exploit prevention warning on lsass.exe

jasond
Level 1
Level 1

‎02-12-2019 12:37 PM - edited ‎02-20-2020 09:07 PM

I keep getting this alert from AMP for Endpoints several times per day for the same endpoint.  I can't really find the source of it.  Device Trajectory is just showing me that a file associated with it is called c:\windows\system32\eac_usermode_192308288958008.dll.  I can't tell if this is a false positive or something that I need to look further into.

 

  • Event Type: Exploit Prevention
  • Computer: XXXXX(obfuscated)
  • Hostname: XXXXX(obfuscated)
  • IP: 10.37.133.223
  • User: SYSTEM@NT AUTHORITY
  • File: lsass.exe
  • File path: C:\WINDOWS\system32\lsass.exe
  • Detection SHA-256: f56dddf7a8f1aa0f3d9ffe0cd618544cfaf233a33314240eccbe5f897a91b534
  • By Application: <Non-existent Process>
  • Timestamp: 2019-02-12 19:15:48 +0000 UTC
3 people had this problem
Labels:
0 Helpful
1 Reply 1

Matthew Franks
Cisco Employee
Cisco Employee

‎02-12-2019 12:45 PM

I'm not familiar with that DLL, but any chance you're using Exchange Admin Center?

https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019

 

Exprev may be interfering with that authentication by protecting lsass.  

 

Thanks,

Matt

0 Helpful
Customers Also Viewed These Support Documents