A4E showing exploit prevention warning on lsass.exe

jasond · ‎02-12-2019

I keep getting this alert from AMP for Endpoints several times per day for the same endpoint. I can't really find the source of it. Device Trajectory is just showing me that a file associated with it is called c:\windows\system32\eac_usermode_192308288958008.dll. I can't tell if this is a false positive or something that I need to look further into.

Event Type: Exploit Prevention
Computer: XXXXX(obfuscated)
Hostname: XXXXX(obfuscated)
IP: 10.37.133.223
User: SYSTEM@NT AUTHORITY
File: lsass.exe
File path: C:\WINDOWS\system32\lsass.exe
Detection SHA-256: f56dddf7a8f1aa0f3d9ffe0cd618544cfaf233a33314240eccbe5f897a91b534
By Application: <Non-existent Process>
Timestamp: 2019-02-12 19:15:48 +0000 UTC

Matthew Franks · ‎02-12-2019

I'm not familiar with that DLL, but any chance you're using Exchange Admin Center?

https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019

Exprev may be interfering with that authentication by protecting lsass.

Thanks,

Matt

A4E showing exploit prevention warning on lsass.exe

Exploit prevention events from McAfee, WebAdvisor, BrowserHost.exe

[AMP] Exploit Prevention Diagnostic Toolの使用方法

[AMP] Exploit Prevention DLL Debug Toolの使用方法

Troubleshoot Exploit Prevention in Secure Endpoint

[AMP][事象]Windows Connector 7.3.1 - 7.3.3でExploit Preventionの過検知が増加する