A4E showing exploit prevention warning on lsass.exe
02-12-2019 12:37 PM - edited 02-20-2020 09:07 PM
I keep getting this alert from AMP for Endpoints several times per day for the same endpoint. I can't really find the source of it. Device Trajectory is just showing me that a file associated with it is called c:\
- Event Type: Exploit Prevention
- Computer: XXXXX(obfuscated)
- Hostname: XXXXX(obfuscated)
- IP: 10.37.133.223
- User: SYSTEM@NT AUTHORITY
- File: lsass.exe
- File path: C:\WINDOWS\system32\lsass.exe
- Detection SHA-256: f56dddf7a8f1aa0f3d9ffe0cd618544cfaf233a33314240eccbe5f897a91b534
- By Application: <Non-existent Process>
- Timestamp: 2019-02-12 19:15:48 +0000 UTC

02-12-2019 12:45 PM
I'm not familiar with that DLL, but any chance you're using Exchange Admin Center?
Exprev may be interfering with that authentication by protecting lsass.
Thanks,
Matt
