CSA event - lsass.exe running cmd.exe

efink
Level 1

Hello,

I have an alarm on one of the stations with CSA installed which says that lsass.exe tries to execute cmd.exe. The action is denied by default, but I ask if anybody knows any legitimate reason for such kind of action?

Thanks in advance.

3 Replies

pcomeaux
Cisco Employee

This is typically an indication that the machine is trying to be infected with Sasser or a variant that is similar to Sasser.

The Sasser worm spread by connecting to lsass.exe on TCP/445 and then tried to return a command shell (cmd.exe) to the remote machine so that FTP could be launched to download a file and then execute it.

Since CSA has a rule to protect the command shell from being surrendered to Vulnerable Apps, such as Network based applications, CSA is protecting that machine from a Worm.

peter
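The behaviour peter describes (lsass.exe spawning cmd.exe) is also easy to spot in process-creation telemetry. The script below is an added example, not part of the original thread or of CSA; it runs a detection over constructed sample events whose timestamps, hosts, PIDs and `key=value` field names are all assumptions for the example. It goes one step beyond the thread's rule by also flagging any other child of lsass.exe, since lsass.exe is not expected to spawn child processes at all.

```python
import ntpath

# Constructed process-creation events (not real telemetry). Field names are
# assumptions; map them to Sysmon Event ID 1 / Security 4688 in a real pipeline.
SAMPLE_LOG = """\
2004-05-02T10:14:01Z host=WS01 ppid=1184 pid=2120 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\cmd.exe
2004-05-02T10:14:07Z host=WS01 ppid=648 pid=2164 parent=C:\\Windows\\System32\\lsass.exe image=C:\\Windows\\System32\\cmd.exe
2004-05-02T10:14:09Z host=WS01 ppid=648 pid=2180 parent=C:\\Windows\\System32\\lsass.exe image=C:\\Windows\\System32\\ftp.exe
2004-05-02T10:15:30Z host=WS02 ppid=652 pid=900 parent=C:\\Windows\\System32\\services.exe image=C:\\Windows\\System32\\svchost.exe
"""

SHELLS = {"cmd.exe"}  # the child the CSA rule in the thread denies


def parse_event(line):
    """Parse one record: first token is the timestamp, the rest are key=value."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def basename(path):
    # Windows-style path handling regardless of the host running this script
    return ntpath.basename(path).lower()


def classify(event):
    """'shell' if lsass.exe spawned a command shell (the case in the thread),
    'child' for any other process spawned by lsass.exe, None otherwise."""
    if basename(event.get("parent", "")) != "lsass.exe":
        return None
    return "shell" if basename(event.get("image", "")) in SHELLS else "child"


def find_alerts(log_text):
    """Return (verdict, event) pairs for every suspicious record in the log."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            alerts.append((verdict, event))
    return alerts


if __name__ == "__main__":
    for verdict, ev in find_alerts(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['host']} [{verdict}] {ev['parent']} -> {ev['image']}")
```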

azharmd
Level 1

It's been tedious and canned for me to get rid of the policies of CSA. I would highly appreciate your suggestion if you let me know the procedure to protect my servers from worms & viruses, slammers, using the CSA policies. I do have an understanding that CSA will have default policies chipped and this is not enough to stop such type of attacks.

Waiting for your earliest response.

I am not sure I completely understand your situation. Could you please elaborate in further detail so we can try to assist?

thanks

peter