Re: CSA event - lsass.exe running cmd.exe

efink · ‎06-30-2004

Hello,

I have alarm on one of the stations with CSA installed which says that lsass.exe tries to execute cmd.exe. The action is denied by default, but I ask if anybody knows any legitimate reason for such kind of action ?

Thanks in advance.

pcomeaux · ‎07-02-2004

This is typically an indication that the machine is trying to being infected with Sasser or a variant that is similar to Sasser.

The Sasser worm spread through by connecting to Lssass.exe on TCP/445 and then tried to return a command shell (cmd.exe) to the remote machine so that FTP could be launched to download a file and then execute it.

Since CSA has a rule to protect the command shell from being surrendered to Vulnerable Apps, such as Network based applications, CSA is protecting that machine from a Worm.

peter

azharmd · ‎07-21-2004

Its been a Tedious and canned for me get rid of the policies of CSA i would highly appreciate your sugesstion ......if you let me know the procedure to protect my servers from Worms & viruses , slammers, using the CSA policies.. I do have an understanding that CSA will have default policies chipped and this is not enough to stop such type of attacks

Waiting your earliest respose

pcomeaux · ‎07-21-2004

I am not sure I completely understand your situation. Could you please elaborate in further detail so we can try to assist?

thanks

peter