petok

Level 1
Hello

I think there is a problem, but I need suggestions about this lsass.exe (it is the original file from Microsoft and it is in place).

Explain - I have installed Softmaker Office 2018 Standard version, but whenever I open TextMaker 2018 or other programs from the office suite, a popup message in Malwarebytes Windows Firewall Control (I used this just to create rules and then uninstalled it) shows an lsass.exe connection on port 80, which is blocked. But why does lsass.exe make a connection? My OS is Windows 10 v1909 and it is clean; before someone asks about a virus or similar, I use MBAM on demand and EAM Home in real time.

I need help to find out what the correlation is.
 

petok

Level 1
I use Process Hacker, and here is the info:
lsass.exe
Services:
KeyIso (CNG Key Isolation)
SamSs (Security Accounts Manager)

Outbound connection requests go to 5 IP addresses: 2 IPs are from my ISP provider (but I'm confused why it is requesting them), another 2 are from akamaitechnologies, and 1 is from digsigtrust.com

I would guess the best option for you is to simply start and create a contact with Softmaker Office support. They will hopefully be best suited to help.
I also sent a message to support. Will see what the reply from support is.
 
Hello

I think there is a problem, but I need suggestions about this lsass.exe (it is the original file from Microsoft and it is in place).

Explain - I have installed Softmaker Office 2018 Standard version, but whenever I open TextMaker 2018 or other programs from the office suite, a popup message in Malwarebytes Windows Firewall Control (I used this just to create rules and then uninstalled it) shows an lsass.exe connection on port 80, which is blocked. But why does lsass.exe make a connection? My OS is Windows 10 v1909 and it is clean; before someone asks about a virus or similar, I use MBAM on demand and EAM Home in real time.

I need help to find out what the correlation is.
it is performing an online digital certificate lookup, which connects to akamai (cdn) and digsigtrust

as for the connections to the isp ip addresses, it is not so clear why
 

petok

Level 1
it is performing an online digital certificate lookup, which connects to akamai (cdn) and digsigtrust

as for the connections to the isp ip addresses, it is not so clear why
I got clear information from Softmaker support: this connection is not from Softmaker; they have another digital certificate.
 
I got clear information from Softmaker support: this connection is not from Softmaker; they have another digital certificate.
it is not unusual to observe lsass.exe connecting out to destination port 80 for various digital certificate queries

it is not so easy to figure out why or what is triggering lsass to perform the query
 

petok

Level 1
I detected what makes the call for the check: it is the service VaultSvc (Credential Manager) in lsass.exe

But for security purposes, for now I will block this lsass.exe with a rule or maybe disable the service :)
 

Parsh

Level 24
Verified
Trusted
Malware Hunter
I got clear information from Softmaker support: this connection is not from Softmaker; they have another digital certificate.
Didn't catch you, which certificate(s) are you comparing?
I use Process Hacker, and here is the info:
lsass.exe
Services:
KeyIso (CNG Key Isolation)
SamSs (Security Accounts Manager)

Outbound connection requests go to 5 IP addresses: 2 IPs are from my ISP provider (but I'm confused why it is requesting them), another 2 are from akamaitechnologies, and 1 is from digsigtrust.com

I also sent a message to support. Will see what the reply from support is.
Ignore the services shown for now, they are standard.
As @manchesterunited hinted, the connections may be related to getting your sign-in workflow processed. Digsigtrust for certificate-related queries.
When it comes to ISP, it is common for machines to by default use the DNS server provided by your ISP. This might be it. Did lsass.exe really make the connection to your ISP? From what I know, DNS resolution is commonly done by svchost.
Assuming that
  • the lsass.exe is from the original location (C:/Windows/System32) and
  • there may have been no apparent process injection into lsass (lsass does often get triggered when launching such apps with accounts) and
  • that the IP addresses (domain name: akamaitechnologies & hostname: digsigtrust that belongs to identrust.com) do not seem to be shady in this case
you should be good.
Blocking lsass.exe in this case may perhaps have an effect on your Office account re-signing-in. However, if it's working well right now, you're good. Let us know.
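
The checks listed in the post above (image path, signature, remote endpoints) can be scripted. The following is an added example, not part of the thread or written by any of its participants; it assumes Windows 10 with an elevated PowerShell prompt, and it does not detect process injection.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# 1. Exactly one lsass.exe should exist, and it should run from System32.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")
if ($procs.Count -ne 1) {
    Write-Warning "Expected 1 lsass.exe process, found $($procs.Count)"
}
foreach ($p in $procs) {
    if (-not $p.ExecutablePath) {
        Write-Warning "PID $($p.ProcessId): image path not readable (not elevated?)"
    } elseif ($p.ExecutablePath -ine $expected) {
        Write-Warning "PID $($p.ProcessId): unexpected path $($p.ExecutablePath)"
    } else {
        "PID $($p.ProcessId): path OK ($expected)"
    }
}

# 2. The file on disk should carry a valid signature from Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $expected
[pscustomobject]@{
    File   = $expected
    Status = $sig.Status                      # 'Valid' is the expected value
    Signer = $sig.SignerCertificate.Subject
} | Format-List

# 3. Remote endpoints currently owned by lsass.exe, with reverse DNS if any.
$rows = foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
        ForEach-Object {
            $name = '(no PTR record)'
            try { $name = [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName }
            catch { }                          # keep the placeholder on lookup failure
            [pscustomobject]@{
                ProcessId  = $p.ProcessId
                Remote     = $_.RemoteAddress
                RemotePort = $_.RemotePort
                State      = $_.State
                HostName   = $name
            }
        }
}
$rows | Format-Table -AutoSize
```

Port 80 certificate lookups are short-lived, so step 3 may show nothing unless it is run while the office program is starting.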
 

petok

Level 1
Now it is OK with the block rule, but I will test another way without svchost.exe (DNS service turned off) by creating two allow rules: one rule for DNS on UDP port 53 and one rule for TCP ports 80 and 443. I think this is the best scheme for creating rules in Windows Firewall.