Maybe (not) a problem with the lsass.exe process

petok

Level 1
Thread author
Sep 19, 2011
35
Hello

I think it is a problem, but I need suggestions about this lsass.exe (it is the original file from Microsoft and in place).

To explain: I have installed SoftMaker Office 2018 Standard version, but whenever I open TextMaker 2018 or other programs from the office suite, a popup message in Malwarebytes Windows Firewall Control (I used this just to create rules and then uninstalled it) shows an lsass.exe connection on port 80 being blocked. But why does lsass.exe make a connection? My OS is Windows 10 v1909 and it is clean; before someone asks about a virus or similar, I use MBAM on demand and EAM Home in real time.

I need help with how to find out what the correlation is.
 

petok

Level 1
Thread author
Sep 19, 2011
35
I use Process Hacker and here is the info:
lsass.exe
Services:
KeyIso (CNG Key Isolation)
SamSs (Security Accounts Manager)

Outgoing connection requests go to 5 IP addresses: 2 IPs are from my ISP (but I'm confused why it is requesting them), another 2 are from akamaitechnologies and 1 is from digsigtrust.com

I would guess the best option for you is to simply start and create a contact with Softmaker Office support. They will hopefully be best suited to help.
I have also sent a message to support. We will see what support replies.
 
Feb 8, 2020
46
Hello

I think it is a problem, but I need suggestions about this lsass.exe (it is the original file from Microsoft and in place).

To explain: I have installed SoftMaker Office 2018 Standard version, but whenever I open TextMaker 2018 or other programs from the office suite, a popup message in Malwarebytes Windows Firewall Control (I used this just to create rules and then uninstalled it) shows an lsass.exe connection on port 80 being blocked. But why does lsass.exe make a connection? My OS is Windows 10 v1909 and it is clean; before someone asks about a virus or similar, I use MBAM on demand and EAM Home in real time.

I need help with how to find out what the correlation is.

It is performing an online digital certificate lookup, which connects to Akamai (CDN) and digsigtrust.

Why it connects to the ISP IP addresses is not so clear.
 

petok

Level 1
Thread author
Sep 19, 2011
35
I detected that what makes the check call is the service VaultSvc (Credential Manager), which is lsass.exe.

But for security purposes, for now I will block this lsass.exe with a rule or maybe disable the service :)
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
I get clear information from softmaker support this connection is not from softmaker have other digital certificate.
Didn't catch you, which certificate(s) are you comparing?
I use Process Hacker and here is the info:
lsass.exe
Services:
KeyIso (CNG Key Isolation)
SamSs (Security Accounts Manager)

Outgoing connection requests go to 5 IP addresses: 2 IPs are from my ISP (but I'm confused why it is requesting them), another 2 are from akamaitechnologies and 1 is from digsigtrust.com

I have also sent a message to support. We will see what support replies.
Ignore the services shown for now, they are standard.
As @manchesterunited hinted, the connections may be related to getting your sign-in workflow processed. Digsigtrust for certificate related queries.
When it comes to the ISP, it is common for machines to use, by default, the DNS server provided by your ISP. This might be it. Did lsass.exe really make the connection to your ISP? From what I know, DNS resolution is commonly done by svchost.
Assuming that
  • the lsass.exe is from the original location (C:/Windows/System32) and
  • there may have been no apparent process injection into lsass (lsass does often get triggered when launching such apps with accounts) and
  • that the IP addresses (domain name: akamaitechnologies & hostname: digsigtrust that belongs to identrust.com) do not seem to be shady in this case
you should be good.
Blocking lsass.exe in this case may perhaps have an effect on your Office account re-signing-in. However, if it's working well right now, you're good. Let us know.
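The checks listed in the reply above (image location, hosted services, remote endpoints) can be scripted. This is an added PowerShell example, not something posted by anyone in the thread; it assumes an elevated prompt on Windows 10 and uses only built-in cmdlets.

```powershell
# Added example: run from an elevated PowerShell prompt.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Normally exactly one lsass.exe exists; more than one deserves a closer look.
$procs = @(Get-CimInstance Win32_Process -Filter "Name='lsass.exe'")
foreach ($p in $procs) {
    $path = $p.ExecutablePath   # may be empty if the shell is not elevated
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        PID          = $p.ProcessId
        Path         = $path
        PathExpected = if ($path) { $path -ieq $expected } else { $null }
        Signature    = if ($sig) { $sig.Status } else { 'unknown (path not readable)' }
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    } | Format-List

    # Services hosted inside this lsass.exe instance (e.g. KeyIso, SamSs, VaultSvc)
    Get-CimInstance Win32_Service -Filter "ProcessId=$($p.ProcessId)" |
        Select-Object Name, DisplayName, State | Format-Table -AutoSize

    # Remote TCP endpoints currently owned by the process, with reverse DNS
    Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
        ForEach-Object {
            $ptr = Resolve-DnsName -Name $_.RemoteAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
            [pscustomobject]@{
                Remote     = $_.RemoteAddress
                Port       = $_.RemotePort
                State      = $_.State
                ReverseDNS = if ($ptr) { $ptr.NameHost } else { '(no PTR record)' }
            }
        } | Format-Table -AutoSize
}
```

Certificate lookups on port 80 are short-lived, so run it while the office program is starting, otherwise the connection list may already be empty.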
 

petok

Level 1
Thread author
Sep 19, 2011
35
Now it is OK with the block rule, but I will test another way without svchost.exe (DNS service turned off) by creating two allow rules: one rule for DNS on UDP port 53 and one rule for TCP ports 80 and 443. I think this is the best scheme for creating rules in Windows Firewall.
 