4 Replies Latest reply on Jan 14, 2011 12:06 AM by Attila Polinger

    McAfee Access Protection Mass Mailing rule is blocking lsass.exe and dfssvc.exe, is this legitimate or a virus?

    twenden

      Our McAfee EPO server is reporting over 1200 alerts regarding lsass.exe & dfssvc.exe being blocked by the Access Protection rule for mass mailing. This just started about 2 days ago. This is occurring on two Windows 2003 servers. Has anyone else seen this happen on servers, or is it a possible trojan? Back on Jan 2nd, McAfee did delete a backdoor trojan called Generic BackDoor!cul.


      Can't find any info about whether lsass.exe and dfssvc.exe should be sending out emails. I am worried that this could be some type of mass mailing worm.


      These servers are running McAfee VirusScan 8.7i with Patch 4.

        • 1. Re: McAfee Access Protection Mass Mailing rule is blocking lsass.exe and dfssvc.exe, is this legitimate or a virus?
          HermanSchenk

          lsass.exe and dfssvc.exe do not use port 25! Maybe you have an infection on your servers. Can you run a complete on-demand scan?

          • 2. Re: McAfee Access Protection Mass Mailing rule is blocking lsass.exe and dfssvc.exe, is this legitimate or a virus?
            twenden

            Thanks. Have been in contact with the admins of these servers. On Sunday, they were reporting that one was running slow, which was then rebooted. Have recommended that they scan the servers with VirusScan & MalwareBytes. Also have started seeing some workstations having lsass.exe blocked from emailing. These workstations are connected to one of the servers, which acts as the domain controller. My gut is telling me that we might be seeing a network-aware trojan that perhaps is spreading to connected workstations?


            We have just come back from 2 days off work due to bad snowfall, so am trying to catch up with work. Hopefully, the network guys will be in soon so we can see what these systems are doing on the network.

            • 3. Re: McAfee Access Protection Mass Mailing rule is blocking lsass.exe and dfssvc.exe, is this legitimate or a virus?
              twenden

              Need to try to get the time frame of when this happened. The boss of that dept said that they had first noticed systems connected to the domain controller start to lock up or act slow. The only thing that I have done with McAfee was to push out Patch 4 for VSE 8.7i; this happened last Thursday.


              I am keeping my fingers crossed that it is not Patch 4 that is causing lsass.exe or dfssvc.exe to be blocked. McAfee Tier 2 did give me a hotfix to address issues with 16-character user-defined rules in the email rule.


              Message was edited by: twenden on 1/13/11 3:52:02 AM CST
              • 4. Re: McAfee Access Protection Mass Mailing rule is blocking lsass.exe and dfssvc.exe, is this legitimate or a virus?
                Attila Polinger

                I would say that lsass.exe should not attempt to send any mails out, and also it is my belief that some "malware" has hidden itself under this process by adding a reg key to the list that lsass.exe loads underneath itself*.


                This could have been avoided if the VirusScan Access Protection rule "Prevent programs registering to autorun" had been enabled for blocking. I would say this is one of the most important Access Protection rules in the set, and I advise you to set it to block for workstations and servers alike in your AV policy.


                *As for this particular thing, I would review the following regkey HKLM\Software\Microsoft\Windows\CurrentVersion\Windows NT\Winlogon and also underneath Notify; this is one location where files are run, for example under lsass.exe's context, as defined therein. Check out what's in there and see if you notice any particularly suspicious things/files.


                As for dfssvc.exe I don't have any info, but I suspect that it could be something similar.


                A.


                Message was edited by: Attila Polinger on 14/01/11 07:05:51 CET


                Message was edited by: Attila Polinger on 14/01/11 07:06:35 CET
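The registry review suggested in the last reply, as an added PowerShell example that is not from the thread or from McAfee: it enumerates the Winlogon\Notify DLLs, the packages lsass.exe itself loads from the Lsa key, and the classic Run/RunOnce autorun entries the "Prevent programs registering to autorun" rule guards, then flags any file that is missing, lives outside System32, or carries no valid Authenticode signature. It assumes it is run from an elevated PowerShell prompt on the suspect host; the registry paths are the standard Windows locations and the flagging thresholds are my own.

```powershell
# Added example (not the thread's or McAfee's code). Run elevated on the suspect host.
# Reports code registered to load in winlogon/lsass context or to autorun, with flags.
$sys32 = [Environment]::SystemDirectory

function Test-Module([string]$source, [string]$raw) {
    # Reduce a value such as  "C:\x\y.exe" /arg  or  msv1_0  to the file it names
    $cmd = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    if ($cmd.StartsWith('"')) { $file = $cmd.Split('"')[1] }
    elseif ($cmd -match '^(?i)(.+?\.(exe|dll|com|cmd|bat))(\s|$)') { $file = $Matches[1] }
    else { $file = ($cmd -split '\s+')[0] }          # best effort for odd command lines
    if ($file -notmatch '[\\/]') {                   # bare name: the loader looks in System32
        if ($file -notmatch '\.\w+$') { $file += '.dll' }   # Lsa package names omit .dll
        $file = Join-Path $sys32 $file
    }
    $flags = @()
    if (-not (Test-Path -LiteralPath $file)) { $flags += 'MISSING' }
    else {
        if (-not $file.StartsWith($sys32, 'OrdinalIgnoreCase')) { $flags += 'OUTSIDE_SYSTEM32' }
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        if ($sig.Status -ne 'Valid') { $flags += "SIG:$($sig.Status)" }
    }
    [pscustomobject]@{ Source = $source; File = $file; Flags = ($flags -join ',') }
}

$results = @()
# 1. Winlogon notification DLLs (the location the reply above points at)
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        if ($dll) { $results += Test-Module "Notify\$($_.PSChildName)" $dll }
    }
}
# 2. Packages that lsass.exe loads into its own process
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($v in 'Authentication Packages', 'Security Packages', 'Notification Packages') {
    foreach ($pkg in @($lsa.$v)) { if ($pkg) { $results += Test-Module "Lsa\$v" $pkg } }
}
# 3. Autorun keys covered by the "Prevent programs registering to autorun" rule
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $results += Test-Module "Run\$($_.Name)" $_.Value }
    }
}
# Flagged entries sort to the top; an empty Flags column means nothing stood out
$results | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Compare the output against a known-clean host of the same build, since legitimate third-party agents (backup, AV, smart-card software) also register Notify DLLs and Lsa packages.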