lsass.exe and dfssvc.exe do not use port 25! Maybe you have an infection on your servers. Can you run a complete on-demand scan?
Thanks. Have been in contact with the admins of these servers. On Sunday, they were reporting that one was running slow, which was then rebooted. Have recommended that they scan the servers with VirusScan & MalwareBytes. Also have started seeing some workstations having lsass.exe blocked from emailing. These workstations are connected to one of the servers, which acts as the domain controller. My gut is telling me that we might be seeing a network-aware trojan that perhaps is spreading to connected workstations?
We have just come back from 2 days off work due to bad snowfall so am trying to catch up with work. Hopefully, the network guys will be in soon so we can see what these systems are doing on the network.
Need to try to get the time frame of when this happened. The boss of that dept said that they had first noticed systems, connected to the domain controller, start to lock up or act slow. The only thing that I have done with McAfee was to push out Patch 4 for VSE 8.7i; this happened last Thursday.
I am keeping my fingers crossed that it is not Patch 4 that is causing lsass.exe or dfssvc.exe to be blocked. McAfee Tier 2 did give me a hotfix to address issues with 16-character user-defined rules in the email rule.
I would say that lsass.exe should not attempt to send any mails out, and also it is my belief that some "malware" has hidden itself under this process by adding a reg key to the list that lsass.exe loads underneath itself*.
This could have been avoided if the VirusScan Access Protection rule "Prevent programs registering to autorun" had been enabled for blocking. I would say this is one of the most important Access Protection rules in the set, and I advise you to set it to block for workstations and servers alike in your AV policy.
*As for this particular thing, I would review the following regkey HKLM\Software\Microsoft\Windows\CurrentVersion\Windows NT\Winlogon and also underneath Notify; this is one location where files are run, for example under lsass.exe's context, that is defined herein. Check out what's in there and see if you notice any particularly suspicious things/files.
As for dfssvc.exe I don't have any info, but I suspect that could be something similar.
Message was edited by: Attila Polinger on 14/01/11 07:05:51 CET
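An added PowerShell example (not code from the thread or from McAfee) of the registry review suggested in the post above: it lists the Winlogon values that launch programs at logon and every DLL registered under Winlogon\Notify, then flags entries whose file is missing or carries no valid Authenticode signature. It assumes the standard key location HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and an elevated prompt on the server or workstation being checked.

```powershell
# Added example: review Winlogon autostart entries loaded in the logon/LSA context.
# Assumes the standard Winlogon key location; run from an elevated PowerShell prompt.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutostartFile {
    param([string]$Label, [string]$RawPath)
    # A value may hold environment variables, quotes, or a comma-separated list.
    foreach ($entry in ($RawPath -split ',')) {
        $p = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not $p) { continue }
        # Bare file names are resolved the way Winlogon does: System32, then %SystemRoot%.
        if (-not (Split-Path $p -Parent)) {
            $candidates = @((Join-Path $env:SystemRoot "System32\$p"), (Join-Path $env:SystemRoot $p))
            $found = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
            $p = if ($found) { $found } else { $candidates[0] }
        }
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Output ("SUSPICIOUS {0}: file missing -> {1}" -f $Label, $p)
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -eq 'Valid') {
            Write-Output ("{0}: {1} (signed by {2})" -f $Label, $p, $sig.SignerCertificate.Subject)
        } else {
            # Unsigned or tampered binaries in these locations deserve a closer look.
            Write-Output ("SUSPICIOUS {0}: {1} (signature {2})" -f $Label, $p, $sig.Status)
        }
    }
}

# Values in the Winlogon key itself that name programs to run at logon.
$props = Get-ItemProperty -Path $winlogon
foreach ($name in 'Userinit', 'Shell') {
    if ($props.$name) { Test-AutostartFile -Label "Winlogon\$name" -RawPath $props.$name }
}

# Each Notify subkey's DLLName is loaded by Winlogon; this is the location the post points at.
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        if ($dll) { Test-AutostartFile -Label ("Notify\" + $sub.PSChildName) -RawPath $dll }
        else { Write-Output ("Notify\{0}: no DLLName value" -f $sub.PSChildName) }
    }
} else {
    Write-Output 'No Winlogon\Notify key present (normal on Windows Vista / Server 2008 and later).'
}
```

Compare the Notify entries against a known-clean machine of the same build; the stock XP/2003 set consists of Microsoft-signed DLLs, so any unsigned or missing file is the entry to pull for analysis.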