danno778

lsass.exe excessive cpu usage...

I have a Windows 2003 Standard Edition server that for the last few weeks has seen an increase in the amount of CPU usage by lsass.exe. I've run several virus checks on the machine and verified that it's the correct lsass.exe. I've even added an additional processor to the system, but the usage still averages 50 percent. It occasionally spikes up to 60 percent, at which point a reboot brings it back down to 40 or 50 percent.

The system is running a mail proxy (Symantec Mail Security) and an internet proxy (Symantec SWS), and is not a domain controller.

Any advice would be greatly appreciated.
TechInsider

As I understand lsass.exe in the context of this question, lsass.exe is very likely consuming CPU cycles in response to LAN requests (WAN too?).

If no recent modifications have taken place to the server, it is more than likely that one of your workstations is pounding the server with either bad data/packets (i.e. bad nic card or cable) or zombie/virus/malware traffic.

If the size of your organization permits you to take the bull by the horns, I'd say station one guy in front of the server watching Task Manager (lsass.exe specifically), while another guy walks around and shuts down every single workstation. The 'bad' workstation should easily be exposed.

If your organization is too large for this to be practical, you'll need to use your available network tools to find out where all this traffic is coming from. You should be able to nail down a machine name (or at least a MAC or an IP) in short order.

Hope that helps!

danno778

ASKER

Thanks for the post Tech. Using your input, I believe I've found the source of the elevated usage, but I need a second opinion as to whether the cause is legitimate. Using Process Explorer from MS (Sysinternals), I've found that lsass.exe is listening on the following ports.

TCP 1035
UDP 1028
UDP 4500
UDP "isakmp" - huh?

The TCP port is actually connected to the same machine on port 0. I'm assuming that this is traffic caused by our mail gateway, which has been getting slammed by spoofed NDRs as of late. We're not an open relay, and virus scans come up clean, so I don't think the machine's been compromised in any way.

The increase in LSASS.exe usage seems to have coincided with the increase in spam hitting our gateway. I didn't put 2 and 2 together at first, but I still need opinions as to whether this looks legit. Comments welcome...
Hrmm... ISAKMP is the Security Associations control, for lack of a better word (on UDP port 500). Details at http://www.networksorcery.com/enp/protocol/isakmp.htm

I'm being called away by a client. I'll follow up further when I return, if we're still digging :)

-TI
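A way to check the asker's port list against what lsass.exe is known to own: on Windows XP/2003 the IKE keying code runs inside lsass.exe, so UDP 500 (isakmp) and UDP 4500 (IPsec NAT-T) are expected, while ports in the 1025-5000 range are the dynamic RPC range and anything else deserves a closer look. This is an added example, not code from the thread; the `netstat -ano` output and the lsass.exe PID (632) are constructed, and the PID would normally come from `tasklist` or Process Explorer.

```python
"""Triage which listening ports belong to lsass.exe and whether they are expected."""
import re

# Ports lsass.exe legitimately owns on XP/2003 because IKE runs inside it.
EXPECTED_LSASS_PORTS = {
    ("UDP", 500): "isakmp (IKE key exchange)",
    ("UDP", 4500): "ipsec-nat-t (IKE over NAT traversal)",
}
# Windows 2003 allocates dynamic RPC ports from this range by default.
DYNAMIC_RANGE = range(1025, 5001)

# Proto, local addr:port, foreign addr:port, optional state (TCP only), PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$"
)

# Constructed sample in `netstat -ano` layout; lsass.exe is assumed to be PID 632.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1035           0.0.0.0:0              LISTENING       632
  TCP    10.0.0.5:1035          10.0.0.5:0             ESTABLISHED     632
  UDP    0.0.0.0:500            *:*                                    632
  UDP    0.0.0.0:1028           *:*                                    632
  UDP    0.0.0.0:4500           *:*                                    632
  UDP    0.0.0.0:6000           *:*                                    632
"""

def parse_netstat(text):
    """Return (proto, local_port, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _la, lport, _fa, _fp, state, pid = m.groups()
            rows.append((proto, int(lport), state or "", int(pid)))
    return rows

def classify_ports(rows, lsass_pid):
    """Label each lsass.exe listener as expected, dynamic-range, or unexplained."""
    result = {}
    for proto, port, state, pid in rows:
        if pid != lsass_pid or (proto == "TCP" and state != "LISTENING"):
            continue  # other processes and outbound TCP connections are ignored
        key = (proto, port)
        if key in EXPECTED_LSASS_PORTS:
            result[key] = "expected: " + EXPECTED_LSASS_PORTS[key]
        elif port in DYNAMIC_RANGE:
            result[key] = "dynamic RPC range: confirm via the endpoint mapper"
        else:
            result[key] = "unexplained: investigate"
    return result
```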
ASKER CERTIFIED SOLUTION
TechInsider
Unfortunately the version of the Symantec product we use doesn't filter NDRs based on verification through LDAP or AD. The newest version does, but a tech from Symantec shied me away from deploying it without significant testing, and I don't have the facilities or equipment for extensive testing. I'm now looking at their premium antispam product, and MessageLabs, as possible solutions for blocking the email before it hits our gateway, or even our network.

To the point, the most likely cause I can find for the CPU usage was a program I installed on the system as a replacement for the Symantec product. Open Relay Filter was running on the system as a service, but was disabled, according to the program. Once I stopped and disabled the service and rebooted, the usage went away.

Thanks for all your input.