rdilena

Why is LSA Shell (export Version) going out to the internet to unrecognized ip addresses?

As I understand it… LSA Shell is a legitimate Windows process so long as it is a valid name in a valid directory having to do with the Local Security Authority.

C:\.WINDOWS\system32\lsass.exe is the executable and directory location and it is the only instance that is running on my computer. I am not experiencing any problems. I have checked for similar .exe files like isass.exe that might be hiding in another directory but have been unable to find any. I have Spybot S&D and Adaware SE and also have Symantec Corporate Edition running. I update SAV and virus scan every night and run the other programs about once a week and consistently come up clean. I also run Zone Alarm.

That being said why would LSA be looking to access the internet at an IP address that is not on my local network?  What business would it have looking to go out to the net?

I am running XP Pro on MS SBS 2003 at my home office and authenticate to my domain.
Tim Holman

The LSA handles aspects of security administration on the local computer, including access and permissions.  If a remote user is trying to access local resources, then the LSA will get involved.  This is perfectly normal, although you might want to look at why this IP address is trying to authenticate with your machine.  Is it an Internet facing machine?
rdilena

ASKER

I am on an internal network SBS 2003 server that is physically separated from the internet with a second NIC card behind a Linksys router.
ASKER CERTIFIED SOLUTION
Tim Holman
This solution is only available to members.
rdilena

ASKER

Thanks – I will double check for the most current patches and look at my port configuration but I believe I’m up to date.  What you have said regarding automated attempts makes sense.  I’ve checked the log on Zone Alarm which gives the IP source/destination against an ARIN database and the previous attempts over the last month have come from various companies, mostly smaller ISP types and mostly in the US.
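
The checks discussed in this thread (a single lsass.exe in the expected directory, no lookalike such as isass.exe, and which peers are not on the local network), as an added example that is not part of the original posts. The expected path, the 192.168.16.0/24 LAN range and the sample process and connection lists are constructed assumptions standing in for a process listing and `netstat -ano` output.

```python
import ipaddress
from pathlib import PureWindowsPath

# Assumptions for this example: expected image path and the LAN range.
EXPECTED = PureWindowsPath(r"C:\WINDOWS\system32\lsass.exe")
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.16.0/24", "127.0.0.0/8")]

# Constructed sample data: (pid, image path) from a process listing, and
# (pid, remote address) as from netstat -ano.
PROCESSES = [(680, r"C:\WINDOWS\system32\lsass.exe"),
             (1432, r"C:\WINDOWS\Temp\isass.exe"),
             (2210, r"C:\WINDOWS\system32\svchost.exe")]
CONNECTIONS = [(680, "192.168.16.2"), (680, "203.0.113.45"), (1432, "198.51.100.7")]

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def off_lan(addr):
    """True when addr is outside every network listed in LOCAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)

def review(processes, connections):
    """Return (suspect images, off-LAN peers) for lsass.exe and lookalikes."""
    suspects, watched = [], set()
    for pid, path in processes:
        image = PureWindowsPath(path)
        d = edit_distance(image.name.lower(), EXPECTED.name)
        if d > 1:
            continue                  # unrelated image name
        watched.add(pid)
        if image != EXPECTED:         # lookalike name, or right name in wrong folder
            suspects.append((pid, path))
    peers = sorted({(pid, ip) for pid, ip in connections
                    if pid in watched and off_lan(ip)})
    return suspects, peers

if __name__ == "__main__":
    suspects, peers = review(PROCESSES, CONNECTIONS)
    print("suspect images:", suspects)
    print("off-LAN peers :", peers)
```

An off-LAN peer listed against the genuine lsass.exe is a cue to check the firewall log for that address, as the asker does with Zone Alarm, rather than a finding on its own.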