Why does email run Lsass.exe (ell, not cap eye)?

WhatsUp31415

When we [*] open a particular email in Outlook Express, it apparently causes
Lsass.exe (with ell, not eye) to run.

Any idea why?

It causes an alleged Norton Internet Security pop-up asking for confirmation
to allow Lsass.exe to access the Internet. (Actually, I think it is to
allow an incoming login request.) I say "alleged" because the only choice
is "allow always". It seems unusual to have only the one choice, not also
"disallow". That piques my suspicion.

When I look at the text of the message in plain ASCII (i.e. Message Source),
it looks benign to me. It does have an HTML part but I do not find any
explicit reference to any EXE file, much less Lsass.exe. (I did a Find in
Notepad.) However, I do not know HTML very well; I might have overlooked
some other mechanism that would trigger a remote login attempt.

(What should I look for?)

(Also, I was unable to look at the original mail headers because they are
stripped when OE forwards email.)

I know that isass.exe (usually cap eye) is considered to be a trojan horse.
But my understanding is that Lsass.exe (usually lowercase ell) is a Windows
service, namely the Local Security Authentication Server [sic], according to
some web pages.

We did a file search and confirmed that isass.exe (with eye) does not exist,
whereas Lsass.exe (with ell) does.

The system does have multiple user accounts; I assume that Lsass.exe is
invoked when we login. But I still do not understand what could cause an
incoming login request in that email.

FYI, the email is a legitimate response to email that we [*] sent. But of
course, that does not rule out the possibility that the sender's system is
infected, and a trojan horse was attached to legitimate outgoing email.

Anyway, any thoughts would be appreciated. Namely:

1. Am I correct to be suspicious and to trash the email?

2. Or should I allow Lsass.exe to access the Internet?

3. And if #2, please let me know why that is, what is going on?


[*] "We" is really my computer-illiterate mother. I am trying to
troubleshoot this from 400 miles away. It's a struggle. Her PC has Win
XP and OE 6. I believe Win XP is SP2, but it might be SP1.
 
db

you should heed your anti
virus program,

unless you find a legitimate
reason to run the suspicious
process.

you can easily google

ISASS.exe and LSASS.exe.

to find out which processes
are legitimate or phony.

also if I recall, the norton
website explains these
issues in detail.
--

db·´¯`·...¸>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- Microsoft Partner
- @hotmail.com
~~~~~~~~~~"share the nirvana" - dbZen


chisom

gjikdfkir coijnkderwe

PA Bear [MS MVP]

OE Tools | Options | Security (tab):

Make certain that OE is running in the Restricted Sites zone.

If no joy, see if enabling or disabling (as the case may be) the "Block
images..." option resolves the behavior.

For even more security, enable OE Tools | Options | Read | Read all
messages in plain text.
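
For the question "What should I look for?" in Message Source, and the "Block images..." advice above: an added example, not part of any post in this thread, that decodes the HTML part of a saved message and lists every reference the mail client would load, marking the ones fetched on open. The names `classify`, `RefCollector` and `external_refs`, the sample message and its `.example` hosts are constructed for illustration; the `windows-share` label covers `file:` URLs and UNC paths, which make Windows attempt a network logon to the named host.

```python
import email
from email import policy
from html.parser import HTMLParser

# Attributes through which HTML can name something for the client to load.
FETCH_ATTRS = {"src", "href", "background", "data", "codebase", "action"}
# Tags whose reference is loaded when the message is displayed, with no click.
AUTO_TAGS = {"img", "body", "table", "td", "iframe", "frame", "object",
             "embed", "script", "link", "bgsound"}

def classify(url):
    """Sort one reference into embedded / web / windows-share / other."""
    u = url.strip()
    scheme = u.partition(":")[0].lower() if ":" in u else ""
    if u.startswith("\\\\") or scheme == "file":
        return "windows-share"   # UNC path or file: URL naming another host
    if scheme in ("cid", "data"):
        return "embedded"        # content carried inside the message itself
    if scheme in ("http", "https", "ftp"):
        return "web"
    return "other"

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                kind = classify(value)
                auto = tag in AUTO_TAGS and kind in ("web", "windows-share")
                self.refs.append((tag, name, value, kind, auto))

def external_refs(raw_message):
    """Return (tag, attr, url, kind, loads_on_open) for every HTML part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    collector = RefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())  # decodes quoted-printable/base64
    return collector.refs

# Constructed sample message (not the email discussed in the thread).
SAMPLE = '''MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body background=3D"file://fileserver.example/share/bg.gif">
<img src=3D"cid:logo@example"> <img src=3D"http://images.example/pixel.gif">
<a href=3D"http://www.example/page">link</a></body></html>
'''

if __name__ == "__main__":
    print(*external_refs(SAMPLE), sep="\n")
```

Because the part is decoded before parsing, this also finds references that a plain Find in Notepad misses when the HTML is quoted-printable or base64 encoded.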
 