lsass.exe concerns. Anyone advice please?

When I look in COMODO Firewall / Active Connections, I see the following running:

C:/Windows/System32/lsass.exe TCP Listening: 49156

Is this a trojan or rootkit or virus?

Thanks

 

In that location it should be Windows Local security authentication server

One way to tell is to open a command window....Start > Run > and type tasklist /svc and you should see similar results. What does the LASSS.exe entry say ?

 

When I typed: tasklist /svc

Image Name PID Services
========================= ======== ========================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 420 N/A
csrss.exe 472 N/A
csrss.exe 524 N/A
wininit.exe 532 N/A
services.exe 568 N/A
lsass.exe 580 KeyIso, SamSs
lsm.exe 588 N/A
winlogon.exe 716 N/A
svchost.exe 772 DcomLaunch, PlugPlay
svchost.exe 828 RpcSs
svchost.exe 960 Audiosrv, Dhcp, Eventlog, lmhosts, wscsv
svchost.exe 996 AudioEndpointBuilder, hidserv, Netman,
PcaSvc, TabletInputService, TrkWks, UxSm
WdiSystemHost, Wlansvc, WPDBusEnum, wudf
svchost.exe 1024 AeLookupSvc, BITS, Browser, CertPropSvc,
EapHost, gpsvc, IKEEXT, iphlpsvc,
LanmanServer, MMCSS, ProfSvc, RasMan,
Schedule, seclogon, SENS, SessionEnv,
ShellHWDetection, Winmgmt, wuauserv
audiodg.exe 1140 N/A
SLsvc.exe 1168 slsvc
svchost.exe 1200 EventSystem, fdPHost, FDResPub,
LanmanWorkstation, netprofm, nsi, SSDPSR
upnphost, W32Time, wcncsvc, WebClient
svchost.exe 1308 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiS
TermService
ASLDRSrv.exe 1444 ASLDRService
HControl.exe 1484 N/A
ATKOSD2.exe 1492 N/A
wcourier.exe 1500 N/A
ACMON.exe 1508 N/A
BatteryLife.exe 1516 N/A
ACEngSvr.exe 1548 N/A
svchost.exe 1588 BFE, DPS, MpsSvc
ATKOSD.exe 1752 N/A
svchost.exe 1788 BthServ
cmdagent.exe 1816 cmdAgent
PnkBstrA.exe 124 PnkBstrA
PnkBstrB.exe 344 PnkBstrB
svchost.exe 584 PolicyAgent
spmgr.exe 1128 spmgr
svchost.exe 1196 stisvc
StkCSrv.exe 1348 StkSSrv
WUDFHost.exe 2160 N/A
taskeng.exe 2252 N/A
WmiPrvSE.exe 2400 N/A
taskeng.exe 3052 N/A
dwm.exe 3084 N/A
explorer.exe 3164 N/A
ehsched.exe 3260 ehSched
ehrecvr.exe 3340 ehRecvr
jusched.exe 3688 N/A
cfp.exe 3696 N/A
ehtray.exe 3704 N/A
ehmsas.exe 3784 N/A
wmpnscfg.exe 4064 N/A
usnsvc.exe 3668 usnjsvc
firefox.exe 1300 N/A
taskeng.exe 2784 N/A
TrustedInstaller.exe 2284 TrustedInstaller
WmiPrvSE.exe 2852 N/A
cmd.exe 2664 N/A
tasklist.exe 644 N/A


Does that look OK?

THanks

 

As far as the executable LSASS goes, that is fine.

LSASS.EXE and it's services are Netlogon,NtLmSsp,PolicyAgent and SamSs, which is the Security Accounts Manager service. The KeyIso entry next to the LSASS entry is Vista's CNG Key Isolation service. So your LSASS entry is fine and legit in regards to your initial question as it related to Comodo.

 

cool thanks.