Why was LSA Shell (Export Version) added to my ZA Program Control...?

Discussion in 'other firewalls' started by bloomcounty, Mar 4, 2010.

Thread Status:
Not open for further replies.
  1. bloomcounty

    bloomcounty Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    64
    I run ZA Free Firewall 6.1.744.001, AVG Free 8.5, with XP SP2.

    Yesterday I noticed that LSA Shell (Export Version) was automatically added to my Program Control in Zone Alarm with GREEN CHECK MARKS for Access Trusted/Internet and ?'s for Server Trusted/Internet. (I just happened to notice since I regularly check the ZA Program Control.)

    Product name Microsoft® Windows® Operating System
    File name C:\WINDOWS\system32\lsass.exe
    Last policy update 7/23/2008 10:56:12
    Version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Last modified date 2/28/2006 4:00:00
    File size 13 KB


    It just showed up there, but I didn't get any kind of notice -- but that's because it actually didn't try to connect to the internet or anything, as far as I can tell. (I looked through the Program Alert Logs in ZA and there is no entry for it.)

    This happened a looooooong time ago once before (like a couple years ago), and I remember determining that nothing nefarious was going on. But I just wanted to verify this and to ask why this would randomly just happen like that.

    It shows lsass.exe as in the system32 folder (which is where it's supposed to be -- if it's not, then it's a virus). And this link says that it shouldn't be running at start-up. I did an "msconfig" check and it's not listed as running at start-up. (However, it does show up listed in "Processes" in Task Manager, so something starts it up somewhere at some point, right?)

    I went ahead and immediately removed it from the Program Control in ZA. And below is a screen capture of what I've got listed in the Program Control right now. (FYI, I have ?'s instead of Green Check Marks for some things because I like to know when it's accessing instead of letting it do it automatically.)

    ZAProgramControl.jpg

    (Side Note: I don't know what Application Layer Gateway Service is, but ZA automatically added it at some point in the past, but it's never asked for access to anything.)

    Any thoughts? (I will do an AVG scan right now and a search for lsass.exe to make sure it's just in System32 just to be safe...)

    Thanks!
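
The location check described in the post above (lsass.exe belongs in system32), as an added example that is not part of the original post. It goes one step further and also flags image names that merely resemble lsass.exe; the function names, the confusable-character table and the sample process list are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis host

EXPECTED_NAME = "lsass.exe"
# Characters often swapped to make a name look like another (assumed, not exhaustive).
# Keys are lower case because names are lower-cased before comparison.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip one character in the longer string (one in each if lengths are equal)
    return a[i + (len(a) == len(b)):] == b[i + 1:]


def audit_lsass(processes, system_root=r"C:\WINDOWS"):
    """processes: iterable of (pid, image_path). Returns [(pid, path, reason), ...]."""
    expected_dir = ntpath.normcase(ntpath.join(system_root, "system32"))
    findings = []
    for pid, image_path in processes:
        directory, name = ntpath.split(ntpath.normcase(ntpath.normpath(image_path)))
        if name == EXPECTED_NAME:
            if directory != expected_dir:
                findings.append((pid, image_path, "lsass.exe outside system32"))
        elif name.translate(CONFUSABLES) == EXPECTED_NAME or within_one_edit(name, EXPECTED_NAME):
            findings.append((pid, image_path, "name imitates lsass.exe"))
    return findings


# Constructed sample process list (not taken from the thread)
SAMPLE = [
    (688, r"C:\WINDOWS\system32\lsass.exe"),
    (1432, r"C:\WINDOWS\lsass.exe"),
    (2210, r"C:\WINDOWS\system32\Isass.exe"),
    (2544, r"C:\Documents and Settings\user\Local Settings\Temp\lsasss.exe"),
    (1180, r"C:\WINDOWS\system32\alg.exe"),
]

if __name__ == "__main__":
    for finding in audit_lsass(SAMPLE):
        print(finding)
```

A clean result only says the name and folder are as expected; it does not show that the file in system32 is the genuine one.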
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Hi,

    If it's a genuine Windows system file (and it probably is) I wouldn't worry about it, you might want to block it from internet access, and see what happens. AFAIK, lsass.exe (LSA Shell) is a process/service that is used by the Windows OS and should be always running. About the Application Layer Gateway-service, I have disabled this on my system, it's a service related to the Windows Firewall or something.
     
  3. MaxEntropy

    MaxEntropy Registered Member

    Joined:
    May 21, 2009
    Posts:
    101
    Location:
    UK
    lsass.exe provides protected storage for private keys etc. I don't think that it requires internet access. Your version is quite old. Have you installed SP3 and the latest security patches? You need to upgrade to SP3 before July - see http://support.microsoft.com/windowsxpsp2 .

    If you're worried about this particular file, you can scan it on VirusTotal to make sure that it's OK. You can also scan your whole PC with Hitman Pro to make sure that everything else is OK. PSI from Secunia will check your system for vulnerabilities.

    alg.exe is used by Windows firewall. If you don't need it and don't want it to start automatically, then you can switch it to start manually in service manager (under Administrative Tools in the Start Programs menu). If no program starts the service, then you'll know that you can disable it if you want to (assuming that you don't want to use Windows firewall if you ever uninstall ZoneAlarm).
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
  5. bloomcounty

    bloomcounty Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    64
    Thanks for the replies! I guess ol' LSA Shell Export pops up about once every year and a half in my ZA! Weird!

    I knew I had asked about it before, but since repeated action (albeit over three years) raises questions in my computer layman's mind, I wanted to just verify that it wasn't anything nefarious and was just the same semi-unexplainable, but safe, situation again (and that nothing might have changed to make it something to be concerned about in this new instance).

    But it sounds like I'm still a-okay from all your posts.

    Thanks again! :thumb:
     