Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Local Security Authority Process has changed...hack attempt?

Created: 18 Apr 2012 • Updated: 19 Apr 2012 | 3 comments
jc-pro's picture
This issue has been solved. See solution.

I'm running Windows Server 2008 SBS with Symantec Endpoint Protection v12.

I installed the latest bout of Windows updates and now I'm seeing a dialog box pop up saying:

=========================
Local Security Authority Process has changed since the last time you used it.
Name: Local Security Authority Process
Application: lsass.exe

Do you want to allow it to access the network?

Name:  Local Security Authority Process
Version:  6.0.6002.18541
File Path:  C:\Windows\System32\lsass.exe

Connection Origin:  remote initiated
Protocol:  UDP
Local Address:  192.168.0.2
Local Port:  88 (KERBEROS - Kerberos v5)
Remote Name:      
Remote Address:  192.168.0.196
Remote Port:  3550
=========================

The remote address listed above is a regular Windows PC on my LAN, I don't believe any PC's are infected at this time. At least SEP isn't reporting anything as such.
The only updates I've installed are as follows:

Is this something that is okay to just proceed with?  I'm not clicking 'Yes' until I know more.

Thanks

-j-

Comments 3 CommentsJump to latest comment

BNH's picture

This lsass version belong to MS12-006 vuln that is in KB http://support.microsoft.com/kb/2585542 .

In the screenshot above, I saw KB2585542 applied.

So looks like your patching just updated lsass.exe :)

-- Got new virus ? Try update your defs here : ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rap... --

SOLUTION