I was wondering if anyone can help me with a problem I’m having. I’m using Norton 2009 Internet Security and I have my firewall set up to where I have to give permission to any program that attempts to access the internet before it can. Normally Norton has a set of allowed programs it automatically allows through; I have disabled that feature. My problem is that recently I granted permission to a program called “lsass.exe”, then I read on the net that this is a trojan. My problem is that this is not showing up in the list of programs that have access to the internet and I have no idea on how to disable this from accessing the internet now that I’ve given it permission. Does anyone know how to solve this problem I’m having, not only for this app but any in the future I may change my mind about and decide to deny them access to the internet? I’ve noticed that the list that shows programs' permissions does not contain everything. Thanks for any help you can provide.
Let's back up for a moment:
You should have (based on what you have said) the following set in the Smart Firewall settings -
Automatic File / Printer Sharing Control => OFF
Automatic Program Control => OFF
The rest need to be in the default states. Then if you go to Program Control under the Smart Firewall setting menu, you say there are programs that you gave permission to that are not listed? If you chose Auto in the pop up, then you may not see this in the list now as you have turned off auto program control.
To answer your question on the lsass.exe program; search for add a manual rule to block this program. You should then see the rule in the Program Control list. Let us know if you do not.
Yes, as you said, I have Auto Program Control set to off and printer, everything else is default settings. However, when going to Program Control, lsass.exe is not in the list whatsoever??? Aren't the settings you tell Norton to implement added to that list after you give the instructions??? I thought they were; how are we supposed to change those settings in the future if they're not added to the list??? Any advice???
I do realize what that thread mentioned but also have read this on the net:
lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system. We strongly recommend that you run a FREE registry scan to identify lsass.exe related errors.
Other instances of LSASS.EXE:
1) lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system. Click here to run a free registry scan now.
2) lsass.exe is registered as a downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer. This process is a security risk and should be removed from your system. Click here to run a free registry scan now.
My question was: since this process is also a known trojan and Norton does not detect it as such, how is one to know if what they have is the Microsoft process or the trojan?
Hi smiller6620,
In regard to what you have read about lsass.exe on the internet, some websites can be a bit "alarmist" trying to get users to try their "free" scanners.
Although this file name may be used as a disguise for malware, you can check the path as mentioned in the link provided by Yogesh. It is normally located in C:\Windows\System32. Once found there you can right click on lsass and check the Details tab. Under that tab you should see references to Microsoft listed as vendor or copyright.
Additionally, lsass can be found in the Norton Insight list. Insight uses a variety of methods including checking the signature to analyze and apply the "Trusted" rating to various common files.
The automated components in NIS 2009 are based upon sound technologies and provide a very high level of accuracy so that the user does not have to make decisions which may at times be unclear.
Out of the five possible choices, only Allow Always, Block Always and Manual Rule will add to the Rules list. The Allow Instance and Block Instance will not show at all; these are not added to the Rules list. Is it possible you clicked one of those two?
As Phil_D has pointed out, Norton will identify the Trojan file if it is present. Insight will keep you safe if you have Auto Protect enabled.
The other way to check on this file is to search Microsoft for the proper file Hash value, size and date of the file and to check for a signature on the file.
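The checks described in the replies above (file path, Microsoft as vendor, signature, and hash, size and date) can be collected in one pass. This is an added example, not part of the original thread; it assumes a Windows system with PowerShell 4 or later and an elevated prompt, and the property names in the output object are illustrative.

```powershell
# Added example: report path, vendor, signature and hash for every running lsass.exe.
# Run elevated; without elevation ExecutablePath is often empty for system processes.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")
if ($procs.Count -eq 0) { Write-Warning 'No lsass.exe process found.' }

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) {
        Write-Warning "PID $($p.ProcessId): path not readable, rerun elevated."
        continue
    }

    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256

    # System files are often catalog-signed; older PowerShell versions may
    # report them as NotSigned, so treat that result as inconclusive.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        PID             = $p.ProcessId
        Path            = $path
        PathOk          = ($path -ieq $expected)          # expected: System32
        Company         = $file.VersionInfo.CompanyName   # same data as the Details tab
        SignatureStatus = $sig.Status
        MicrosoftSigned = ($sig.Status -eq 'Valid' -and
                           $signer -match 'O=Microsoft Corporation')
        SizeBytes       = $file.Length
        LastWrite       = $file.LastWriteTime
        SHA256          = $hash.Hash                      # compare with a known-good value
    } | Format-List
}
```

A process whose `PathOk` is False, or whose signature is not valid and not from Microsoft, is the one to investigate; the script prints the SHA256 value but does not embed a reference hash, since that must come from a trusted source for the exact Windows build.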
Smiller6620,
I think you have not checked the information in the thread I provided in the previous post. If you are unable to find Lsass.exe listed, check for Local Security Authority Process. It should be set to Auto, NOT Allow or Block. Please check the screenshot below:
Yogesh
Yogesh,
The user should not have Auto set as they have Auto Program Control turned OFF.
OK, due to differences between your post and the one that followed, I am confused as to what to set the process to. Should it be auto? A post following yours said it should not be set to auto because of the fact that I have auto turned off?? Also, how do I access Norton Insight?
Sorry for not including this in my last post, but I thought I should mention the fact that you said that programs set to allow or block wouldn't be added to the list and therefore would not show. I thought I should tell you that I have quite a few programs in that list that are set to allow and block that are showing up?? Does that mean anything in particular?? I am pretty confused by this firewall program. I am used to having to manually allow or deny access to all programs when they first try to connect, therefore this trusted program list does not sit well with me and that is why I disabled the auto program control. However, I find it even more unsettling that now I cannot change the commands to programs I have already told the firewall what to do with… So basically I'm stuck with whatever choice I first made, right? If not, is there a way to change my original command?
Hi smiller6620,
If this is your first experience with the NIS 2009 Smart Firewall, it might be beneficial that you start by using Automatic Program Control and allow Norton to make the initial decisions for you.
Even when Norton creates Firewall rules, you still have the option to modify or even delete those rules under "Program Control". In this way, you can become familiar with the workings of NIS 2009 and then choose to create custom rules as you see fit.
I actually leave Automatic Program Control on and let Norton make the decisions for me. The only time I vary from this is when I research an issue for a forum member.
If you would like to proceed in this manner, go to the same window where you turned off Automatic Program Control. Turn that feature back ON. Be sure to click "Apply".
In the same window, go to "Firewall Reset" and click "Reset."
"The Firewall Reset option returns the Smart Firewall to its default state. The Firewall Reset option resets firewall settings such as firewall rules and trust control settings. For example, if you reset the firewall, any custom rules or settings that you have configured are removed. All computer networks are removed from the trusted list and the restricted list in Trust Control. Therefore, Norton Internet Security prompts you with a confirmation dialog box when you reset firewall."
Now, when you open a program, Norton will create a rule for that program. You may get a notification that a rule was automatically created.
Using this method, you will have a reliable set of Firewall Rules as a benchmark from where you can make modifications if you so desire.
Let us know how you do.
[edit: grammar]
Adding a small piece of information:
When you turn on the Advanced Events Monitoring feature, you are prompted with numerous firewall alerts. Advanced Events Monitoring is recommended only for advanced users. This is because you need to recognize each file which tries to access the Internet and only then allow the access. Otherwise, there is a possibility of allowing threats (unrecognized programs) to access the Internet from your computer by accident, which will download several other threats in return. Normal users can have Automatic Program Control enabled (recommended), which is safer and highly efficient.
Yogesh