LSA Executable and Server DLL (port 500)

[aangen]

Since installing µTorrent the firewall I use (Zone Alarm Pro) has asked me more than a few times if LSA Excecutable and Server DLL can access the net via port 500. Having gone through a virus situation with LSASS.EXE a few years ago I know to not let it have access. Could the use of µTorrent cause this? (I thought I read somehwere that it could be doing this). (and yeah, I checked my machine for Sasser, I'm clean)

Thanks.

[Firon]

are you sure it's not just ZA thinking it's a virus because some peer is using port 500? much like the "it's sending e-mails!" thing.

[Ultima]

It's never happened to me here... µTorrent shouldn't be causing LSASS.EXE to be doing anything out of the ordinary...

[aangen]

I don't think ZA "thinks" it's a virus. ZA just knows LSASS.exe is trying to access the net and knows it has to ask permission. But why LSASS.exe is trying to access the net is what I can't answer. It's blocked, so no big deal. I just noticed it started happening a lot after I started using µTorrent.

[Firon]

Well, it is possible you have some other kind of backdoor/trojan/worm/etc...

[hofshi]

I have the same phenomenon since I installed µtorrent. I block LSA shell and µtorrent functions A OK.

Edit: my computer is clean, and I use ZA pro as well.

[boo]

I don't get this, maybe it some security program that causes this phenomenon for you two

[Firon]

You know, I think it's just ZA thinking it's LSASS doing it, because you're connecting to something on port 500. Kind of like how it thinks it sends out e-mails too.

[bleh]

It seems that µtorrent and zonealarm doesn't mix, on any level.

It would be hilarious, if it weren't for everyone going "omg it's a virus!" two seconds later on the forums. Perhaps the faq needs to make the distinction that every user that uses µtorrent needs to get a proper firewall installed? (my sister actually just has the xp firewall, and is despite information from me, still 100% sure it's "safe" because microsoft says so)

[aangen]

Oh yeah sure, start the "proper firewall" argument. One mans proper firewall is anothers junk. To each his own. I am not having any trouble using µTorrent with ZA, just noticing what I noticed. For the record, it's a simple thing to "fix", but if you know better good for you. For the record, what is the appropriate firewall bleh? Please say Blackice. (LOL)

Firon, I agree with your thought that it's just someone using port 500. I wish someone would not use port 500.

[hofshi]

I too don't have any problem with µtorrent and ZA.

However, I don't think it's just ZA thinking that it's the LSA shell. ZA specifies both port number and filename, and in this case the filename isn't utorrent.exe.

[Ultima]

@bleh: What makes you say that µTorrent and ZoneAlarm don't mix? I haven't had any problems with it, whatsoever... I'm sure anyone who's configured it properly wouldn't either. At least ZoneAlarm 6.x...

@Firon: ZoneAlarm doesn't mix process names up though. If µTorrent were accessing port 25, it would say that µTorrent was trying to send mail through the SMTP port. Similarly, if µTorrent were accessing port 500, and there's some problem with that, ZoneAlarm should say that µTorrent's trying to access that port (and not LSASS.EXE). Either way, this is still an odd phenomenom =T

[bleh]

Well, the most so called "alerts" I've seen in these forums that pertain to firewalls and µtorrent seem to go something like this "I used zonealarm, and it says that µtorrent is sending telnet, smtp , ping messages. and it's a real security risk!" now if zonealarm if properly configured suppresses these messages, it's all golden for the ZA crowd from here on.

(it's due to a configuration setting, that should be mentioned in the faq I think)

The thing that pisses me off most about this whole deal , is that the program seems to assume that everything on port 80 would be just http traffic, or that everything on port 23 would just be telnet traffic and etc... without checking anything out!

Also, for me there really isn't such a thing as a proper firewall, not in a windows enviroment at least. (I've been doing far too many lab experiments with linux based firewalls lately)

But, I'd say that any firewall that doesn't mess with my applications too much, and that doesn't give me false positives, is a firewall worth having. (and that of course has a good code of security)

But, in this case... there seems to be something else lurking in the shadows....

[aangen]

Sounds like you don't have any personal experience with ZA bleh, so I forgive you.

It's actually not so bad. But as you pointed out, the folks who USE ZA can sometimes leave something to be desired. I know what I'm doing with mine, trust me.

[splintax]

The best protection is a regular visit to update.microsoft.com and a NAT, as well as some common sense (like DON'T INSTALL SMILEY PACKS, FFS).

I have the same phenomenon since I installed µtorrent. I block LSA shell and µtorrent functions A OK.

Maybe it is, as Firon suggested, somehow just a connection on port 500 through µTorrent, and you're just blocking one peer. It would appear to be working normally.

[hofshi]

It's not just a connection through µtorrent. read the posts above more carefully. If ZA blocks a connection, it specifies which application is responsible for that connection.

[chaosblade]

Used ZA 6.x for a very short while (meh @ ZA, but leave that alone), Seemed to have no problems. Never had LSA ask for internet connection at all though, not before and not after using uTorrent.

For the record, I'm now using Look n' stop firewall 2.05p2.

[hofshi]

it happens from time to time, not too often though.

[splintax]

It's not just a connection through µtorrent. read the posts above more carefully. If ZA blocks a connection, it specifies which application is responsible for that connection.

I know, I did read the posts. But we all know that ZoneAlarm isn't always the most reliable.. Just an idea. I agree that this needs to be looked into further, though.

[Ultima]

Seems reliable for me... lol I guess my shallow knowledge of networking and whatnot deceives me xP

[splintax]

The main issue that we've had in the past is that it trusts that any assigned port is doing what it's supposed to. For example, it thinks that any outbound traffic on port 25 (assigned to SMTP) is "sending emails". µTorrent does that when a peer is operating on that port, and ZA pops up and tells them that, worrying a lot of people..

This shouldn't be the problem at hand, but I'm just saying, ZoneAlarm isn't exactly trustworthy IMO.

[Vlad_Drac]

Sorry to revive the dead.

Just thought I'd let it be known that this isn't only a uTorrent/ZoneAlarm thing.

I use TPF firewall and it also reports LSASS.EXE and port 500, however, all scans say my PC is clean, so agree its probably a peer.

[Ultima]

Yah, this happens with any firewall that pretends to "identify" connections, but really only assumes the identity based on some stupid criterion like destination port.

[Firon]

Basically, yeah. It's a false positive.

[frogmaster]

I do not necessarily agree it's a false positive. I use ZoneAlarm and ЧTorrent as well. Normally I would never allow LSASS requests on port 500 but here recently I did, with the result that I got phyton and spyware installed, possibly due to tunneling. My SUPER AntiSpyware application stopped it and I cleaned out and removed the rest with CCleaner ;-)

By the way, I absolutely do not agree that ZoneAlarm is unreliable ;-D