Lsass.exe Virus
Written by Tomas Meskauskas on (updated)
What is lsass.exe?
The lsass.exe (Local Security Authority Subsystem Service) is a legitimate Windows system file that can be found running in Task Manager as Local Security Authority Process. The process is responsible for enforcing the security policy on the operating system.
It manages password changes, validates users logging on to Windows servers or computers and creates access tokens that contain various security credentials. Note, however, that cyber criminals often use the lsass.exe filename or its process name (or a very similar name) to disguise malicious programs.
Therefore, some anti-virus programs detect the genuine lsass.exe file as a threat. Such cases are called 'false positive' detections.
False positive virus detections occur when anti-virus programs detect legitimate files as threats. This usually happens due to mistakes in malware databases and often leads to removal of legitimate files. Therefore, important operating system files might be removed.
Fortunately, false positive detections are usually reported immediately and anti-virus software developers update their databases and correct misleading information. Despite this, malware developers can take advantage of the situation - their malicious files/programs slip through virus scans unnoticed and are identified as harmless.
The lsass.exe file can be found in the "\Windows\System32" system folder, however, if there is another file, for example, Isass.exe (with uppercase "i" rather than lowercase "L") or any file with a similar name, this is probably not a legitimate system file and could be malicious.
The same applies to files named lsass.exe that are placed in a location other than the System32 folder. Additionally, when running in Task Manager, the genuine lsass.exe process does not have an icon beside it and should run, not as lsass.exe, but as Local Security Authority Process.
If you identify a process called lsass.exe running in Task Manager that has an icon beside it (as in a screenshot below), a malicious program is running in the system background. Note that terminating the genuine (Local Security Authority Process) process in Task Manager will cause a system crash and the operating system will stop working.
Having a malicious program that runs the malicious (fake) lsass.exe process can diminish computer performance and might use extensive CPU resources. Additionally, this program might work as a trojan-type program and cause download and installation of various high-risk viruses.
Additionally, it could be running as an adware-type program and feed users with unwanted and annoying ads. It could also affect internet browser performance, and so on. If you believe that a malicious program has infected your computer, remove it immediately.
If the installed anti-virus suite does not detect it as a threat, we recommend that you scan the system using other software of this type.
| Name | lsass.exe trojan |
| Threat Type | Trojan, Password stealing virus, Banking malware, Spyware. |
| Detection Names (lsass.exe) | Avira (TR/Dropper.Gen), BitDefender (Gen:Variant.Symmi.4309), ESET-NOD32 (A Variant Of Win32/Packed.FlyStudio Potentially Unwanted), Malwarebytes (Trojan.FlyStudio), Full List (VirusTotal) |
| Malicious Process Name(s) | lsass.exe |
| Additional Information |
Malware disguised as a genuine Windows process called Local Security Authority Process, which is delivered by a genuine lsass.exe file placed in "\Windows\System32" directory. |
| Symptoms | Trojans are designed to stealthily infiltrate the victim's computer and remain silent. Thus, no particular symptoms are clearly visible on an infected machine. |
| Distribution methods | Infected email attachments, malicious online advertisements, social engineering, software cracks. |
| Damage | Stolen banking information, passwords, identity theft, victim's computer added to a botnet. |
| Malware Removal (Windows) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
The internet is full of malicious files and this is not the only case whereby a legitimate file can be detected as a threat, and vice versa. Some examples of other false positive detections are Fuerboos, Trojan.gen.npe.2, and ERDNT.LOC. As mentioned, these detections often lead to removal of important files. If a process or file is malicious, eliminate it immediately.
How did lsass.exe infiltrate my computer?
There are numerous ways to proliferate malicious programs/files. Typically, criminals distribute them through untrustworthy software download channels, fake (unofficial) software updating tools, spam campaigns, Trojans and third party software activation/'cracking' tools.
Using Peer-to-Peer networks (torrent clients, eMule, and so on), freeware download, file hosting websites, third party downloaders, unofficial pages, and so on, they attempt to trick people into downloading infected files. They present them as harmless, legitimate files, however, once downloaded and opened, they cause installation of malicious software.
Third party/fake software update tools cause infections by downloading and installing malware rather than the updates or fixes, or they exploit bugs/flaws of outdated software. Spam campaigns (emails) are used to trick people into opening included malicious attachments or web links that, if opened, lead to installation of malicious programs.
These attachments are often Microsoft Office documents, archive files (ZIP, RAR, and others), PDF documents, executables (like .exe), JavaScript files and so on.
If already installed, Trojans download and install various computer infections, thereby causing chain infections. Software 'cracking' tools supposedly activate software or operating systems free of charge, however, they often download and install malware.
How to avoid installation of malware?
Carefully analyze each received email, especially if it contains attached files or links that lead to them. If the email is irrelevant and is sent from an unknown/suspicious address, the safest option is to ignore it. Use only official software updating tools, implemented functions or tools that provided by official software developers.
Download software (or other files) from official websites. Do not use any of the sources mentioned above. Do not use third party activation tools to bypass paid software activation. Using these programs is a cyber crime and often leads to computer infections.
It is also strongly advised to have a reputable anti-virus or anti-spyware suite installed and to keep it enabled/active. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.
Malicious lsass.exe process running in Task Manager (note that the process has an icon and the name is not Local Security Authority Process, which the genuine lsass.exe runs):
Lsass.exe file detected as malicious by more than 50 virus detection engines:
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is lsass.exe?
- STEP 1. Manual removal of lsass.exe malware.
- STEP 2. Check if your computer is clean.
How to remove malware manually?
Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically.
To remove this malware we recommend using Combo Cleaner Antivirus for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:
If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:
Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu".
Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".
In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Extract the downloaded archive and run the Autoruns.exe file.
In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.
Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".
After removing the malware through Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.
Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.
These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.
To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.
Outstanding!
▼ Show Discussion