lsass.exe – a safe Windows file whose name can be used by malware
lsass.exe is a legitimate Windows process known as Local Security Authority Service. It’s a critical system file created by Microsoft Corporation that is responsible for important tasks such as:
- enforcing security policies;
- verifying user logins to a Windows computer or server;
- handling password changes;
- creating access tokens.
The original lsass.exe file is located in “C:\WINDOWS\SYSTEM32\” and cannot be ended using Windows Task Manager. Terminating this task may lead to various computer-related problems, so doing that is not recommended.
However, if you find this file in a different directory, or it uses a lot of the computer’s CPU, it might be a sign that your computer is infected. Unfortunately, cyber criminals often use the names of legitimate files to install or run malware on the computer.
Some parasites, for example, Sasser worm, use the lsass.exe filename to deceive the user by hiding their processes under the name of this file. The same filename is used by OnTarget, Pexmor, Rontokbro, Satiloler, Crutle, Wowcraft and other variants of these malware parasites.
Criminals have been noticed using an obfuscated version of the lsass.exe name in which they used a lowercase “l” instead of a capital “I.” Inattentive computer users can be tricked quite easily this way.
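The two checks described above (an lsass.exe outside “C:\WINDOWS\SYSTEM32\” and a look-alike name that swaps “l” and “I”) can be applied to a process listing as in the following added example, which is not part of the original article. The process records are constructed sample data, and treating the digit “1” as a further look-alike is an assumption that goes beyond the case in the text.

```python
import ntpath

LEGIT_NAME = "lsass.exe"
# Location given in the article; Windows paths compare case-insensitively.
EXPECTED_DIR = r"c:\windows\system32"
# Look-alike characters folded to "l". "I" is the swap the article describes;
# "1" is an added assumption.
_CONFUSABLES = str.maketrans({"I": "l", "1": "l"})


def skeleton(name):
    """Fold look-alike characters first, then lowercase."""
    return name.translate(_CONFUSABLES).lower()


def classify(name, path):
    """Return a verdict for one process record (image name, full path or None)."""
    if name.lower() != LEGIT_NAME:
        # Not literally lsass.exe: does it only *look* like it?
        return "lookalike-name" if skeleton(name) == LEGIT_NAME else "unrelated"
    if not path:
        # The path may be unreadable without administrator rights.
        return "path-unknown"
    # normpath resolves "..", "/" and doubled separators before comparing.
    folder = ntpath.normpath(ntpath.dirname(path)).lower()
    return "expected-location" if folder == EXPECTED_DIR else "unexpected-location"


def triage(records):
    """Keep only the records that deserve a closer look."""
    skip = {"expected-location", "unrelated"}
    flagged = [(pid, name, classify(name, path)) for pid, name, path in records]
    return [row for row in flagged if row[2] not in skip]


# Constructed sample process listing: (PID, image name, image path).
SAMPLE = [
    (612, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    (4120, "lsass.exe", r"C:\Users\Public\lsass.exe"),
    (5288, "Isass.exe", r"C:\Windows\System32\Isass.exe"),
    (6100, "LSASS.EXE", r"C:\Windows\System32\..\Temp\lsass.exe"),
    (700, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (7004, "lsass.exe", None),
]

if __name__ == "__main__":
    for pid, name, verdict in triage(SAMPLE):
        print(f"PID {pid:<5} {name:<10} {verdict}")
```

A verdict of “expected-location” only means the name and folder match; it does not prove the file is the genuine one, which is why the full scan recommended below still applies.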
You can suspect that your computer is infected if you also notice these symptoms:
- the general sluggishness of the computer;
- crashing or unresponsive programs;
- an increased amount of ads;
- browser redirects to questionable sites;
- errors popping up on the screen;
- installation of unknown programs or browser extensions.
So, you may have a virus that runs a process with the same name, works silently in the background and performs harmful actions. To check your PC, run a full system scan with a reputable anti-malware program. We recommend using Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus.
A malicious executable might be dropped on the system after one inattentive click
The original lsass.exe file arrives on the system together with the Windows OS. However, the malicious file can be dropped using a couple of methods, for example:
- when a user opens a malicious email attachment;
- when a malware-laden ad tricks the user into installing fake software or a fake update;
- when users download illegal or cracked content;
- when browsing insecure websites.
Therefore, users are advised to be careful when browsing the web and especially when downloading content from unknown sources. Always download software or updates from trusted developers’ websites.
Additionally, you should not rush to open unknown email attachments, links or other files received through messaging apps or social networks.
Remove the malicious lsass.exe file
Before you proceed with lsass.exe removal, you have to make sure that this file is actually malicious. If you accidentally delete the legitimate executable, your computer will stop working properly, and you will need to deal with the resulting computer-related problems.
For this reason, if you suspect that your PC is infected, you should scan the system with Reimage or another malware removal program. The security software will check the system and remove lsass.exe together with other suspicious components if needed.