Author Topic: question on "LSASS Exploit (SXP) attack" question  (Read 3825 times)

0 Members and 1 Guest are viewing this topic.

Will91

  • Guest
question on "LSASS Exploit (SXP) attack" question
« on: March 24, 2007, 04:25:45 AM »
Hi:

I got a message from Network Shield about "LSASS Exploit (SXP) attack".  It was followed by a bunch of numbers (IP address?)

I THINK it said it was blocked but the message flashed so quickly I'm not sure now.  The Avast logger only indicates an attack - not that is was blocked. 

What happened?  I am using McAffee firewall protection and had just logged onto the internet through my dial-up ISP.  Windows XP firewall is OFF.  Should it be on also??

My Windows XP is always auto-updating.

Should I do a scheduled boot scan?  I routinely do "thorough" scans with archives checked.  Is the scheduled boot scan different?

Thanks for the help.
« Last Edit: March 24, 2007, 04:35:13 AM by Will91 »

mauserme

  • Guest
Re: question on "LSASS Exploit (SXP) attack" question
« Reply #1 on: March 24, 2007, 05:21:21 AM »
Hi Will91,

If your Windows is up to date you are not vulnerable to this exploit, but that doesn't stop attempted attacks.  These originate from outside your computer.  As long as your network shield is active it will block the attack, as should your firewall.

Its normal for a third party firewall to turn off the Windows Firewall upon installation, so if the Windows one is off I would leave it that way.  I know of only one exception to this (AShampoo).  I don't see a need for a boot scan right now unless it will put your mind at ease.

Will91

  • Guest
Re: question on "LSASS Exploit (SXP) attack" question
« Reply #2 on: March 24, 2007, 05:55:15 AM »
Thanks:

I read on wikipedia that LSASS attacks are related to the sasser worm which first appeared in 2004.  I understand it was stopped by Microsoft security patches.  So.... why didn't my operating system stop it in the first place in which case Avast would have had to do nothing, right??

Actually, whether or not my Windows XP SP2 really is up to date is a concern for me.  I DO have automatic updates turned on and I always see the little yellow exclamation mark frequently indicating a download.  Also, when I shut down the pc, it does freqently indicate it is installing updates.  However, when I went to windows update website tonight and tried the "scan" feature to see if I need updates, I got an error message....

[Error number: 0x8024001D]
  The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem. 


Also, when I click on the button indicating microsoft will tell me my update history, all the updates show red question marks instead of green check marks BUT under control panel, add/remove programs and show updates, I do show many windows security updates as having been installed.

I have submitted this question to MS, but my experience is their replies are very generic in nature and it is difficult to solve an individuals problems.  Would you happen to know if it is common for automatic updates to APPEAR to be working, but for a manual attempt to fail??

thanks for the help.
« Last Edit: March 24, 2007, 06:15:24 AM by Will91 »

mauserme

  • Guest
Re: question on "LSASS Exploit (SXP) attack" question
« Reply #3 on: March 24, 2007, 06:37:03 AM »
The patch for the lsass exploit was released in April 2004 so if your update problems are recent you're probably still OK in this regard.  But you're right to be concerned about the rest of the updates.

First, make sure you're updating as an administrator and that you've allowed Windows Genuine Advantage to install.  This is necessary to confirm that your copy of Windows is legitimate (and is different from Windows Genuine Advantage Notifications.  I advise against installing the latter).

If those don't help try the advice about deleting the SoftwareDistribution folder posted here

But note this procedure will delete your update history.

Will91

  • Guest
Re: question on "LSASS Exploit (SXP) attack" question
« Reply #4 on: March 24, 2007, 06:49:18 AM »
Thank you.

I am logging on with adminstrator privilege.

How do I know if WGA is installed?

Is the update history limited to WINDOWS updates?

mauserme

  • Guest
Re: question on "LSASS Exploit (SXP) attack" question
« Reply #5 on: March 24, 2007, 07:03:16 AM »
How do I know if WGA is installed?
If you try to install from the Microsoft support site without WGA you will be asked to allow an active-x control.  Once the active-x is installed updates should procede as normal.
 
Also, you can check by opening the Internet Explorer, then click Tools>Internet Options>Programs>Manage Add Ons.  In the "Show" drop down box choose Add-ons that have been used by Internet Explorer and see if Windows Genuine Advantage Validation Tool is listed.

Is the update history limited to WINDOWS updates?
As far as i know, yes.  But I'm only going by what's posted in that thread - I've never had to do it.

Will91

  • Guest
Re: question on "LSASS Exploit (SXP) attack" question
« Reply #6 on: March 24, 2007, 07:13:57 AM »
Interesting...I do NOT show the WGA add on and I never got the active X request.  Perhaps this IS this reason for the update failure.  I guess I can go to windows and download the WGA validation tool.  For what it's worth, I do know I have a legal copy of Windows as it came loaded on this Dell pc but I guess I still need this WGA tool.

mauserme

  • Guest
Re: question on "LSASS Exploit (SXP) attack" question
« Reply #7 on: March 24, 2007, 07:23:38 AM »
Are you blocking active x in your browser settings?  If you are you might get the active x notiifcation that you will need to click and allow.

Will91

  • Guest
Re: question on "LSASS Exploit (SXP) attack" question
« Reply #8 on: March 24, 2007, 07:30:04 AM »
I am using Medium on security settings (IE6.0).  I THINK that should prompt me if active X wants to run and I never saw the request to allow activeX when I tried the manual Windows update.  I think the answer may be in downloading the WGA tool and perhaps following the instructions contained in that link on the IE error code you sent.

WuLFe

  • Guest
Re: question on "LSASS Exploit (SXP) attack" question
« Reply #9 on: March 24, 2007, 02:41:25 PM »
try out the Autopatcher app, its much more convenient to update Windows this way (for me, that is)

http://www.autopatcher.com/