Data Center Security

  • 1.  Process Limited Access Denied for SVCHOST.EXE on C:\WINDOWS\SYSTEM32\LSASS.EXE

    Posted Oct 03, 2018 06:13 AM

    Hi, newcomer here,

    I have been getting a lot of events for "Process Limited Access Denied for SVCHOST.EXE on C:\WINDOWS\SYSTEM32\LSASS.EXE" when a domain controller is placed in Block Mode. From my understanding, Symantec has a default policy (I am on 6.7 DCS) to block all access to lsass.exe.

    I am hoping to gather some ideas of what might be the issue here and what's the best practice around this?

    I just want to understand why it is designed to be blocked by default. In my case this is currently blocked on a Domain Controller and so far I don't see any problem, but one of my colleagues has a concern that if a legitimate process is blocked by DCS it might cause issues in the future.

    Is it common to see this event? "Process Limited Access Denied for SVCHOST.EXE on C:\WINDOWS\SYSTEM32\LSASS.EXE"

    And how should I approach the whitelist? I have created a process allowed access rule under the default window process sandbox. But I think the Block rule will take place before the allow rule?

    Thanks for your help,

    Rob



  • 2.  RE: Process Limited Access Denied for SVCHOST.EXE on C:\WINDOWS\SYSTEM32\LSASS.EXE
    Best Answer

    Posted Oct 09, 2018 02:42 AM

    Hi,

    There is obviously a very good reason for that process being blocked. However, if it isn't causing any issues in the production environment now, I'd leave it as-is but keep an eye on it for anything in future. A number of viruses attack that specific process, and the blocking action has probably been instituted due to this.

    Check your sandbox environment and run those rules. I'd assume that even if the Block rule takes place first, an Allow rule will override it and allow the process to run as per normal.

    Thanks!