lsass.exe is consuming all our server and internet upload capacity


A few months ago we were victim of a ransomware attack. We just recovered all the files because there was no option to unencrypt and we did remove the virus.

Now, I can see that my clients connected to the server are experiencing interruptions and very low speed in the communication via remote desktop connection. When I check the server with GlassWire, I can see that the Local Security Authority Process is sending a lot of information out to hosts in China, Romania, England, etc.

My question is how can I block that traffic, since the antivirus is showing me that there are no infections at all. I appreciate any help.

@mateito10 So many different websites and services use content delivery networks that it’s unclear if those hosts are dangerous or not. You can check the hosts inside GlassWire by clicking the three dot menu, or just type it in here in the URL (instead of to see if it’s dangerous.

We don’t currently block hosts, and one reason is because so many websites/applications use content delivery networks so it makes it difficult for host blocking to be very useful these days. More information on content delivery networks is here

If you find you’re connected to a dangerous host you can find the app responsible, and block it in GlassWire’s firewall. Also GlassWire will automatically alert you if you connect to a known suspicious host.

You can also go to our firewall and turn on our “Ask to connect” mode to allow/deny new app connections, plus make sure you’re using an antivirus that is up to date.

It’s difficult to give advice for your exact situation but I hope this helps you investigate the issue more carefully.