1sass.exe on Windows Server 2008 R2

1sass.exe on Windows Server 2008 R2

I want to tell the story of the investigation of the 1sass.exe virus that was living on one of Windows 2008 R2 Servers that I am responsible for (actually it can have any name that resembles the name of any Windows system process). It was discovered when the the CPU loads became up to 100% because of it. The antivirus did not find it as a malware, the killing of it in the Task Manager did not work, so there are several solutions below to fix it manually:

The bad, lazy way

If you want to fix the consequences of it, then the basic blocking of the internet access via the firewall will do it. In my case the executable was located in the C:\Windows\Fonts folder, so two rules (Inbound and Outbound) that block its internet access (create rules for specific program, not TCP port or whatever) will lower the CPU consumption by the 1sass.exe down to 0%.

If you feel uncomfortable knowing that the tricky executable can be crushing your system while you are asleep, then we should go further:

The cause and the consequence

Knowing that the process can not be killed (actually, it can be killed, but restarts in a fraction of a second), we should see who is calling it all the time. The official Microsoft Process Monitor software (microsoft.com) will help with that – create the filter based on “Process name = 1sass.exe” and start the capture. During the capture, kill the process and see who is calling it (check out the the Parent PID). Then change the filter in the Process Monitor to capture the events for the “PID = the parent PID”, so this is how the application that keeps calling the executable will be known. In my case it showed that it was the C:\Windows\Fonts\svchost.exe, so I went to the folder and deleted it along with the 1sass.exe (make sure that Folder settings allow you to see the hidden files).

After the reboot there are no sign of both executables, so hope there will not be any sign of them ever. Anyway, without changing a password and installation of the latest anti-virus software, all these measures will be useless.