ZSATrayManager.exe LSASS

We’re trying to enable as many ASR rules as possible. One of the rules blocks processes from stealing credentials from LSASS.

ZSATrayManager.exe is our only application that shows up when audit mode is enabled. Does anyone know if blocking ZSATrayManager.exe from LSASS impacts any Z-App functionality?

Hi,

When Firefox integration is active (Configuring Firefox Integration for Zscaler Client Connector | Zscaler), our agent runs through all active processes looking for the Firefox one. That's why you are seeing that we try to access that one (and, actually, all the others).

If you don’t use Firefox you can turn the integration off, or I think you could actually block the access to lsass.exe, since that’s not the process we are looking for. I haven’t tried to block lsass.exe, so you might want to test it or open a support ticket so that engineering can check this out, though.

Hope this helps, at least to clarify that we don’t actually access the process itself, but the list of processes.

We don’t use Firefox, so I’ll disable the Firefox integration in the ZCC portal. Thanks!!

Also keep in mind that if you are not using the local proxy, even if someone is using Firefox, the tunnel 1 and tunnel 2 modes would capture it as well.

Just in case, so that you don’t have unnecessary blind spots.

Looks like this didn’t take effect until about 1 month later.

Might require a PC reboot. Happy to report there are no more instances of ZSATunnel.exe accessing LSASS.
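
For anyone who wants to check this on their own endpoints, here is an added example (not part of the thread and not Zscaler or Microsoft code) that tallies audit and block events for the LSASS credential-theft ASR rule by source process, which is how a process such as ZSATrayManager.exe shows up in audit mode. The 30-day window is an assumption, and the `ID`, `Path` and `Process Name` field names are taken from the XML view of Defender events 1121/1122 and should be confirmed on your build.

```powershell
# Added example: summarize hits on the ASR rule
# "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$Days        = 30   # assumption: look-back window, adjust as needed

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122                 # 1121 = blocked, 1122 = audited
    StartTime = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Events 1121/1122 cover every ASR rule; keep only the LSASS rule.
    if ($data['ID'] -ne $LsassRuleId) { continue }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Mode   = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        Source = $data['Process Name']     # process that opened the handle
        Target = $data['Path']             # expected to be lsass.exe for this rule
    }
}

# One row per source process and mode, with the most recent occurrence.
$hits | Group-Object Source, Mode |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it once before and once after a configuration change, such as disabling the Firefox integration; a `LastSeen` value that stops advancing for a given source process indicates the change has taken effect on that machine.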