ZSATunnel.exe and LSASS

We’re trying to enable Windows Defender ASR rules and one of the rules blocks processes from stealing credentials from LSASS.

ZSATunnel.exe is the only application that shows up when audit mode is enabled. Can you please advise if blocking ZSATunnel.exe from LSASS will impact any Z-App functionality? Thanks.

Hi @FelixT ,

ZSATunnel is the service responsible for creating a tunnel and sending traffic to Zscaler, so yes, blocking the ZSATunnel service will impact Z-App functionality.

Here is a link that details the client connector processes:
https://help.zscaler.com/zscaler-client-connector/locating-where-zscaler-client-connector-installed

Why is ZSATunnel trying to access LSASS?

I’ve been looking into the same issue. We actually have the ASR rule for blocking this on. We see several blocks taking place but no impact on the ZSATunnel process. To clarify, it is blocking the ZSATunnel.exe from interacting with the LSASS process, not blocking the tunnel altogether. Here is a link to the article from MS on this ASR rule: Attack surface reduction rules | Microsoft Docs

We also have Credential Guard enabled, which means that this ASR is really only serving as an alerting mechanism since the creds are already protected.

@jkelly Can you clarify what the interaction with LSASS is actually doing or attempting to do?