"This module is blocked from loading into the Local Security Authority" message

mitja.kolsek

When "Added LSA protection" is enabled on the computer (which can happen automatically with new, non-upgraded computers), you may see the following warning popup:

[Screenshot: the "This module is blocked from loading into the Local Security Authority" warning popup]

The "Added LSA Protection" simply marks lsass.exe as a "protected process", which prevents 0patch Loader DLL (0patchLoader.dll or 0patchLoaderX64.dll) from being injected into it.

We occasionally have patches that have to be applied to lsass.exe (not necessarily to lsass.exe itself, but to some DLL that lsass.exe uses), and not being able to get the 0patch Loader DLL loaded into lsass.exe means we cannot apply these patches. A typical example of a patch that needs to be applied in lsass.exe is our patch for PetitPotam (https://blog.0patch.com/2021/08/free-micropatches-for-petitpotam.html). This vulnerability was never properly addressed by Microsoft, and it can still be used to attack computers on the network as long as NTLM is not completely disabled. Preventing 0patch Loader from loading into lsass.exe effectively disables this patch.

Currently the only way to resolve this problem is to disable the added LSA protection as described in the above-linked article. We believe that allowing 0patch to work adds more value than this additional protection, which an attacker with admin privileges on the computer can disable anyway unless UEFI lock is used (added LSA protection is not needed against a non-admin attacker, because they can't inject into lsass.exe anyway).

Note that the message displayed above may stop showing if "Don't show this message again" was ticked, in which case our patches for lsass.exe may not be getting applied, without you noticing anything. If in doubt, please review your "Added LSA Protection" settings.
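To see the current state on a given machine without waiting for the popup, here is an added PowerShell check (an example written for this article, not part of 0patch itself). It assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer, reads the RunAsPPL value under the Lsa registry key, and looks for the Wininit event that Windows logs when lsass.exe starts as a protected process:

```powershell
# Added example, not 0patch code: report whether "Added LSA Protection" (RunAsPPL)
# is configured, and whether lsass.exe actually started protected at this boot,
# so you can tell whether 0patch patches for lsass.exe can be applied at all.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL

# Meaning of the value per Microsoft documentation:
# absent/0 = not enabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
if ($null -eq $runAsPpl) {
    $configured = 'not configured (no policy-based LSASS protection)'
} elseif ($runAsPpl -eq 0) {
    $configured = 'explicitly disabled'
} elseif ($runAsPpl -eq 1) {
    $configured = 'enabled WITH UEFI lock (a registry change alone will not undo it)'
} elseif ($runAsPpl -eq 2) {
    $configured = 'enabled WITHOUT UEFI lock'
} else {
    $configured = "unknown value $runAsPpl"
}
Write-Host "RunAsPPL registry value : $configured"

# Wininit writes event ID 12 to the System log when lsass.exe is launched as a
# protected process. No such event since the last boot means LSASS is not protected
# right now, regardless of what the registry says for the next boot.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$evt = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $lastBoot
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($evt) {
    Write-Host "LSASS at this boot      : started as a protected process ($($evt.TimeCreated))"
    Write-Host 'Result: 0patch Loader cannot be injected into lsass.exe; patches for lsass.exe (e.g. PetitPotam) are NOT being applied.'
} else {
    Write-Host 'LSASS at this boot      : no Wininit event 12 found, LSASS is not running protected'
    Write-Host 'Result: 0patch Loader can be injected into lsass.exe.'
}
```

The registry value only describes what happens at the next boot, so the event log check is the one that tells you whether patches are being applied right now.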
