- This topic has 1 reply, 1 voice, and was last updated 3 days, 20 hours ago by
.
-
Posts
-
Dear NoMachine Support,
I’m part of a security team and recently observed the use of NoMachine at one of our clients. We noticed that the nxserver.bin process is being spawned by lsass.exe on a Windows 10 Pro machine.
This behavior is raising concerns, as lsass.exe is generally expected to be a childless process—except in rare cases like efsui.exe. Detection rules and EDR platforms typically flag this as suspicious or anomalous activity.
Details:
OS: Windows 10 Pro
NoMachine Version: 9.0.188
Observed Behavior: nxserver.bin spawned as a child of lsass.exe
Lsass.exe: signed by Microsoft
nxserver.bin signed by NoMachine S.a.r.l.Could you confirm whether this is expected behavior for NoMachine? Clarifying this would be helpful not only for us, but also for other security teams encountering similar alerts.
Thank you in advance for your assistance.
Best regards,
ThibaultYes, this is expected behavior. We implement a custom Authentication Package integrated with the Local Security Authority (LSA), which is responsible for several functions, including user authentication via public key mechanisms and launching nxserver.exe during system startup under the appropriate security context
You must be logged in to reply to this topic. Please login here.