Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages

Article: TECH161646  |  Created: 2011-06-06  |  Updated: 2011-06-28
Article Type
Technical Solution


You have configured SONAR in Symantec Endpoint Protection 12.1 to block System Change Events, i.e. DNS and hosts file changes will be blocked. When you choose "Block" instead of "Prompt", there is no prompt from Endpoint Protection, but you may receive unexpected messages from the operating system.


When there is an attempt to change DNS settings for a network adapter, you will receive the following operating system message: "You must shut down and restart your computer before the new settings will take effect. Do you want to restart your computer now?" Note that the DNS changes will be blocked, so it is not necessary to restart.

If you attempt to edit the hosts file and save changes (e.g. with Notepad), you will receive the following operating system message: "Cannot create the C:\WINDOWS\system32\drivers\etc\hosts file. Make sure the path and filename are correct."


This happens because SONAR has been configured to block System Change Events. When you choose "Block" instead of "Prompt", there is no prompt from Endpoint Protection, but you will receive the messages above from the operating system.


By default, SONAR is configured to ignore System Change Events. You may keep the default configuration if you do not wish to block these events. Alternatively, you may choose "Prompt", in which case the user will receive a more informative message from Endpoint Protection, but the choice to block or allow will be up to the user.

See also Symantec Endpoint Protection 12.1: Manager Risk distribution summary report lists "Microsoft Windows Operating System" as a risk name

Supplemental Materials


With an action of Prompt -> Block, or Block, an attempted DNS setting change using Explorer produces a "system needs to restart" prompt.
