
NT Kernel System Has Changed Message

Created: 09 Jan. 2013 • Updated: 10 Feb. 2013 | 3 comments
This issue has been solved. See solution.

I recently updated my Windows 7 Enterprise. I now get this message:

NT Kernel System has changed since the last time you used it

C:\Windows\system32\ntoskrnl.exe

I select no to not allow it. This is being detected by Symantec software.

I use Symantec Endpoint Protection Small Business Edition version 12.0.122.192.

After reading some posts on the internet, it appears that this is a common issue after updating Windows.

Is there any solution to this or should I just select yes and allow the change or continue to select no?

I went into the Network Threat Protection logs and did find this block. I have no idea what it means, and it shows up many times:

1/9/2013 10:14:23 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-1F-D0-81-4C-F2    0    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:13:22 PM    1/9/2013 10:13:22 PM    GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102    

I also find this in the same log a number of times:

1/9/2013 10:22:33 PM    Allowed    10    Outgoing    UDP    192.168.0.255    FF-FF-FF-FF-FF-FF    138    192.168.0.104    00-1F-D0-81-4C-F2    138    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:22:16 PM    1/9/2013 10:22:16 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP    
1/9/2013 10:22:33 PM    Allowed    10    Incoming    UDP    192.168.0.100    00-19-21-EF-5E-13    138    192.168.0.255    FF-FF-FF-FF-FF-FF    138    C:\Windows\system32\ntoskrnl.exe    Tony    Tony-PC    Default    1    1/9/2013 10:21:32 PM    1/9/2013 10:21:32 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP    

Any help would be appreciated.

Comments

Ashish-Sharma's picture

Hi,

Are you using an unmanaged SEP client?

Thanks In Advance

Ashish Sharma

Brɨan's picture

It looks to be an IPv6 rule, which is blocked by default in 12.1. You can allow this if you want. Otherwise you can just turn off IPv6 in Windows 7. It's really up to you, but this should not be malicious.

How to disable IP version 6 or its specific components in Windows

http://support.microsoft.com/kb/929852

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
Mithun Sanghavi's picture

Hello,

Check this Thread with similar Issue - 

https://www-secure.symantec.com/connect/forums/network-threat-protection-ntoskrnlexe-new

https://www-secure.symantec.com/connect/forums/network-threat-protection-9

Looks like a Network Application Monitoring message.

Check if - 

Clients > Policies > Location-independent Policies and Settings: Network Application Monitoring > Enable network application monitoring

is turned on. If yes, turn it off or change "When an application change is detected" to "Allow and log".

But you should only do that if you are sure that the alert was really a false positive.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.