
Network Threat Protection: ntoskrnl.exe new?

Created: 16 Oct 2009 • Updated: 21 May 2010 | 4 comments
This issue has been solved. See solution.

Good day, I searched the threads and only saw older references to ntoskrnl.exe. I am just looking into whether one of the latest from Patch Tuesday changed the kernel?

SEP 11.0.5. After the client installs the patches from WSUS it reboots, then we get two of the "your machine is owned by hackers" type alerts and the users have to click Yes, then it reboots.

I have 1,300 PCs in SEPM. It's going to be a long day of phone calls. Anyone else getting this?

The executable has changed since the last time you used C:\WINDOWS\system32\ntoskrnl.exe

File Version: 5.1.2600.5857
File Description: NT Kernel & System
File Path: C:\WINDOWS\system32\ntoskrnl.exe
Digital Signature: 
Process ID: 0x4 (Hexadecimal) 4 (Decimal)
 
Connection origin: remote initiated
Protocol: UDP
Local Address: 172.19.255.255
Local Port: 137 (NETBIOS-NS - Browsing requests of NetBIOS over TCP/IP)
Remote Name:          
Remote Address: 172.x.x.x
Remote Port: 137
 
Ethernet packet details:
Ethernet II (Packet Length: 92)
            Destination: ff-ff-ff-ff-ff-ff
            Source: xx-xx-xx-xx-xx-xx
Type: IP (0x0800)
Internet Protocol
            Version: 4
            Header Length: 20 bytes
            Flags:
                        .0.. = Don't fragment: Not set
                        ..0. = More fragments: Not set
            Fragment offset:0
            Time to live: 128
            Protocol: 0x11 (UDP - User Datagram Protocol)
            Header checksum: 0x149e (Correct)
            Source: 172.xx.xx.xx
            Destination: 172.xx.xx.xx
User Datagram Protocol
            Source port: 23300352
            Destination port: 35072
            Length: 8
            Checksum: 0xa8c1 (Correct)
Data (58 Bytes)
 
Binary dump of the packet:
0000: FF FF FF FF FF FF 00 1C : 25 20 BA 2B 08 00 45 00 | ........% .+..E.
0010: 00 4E 80 40 00 00 80 11 : 9E 14 AC 13 C4 23 AC 13 | .N.@.........#..
0020: FF FF 00 89 00 89 00 3A : C1 A8 86 F2 01 10 00 01 | .......:........
0030: 00 00 00 00 00 00 20 46 : 44 45 46 46 43 46 47 45 | ...... FDEFFCFGE
0040: 46 46 43 43 4F 45 4C 45 : 46 46 4A 43 4F 45 50 46 | FFCCOELEFFJCOEPF
0050: 43 45 48 43 41 41 41 00 : 00 20 00 01             | CEHCAAA.. ..    

Network Threat.JPG
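To see what the alerted packet actually is, the following parser (added here as an editor's example; it is not code from the thread or from Symantec) rebuilds the frame from the hex dump quoted above and decodes the Ethernet, IPv4, UDP and NetBIOS Name Service headers, including the RFC 1001 first-level name encoding. The bytes are the page's own dump; the NB_SUFFIXES table is a partial list of well-known suffixes and is an assumption of the example rather than anything the alert shows. Parsing the raw bytes gives UDP ports 137/137 and length 58, which matches the alert's Local/Remote Port fields (the "Source port: 23300352" and "Length: 8" lines in the alert's detail view are that view's byte-order artifacts, not what is on the wire).

```python
import struct

# Hex dump copied from the SEP alert quoted in the thread above (the page's own bytes,
# not a constructed sample): an Ethernet/IPv4/UDP frame carrying a NetBIOS Name Service query.
ALERT_DUMP = """\
0000: FF FF FF FF FF FF 00 1C : 25 20 BA 2B 08 00 45 00 | ........% .+..E.
0010: 00 4E 80 40 00 00 80 11 : 9E 14 AC 13 C4 23 AC 13 | .N.@.........#..
0020: FF FF 00 89 00 89 00 3A : C1 A8 86 F2 01 10 00 01 | .......:........
0030: 00 00 00 00 00 00 20 46 : 44 45 46 46 43 46 47 45 | ...... FDEFFCFGE
0040: 46 46 43 43 4F 45 4C 45 : 46 46 4A 43 4F 45 50 46 | FFCCOELEFFJCOEPF
0050: 43 45 48 43 41 41 41 00 : 00 20 00 01             | CEHCAAA.. ..
"""

# Well-known NetBIOS name suffixes (16th byte of the decoded name). Assumption of this
# example: only the suffixes an analyst meets most often are listed.
NB_SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def parse_hex_dump(dump):
    """Turn an 'OFFSET: xx xx .. : xx xx | ascii' dump back into raw bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_part = line.split("|", 1)[0]          # drop the ASCII column
        hex_part = hex_part.split(":", 1)[1]      # drop the offset
        raw.extend(int(tok, 16) for tok in hex_part.replace(":", " ").split())
    return bytes(raw)


def decode_nb_name(encoded):
    """First-level decode (RFC 1001 14.1): each name byte is sent as two letters 'A'..'P'."""
    if len(encoded) != 32:
        raise ValueError("NetBIOS encoded name must be 32 characters")
    out = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - ord("A"), encoded[i + 1] - ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid NetBIOS name encoding")
        out.append((hi << 4) | lo)
    # 15 characters of space-padded name, then one suffix byte naming the service.
    name = out[:15].rstrip(b" ").decode("ascii", errors="replace")
    return name, out[15]


def parse_nbns(payload):
    """Parse the NBNS header and, if present, the first question's name."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    nb = {
        "transaction_id": tid,
        "is_response": bool(flags >> 15),
        "opcode": (flags >> 11) & 0xF,          # 0 = name query
        "recursion_desired": bool((flags >> 8) & 1),
        "broadcast": bool((flags >> 4) & 1),
        "questions": qd,
        "name": None, "suffix": None, "qtype": None,
    }
    if qd:
        label_len = payload[12]
        name, suffix = decode_nb_name(payload[13:13 + label_len])
        end = 13 + label_len + 1                 # skip the 0x00 root label
        qtype, = struct.unpack("!H", payload[end:end + 2])
        nb.update(name=name, suffix=suffix, qtype=qtype)
    return nb


def parse_frame(frame):
    """Parse Ethernet II / IPv4 / UDP headers; hand port-137 payloads to parse_nbns."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = {
        "ttl": frame[22],
        "proto": frame[23],
        "src": ".".join(str(b) for b in frame[26:30]),
        "dst": ".".join(str(b) for b in frame[30:34]),
    }
    if ip["proto"] != 17:
        raise ValueError("not UDP")
    u = 14 + ihl
    sport, dport, ulen, csum = struct.unpack("!HHHH", frame[u:u + 8])
    udp = {"sport": sport, "dport": dport, "length": ulen, "checksum": csum}
    nbns = parse_nbns(frame[u + 8:u + ulen]) if 137 in (sport, dport) else None
    return {"ip": ip, "udp": udp, "nbns": nbns}


def summarize(frame):
    """One-line triage summary of the frame."""
    p = parse_frame(frame)
    nb = p["nbns"]
    if nb is None:
        return f"UDP {p['ip']['src']}:{p['udp']['sport']} -> {p['ip']['dst']}:{p['udp']['dport']}"
    kind = "response" if nb["is_response"] else "query"
    scope = "broadcast" if nb["broadcast"] else "unicast"
    return (f"NBNS {kind} ({scope}) from {p['ip']['src']} to {p['ip']['dst']} "
            f"udp/{p['udp']['sport']}->{p['udp']['dport']}: name {nb['name']}<{nb['suffix']:02X}> "
            f"({NB_SUFFIXES.get(nb['suffix'], 'unknown suffix')})")


if __name__ == "__main__":
    print(summarize(parse_hex_dump(ALERT_DUMP)))
```

Decoded, the frame is a single-question NetBIOS name query, sent with the broadcast flag set to the subnet broadcast address (172.19.255.255), asking for a Workstation Service (<00>) name: routine Windows name resolution on the LAN. What tripped the alert is the first line of the message, the changed ntoskrnl.exe fingerprint after patching, not anything in the packet; that is why ETH0's reply treats it as a Network Application Monitoring setting to tune rather than as network traffic to block.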

Comments (4)

Vikram Kumar-SAV to SEP

 https://www-secure.symantec.com/connect/forums/network-threat-protection-error

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

ETH0

Had the same issue here on Vista machines after the WSUS updates; they were unable to start without unplugging the network cable because of this "feature". You can disable it or add exceptions for specific executables. In SEPM go to "Clients" and click on any of your groups. Then open the "Policies" tab. Click on the third option "Network Application Monitoring". You can switch it off or add an exception for NTOSKRNL.EXE.

SOLUTION
brokenjeep

Excellent, thanks for the quick answers! Just yanked all the updates from SUS until I can test this one. I searched on "ntoskrnl.exe", that's why that thread didn't come up! :) Will verify after..

Thanks again!
Broken

007GIZ

Followed steps. Excellent, thanks for the quick answers!