NT Kernel System Has Changed Message

Created: 09 Jan 2013 • Updated: 10 Feb 2013 | 3 comments
This issue has been solved. See solution.

I recently updated my Windows 7 Enterprise. I now get this message:

NT Kernel System has changed since the last time you used it

C:\Windows\system32\ntoskrnl.exe

I select no to not allow it. This is being detected by Symantec software.

I use Symantec Endpoint Protection Small Business Edition version 12.0.122.192

 

After reading some posts on the internet, it appears that this is a common issue after updating Windows.

Is there any solution to this or should I just select yes and allow the change or continue to select no?

I went into the Network Threat Protection logs and did find this block. I have no idea what it means, and it shows up many times:

1/9/2013 10:14:23 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-1F-D0-81-4C-F2    0    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:13:22 PM    1/9/2013 10:13:22 PM    GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102    

I also find this in the same log a number of times:

1/9/2013 10:22:33 PM    Allowed    10    Outgoing    UDP    192.168.0.255    FF-FF-FF-FF-FF-FF    138    192.168.0.104    00-1F-D0-81-4C-F2    138    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:22:16 PM    1/9/2013 10:22:16 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP    
1/9/2013 10:22:33 PM    Allowed    10    Incoming    UDP    192.168.0.100    00-19-21-EF-5E-13    138    192.168.0.255    FF-FF-FF-FF-FF-FF    138    C:\Windows\system32\ntoskrnl.exe    Tony    Tony-PC    Default    1    1/9/2013 10:21:32 PM    1/9/2013 10:21:32 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP    

 

Any help would be appreciated

 

Ashish-Sharma

Hi,

Are you using an unmanaged SEP client?

Thanks In Advance

Ashish Sharma

 

 

.Brian

It looks to be an IPv6 rule, which is blocked by default in 12.1. You can allow this if you want. Otherwise you can just turn off IPv6 in Windows 7. It's really up to you, but this should not be malicious.

How to disable IP version 6 or its specific components in Windows

http://support.microsoft.com/kb/929852

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
Mithun Sanghavi

Hello,

Check these threads with a similar issue:

https://www-secure.symantec.com/connect/forums/network-threat-protection-ntoskrnlexe-new

https://www-secure.symantec.com/connect/forums/network-threat-protection-9

 

Looks like a Network Application Monitoring message.

Check if - 

Clients > Policies > Location-independent Policies and Settings: Network Application Monitoring > Enable network application monitoring

is turned on. If yes, turn it off or change "When an application change is detected" to "Allow and log".

But you should only do that if you are sure that the alert was really a false positive.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
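
An added example, not part of the original thread or of any Symantec tool: a small Python parser for the Network Threat Protection log lines quoted in the question, which tallies entries by action, protocol and application and annotates the blocked entry with the IPv6 EtherType that the reply about the IPv6 rule refers to. The column names are assumptions inferred from the order of the values in the posted lines.

```python
import re
from collections import Counter

# Column names are ASSUMED from the order of values in the posted lines.
FIELDS = ["time", "action", "severity", "direction", "protocol",
          "remote_host", "remote_mac", "remote_port",
          "local_host", "local_mac", "local_port", "application",
          "user", "domain", "location", "occurrences",
          "begin", "end", "rule"]

# The three log lines from the question, columns separated by runs of spaces.
SAMPLE = r"""
1/9/2013 10:14:23 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-1F-D0-81-4C-F2    0    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:13:22 PM    1/9/2013 10:13:22 PM    GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102
1/9/2013 10:22:33 PM    Allowed    10    Outgoing    UDP    192.168.0.255    FF-FF-FF-FF-FF-FF    138    192.168.0.104    00-1F-D0-81-4C-F2    138    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:22:16 PM    1/9/2013 10:22:16 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
1/9/2013 10:22:33 PM    Allowed    10    Incoming    UDP    192.168.0.100    00-19-21-EF-5E-13    138    192.168.0.255    FF-FF-FF-FF-FF-FF    138    C:\Windows\system32\ntoskrnl.exe    Tony    Tony-PC    Default    1    1/9/2013 10:21:32 PM    1/9/2013 10:21:32 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
"""

def parse_line(line):
    """Split one log line into a dict; return None if it does not fit."""
    # Columns are split on a tab or 2+ spaces, so single spaces inside
    # timestamps and "IPv6 [type=0x86DD]" stay within their field.
    parts = re.split(r"\s{2,}|\t", line.strip())
    if len(parts) != len(FIELDS) or not parts[15].isdigit():
        return None
    rec = dict(zip(FIELDS, parts))
    rec["occurrences"] = int(rec["occurrences"])
    return rec

def summarize(text):
    """Total occurrences per (action, protocol, application file name)."""
    totals = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        app = rec["application"].rsplit("\\", 1)[-1]
        totals[(rec["action"], rec["protocol"], app)] += rec["occurrences"]
    return totals

def describe(rec):
    """Plain-language reading of a record using well-known protocol numbers."""
    notes = []
    m = re.search(r"type=0x([0-9A-Fa-f]{4})", rec["protocol"])
    if m and int(m.group(1), 16) == 0x86DD:
        notes.append("EtherType 0x86DD is IPv6")
    if rec["protocol"] == "UDP" and "138" in (rec["local_port"], rec["remote_port"]):
        notes.append("UDP 138 is the NetBIOS datagram service")
    head = f'{rec["action"]} {rec["direction"].lower()} via {rec["application"]}'
    return head + ": " + "; ".join(notes)

if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE.splitlines())):
        print(describe(rec))
    print(dict(summarize(SAMPLE)))
```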