
NT Kernel & System (ntoskrnl.exe) blocking message repeatedly appearing...

Created: 12 Nov 2007 • Updated: 21 May 2010 | 23 comments

What does the following mean and how can I keep it from continually popping up:

"Symantec Endpoint Protection
Traffic has been blocked from this application: NT Kernel & System (ntoskrnl.exe)"

It's coming from Symantec Endpoint Protection 11.0 on Windows XP SP2.

Thanks in advance for any help,
Ned Grubb
ngrubb@draffin-tucker.com


Carsten Hoffmann:

Have you modified the default FW policies?

Carsten
Ned Grubb:

I apologize.  I have indeed.  I removed the checkbox from "Allow RDP" since we do not use Remote Desktop.  I have placed the check back and assume that the messages will go away.

Thanks,
Ned

Update:  Actually, they haven't gone away...



Message Edited by Ned Grubb on 11-12-2007 01:47 PM

Message Edited by Ned Grubb on 11-12-2007 01:49 PM

allenkt:

I have the same problem on my Vista Business laptop.  I didn't change any policies but I did install updates from Lenovo.  I don't remember any of them having anything to do with sharing though but ever since I updated I get that message every 20 seconds or so.

DTS:

I have gone with the default settings on my test system (Windows XP SP2) and I have the same problem: every few minutes or so I get the popup warning (ntoskrnl.exe).  At least I turned the sound alert off.
Ned Grubb:

An uninstall, reboot, and "typical" re-installation fixed my problem.  After it was re-installed I didn't monkey with any of the settings and left things "as-is."

Hope that helps somebody,
Ned Grubb

DTS:

Yes, the uninstall, reboot, reinstall worked, almost.  It did fix my message popup problem; however, I lost my Exchange client protection, so I had to do an install, modify, and add Exchange client protection back in, and everything seems to be OK.  Of course this is my test system; hopefully I will not have to do this process on each install.  Maybe I should wait until 11.1...
DarkHorseSki:

You might note that I reported this problem a while back with no real answer.

Crackersplace:

I am seeing the same error.  I had a machine all set up and running fine, but then the Windows automatic updates kicked in and rebooted the PC.  The machine then would allow you to log in, and then the screen would be blank; no icons ever appeared and the machine was locked.  I found that unplugging the network cable will allow her to log in, and then I plugged her in after boot up.  I then let it do the rest of the updates and, well, I received the ntoskrnl.exe error.  My updates are now hung.

I had this happen on another computer as well, but I uninstalled our previous antivirus and installed Endpoint.  It then did the same thing where it would log in and never pull up the desktop.  I placed the hard drive into another machine (did not have the network plugged in) and it worked.  I realized that it was the network connection that worked, and not switching the hardware.

So if your desktop is not coming up, try unplugging your network connection.  If I find out more I'll post more..



Message Edited by Crackersplace on 12-10-2007 12:30 PM

Message Edited by Crackersplace on 12-10-2007 12:32 PM

AaronMS:

Symantec Support? Hello!?

I'm having the same issue here with the ntoskrnl.exe traffic blocked message. I'm testing this product to see if it's going to work on our network of about 3,000 machines; you MIGHT want to fix this issue if you desire corporate environments to use your product, it's KIND of important. Just a suggestion though.

XP Pro SP2
SEP 11.0.780.1109 - Current Definitions (March 04, 2008 r41)
pbogu:

@AaronMS

I'm not Symantec Support, but first thing I would try is upgrading to MR1 11.0.1000.1375 or wait until MR2 (ETA 21st March)

sedlerj1:
I am already at v. 11.0.1000.1375 and had this happen yesterday.  I was getting the message from both ntoskrnl.exe and svchost.exe.  I was using the default FW policy and the rule that was enabled causing this was "Block all other traffic."  Once I disabled it, those messages stopped.
 
I don't know how I feel now that that rule is off (and what it could be allowing in), but it did stop the ntoskrnl.exe and svchost.exe messages from displaying.  And thankfully this was just on a test system.
SKlassen:
As things currently stand, the default FW policies do not allow all possible traffic that people may want to allow.  They are a guideline and are meant to be tweaked and customized to your unique environment.
 
What you need to do is create your own rules to allow the traffic and services you need and order them in the rule set to be above the block all else rule, then you can re-enable that rule.
 
I remember when XP SP2 first came out with the firewall feature added.  When I first enabled it, I got hit with quite a few of the "would you like to allow an exception" dialogs. 
 
The difference here being that in a managed environment with SEP/SEPM, the admin has to create the firewall rules in policy on the SEPM server.
Crackersplace:

I disabled the network threat and have not yet seen the issue here.  I may slowly enable portions of it and see which part causes the issue, but so far we are good here.

Since we have gone with Endpoint I have only had 3 different issues.  Like you said, comparing it to Windows SP2, we eventually work the bugs out.

Melissa
JDDAVIS 2:

I still don't consider disabling the Network Threat Protection as a good viable solution. I've seen this issue show up again and again on threads without any real concrete solution. I am now on the latest build (MR2) and still get this error. Some forums suggest that this is a legacy issue from the Sygate acquisition and has never really gone away.

Just for the record, I'm running Windows Vista.

I'd like to see Symantec address this issue properly and identify the exact root cause and specific permanent solution.

James

UnmanagedPerson:

Hi,
When you're creating your package in the firewall policy you need to change the option to "ASK" for any application.
This way your applications are only permitted if you select yes. My scenario is for an unmanaged client.

I'm still using the initial release since MR1 was hit and miss, and MR2 I haven't had time to test yet. I asked the question whether the unmanaged client was better but got no response.

Every now and then if you reboot you might lose your Application list..

tramp21:

Quote:  Every now and then if you reboot you might lose your Application list..

I have this annoying "feature" after almost every boot.
I can reproduce this behavior simply by restarting the SMCService.

virusgirl:

I too was seeing the notices; here is the resolution.

1. SEP Manager
2. Clients
3. Select your group
4. Click the Policies tab
5. Expand the section Location-specific Settings (insert your location name here)
6. Edit the Client User Interface Control Settings (we are using mixed control)
7. Under Mixed Control, select Customize
8. At the very bottom, under Show/Hide Intrusion Prevention Notifications, set to Server Control
9. Select the Client User Interface Settings tab
10. Uncheck the box to display Intrusion Prevention Notifications

sabo-fx:

Thank you very very much 'virusgirl'!!

Finally someone that seems to have actually solved the issue!

Reading through the later posts in this forum, it appears that other users didn't notice that you figured it out!

Best regards!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Joost Kuin
System Admin / Developer / Office Security
Business Systems & Platforms
Online Breedband BV
The Netherlands
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sandeep Cheema:

"Blocked messages" in the taskbar are from the Intrusion Prevention.

To check which rule is blocking it, you would have to visit the firewall log.

If it's the "block_all" rule, then this is not visible but an integral component.

If it's affecting the connectivity or functionality, create a rule in the firewall with the allow condition to counter the blocked one; the things that could be included in the rule are the protocol, IP (remote and local) and port, which are available from the logs.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

ACW-Matt:

Getting A LOT of complaints of these pop ups from NTOSKRNL.EXE and SVCHOST.EXE.  I'm stumped.  I know if I disable the BLOCK ALL TRAFFIC rule this will go away.  Obviously that is not an option.

XP SP2, SEP11 MR3, Intrusion Detection Notification has been disabled.

Notable:

- 13. BLOCK ALL TRAFFIC rule - enabled.
- 11. ALLOW ALL OTHER IP TRAFFIC rule - disabled.
--blue line--
- 8. ALLOW ALL LAN TRAFFIC rule that permits ANY kind of traffic to/from any of our internal subnets - enabled (each subnet specified in the rule)
- 7. ALLOW INTERNET EXPLORER rule that permits IEXPLORE.EXE to do whatever it wants - enabled (until I created this rule, the user received pop ups for IE; it was blocked as well)
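The following Python is an added illustration of the point SKlassen makes above (allow rules have to sit above the block-all rule, which is evaluated last) using the rule numbers and names from ACW-Matt's list; it is not Symantec code and not something posted in this thread. The firewall is modelled as a first-match table evaluated from the lowest rule number down. The internal subnets, the application names in the sample traffic and the traffic itself are constructed for the example; the SEP client's real matching fields (protocol, port, schedule, adapter) are left out.

```python
"""First-match firewall rule table, in the style of the SEP rule list.

Added example (not Symantec's code): shows why ntoskrnl.exe / svchost.exe
traffic surfaces as "Traffic has been blocked" until an allow rule is placed
above the BLOCK ALL TRAFFIC rule, and what happens when block-all is disabled.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int                                  # position in the table; lower is evaluated first
    name: str
    action: str                                  # "allow" or "block"
    enabled: bool = True
    application: Optional[str] = None            # None means "any application"
    remote_networks: List[str] = field(default_factory=list)  # empty means "any remote host"

    def matches(self, app: str, remote_ip: str) -> bool:
        """A disabled rule never matches; otherwise every specified field must match."""
        if not self.enabled:
            return False
        if self.application is not None and self.application.lower() != app.lower():
            return False
        if self.remote_networks:
            ip = ip_address(remote_ip)
            if not any(ip in ip_network(net) for net in self.remote_networks):
                return False
        return True


def evaluate(rules: List[Rule], app: str, remote_ip: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (action, rule_number) of the first enabled rule that matches.

    (None, None) means the traffic fell off the end of the table without
    matching anything, which is the state sedlerj1 described after disabling
    the block-all rule: nothing blocks it, but nothing explicitly allows it either.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(app, remote_ip):
            return rule.action, rule.number
    return None, None


# Constructed stand-ins for "any of our internal subnets" (hypothetical values).
INTERNAL_SUBNETS = ["10.0.0.0/8", "192.168.0.0/16"]


def build_rules(allow_lan: bool = True, block_all: bool = True) -> List[Rule]:
    """The four rules from ACW-Matt's list; the two flags let us toggle rules 8 and 13."""
    return [
        Rule(7, "ALLOW INTERNET EXPLORER", "allow", application="iexplore.exe"),
        Rule(8, "ALLOW ALL LAN TRAFFIC", "allow", enabled=allow_lan,
             remote_networks=INTERNAL_SUBNETS),
        Rule(11, "ALLOW ALL OTHER IP TRAFFIC", "allow", enabled=False),
        Rule(13, "BLOCK ALL TRAFFIC", "block", enabled=block_all),
    ]


# Constructed sample of kernel / service-host traffic (application, remote IP).
SAMPLE_TRAFFIC = [
    ("ntoskrnl.exe", "10.1.2.3"),      # e.g. SMB/RPC to an internal file server
    ("svchost.exe", "192.168.1.10"),   # e.g. an internal DNS server / domain controller
    ("ntoskrnl.exe", "203.0.113.5"),   # an Internet host (documentation range)
    ("iexplore.exe", "203.0.113.5"),
]


def blocked_events(rules: List[Rule], traffic=SAMPLE_TRAFFIC) -> List[Tuple[str, str, int]]:
    """The (app, remote_ip, rule_number) triples that would produce a 'blocked' popup."""
    events = []
    for app, ip in traffic:
        action, number = evaluate(rules, app, ip)
        if action == "block":
            events.append((app, ip, number))
    return events


if __name__ == "__main__":
    print("LAN allow rule missing:  ", blocked_events(build_rules(allow_lan=False)))
    print("LAN allow rule above 13: ", blocked_events(build_rules()))
    print("block-all disabled:      ", blocked_events(build_rules(block_all=False)))
```

With rule 8 disabled, every kernel and service-host flow, internal or not, reaches rule 13 and shows up as a blocked event; with rule 8 enabled above it, only the Internet-bound ntoskrnl.exe flow is still blocked, which is the one you would then examine in the firewall log before deciding whether it deserves its own allow rule. Disabling rule 13 silences everything, but only because unmatched traffic is no longer decided by any rule.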

jeffwichman:

Check your IDS logs.  I have seen blocks for these specific items many times.

FYI... go directly into the database for the easiest view.  You'll want to look at the dbo_AGENT_SECURITY_LOG_1.  Dump all the fields in that table to an Excel spreadsheet and sort on the APP_NAME field.  For the ntoskrnl.exe I normally see the following hits:

SID 20615: MSRPC Malicious LSASS DS Request BO
SID 20409: MS ASN1 Integer Overflow TCP
Good Luck

ComputerFlake:

We had this same problem (as well as a TON of other problems that Symantec couldn't fix no matter how many MRs they released!) and we fixed it by removing SEP and installing Trend Worry-Free Advanced. Now no more popups! And no more broken OMA on the server, no more hardlocks in the middle of the day because of the firewall component that interfaces with the server network card, etc. And what they did to Veritas is just criminal.