
NTOSKRNL.EXE errors clogging up Network Threat Protection traffic log

Created: 25 Sep 2008 • Updated: 21 May 2010 | 9 comments
This issue has been solved. See solution.

Hi.

We are getting constant error messages in the Network Threat Protection traffic log on our SEPM server, running Windows 2003 SP2 ENG fully patched, with SEP 11.0.3001.2224.

The balloon tips in the system tray come up with:

####################################

Symantec Endpoint Protection

Traffic has been blocked from this application: (ntoskrnl.exe)

####################################

And the following is logged:

25.09.2008 13:46:55 Blocked 10 Incoming UDP computername.ourdomain.com [10.0.0.70] "HOSTS-MAC-ADDRESS-HERE" 49540 10.0.0.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe Administrator "OUR-AD-DOMAIN" Default 8 25.09.2008 13:45:53 25.09.2008 13:45:53 GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

25.09.2008 13:49:59 Blocked 10 Incoming UDP computername.ourdomain.com [10.0.0.70] "HOSTS-MAC-ADDRESS-HERE" 49547 10.0.0.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe Administrator "OUR-AD-DOMAIN Default" 7 25.09.2008 13:48:57 25.09.2008 13:48:57 GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

The IP causing the block logs is a Mac running OS X 10.5.5, which is integrated into our AD, gets its IP from DHCP, and does not have any Symantec products installed.

Is this just "broadcast-spam" that SEP is blocking?

Is there a known way of unblocking (allowing) this by creating a rule on SEPM?

Cheers

Message Edited by manager on 09-25-2008 02:48 PM
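For triaging traffic-log lines like the two quoted above offline, here is an added Python example (not from the thread and not Symantec code): it splits the log format shown, with the field names assumed from the sample lines since the export has no header row, and separates inbound NetBIOS broadcasts (UDP to a .255 address or the FF-FF-FF-FF-FF-FF MAC on port 137/138) from blocks that deserve a closer look. The third sample line is constructed.

```python
import re
from collections import Counter

# Leading fields of one traffic-log line, in order. The names are assumed
# from the sample lines in the thread; the export has no header row.
FIELDS = ("date", "time", "action", "severity", "direction", "protocol",
          "remote_host", "remote_ip", "remote_mac", "remote_port",
          "local_ip", "local_mac", "local_port", "application")
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
NETBIOS_PORTS = {137, 138}  # NetBIOS name service / datagram service

SAMPLE_LINES = [
    # the two lines quoted in the post
    r'25.09.2008 13:46:55 Blocked 10 Incoming UDP computername.ourdomain.com [10.0.0.70] "HOSTS-MAC-ADDRESS-HERE" 49540 10.0.0.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe Administrator "OUR-AD-DOMAIN" Default 8 25.09.2008 13:45:53 25.09.2008 13:45:53 GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP',
    r'25.09.2008 13:49:59 Blocked 10 Incoming UDP computername.ourdomain.com [10.0.0.70] "HOSTS-MAC-ADDRESS-HERE" 49547 10.0.0.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe Administrator "OUR-AD-DOMAIN Default" 7 25.09.2008 13:48:57 25.09.2008 13:48:57 GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP',
    # constructed: a unicast block that is not broadcast noise
    r'25.09.2008 14:01:10 Blocked 10 Incoming TCP fileserver.ourdomain.com [10.0.0.42] "AA-BB-CC-DD-EE-01" 51000 10.0.0.5 AA-BB-CC-DD-EE-02 445 C:\WINDOWS\system32\ntoskrnl.exe Administrator "OUR-AD-DOMAIN" Default 1 25.09.2008 14:01:10 25.09.2008 14:01:10 CONSTRUCTED-RULE',
]

def parse_traffic_line(line):
    """Return the leading fields of one traffic-log line as a dict."""
    # Values are whitespace-separated, but a quoted value may contain a space
    # ("OUR-AD-DOMAIN Default" in the second sample), so only the fields
    # before that point are addressed by position.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
    if len(tokens) < len(FIELDS):
        raise ValueError("unexpected traffic-log line: %r" % line)
    rec = dict(zip(FIELDS, tokens))
    rec["remote_ip"] = rec["remote_ip"].strip("[]")
    rec["remote_port"] = int(rec["remote_port"])
    rec["local_port"] = int(rec["local_port"])
    return rec

def is_netbios_broadcast(rec):
    """Inbound UDP to a broadcast address on a NetBIOS port."""
    return (rec["direction"] == "Incoming" and rec["protocol"] == "UDP"
            and rec["local_port"] in NETBIOS_PORTS
            and (rec["local_mac"] == BROADCAST_MAC
                 or rec["local_ip"].endswith(".255")))

def summarize(lines):
    """Count broadcast noise per (sender, port); keep the rest for review."""
    noise, review = Counter(), []
    for rec in map(parse_traffic_line, lines):
        if is_netbios_broadcast(rec):
            noise[(rec["remote_ip"], rec["local_port"])] += 1
        else:
            review.append(rec)
    return noise, review
```

Feeding an exported traffic log through summarize() gives one count per chatty sender instead of one alert per packet, which is what you need before deciding whether to tune a rule or simply quiet the sending host.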

Comments (9)

Sandeep Cheema:

It's the IPS over here that's blocking the traffic.

Some more reference: https://forums.symantec.com/syment/board/print?board.id=endpoint_protection11&message.id=16455&page=1&format=page

Login to Manager > Policies > Intrusion Prevention policies

You may choose to exclude the host, or withdraw the policy, or exclude the signature.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

manager:

Thanks for the quick reply.

The host's IP is already in the exclusion list, so why is it being blocked?

Not sure which signature to exclude here; I can't find anything that matches the log output.

Message Edited by manager on 09-25-2008 09:14 PM
Sandeep Cheema:

If the exclusion is already there and it's not being excluded, then the chances are that the policies are not flowing across.

Make some other change, like enabling LiveUpdate or updating the content for the client. Does it still happen?

manager:

Sorry, my bad here.

The server this happens on is the server with SEPM installed; it has the SEP client (MR3) also, but is not managed by SEPM (itself).

There are no options that I can find that can add exclusions to an unmanaged, non-SEPM client.

Is there a way?

On the other hand, the broadcast-spam from OS X machines and some IP printers disappeared from all the other SEPM-managed clients' logs when MR3 was installed. I also turned off some services (IPX, AppleTalk, etc.) on some IP printers to clear the logs.

Citlali:

There's no way to edit intrusion prevention signatures on an unmanaged client. You could export a package for an unmanaged client with the settings you want. It's probably a better idea to have the client on your server managed, though. Just put it in a separate group with separate policies.

SOLUTION
manager:

So it's OK to have SEPM manage the SEP client installed on the same server (itself)?

Citlali:

Absolutely. The only reason I would run a client unmanaged is if it didn't access my network on a somewhat consistent basis, like a laptop or something. Even then, you could always set up location awareness for the laptop. But the client on the SEPM should absolutely be managed. In terms of intrusion prevention, the logs for those detections are actually in the security log under client management.

manager:

Setting the SEP client on the SEPM server as managed actually helped, and removed the incidents from the logs. No settings were changed, and no exclusion lists were necessary. But it helped. No clue as to why, though...

Cheers