Endpoint Protection

  • 1.  SEP 11 RU5 (MR5) NT Kernel still being blocked

    Posted Sep 24, 2009 03:37 PM
    Hey guys, I just upgraded my clients to SEP 11 MR5 and I am still receiving the constant firewall notifications that warn me that NT Kernel is being blocked. Any solutions yet?


  • 2.  RE: SEP 11 RU5 (MR5) NT Kernel still being blocked

    Posted Sep 24, 2009 03:46 PM
    In other words, the traffic from NTOSKernel is being blocked because it matches some IPS attack signature.

    This is not generally a problem with the product, but is usually an indication that there is something unwanted and undetected running on the machine.

    The computer at the IP address in the balloon message by the system clock needs to be investigated further.


  • 3.  RE: SEP 11 RU5 (MR5) NT Kernel still being blocked

    Posted Sep 24, 2009 03:46 PM

    This could be triggered by either TruScan or Network Threat Protection.

    How to add a TruScan exception:

    Open Symantec Endpoint Protection
    Select Change Settings in the left pane
    Click the Configure Settings button across from Centralized Exceptions
    In the User-Defined Exceptions tab, select Add...
    Select TruScan Proactive Threat Scan Exception
    Browse to C:\WINDOWS\system32\
    Select ntoskrnl.exe
    Choose the desired action from the Action drop down menu
    Note: For testing purposes choose "Log only"
    Click Add
    Close the Centralized Exceptions window.



    If the TruScan exception does not resolve the issue, test by adding a Firewall rule.



    How to add a Firewall rule:

    Open Symantec Endpoint Protection
    Click the Options button across from Network Threat Protection
    Select Configure Firewall Rules...
    Click Add...
    Type in a rule name
    Under Action select Allow this traffic
    Click the Applications tab
    Click Browse...
    Navigate to C:\WINDOWS\system32\
    Select ntoskrnl.exe
    Click Open
    Click OK
    Highlight the rule in the list
    Click the up arrow button to move the rule to the top of the list
    Click OK

    *****************************************************************************************************************************************

    You may try this as well:

    1. Log in to your Symantec Endpoint Protection Manager.
    2. Click on Policies - Intrusion Prevention - edit your Intrusion Prevention policy
    3. Click on Settings
    4. Tick the "Enable excluded hosts" option and click on the Excluded Hosts button to add your IP address (or a range of IP addresses; alternatively you could also use the subnet option).
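
Added example, not part of the original thread and not Symantec tooling: before applying any of the exceptions above, a tally of the blocked ntoskrnl.exe entries shows which remote host (the one post 2 says to investigate) and which ports are involved. The CSV layout, column names and sample rows are constructed assumptions; map them to whatever your client's traffic log export actually contains.

```python
import csv
import io
import ipaddress
from collections import Counter

# Windows file-sharing ports (NetBIOS and SMB).
PORT_NAMES = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB over TCP",
}

# Constructed sample; the column layout is an assumption, not SEP's log format.
SAMPLE_LOG = r"""time,action,application,direction,protocol,remote_ip,local_port
2009-11-23 19:02:11,Blocked,C:\WINDOWS\system32\ntoskrnl.exe,Incoming,UDP,192.168.1.23,137
2009-11-23 19:02:12,Blocked,C:\WINDOWS\system32\ntoskrnl.exe,Incoming,UDP,192.168.1.23,137
2009-11-23 19:02:15,Blocked,C:\WINDOWS\system32\ntoskrnl.exe,Incoming,UDP,192.168.1.23,138
2009-11-23 19:03:40,Allowed,C:\WINDOWS\system32\svchost.exe,Outgoing,UDP,192.168.1.1,53
2009-11-23 19:05:02,Blocked,C:\WINDOWS\system32\ntoskrnl.exe,Incoming,TCP,192.168.1.23,445
2009-11-23 19:05:03,Blocked,C:\WINDOWS\system32\ntoskrnl.exe,Incoming,TCP,192.168.1.23,445
2009-11-23 19:06:10,Blocked,C:\WINDOWS\system32\ntoskrnl.exe,Incoming,UDP,192.168.1.23,137
2009-11-23 19:07:30,Blocked,C:\WINDOWS\system32\ntoskrnl.exe,Incoming,UDP,unknown,137
"""

def summarize_blocked(log_text, app="ntoskrnl.exe"):
    """Count blocked entries for `app` per remote host, protocol and local port."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        exe = row["application"].rsplit("\\", 1)[-1].lower()  # file name only
        if row["action"].lower() != "blocked" or exe != app.lower():
            continue
        try:
            ip = ipaddress.ip_address(row["remote_ip"].strip())
            port = int(row["local_port"])
        except ValueError:
            continue  # skip malformed rows instead of aborting the triage
        counts[(ip, row["protocol"].upper(), port)] += 1
    return [
        {"remote_ip": str(ip), "protocol": proto, "local_port": port,
         "service": PORT_NAMES.get((proto, port), "unknown"),
         "private_address": ip.is_private, "count": n}
        for (ip, proto, port), n in counts.most_common()
    ]

if __name__ == "__main__":
    for entry in summarize_blocked(SAMPLE_LOG):
        print(entry)
```

The most frequent host and port combination comes first, which gives a concrete address to investigate and a narrower scope for any rule than the whole executable.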


  • 4.  RE: SEP 11 RU5 (MR5) NT Kernel still being blocked

    Posted Sep 25, 2009 12:58 PM
    Many people are having this issue. Is there no solution for this annoying notification?


  • 5.  RE: SEP 11 RU5 (MR5) NT Kernel still being blocked

    Posted Sep 28, 2009 02:42 PM
    I have found the solution. I have created a firewall policy that allows ntoskrnl.exe.


  • 6.  RE: SEP 11 RU5 (MR5) NT Kernel still being blocked

    Posted Nov 23, 2009 02:30 PM
    I have SEP11 MR5 running on my Dell D620 laptop (XP SP3) at home and every single time I open up my MacBooks (10.4.11 and 10.5.8) I get the same notification!!
    If my Macs are sleeping or off - I never receive any error. Ever!
    Do you OR are you guys running on a network (or VLAN) with Macs? This is one reason why it is happening.
    NOW - do I know what the MacBooks are trying to do? Not exactly, still working on that. I'm thinking that the Macs are trying to communicate with the Windows box (somehow). Maybe trying to see who is the Master browser on that network... (I don't know, pulling stuff out of the air...).

    What do you guys think??
    -B


  • 7.  RE: SEP 11 RU5 (MR5) NT Kernel still being blocked

    Posted Dec 19, 2009 01:17 PM
    So now the question is why hasn't Endpoint found the potentially dangerous file and dealt with it?


  • 8.  RE: SEP 11 RU5 (MR5) NT Kernel still being blocked

    Posted Apr 22, 2010 09:35 AM
    Hello Everyone,

    ntoskrnl.exe is a critical process in the boot-up cycle of your computer, although it should never appear in WinTasks under normal circumstances. Note: ntoskrnl.exe can be altered by the w32.bolzano and variants. If this process appears in WinTasks, please update your virus definitions immediately.

    Source: http://www.processlibrary.com/directory/files/ntoskrnl/

    Regards,