
SEP blocking traffic from NTOSKRNL?

Created: 20 Nov 2007 • Updated: 21 May 2010 | 13 comments
DarkHorseSki's picture

"Traffic has been blocked from this application: NT Kernel & System (ntoskrnl.exe)" is the message I have started to receive, continually, today. What could be prompting this behavior? Why wouldn't this part of the OS be simply protected but given free rein to run?

13 Comments

JohnL's picture
Hello,

Did you include Network Threat Protection as part of the feature set you installed? If so, you'll want to disable the firewall policy if you have not modified it to your environment.

Hope this helps.
DarkHorseSki's picture

The problem is that this only occurs at one of my clients. This does not happen on my home network nor at several other locations. What possibly could be happening from the outside to cause this behavior which SEP thinks is happening in the base OS kernel?

Vikram Kumar-SAV to SEP's picture
Have you tried creating a firewall rule to allow ntoskrnl.exe?
You might be getting this pop-up when anybody on your network is trying to access files on your computer on port 138 or 139.
Check the logs in the Symantec Endpoint Protection console? You might get some more information in the logs.
Message Edited by SAV to SEP on 11-21-2007 07:20 PM

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

DarkHorseSki's picture

I have checked the logs and they give me no information.

I note that another person posted about this same topic recently; this is definitely behavior that should not be occurring. Either there is a real problem and the message we are getting is bad, or this is a false positive that should not be reported. I don't wish to just give the .exe in question free rein, if there is a problem, but maybe somebody can tell me exactly what to filter for in order to debug this more accurately.

Vikram Kumar-SAV to SEP's picture
The Network Threat Protection component of SEP 11.0 is from Sygate, and this error message was a known issue that Sygate was still working on. So I think even Symantec hasn't fixed the issue yet.


Vikram Kumar-SAV to SEP's picture
Open Endpoint Protection, select View Logs, then in the Network Threat Protection section select Traffic Logs.
There you must have some entries for blocked ports, remote and local 137 and 138, for ntoskrnl.exe.
These ports are used for Windows file and printer sharing.
But the one thing even I am not sure of is the connection between ntoskrnl.exe and file and printer sharing.


DarkHorseSki's picture

Upon further review, this message happens when the firewall properly blocks access to TCP port 139. I'm fine with the blocking (as I do not share from this box); however, I am not fine with the constant alerting for this particular attack. I am even less fine with the actual message. The message should be smart enough to report that the firewall blocked an attempt to access local file and print sharing.

L-ski
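The two posts above locate the alert in the Traffic log as blocked inbound hits on the Windows file-sharing ports (137/138/139) attributed to ntoskrnl.exe. The following is an added example, not code from the thread or from Symantec: it parses a constructed, simplified traffic-log layout (the field order is an assumption, not SEP's real export format) and groups the ntoskrnl.exe blocks per remote host, so a defender can tell one chatty LAN peer browsing shares from hits on other ports or from many distinct sources that deserve a closer look.

```python
from collections import Counter, defaultdict

# Constructed sample lines in an assumed pipe-separated layout:
# time|action|direction|application|proto|local_port|remote_ip|remote_port
SAMPLE_LOG = """\
2007-11-20 09:01:12|Blocked|Inbound|ntoskrnl.exe|TCP|139|192.168.1.50|1427
2007-11-20 09:01:15|Blocked|Inbound|ntoskrnl.exe|UDP|137|192.168.1.50|137
2007-11-20 09:02:03|Blocked|Inbound|ntoskrnl.exe|TCP|139|192.168.1.50|1431
2007-11-20 09:02:44|Blocked|Inbound|ntoskrnl.exe|UDP|138|192.168.1.77|138
2007-11-20 09:03:10|Allowed|Outbound|firefox.exe|TCP|3045|203.0.113.9|80
2007-11-20 09:03:30|Blocked|Inbound|ntoskrnl.exe|TCP|445|10.0.0.12|2201
"""

# NetBIOS name/datagram/session ports named in the thread, plus SMB-direct 445.
BROWSE_PORTS = {137, 138, 139}
SMB_DIRECT_PORT = 445

def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit the layout."""
    fields = line.strip().split("|")
    if len(fields) != 8:
        return None
    t, action, direction, app, proto, lport, rip, rport = fields
    return {"time": t, "action": action, "direction": direction, "app": app,
            "proto": proto, "local_port": int(lport),
            "remote_ip": rip, "remote_port": int(rport)}

def summarize_ntoskrnl_blocks(log_text):
    """Map remote_ip -> {local_port: count} for blocked inbound ntoskrnl.exe traffic."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["app"].lower() == "ntoskrnl.exe" and rec["action"] == "Blocked"
                and rec["direction"] == "Inbound"
                and rec["local_port"] in BROWSE_PORTS | {SMB_DIRECT_PORT}):
            per_host[rec["remote_ip"]][rec["local_port"]] += 1
    return {ip: dict(c) for ip, c in per_host.items()}

def triage(summary):
    """Label each host: 'lan-browse' when it only touched 137/138/139, else 'review'."""
    return {ip: ("lan-browse" if set(ports) <= BROWSE_PORTS else "review")
            for ip, ports in summary.items()}

if __name__ == "__main__":
    s = summarize_ntoskrnl_blocks(SAMPLE_LOG)
    for ip, verdict in triage(s).items():
        print(f"{ip}: {sum(s[ip].values())} blocks on ports {sorted(s[ip])} -> {verdict}")
```

Hosts labelled lan-browse are the ordinary file-and-print browsing noise the thread describes; a review verdict or a large number of distinct source addresses is what to escalate rather than silence.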

Whats Wrong With My PC's picture

Has anyone considered the possibility of a worm? The same day that I started receiving this message I also got a strange pop-up saying that Windows will restart in one minute (no countdown timer). I didn't click any buttons on it. I right-clicked on the taskbar and closed it, but my system still restarted. I've only had that happen twice within 3 weeks, but to me it seems kinda similar to the Blaster worm.

kamgol's picture

This seems rather odd to me that it's been going on for over 2 years and Symantec has not posted any solution to this! I have just upgraded to SEP 11 MR4 (unmanaged), and I still get these messages. I've had this issue since MR1.

There must be a way to disable these messages from popping up over and over again. I get at least 30 - 40 of these messages per day. In fact, I just got one while composing this post.

SYMANTEC SUPPORT - PLEASE PROVIDE A SOLUTION FOR THIS!

Thanks.

Citlali's picture

It's intrusion prevention blocking something. What it's blocking will depend on the SID that is reported in the logs. Go to View Logs > Client Management > Security Logs.

OvidiuS's picture

I had the same problem yesterday and (in my case at least) it seems that this was caused by a definitions update bug. More specifically - after update, "Share my files and printers with others in the network" checkbox was unchecked for local network adapters (on "all network adapters" may appear grey-checked if you have multiple adapters). After enabling "Share my files..." (on Network Threat Protection Settings --> Microsoft Windows Networking) for local network adapters everything returned to normal.

(using SEP v.11.0.4000.2295)

tomm's picture

In SEPM go to the Client - Policies tab.
Under 'Location-Independent Policies and Settings' click on 'Network Application Monitoring'.
In here, add ntoskrnl.exe to the 'Unmonitored Application List'.