SEP11 miraculously blocking inbound traffic

Created: 27 Nov 2012 | 5 comments

Hi everybody

This might be somewhat obvious to some, but I actually don't seem to find the reason. Searching the KB and community didn't come up with really helpful stuff.

So I am so keen to ask ...

Here's a description of the configuration:

I got two locations - External and Internal (Basel).
External has got a full policy set attached to it, while Internal does not have a FW-policy. You can see this in the screenshot below:

The locations get determined by IP address and DNS lookups, whereby a client with 10.1.X.X and a successful lookup is located in the "Internal" network.
Well - I got internal clients blocking incoming traffic on ports 137, 139 and 445, which does not make any sense to me, because:

  1. The affected client(s) are located in the "Internal" network
  2. There is no FW-policy attached to the "Internal" network
  3. I am not aware that the IP-policy would block this kind of traffic

Below there's a screenshot of one blocking-event.

Now - *What* is actually causing this and *how* to get this fixed?

I am thankful for hints :)

Feel free to ask further questions.

flutti's picture

Hi, we're currently using SEP11 RU5. I am very aware that this is not a recent version.
How can it be that the above described issue did not appear over the past years?

We already have a SEP12 backend in place, but we will not migrate current XP clients to SEP12, since the SEP12 infrastructure is only used with W7.

Ashish-Sharma's picture

Hi,

Maybe this issue will be resolved after upgrading the old SEP client.

Try upgrading the SEP client that has the issue and check.

Thanks In Advance

Ashish Sharma

flutti's picture

Well ... Since this is not really realistic in our environment (frozen due to federal certification), there is only one thing left:

Which component is causing the issue? As far as I see the Firewall is causing this. Is this correct?
The question is WHY? This component has no policy and is still blocking traffic? How on earth is this possible?

Ashish-Sharma's picture

Hi,

Have you checked these comments?

Ntoskrnl.exe is the file used for file and print sharing.

So all the computers in the network poll on UDP ports 137, 138 to find computers near them.
So even if you are not using the remote computer for file sharing, you might get this pop-up.
Since on an unmanaged computer the option for Browse File and Print sharing on the Network is unchecked (turned off),
you might be getting this pop-up.
So what you can do is:
Open SEP Interface - under Network Threat Protection - Options - Change Settings - Microsoft Windows Networking - All network Adapters - check both the boxes below, then one by one select all the adapters and make sure both the boxes are checked for all your network adapters in the drop-down.
 

Checked these forums.

https://www-secure.symantec.com/connect/forums/symantec-endpoint-protection-110420275-blocked-traffic-ntoskrnlexehelp

https://www-secure.symantec.com/connect/forums/nt-kernel-amp-system-ntoskrnlexe-blocking-message-repeatedly-appearing

Thanks In Advance

Ashish Sharma