Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

Created: 06 Sep 2009 | 13 comments
I did a search and found a similar thread started back in March with no real solution. All of a sudden I keep getting a "blocked traffic" popup message from Symantec Endpoint Protection 11 every couple of minutes or so. I went ahead and did the band-aid for the annoyance by turning off the "notifications" under Network Threat Protection. When I look at the log it is associating the block with some firewall rule labeled GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102. I have no clue what that is or where it comes from, as it isn't listed in any of the rules. I'm running an unmanaged version, so some of the "fixes" proposed by others don't seem to work, as they seem to be for managed clients. Is there any solution to this? It's very annoying and just came out of nowhere. Thanks for any help.

Paul Mapacpac

Hi Mikey, what version of SEP are you using? It is better to upgrade to the latest version, MR4 MP2.

hemu

Check your default firewall rules.

Things are EASY with File Sharing... It makes it easy for viruses also!

Symantec SEP11 STS
Symantec SNAC 11 STS

hemu

Check the NTP logs and find out which firewall rule is blocking it.


Sapta

Hi mikey,

You can try the following:

1) In the UI click View Logs.
2) Click on View Logs corresponding to Client Management.
3) Click on Security Logs.
4) Here click the respective event notification that has occurred and check from which IP it is blocking the traffic.

If it is a local IP in your LAN then you should immediately disconnect the machine whose IP is shown there from the LAN.

Also let us know the exact popup message that is showing in your notification area. If it is "MS RPCSS Attack BO Detected" then you must check the disconnected machine from which the message is coming and deploy the MS08-067 patch from Microsoft. You can get the MS patch from the following link.

www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

mikeynavy1976

Thanks to everyone who has responded. The popup notification basically is "Symantec Endpoint has blocked traffic from the following program: ntoskrnl.exe." I'm in the military, so I'm using the free DoD version of Endpoint Protection (see my original post for the version), which I thought was the most recent. This is an "unmanaged" client, so I haven't seen any options for group policies or anything like that. When I go under "Network Threat Protection" and click "View Logs", the following is the entry: 07-Sep-09 09:32:05 Blocked 10 Incoming UDP 192.168.1.104 00-19-7E-32-63-13 138 192.168.1.255 FF-FF-FF-FF-FF-FF 138 C:\Windows\system32\ntoskrnl.exe Michael McCain McCain-PC Default 1 07-Sep-09 09:31:04 07-Sep-09 09:31:04 GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP. When I backtrace it, it comes up with my girlfriend's computer on the LAN (IP 192.168.1.104). Her laptop is hooked up via wireless. She is also running SEP and all scans are negative. Is there something else going on that I need to change?

Vikram Kumar-SAV to SEP

Ntoskrnl.exe is the file used for file and print sharing.

So all the computers in the network poll on UDP ports 137 and 138 to find computers near them.
So even if you are not using the remote computer for file sharing, you might get this pop-up.
Since on an unmanaged computer the option for Browse File and Print Sharing on the Network is unchecked (turned off), you might be getting this pop-up.
So what you can do is:
Open the SEP interface - under Network Threat Protection - Options - Change Settings - Microsoft Windows Networking - All Network Adapters - check both the boxes below, then one by one select all the adapters and make sure both boxes are checked for all your network adapters in the drop-down.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

Sapta

Hi mikey,

Have you tried the Microsoft patch that I mentioned earlier? It looks like the message you are getting is from the Intrusion Prevention System. So you can deploy the patch and check; it may be caused by a Microsoft vulnerability.

aziza

I have a similar problem. My network protection log shows that my unmanaged SEP11 blocks incoming direction, Ethernet, address 0.0.0.0. What is the address 0.0.0.0?

lacc

Same problem as mikenavy above, same situation (also running unmanaged version 11.0). Tons of error messages, lots of entries in the threat protection log. I've installed the patch and followed other advice in this forum... any more ideas on how to make this annoyance go away? I'm not a super-techie person, so simple replies are most useful! Thanks.

obenourb

These occur about every 10 seconds or so, all the time, and are outgoing. Here is the log entry:

11/1/2009 10:01:57 AM Blocked 3 Outgoing ETHERNET 0.0.0.0 00-1A-A0-51-33-FE 0 0.0.0.0 33-33-00-01-00-02 0  firstname.lastname DOMAIN Default 1 11/1/2009 10:01:39 AM 11/1/2009 10:01:39 AM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102

SEP version is 11.0.2000.1567 and SEP is configured as an unmanaged client.

The computer is on a small home Windows domain behind a firewall connected to a cable modem.

A little research led me to something to do with IPv6, but I couldn't figure out what is occurring and how to stop it. When I look at the ARP table the remote MAC (33-33-00-01-00-02) does not appear.
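Added triage helper, not from this thread or from Symantec: it parses the two log entries quoted above (mikeynavy1976's NetBIOS entry and obenourb's entry) using a column layout assumed from those two lines rather than from Symantec documentation, and labels the NetBIOS broadcast case Vikram describes and the 33-33 MAC obenourb asks about. It also goes one step beyond the thread: a 33-33-xx-xx-xx-xx MAC is the Ethernet mapping of an IPv6 multicast group, which is why it never shows up in the IPv4 ARP table.

```python
import re

# Constructed sample input: the two traffic-log entries quoted in this thread.
SAMPLE_LOG = [
    "07-Sep-09 09:32:05 Blocked 10 Incoming UDP 192.168.1.104 00-19-7E-32-63-13 138 "
    "192.168.1.255 FF-FF-FF-FF-FF-FF 138 C:\\Windows\\system32\\ntoskrnl.exe Michael McCain "
    "McCain-PC Default 1 07-Sep-09 09:31:04 07-Sep-09 09:31:04 GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP",
    "11/1/2009 10:01:57 AM Blocked 3 Outgoing ETHERNET 0.0.0.0 00-1A-A0-51-33-FE 0 0.0.0.0 "
    "33-33-00-01-00-02 0  firstname.lastname DOMAIN Default 1 11/1/2009 10:01:39 AM "
    "11/1/2009 10:01:39 AM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102",
]

# Assumed column layout, inferred only from the two entries above: timestamp, action,
# severity, direction, protocol, two host/MAC/port triples, free text (application,
# user, host, location, count, begin, end), and the rule name last.
MAC = r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"
ENTRY = re.compile(
    r"^(?P<ts>\S+ \S+(?: [AP]M)?) (?P<action>\S+) (?P<severity>\d+) (?P<direction>\S+) "
    r"(?P<proto>\S+) (?P<ip1>\S+) (?P<mac1>" + MAC + r") (?P<port1>\d+) "
    r"(?P<ip2>\S+) (?P<mac2>" + MAC + r") (?P<port2>\d+) .*?(?P<rule>GUI%\S+)$"
)
NETBIOS_PORTS = {"137", "138"}  # NetBIOS name service and datagram service


def classify(line: str) -> str:
    """Return a short triage verdict for one SEP Network Threat Protection log line."""
    m = ENTRY.match(line)
    if not m:
        return "unparsed"
    f = m.groupdict()
    macs = {f["mac1"].upper(), f["mac2"].upper()}
    ips = {f["ip1"], f["ip2"]}
    ports = {f["port1"], f["port2"]}
    # NetBIOS name/datagram traffic to the subnet broadcast: the Windows browse
    # traffic that the thread attributes to file and print sharing.
    if f["proto"] == "UDP" and ports & NETBIOS_PORTS and (
        "FF-FF-FF-FF-FF-FF" in macs or any(ip.endswith(".255") for ip in ips)
    ):
        return "netbios-broadcast"
    # 33-33-... is the Ethernet address for an IPv6 multicast group, so it is
    # never learned via ARP; 33-33-00-01-00-02 is ff02::1:2, the DHCPv6
    # relay/server group a host solicits at startup.
    if any(mac.startswith("33-33-") for mac in macs):
        return "ipv6-multicast"
    return "review"


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), ENTRY.match(entry)["rule"])
```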

Trevor KHS

This is the information that I am getting from Symantec Endpoint Protection 11: traffic from IP address 172.16.87.2 (the server) has been blocked from 10/30/2009 AM to 10/30/2009 PM; an unsolicited incoming ARP reply was detected; this is a kind of MAC spoofing that could consequently harm your computer. I have recently installed SPICE network management software. What could be the problem? I have a network, but it is only happening to a few computers. I did a virus scan on both computers and the server, but nothing has changed.

mandar14

Hi friends,
I have done everything mentioned about website blocking, but I am still not able to block social networking sites. I made every setting in the firewall as well as custom intrusion prevention, but I am not getting the expected result.

thanks