Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

traffic blocked from ntoskrnl.exe

Created: 04 Mar 2009 • Updated: 23 Sep 2010 | 13 comments

First of, I can see from a simple google search that this question was answered many times on the old forum.   But trying to read any of the old messages forced me to jump through 30 minutes of hoops to join this "improved" forum.

More to the point:

I have installed SEP11 M4 on a new HP Netbook, running XP Home Edition with SP3.   Now I receive the following warning:

Traffic has been blocked from this application: NTOSKRNL.EXE.

I have seen on other message boards that people merely add that file to the central exceptions list.

Adding NTOSKRNL.EXE to the exceptions list sounds like a very bad idea, considering that just about any malware could call the kernel to do its dirty work.

How does one fix this problem?

Why does this problem even exist on a 4th release of SEP 11?

Comments 13 CommentsJump to latest comment

jeffwichman's picture

You're right you do not want to create an exception for that rule unless you are 100% sure on why it is being blocked.

This really isn't a "problem"... it is likely protecting you as the software was designed too.

I would suggest getting a bit more detail in order to make an informed decision.  Open the SEP client and look at the logs for the Network Threat Protection.  Either the IDS or firewall blocked the traffic.  If you can post the information from the log we can determine why this was being blocked.  

Personally I see a large number of alerts like this from the IDS... every one of them was legit. 

corby's picture

This is for our CEO and she wants this netbook today.   My fix is to uninstall SEP11 and return to SAV10 and install Windows Defender.

I don't have time to screw with this.   It's a brand new, out of the box, netbook and I have removed all the pre-installed crapware.   A 4th release product shouldn't have this kind of issue.

Corby

RAJP's picture

That "error" message has been there since the firewall was Sygate and it is still completely misleading.

Click on Network Threat Protection - Options - Change Settings

Click on the Intrusion Prevention tab

Un-check Display Intrusion Prevention Notifications and  OK everything.

What's happening is someone is trying to connect by NetBIOS to the laptop and the @@#$% error message makes it seem like a process on your computer is trying to get out. You can test this by simply trying to do a \\ceo-laptop\c$ from another computer before and after you uncheck the box.

Ray

Serengeti's picture

"Un-check Display Intrusion Prevention Notifications and  OK everything"
Unfortunately that does not suppress the notifications. At least definitely not on a W7 MR5 client.
Nobody wants those popups as they provide no useful information. Looking into this with Symantec to see if it can be fixed.

ShadowsPapa's picture

Frankly, I find that SEP is doing the right thing - and I don't see any alerts on the computers themselves, just in the logs here in the console, and email alerts if I so choose.
It's protecting some of our more mobile folks who use their own ISP to VPN in, and another who sits at a COLLEGE CAMPUS office and VPNs in - thank goodness HE is running SEP! Evern seen the sort of traffic that goes around on a campus?
Scary.............
I'd never exclude that, in all liklihood, SEP is doing a good job and doing the right thing. (and I'd not take shortcuts on the boss's computer - I'd tell 'em tuff - you need this protection and if I'm responsible for it, this is what it gets, until you say i'm no longer responsible for protection of our computers."

Serengeti's picture

The product needs to leave the customer with the choice. One size does not fit all. Regardless of whether notifications are good or not, the option to disable them does not work properly. If an admin chooses no notifications, then there should be no notifications. Unfortunately this looks like a bug. Our Symantec support friends are trying to reproduce on x64 W7 with MR5, which is where we have seen it.

MIXIT's picture

Corby,

I understand the pressure from a management figure (your CEO) and what that does to the decision making process.  In this case you fell back to a known product that you feel you can rely on not to hassle her.  But I think a different approach needs to be made, and it's not too late for you to make it I think. 

Obviously giving this person attitude isn't going to get you anywhere, but I know from the way your posts are worded that even though you're frustrated with the situation you're not going to assert yourself directly without having a good argument to back it up. 

So in my opinion, you can probably say that after further research you've concluded that you will need to put SEP back on there after all.  This accomplishes two things, it shows your CEO you're actively investigating security concerns - and second, it teaches this CEO (because they do need to be taught) that it is not acceptable to always go with the older version.  You'll never get budgetary approval for new products if the CEO has the mindset that it's ok to stick with older software, especially security software.  Further, will future versions have to be investigated to ensure they don't contain annoying popups?  If they do, what then?  You can't base your product decisions on a CEO's inability to cope with popups, it has to be on the merits of the solution they provide and this has to be the primary impetus behind all decisions - everything else is secondary.  The trick is now tho ensure everything else STAYS secondary.  When the CEO stomps her feet in protest, you need to be prepared to deal with that without compromising your primary objective which is to stay on top of the security game. 

So you have to seek ways to get things done despite these secondary distractions.  For example, if you were to find documentation that shows that SEP can prevent more problems than SAV10 + Defender combined, then you have your backing in case it ever comes down to a debate about why SEP is more important to have.  If your CEO believes that it's a battle between a more effective product and just some popups, she'll hopefully be smart enough to realize security is more important. 

My advice is to approach her with confidence and firmness, but not brashness, and I think any CEO would agree on the merits of security vs. convenience.  Then, you can tell her you found a settings that disables the popups.  Show it to her, and if it DOESN'T work, then you can play the blame game on Symantec and contact support and go through all the motions so your CEO is further impressed with your diligence. 

Or, you can create a regular maintenance schedule, like monthly or quarterly, with her laptop and take that opportunity to sit down with it and get SEP back on there, then explain afterwards why you did it.  But in my opinion, most CEO's will respect you more for the direct approach rather than powering on their laptop one day to find SEP back on there, without explanation. 

You know your situation best of course and my black & white approach obviously isn't going to be right on the mark, but hopefully it helps to have a 3rd person perspective a bit. 

FWIW: 
On my XP systems the problem was easy enough to reproduce (Start > Run, type \\machinename\c$, KVM over to the other box and sure enough there was the little "traffic blocked" message).  And I tested turning off the notifications and that works fine as well.  AGain though, XP here.  I hate Vista and I haven't yet gotten around to W7 testing but soon enough I'm sure I will.  My SEP version is 11.0.780.1109 on all systems.  Since she can't do anything useful about the IPS events anyway, might as well turn off the notification function.  You can review the logs yourself during whatever opportunity you have to get ahold of her laptop (without her hanging over your shoulder, unless she's hot of course). 

Mak Cheetah's picture

I'm facing the same problem, Symantec keeps on blocking "ntoskrnl.exe". I checked with the file properties compared it with an newly installed XP.
I found out, that the creation date in my system was changed from 2004 to 2009, and the file size increased from 2.04MB to 2.07 MB.

I might suppose, this is some kind of virus.

Grant_Hall's picture

 My ntoskrnl.exe on Windows 7 is 3.71 MB. The sudden increase in size seems slightly suspicious but it very well could be an update from Microsoft. If you feel more comfortable please submit the file to Symantec for testing. You can also use some popular online scanning tools that combine Symantec as well as other antivirus engines to scan a file. One such website is http://www.virustotal.com/. If you continue to have further trouble I would ask that you make a new thread on the subject since this one is very old and will most likely be ignored by most in the community.

Cheers
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

Grant_Hall's picture

 Also you can monitor ntoskrnl.exe as a suspicious process using this guide http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/0955a189fe3001268025757d00412193?OpenDocument. This is also a fairly good indicator of whether or not the process is malicious.

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

MIXIT's picture

Thanks Grant for that link, very helpful. 

What I find unusual about this issue is that I can't perceive any actual prevention of anything from happening.  Admittedly I have no idea what ntoskrnl does exactly, other than being the kernel of course, so I'm not sure what portion of system functionality is being blocked. 

Anybody know what's being blocked?  All functions, resource sharing etc. are working fine but as I said I'm not sure what the exe itself actually does over the network. 

jigarp83's picture

Hi i gone through that process and here is the log
this error message comes every 10 minutes

See attached file...

AttachmentSize
3.txt 513.49 KB
Grant_Hall's picture

Hi

Please try not to post on very old threads. It doesn't help answer your questions because most in the community will ignore it. If you are having an issue with ntoskrnl.exe please create a new thread and describe your problem. The more details the better.

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )