
Traffic has been blocked from this application (ntoskrnl.exe) SEP11

Created: 13 Aug 2010 • Updated: 07 Oct 2011 | 4 comments
This issue has been solved. See solution.

Major irritation that seems linked to the SEP firewall.
On both XP (x86) and Windows 7 (x64), with SEP11 MP3 and RU5 respectively, we frequently get this annoying popup when the location changes.
Can be reproduced pretty reliably.

Turning off intrusion prevention notifications does not help.
If there is no firewall policy assigned, the popup does not appear, which means the cause is not IPS or locations on their own. It seems to be the application of a set of firewall rules that causes the popup.

We have seen this for about a year now, which is when we first started using the SEP firewall.

Other contributors have seen it for even longer. Please see this closed discussion:
http://www.symantec.com/connect/forums/nt-kernel-amp-system-ntoskrnlexe-blocking-message-repeatedly-appearing

IS THERE HOPE? Possibly - RU6 MP2 includes a fix for this. Testing will show if this popup is banished by the fix or not.

There have also been suggestions about modifying firewall rules, but not sure if anyone has a trick to do this without unintended side effects such as blocking desired traffic or allowing undesired traffic.

4 Comments

Rafeeq's picture

I remember a similar case; you mentioned this happens when location changes?
Your clients are in server mode or mixed mode?

Serengeti's picture

Hi Rafeeq

Clients are in server mode with IP notifications turned off.

We have 3 locations (Default, LAN and VPN).

It has just happened now on my XP desktop, which is always on the Ethernet LAN with no other network connections:
1. Assigned new firewall policies in the SEP console to the Default and VPN locations of my TEST client group
2. Updated policy on the SEP client
3. Location changed to Default (oops! This is another problem we have using DNS Lookup as the criteria, but not the main point here...)
4. Location changed back to LAN (10 sec later)
5. ntoskrnl popup appears

khaskins82's picture

I am fighting this one as well. SEP 11.0.6.550. 4000 clients. Has to do with UDP ports 137, 138. Very annoying to users. The only fix at this point is to uninstall and reinstall SEP. This needs to be fixed.

Serengeti's picture

RU6 MP2 includes a fix for this. Our tests so far have shown this gets rid of the annoying unwanted popup for this particular traffic event. Note that when upgrading from a version pre-RU6a, you need to patch rather than install the RU6 MP2 MSI over the old version.

Symantec Endpoint Protection firewall notifications are no longer displayed when notifications are disabled

Fix ID: 2038728

Symptom: When switching locations quickly, the application blocking notification will display, even though the notification should be suppressed by policy.

Solution: The location tracking code was modified to correctly suppress the notification.
