Endpoint Protection

  • 1.  Traffic has been blocked from NTOSKRNL.EXE

    Posted Aug 20, 2014 04:44 AM

    Hello. I'm a Symantec Endpoint Protection user. Recently, I have frequently been receiving pop-up messages saying "Traffic has been blocked from NTOSKRNL.EXE". It is really annoying, and I want to figure out the reason before I edit the rules. I don't want to make my system unsafe.

    The IP is not traceable.

     

    My SEP version is 12.3.4.4.

     



  • 2.  RE: Traffic has been blocked from NTOSKRNL.EXE



  • 3.  RE: Traffic has been blocked from NTOSKRNL.EXE

    Trusted Advisor
    Posted Aug 20, 2014 07:15 AM

    If this is a recognised program your company uses, try submitting it to Symantec using the link below, where they will check it and add it to their whitelist. Once added, they will try to get the alert removed in their next set of definitions.

    https://submit.symantec.com/whitelist/ 

    If it's trying to reach anywhere malicious, Symantec will even send you a report of where it is trying to contact.



  • 4.  RE: Traffic has been blocked from NTOSKRNL.EXE

    Posted Aug 20, 2014 07:51 AM

    This is blocking IPv6 traffic. If you don't use IPv6, you can turn it off, see here:

    http://support.microsoft.com/kb/929852



  • 5.  RE: Traffic has been blocked from NTOSKRNL.EXE

    Posted Aug 20, 2014 09:46 AM

    We were experiencing a similar problem. It is due to Symantec’s partial support of IPv6; you cannot specify any type of range for IPv6, so you cannot distinguish between local and remote network traffic. I had to change some of the rules to allow All Hosts for things like ICMP and LLMNR. I was OK with doing this as I have a firewall device blocking all that from the outside. It was just my internal computers causing the popups.

    I noticed issues with connecting to some Google services if I completely disabled IPv6. You might try the option that tells Windows computers to prefer the IPv4 address rather than disabling it altogether. The instructions are in the same KB article that .Brian recommended.

    Hope this helps  
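
Added example, not part of the original posts and not Symantec's tooling: because the firewall rules discussed above cannot take an IPv6 range, this Python script classifies the remote address shown in an alert as on-link, internal, or routable, which is the local-versus-remote distinction the rule itself cannot make. The sample addresses are constructed, and the names `classify` and `triage` are hypothetical.

```python
import ipaddress

# Well-known link-local multicast groups (IANA assignments).
KNOWN_GROUPS = {
    "ff02::1": "all-nodes (ICMPv6 neighbor discovery)",
    "ff02::2": "all-routers (ICMPv6 router solicitation)",
    "ff02::16": "MLDv2 reports",
    "ff02::fb": "mDNS",
    "ff02::1:2": "DHCPv6 servers/relays",
    "ff02::1:3": "LLMNR",
}
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
MCAST_SCOPES = {1: "interface-local", 2: "link-local", 5: "site-local", 8: "organization-local", 14: "global"}

def classify(addr_text):
    """Return (reach, note) for an IPv6 address taken from a firewall alert."""
    addr = ipaddress.IPv6Address(addr_text.split("%")[0])  # drop a zone id such as %11
    if addr.is_multicast:
        nibble = addr.packed[1] & 0x0F  # low 4 bits of the second byte are the scope
        scope = MCAST_SCOPES.get(nibble, "other-scope")
        if addr in SOLICITED_NODE:
            note = "solicited-node (ICMPv6 neighbor discovery)"
        else:
            note = KNOWN_GROUPS.get(str(addr), "multicast group")
        return ("on-link" if nibble <= 2 else "routable", f"{scope} multicast: {note}")
    if addr.is_link_local:
        return ("on-link", "fe80::/10 unicast, not forwarded by routers")
    if addr.is_loopback or addr.is_unspecified:
        return ("on-link", "loopback or unspecified address")
    if addr in UNIQUE_LOCAL:
        return ("internal", "unique local address (RFC 4193)")
    return ("routable", "global unicast, treat as potentially remote")

# Constructed sample addresses, not taken from the thread.
SAMPLES = ["fe80::1c2d:3e4f:5a6b:7c8d%11", "ff02::1:3", "ff02::1:ff6b:7c8d", "fd12:3456:789a::10", "2001:db8::25"]

def triage(addresses):
    """Map each address to its (reach, note) classification."""
    return {a: classify(a) for a in addresses}

if __name__ == "__main__":
    for a, (reach, note) in triage(SAMPLES).items():
        print(f"{a:32} {reach:9} {note}")
```

Alerts whose remote address comes back as on-link are neighbor discovery, LLMNR and similar same-segment chatter; a routable result is the case where an "All Hosts" allow rule would also admit traffic from outside the local network.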



  • 6.  RE: Traffic has been blocked from NTOSKRNL.EXE

    Posted Aug 20, 2014 07:08 PM

    I don't know which program is using it. That's the problem.



  • 7.  RE: Traffic has been blocked from NTOSKRNL.EXE

    Posted Aug 20, 2014 07:09 PM

    I have seen this post before. But it cannot help me solve the problem. And I don't know how to see the SID.



  • 8.  RE: Traffic has been blocked from NTOSKRNL.EXE

    Posted Aug 20, 2014 07:13 PM

    Thanks. This seems to be the issue.



  • 9.  RE: Traffic has been blocked from NTOSKRNL.EXE

    Posted Aug 20, 2014 07:15 PM

    Thank you. I will try to block IPv6 to see what will happen.