Endpoint Encryption

 View Only

  • 1.  Traffic has been blocked from this application (ntoskrnl .exe) SEP11

    Posted Aug 13, 2010 12:10 PM
    major irritation that seems linked to the SEP firewall
    on both XP (x86) and Windows 7 (x64) with SEP11 MP3 and RU5 respectively we frequently get this annoying popup when the location changes.
    Can be reproduced pretty reliably.

    Turning off intrustion prevention notifications notifications does not help.
    If there is no firewall policy assigned, the popup does not appear, which means the cause is not IPS or locations on their own. It seems to be teh application of a set of firewall rules causes the popup.

    We have seen this since about a year now, which is when we first started using the SEP firewall.

    Other contributors have seen it for even longer. Please see this closed discussion:
    http://www.symantec.com/connect/forums/nt-kernel-amp-system-ntoskrnlexe-blocking-message-repeatedly-appearing

    IS THERE HOPE? Possibly - RU6 MP2 includes a fix for this. Testing will show if this popup is banished by the fix or not.

    There have also been suggestions about modifying firewall rules, but not sure if anyone has a trick to do this without unintended side effects such as blocking desired traffic or allowing undesired traffic.


  • 2.  RE: Traffic has been blocked from this application (ntoskrnl .exe) SEP11

    Posted Aug 13, 2010 12:58 PM
    I remember a similar case ; you mentioned this happens when location changes?
    You clients are in server mode or mixed mode?


  • 3.  RE: Traffic has been blocked from this application (ntoskrnl .exe) SEP11

    Posted Aug 16, 2010 09:46 AM
    Hi Rafeeq

    clients are in server mode with IP notifications turned off.

    We have 3 locations (Default, LAN and VPN).

    It has just happened now on my XP desktop which is always on the Ethernet LAN with no other network connections
    1. assigned new firewall policies in the SEP console to the Default and VPN locations of my TEST client group
    2. updated policy on the SEP client
    3. Location changed to Default (oops! This is another problem we have using DNS Lookup as the criteria, but not the main point here . . .)
    4. location changed back to LAN (10 sec later)
    5. ntoskrnl popup appears


  • 4.  RE: Traffic has been blocked from this application (ntoskrnl .exe) SEP11

    Posted Aug 17, 2010 08:29 PM

    I am fighting this one as well. SEP 11.0.6.550. 4000 clients. Has to do with udp ports 137, 138. Very annoying to users. The only fix at this point is to uninstall and reinstall SEP. This needs to be fixed.



  • 5.  RE: Traffic has been blocked from this application (ntoskrnl .exe) SEP11
    Best Answer

    Posted Feb 02, 2011 07:46 AM

    RU6 MP2 includes a fix for this. Our tests so far have shown this gets rid of the annoying unwanted popup for this particular traffic event. Note that when upgrading from a version pre-RU6a, you need to patch rather than install the RU6 MP2 MSI over the old version.

    Symantec Endpoint Protection firewall notifications are no longer displayed when notifications are disabled

    Fix ID: 2038728

    Symptom: When switching locations quickly, the application blocking notification will display, even though the notification should be suppressed by policy.

    Solution: The location tracking code was modified to correctly suppress the notification.