Endpoint Protection Small Business Edition

  • 1.  NT Kernel System Has Changed Message

    Posted Jan 09, 2013 10:27 PM

    I recently updated my Windows 7 Enterprise. I now get this message:

    NT Kernel System has changed since the last time you used it

    C:\Windows\system32\ntoskrnl.exe

    I select no to not allow it. This is being detected by Symantec software.

    I use Symantec Endpoint Protection Small Business Edition version 12.0.122.192

    After reading some posts on the internet, it appears that this is a common issue after updating Windows.

    Is there any solution to this, or should I just select yes and allow the change, or continue to select no?

    I went into the Network Threat Protection logs and did find this block. I have no idea what it means, and it shows up many times:

    1/9/2013 10:14:23 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-1F-D0-81-4C-F2    0    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:13:22 PM    1/9/2013 10:13:22 PM    GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102    

    I also find this in the same log a number of times:

    1/9/2013 10:22:33 PM    Allowed    10    Outgoing    UDP    192.168.0.255    FF-FF-FF-FF-FF-FF    138    192.168.0.104    00-1F-D0-81-4C-F2    138    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:22:16 PM    1/9/2013 10:22:16 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP    
    1/9/2013 10:22:33 PM    Allowed    10    Incoming    UDP    192.168.0.100    00-19-21-EF-5E-13    138    192.168.0.255    FF-FF-FF-FF-FF-FF    138    C:\Windows\system32\ntoskrnl.exe    Tony    Tony-PC    Default    1    1/9/2013 10:21:32 PM    1/9/2013 10:21:32 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP    

     

    Any help would be appreciated.



  • 2.  RE: NT Kernel System Has Changed Message
    Best Answer

    Posted Jan 09, 2013 10:30 PM

    It looks to be an IPv6 rule, which is blocked by default in 12.1. You can allow this if you want. Otherwise you can just turn off IPv6 in Windows 7. It's really up to you, but this should not be malicious.

    How to disable IP version 6 or its specific components in Windows

    http://support.microsoft.com/kb/929852
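
A triage sketch for the three log lines quoted in the first post, added here as an example; it is not part of the thread or of Symantec's tooling. It parses the pasted traffic-log rows and classifies each destination MAC, which shows the blocked frame going to an IPv6 multicast address and the allowed ones being LAN broadcasts. The column names in `FIELDS` are assumptions inferred from the value order, since the thread does not list them.

```python
import re
from collections import Counter

# Assumed column names (the thread shows values only, not headers).
FIELDS = ["time", "action", "severity", "direction", "protocol",
          "remote_ip", "remote_mac", "remote_port",
          "local_ip", "local_mac", "local_port", "application",
          "user", "domain", "location", "occurrences", "begin", "end", "rule"]

# The log lines from the first post, columns separated by runs of spaces.
SAMPLE = r"""
1/9/2013 10:14:23 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-1F-D0-81-4C-F2    0    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:13:22 PM    1/9/2013 10:13:22 PM    GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102
1/9/2013 10:22:33 PM    Allowed    10    Outgoing    UDP    192.168.0.255    FF-FF-FF-FF-FF-FF    138    192.168.0.104    00-1F-D0-81-4C-F2    138    C:\Windows\system32\DRIVERS\rspndr.sys    Tony    Tony-PC    Default    1    1/9/2013 10:22:16 PM    1/9/2013 10:22:16 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
1/9/2013 10:22:33 PM    Allowed    10    Incoming    UDP    192.168.0.100    00-19-21-EF-5E-13    138    192.168.0.255    FF-FF-FF-FF-FF-FF    138    C:\Windows\system32\ntoskrnl.exe    Tony    Tony-PC    Default    1    1/9/2013 10:21:32 PM    1/9/2013 10:21:32 PM    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
"""

def parse(text):
    """Split each line on a tab or a run of 2+ spaces; skip rows with the wrong column count."""
    rows = []
    for line in text.strip().splitlines():
        cols = re.split(r"\t| {2,}", line.strip())
        if len(cols) == len(FIELDS):
            rows.append(dict(zip(FIELDS, cols)))
    return rows

def dest_kind(row):
    """Classify the destination MAC (remote column if outgoing, local column if incoming)."""
    mac = row["remote_mac"] if row["direction"] == "Outgoing" else row["local_mac"]
    octets = [int(part, 16) for part in mac.split("-")]
    if octets == [0xFF] * 6:
        return "broadcast"
    if octets[:2] == [0x33, 0x33]:
        # RFC 2464: 33-33 followed by the low 32 bits of the IPv6 multicast group
        return "ipv6-multicast:{:02x}{:02x}:{:02x}{:02x}".format(*octets[2:])
    return "multicast" if octets[0] & 1 else "unicast"

def summarize(rows):
    """Sum occurrences per (action, protocol, binary name, destination kind)."""
    counts = Counter()
    for r in rows:
        binary = r["application"].rsplit("\\", 1)[-1].lower()
        counts[(r["action"], r["protocol"], binary, dest_kind(r))] += int(r["occurrences"])
    return counts

if __name__ == "__main__":
    for key, n in summarize(parse(SAMPLE)).items():
        print(n, *key, sep="\t")
```

The low 32 bits `0001:0002` on the blocked row match the well-known DHCPv6 group `ff02::1:2`, and UDP port 138 on the allowed rows is the NetBIOS datagram service.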



  • 3.  RE: NT Kernel System Has Changed Message

    Posted Jan 09, 2013 10:30 PM

    Hi,

    Are you using an unmanaged SEP client?



  • 4.  RE: NT Kernel System Has Changed Message

    Trusted Advisor
    Posted Jan 10, 2013 07:45 AM

    Hello,

    Check these threads with a similar issue:

    https://www-secure.symantec.com/connect/forums/network-threat-protection-ntoskrnlexe-new

    https://www-secure.symantec.com/connect/forums/network-threat-protection-9

    Looks like a Network Application Monitoring message.

    Check if

    Clients > Policies > Location-independent Policies and Settings: Network Application Monitoring > Enable network application monitoring

    is turned on. If yes, turn it off or change "When an application change is detected" to "Allow and log".

    But you should only do that if you are sure that the alert was really a false positive.

    Hope that helps!!