Traffic being blocked by Symantec Endpoint Protection

Forums › Desktop computing › Traffic being blocked by Symantec Endpoint Protection

Jazzrome

8 posts

Wannabe Geek

#94511 13-Dec-2011 06:19

Since installing a new Wireless Router I am constantly getting the message “traffic has been blocked from this application: (ntskrnl.exe)” with Symantec Endpoint Protection. I have 4 computers on my home network and i am only having the problem on one computer
Here is the log file after the message

12/12/2011 10:16:48 AM Blocked 10 Incoming UDP 192.168.0.1 84-C9-B2-60-AD-B2 4097 192.168.0.104 00-21-5C-61-B3-73 137 C:\WINDOWS\system32\ntoskrnl.exe Jerome GTS-LAPTOP Default 1 12/12/2011 10:15:46 AM 12/12/2011 10:15:46 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

1 | 2

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#557269 13-Dec-2011 08:07

Are you using a PC supplied by your employer? Symantec Endpoint Protection is not usually a consumer level software, and rules are created by the administrator.

If you are not licensed to use Symantec Endpoint Protection, better uninstall and either go with Symantec Norton, or even the Microsoft Security Essentials (free).

Jazzrome

8 posts

Wannabe Geek

#557324 13-Dec-2011 10:19

I purchased the software myself. So yes it is legal and their isn't any law that i know of that states i can't use it if i own it. So if you don;t have a suggestion for me about my specific problem please don't bother to reply, Thanks

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#557327 13-Dec-2011 10:20

I'm sorry, but that's rude and uncalled for. No one said it's illegal.

It's called "troubleshooting". People will try to help you, but no one has access to your PC, so we need to establish something to start with. But if you are rude like this I can see you won't get much help here.

jaymz

1133 posts

Uber Geek

#557341 13-Dec-2011 10:53

freitasm: I'm sorry, but that's rude and uncalled for. No one said it's illegal.

It's called "troubleshooting". People will try to help you, but no one has access to your PC, so we need to establish something to start with. But if you are rude like this I can see you won't get much help here.

^^ This. SEP (Symantec Endpoint Protection) is most commonly used in corporate environments, so it was a perfectly legitimate question.

Anyway, back on topic.

Are you experiencing any issues with programs not connecting to the internet? The pop up is an alert to let you know that the firewall part of the AV has blocked a process from accessing the internet.

If you are not seeing any ill effects of the alert you can disable the alerts in SEP:
I pulled these steps from here:http://www.symantec.com/connect/forums/nt-kernel-amp-system-ntoskrnlexe-blocking-message-repeatedly-appearing

sep manager
clients
select your group
click the policies tab
expand the section location specific settings (insert your location name here):
edit the client user interface control settings (we are using mixed control)
under mixed control, select customize
at the very bottom, under show/hide intrusion prevention notifications, set to server control
select the client user interface settings tab
uncheck the box to display intrustion prevention notifications

Try that and see how you get on.

Jazzrome

8 posts

Wannabe Geek

#557369 13-Dec-2011 11:36

First off my email was not intended to be rude it just felt like I was being attacked for using a piece of software that I own. For that I will apologize. I have used both programs you mention and I am not impressed with either this is why I retained my license to Symantec Endpoint Protection. Thank you for your reply but I have Symantec installed on 5 computers and I do not have a server installed in my home network because of the added administration required for a server. All instances of Symantec are installed as unmanaged clients. The information you sent me looks like it pertains to a managed client install. I also have not seen any problems with this computer connecting to the internet other than after a while the wireless card will disconnect form the network if I am not using the computer. This was not happening before I installed the new wireless router and this is the only system that this is happening on. If this information helps or if there is anything else I can try please let me know. And I do appreciate your help. Thanks

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#557372 13-Dec-2011 11:46

As for the WiFi disconnecting with the new router, it could be completely unrelated. It could be that your laptop has the option for turning off WiFi after some inactivity period (check on hardware adapter configuration), or it could be interference from other networks, microwave over, cordless phones, cordless mouse/keyboard...

jaymz

1133 posts

Uber Geek

#557381 13-Dec-2011 12:09

Jazzrome: First off my email was not intended to be rude it just felt like I was being attacked for using a piece of software that I own. For that I will apologize. I have used both programs you mention and I am not impressed with either this is why I retained my license to Symantec Endpoint Protection. Thank you for your reply but I have Symantec installed on 5 computers and I do not have a server installed in my home network because of the added administration required for a server. All instances of Symantec are installed as unmanaged clients. The information you sent me looks like it pertains to a managed client install. I also have not seen any problems with this computer connecting to the internet other than after a while the wireless card will disconnect form the network if I am not using the computer. This was not happening before I installed the new wireless router and this is the only system that this is happening on. If this information helps or if there is anything else I can try please let me know. And I do appreciate your help. Thanks

Once we get the issue with the popup fixed, then we can look at the issues with wireless.

Try creating a rule in the firewall to allow the program through, or disable SEP entirely and test the wireless. That will tell you if the problem is with SEP or something else.

Open the Network Threat Protection options and see Application Settings. All of the blocked and allowed applications are shown there. From there you should be able to create a rule to allow the program/file through.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

Jazzrome

8 posts

Wannabe Geek

#557550 13-Dec-2011 17:57

Thanks for looking at my issue but i will have to try your suggestion when i get back in town Have a family emergency that came up and will be leaving town in a few hours. Will reply once i have had a chance to try out your suggestions. Thanks again Jazzrome

symthomas

4 posts

Wannabe Geek

Trusted

Symantec

#557673 14-Dec-2011 03:34

Hello,

Can I ask what version of Symantec Endpoint are you running? There was an issue with UDP flood attack false positives in RU6 that was resolved in RU6 MP2.

Resolved a UDP flood attack false positiveFix ID: 2058022Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6, the client detects a UDP flood attack.Solution: The UDP flood detection thresholds were modified to reduce the occurrence of false positive flood attacks.

http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US

Please keep me posted on your issue.

Best,
Thomas

Jazzrome

8 posts

Wannabe Geek

#558525 16-Dec-2011 04:13

Sorry for not replying earlier but was out of town for a few days.The version I am using is 11.0.4202.75. I did take the computer to a friends house this morning and connected to his wireless network and I did not have the problem there. The problem on happens on this computer when I am connected to my home wireless network.

symthomas

4 posts

Wannabe Geek

Trusted

Symantec

#558526 16-Dec-2011 04:28

What router and firmware version are you running on? I still recommend you upgrade off that old version. There have been hundreds of fixes since MR4 MP2 was released. The current build available its RU7 MP1.

http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US

Best,
Thomas

Jazzrome

8 posts

Wannabe Geek

#558529 16-Dec-2011 05:32

Thanks for the link and suggestion. I am downloading the latest version now. (11.7 MP1) Will try it after work today and let you know if it solved my problem. I am using a DLink Dir-655 Hardware version: B1 Firmware Version 2.04NA.

Jazzrome

8 posts

Wannabe Geek

#558873 17-Dec-2011 04:15

Install the latest version of Symantec endpoint protection and it did not fix the problem. Aso took the computer to another friends house and got the same problem but I got traffic from every wireless device in his house not just his router as in my location so not sure what to do at this point

symthomas

4 posts

Wannabe Geek

Trusted

Symantec

#558874 17-Dec-2011 04:48

Does this happen when using a wired connection? Is this an unmanaged client install? What features of SEP are installed? For testing purposes, you might try adding an "Allow All" rule at the top of your firewall policy. Test and see if the issue goes away.

Jazzrome

8 posts

Wannabe Geek

#558905 17-Dec-2011 08:49

Problem Solved. After an exhaustive search on Symantec's web site found and old thread that suggested that this was a known problem and that you had to patch version 11 because the upgrade process would not work. But the patch no longer exists on their web site. I used Symantec clean wipe to complete remove Version 11 and did a clean install of the latest version. So far the pop-ups have stopped.
Thanks to all for your help.

1 | 2