kink80
Level 12

Lots of traffic logged from NTOSKRNL.EXE


Is it normal to see a constant stream of the following log entries in the HIPS 7.0.0.1159 event.log?

Time:              4/25/2011 1:09:16 PM
Event Type:        Traffic
IP Address:        192.168.122.206
Sniffer CAP:
Rule ID:           -1
Protocol:          17
Local IP Address:  192.168.123.255
Local Port:        137
Remote IP Address: 192.168.122.206
Remote Port:       53446
Inbound:           True
Permit:            False
Process ID:        4
Path:              C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE
Quarantine:        False

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Lots of traffic logged from NTOSKRNL.EXE


It's just blocked network traffic for ntoskrnl.exe.  Not exactly sure why ntoskrnl.exe needs NetBIOS traffic, but if this is impeding system functionality, then you'll need to create a rule for it.  If not, ignore it.

If you have the "Log all blocked" option enabled in the HIPS Client UI, then any blocked traffic will get logged.  Disable the "Log all blocked" if you don't want all blocked traffic to be logged to the Activity log (you can still create Block rules that LOG traffic to the Activity Log, if needed).  The logged firewall traffic is not sent to ePO, it's only logged locally to the HIPS Activity Log.

0 Kudos
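The answer above explains the flood: with "Log all blocked" enabled, every blocked packet lands in the local Activity Log, and on a Windows box PID 4 is the System process (reported as ntoskrnl.exe), which is where kernel drivers such as NetBT handle NetBIOS name-service traffic on UDP 137. Rather than turning the option off and losing visibility, one can keep it on and triage the file. The following parser and triage logic is an added example, not code from the original thread or from McAfee; it reads the multi-line "Field: value" record format shown in the post and separates blocked NetBIOS broadcasts attributed to PID 4 from anything else that deserves a look. The sample log is constructed: it contains the record from the post plus two invented records (a blocked inbound SMB attempt and a permitted DNS query) so the classifier has something to distinguish.

```python
"""Triage McAfee HIPS 7 firewall Activity Log (event.log) records.

Added example, not part of the original thread or McAfee tooling.
"""
from collections import Counter

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
NETBIOS_UDP_PORTS = {137, 138}   # NetBIOS name service and datagram service
SYSTEM_PID = 4                   # Windows System process; kernel drivers (e.g. NetBT) run here

# Constructed sample: the record from the post plus two invented records.
SAMPLE_LOG = r"""Time:    4/25/2011 1:09:16 PM
Event Type:   Traffic
IP Address:   192.168.122.206
Sniffer CAP:
Rule ID:   -1
Protocol:   17
Local IP Address:  192.168.123.255
Local Port:   137
Remote IP Address:  192.168.122.206
Remote Port:   53446
Inbound:   True
Permit:    False
Process ID:   4
Path:    C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE
Quarantine:   False

Time:    4/25/2011 1:09:20 PM
Event Type:   Traffic
IP Address:   10.0.0.15
Sniffer CAP:
Rule ID:   -1
Protocol:   6
Local IP Address:  192.168.123.40
Local Port:   445
Remote IP Address:  10.0.0.15
Remote Port:   40112
Inbound:   True
Permit:    False
Process ID:   4
Path:    C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE
Quarantine:   False

Time:    4/25/2011 1:09:21 PM
Event Type:   Traffic
IP Address:   192.168.123.1
Sniffer CAP:
Rule ID:   12
Protocol:   17
Local IP Address:  192.168.123.40
Local Port:   51022
Remote IP Address:  192.168.123.1
Remote Port:   53
Inbound:   False
Permit:    True
Process ID:   1234
Path:    C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Quarantine:   False
"""

_INT_FIELDS = {"Rule ID", "Protocol", "Local Port", "Remote Port", "Process ID"}
_BOOL_FIELDS = {"Inbound", "Permit", "Quarantine"}


def parse_records(text):
    """Split the log into records (blank-line separated) of typed fields."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # first colon only: Time and Path contain colons
        if not sep:
            continue                            # tolerate stray lines
        key, value = key.strip(), value.strip()
        if key in _INT_FIELDS:
            value = int(value)
        elif key in _BOOL_FIELDS:
            value = value.lower() == "true"
        current[key] = value
    if current:
        records.append(current)
    return records


def classify(rec):
    """'permitted', 'netbios-noise' (blocked NetBIOS to PID 4), or 'review'."""
    if rec.get("Permit"):
        return "permitted"
    if (rec.get("Protocol") == 17
            and rec.get("Local Port") in NETBIOS_UDP_PORTS
            and rec.get("Process ID") == SYSTEM_PID
            and rec.get("Inbound")):
        return "netbios-noise"
    return "review"


def triage(text):
    """Group parsed records by classification."""
    groups = {"permitted": [], "netbios-noise": [], "review": []}
    for rec in parse_records(text):
        groups[classify(rec)].append(rec)
    return groups


def summarize_blocked(records):
    """Count blocked records by (image, protocol, local port, direction)."""
    counts = Counter()
    for rec in records:
        if rec.get("Permit"):
            continue
        image = rec.get("Path", "").rsplit("\\", 1)[-1].upper()
        proto = PROTOCOL_NAMES.get(rec.get("Protocol"), str(rec.get("Protocol")))
        direction = "in" if rec.get("Inbound") else "out"
        counts[(image, proto, rec.get("Local Port"), direction)] += 1
    return counts


if __name__ == "__main__":
    groups = triage(SAMPLE_LOG)
    for name, recs in groups.items():
        print(f"{name}: {len(recs)}")
    for key, n in summarize_blocked(parse_records(SAMPLE_LOG)).most_common():
        print(f"{n:5d}  {key}")
    for rec in groups["review"]:
        print("REVIEW", rec["Time"], rec["Remote IP Address"], "->", rec["Local Port"])
```

Run it against a real event.log (`parse_records(open(path).read())`) and the "review" bucket is what remains once the NetBIOS broadcast chatter is set aside; the summary counter shows at a glance which process and port account for the volume. The "netbios-noise" rule deliberately requires PID 4 and an inbound UDP 137/138 hit; a blocked connection to 445 from an unexpected subnet, as in the second constructed record, stays in "review".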
2 Replies
kink80
Level 12

Re: Lots of traffic logged from NTOSKRNL.EXE


Thanks for the reply. The user of this machine was concerned that it may be infected with malware or a virus that sends e-mail out from their Outlook mailbox. After running a full VSE scan of the HDD and finding nothing I figured I would check the HIPS log just to see if anything was going on there.

0 Kudos