2 Replies Latest reply on Apr 26, 2011 10:23 AM by kink80

    Lots of traffic logged from NTOSKRNL.EXE

    kink80

      Is it normal to see a constant stream of the following log entries in the HIPS 7.0.0.1159 event.log?

       

       

      Time:    4/25/2011 1:09:16 PM

      Event Type:   Traffic

      IP Address:   192.168.122.206

      Sniffer CAP:  

      Rule ID:   -1

      Protocol:   17

      Local IP Address:  192.168.123.255

      Local Port:   137

      Remote IP Address:  192.168.122.206

      Remote Port:   53446

      Inbound:   True

      Permit:    False

      Process ID:   4

      Path:    C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE

      Quarantine:   False

        • 1. Re: Lots of traffic logged from NTOSKRNL.EXE
          Kary Tankink

          It's just blocked network traffic for ntoskrnl.exe.  Not exactly sure why ntoskrnl.exe needs Netbios traffic, but if this impeading system functionality, then you'll need to create a rule for it.  If not, ignore it.

           

          If you have the "Log all blocked" option enabled in the HIPS Client UI, then any blocked traffic will get logged.  Disable the "Log all blocked" if you don't want all blocked traffic to be logged to the Activity log (you can still create Block rules that LOG traffic to the Activity Log, if needed).  The logged firewall traffic is not sent to ePO, it's only logged locally to the HIPS Activity Log.

          • 2. Re: Lots of traffic logged from NTOSKRNL.EXE
            kink80

            Thanks for the reply. The user of this machine was concerned that it may be infected with malware or a virus that sends e-mail out from their Outlook mailbox. After running a full VSE scan of the HDD and finding nothing I figured I would check the HIPS log just to see if anything was going on there.