ntoskrnl blocked with spf pro


Bfarber
October 1st, 2002, 02:51 AM
:-\ I have SPF Pro and lately it keeps blocking my ntoskrnl.exe from broadcasting out ON SOME OCCASIONS. It allows outgoing with UDP on ports 137 and 138 and then allows incoming responses, and then four or five minutes later I get a message that it was blocked outgoing with the same protocol, same port (sometimes it will be blocked on both ports). The SPF official forum has the same question asked with no responses, and I have checked everything, tried configuring advanced rules to allow it, tried just blocking the app to get rid of the message, and no matter what I do, I still get the message every few minutes. Beautiful firewall, but I would like to fix this problem.

Any suggestions?

eyespy
October 1st, 2002, 09:43 AM
Hi Bf !
I blocked NTOSKRNL.EXE when using Sygate with no ill effects.

Go here and search for ntoskrnl.exe....

http://www.dslreports.com/information/siteguide

Sorry, I couldn't get the link to work properly !




regards,
bill :)

Primrose
October 1st, 2002, 11:12 AM
Are you sure this is a problem just with your firewall... what you are describing leads me to think your system has been compromised. May I ask if you have a current AT product or AV product running on your system?

And could you tell me what OS you are running at this time?

Primrose
October 1st, 2002, 11:43 AM
I could be way off the mark here.. but I am concerned about the blended threats that are out on the internet right now.. and although this is an old virus/worm.. it sure looks interesting for what you are experiencing right now.
W32/Bolzano Virus


http://www.mycert.org.my/virus-info/bolzano.htm


Win32.Bolzano family
http://www.zdnet.de/itsupport/virencenter/dict/virus/virus3157-wc.html

http://www.symantec.com/avcenter/venc/data/w32.bolzano.html

eyespy
October 1st, 2002, 11:57 AM
Primrose,
very good point !! :)
thanks,
bill

Primrose
October 1st, 2002, 12:46 PM
When taking into consideration DDOS and attacks going on now..I would also draw your attention to these links....


THIS ONE IS NOT IN ENGLISH BUT IT CONCERNS ntoskrnl.exe


udp/137 activity may be tied to scrsvr.exe malware
Name: PE_Funlove.4099
Type: Win32 file infector. Alias: W32/Funlove, W32/Flcss. Size: 4,099 bytes. This is a virus that infects 32-bit EXE, SCR and OCX files on the local computer and, if the PC is connected to a network, on any PC on that network to which you have read access. If Windows NT 4.0 with Service Pack 3 or 4 is running, the virus will modify NTLDR and NTOSKRNL.EXE to give all users unrestricted access. Make sure to recover all files if one is infected by this virus.



http://www.dslreports.com/forum/remark,4571484~root=security,1~mode=flat

_______________________________

Currently port 445 is a problem also see here:
Microsoft Directory service
I did not make a big deal on your port 445 but if you are interested about more of what is out there......
http://www.dslreports.com/forum/remark,4307676~root=security,1~mode=flat


_______________________

And here is an old warning from Sygate.

Sygate Security Alert

Windows XP default install with TCP 445 open

Description:

TCP/UDP port 445 (used for file sharing and is opened by ntoskrnl.exe) is open by default on a freshly installed XP box. The attack is serious since it works remotely and can make the CPU usage 100% in less than 20 seconds.

Impact:

Remote DoS attacks with the SYN flag. Makes CPU usage 100%.

Sygate Recommendations:

Sygate SSE and SPF Security Agents will block all ports and protocols exposed to the internet by ntoskrnl.exe. DoS attacks aimed at port 445, including SYN floods, are denied with no adverse effect on Windows XP. Thanks to www.safehack.com for the disclosure of this serious exploit.
http://soho.sygate.com/alerts/XP_default_TCP445_open.htm

root
October 1st, 2002, 09:23 PM
Whenever I install a new firewall, the first rules I make are to block ports 135-139, TCP and UDP, in and out.
I have never come across anybody that said they needed to allow traffic on those ports.
I don't know what's going on with SPF, but I would hope it blocked those ports by default, and I don't understand why it would be allowing anything out, let alone in, on those ports. I too would suspect foul play.
I also think that any time a firewall does something inconsistently, you have a problem. A rule is a rule is a rule.

snapdragin
October 5th, 2002, 03:25 AM
Primrose - thank you for those links. This ntoskrnl.exe thing is still driving me bats trying to figure it out.

But I noticed something the other night when I was trying to understand my router's setup and how Sygate Personal Firewall talks with it (ooh, confusing)... if I go through my Control Panel ---> Network and Internet Connections ---> Network Connections, and under "Other Places" I click my mouse just once on "My Network Places" (it is blank; I don't have my PCs networked together)..... then if I check Sygate's log I see about 30 lines of outgoing, with Destination Port 137 and 138, Source Port 137 and 138 (all blocked) and from WINDOWS\System32\ntoskrnl.exe. The Source IP is my PC's... and the Destination IP is exactly the same except for the last 3 numbers (I'm thinking my PC is talking to my router and the router isn't answering back because Sygate is blocking the outgoing conversation).

I just thought it strange that all it took was me clicking my mouse on those words in "My Network Places" to trigger all those outgoing lines in Sygate's log.

Sidenote: I did watch my router's log over this past week to see if I was getting any on port 137 from outside, but not a one..... odd?

snap

*oops... sorry Bfarber, I meant to add that Sygate was blocking ntoskrnl.exe every time that I could see... but I still put it on block with the red line going through it... just in case. ;)
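An added example, not written by any poster in this thread and not Sygate's code, that works through the question the thread keeps circling: which of these ntoskrnl.exe log entries are the ordinary NetBIOS name-service (UDP 137) and datagram-service (UDP 138) broadcasts that Windows sends to the subnet's broadcast address when you open My Network Places, which are unicast to a LAN neighbour, and which involve an Internet address and so deserve the suspicion Primrose and root raise. NetBIOS over TCP/IP is handled by a kernel driver with no user-mode process behind it, which is why a host firewall attributes these packets to ntoskrnl.exe. The script reads a few constructed log lines in a simplified "date time action app proto src:port dst:port" layout (an assumption for the example; it is not Sygate's real log format), assumes the LAN is 192.168.1.0/24 (if snapdragin's destination address ended in .255, it was the subnet broadcast address), and includes 445 alongside 135-139 in line with the Sygate alert quoted above.

```python
"""Sort host-firewall log entries on the NetBIOS/SMB ports into
local broadcast, local unicast, outbound-to-Internet and inbound-from-Internet.

Log layout, sample data and LAN range are all assumptions made for this
example; the layout is a simplified one, not Sygate's actual log format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# 135 RPC endpoint mapper, 137 NetBIOS name service, 138 NetBIOS datagram
# service, 139 NetBIOS session service, 445 direct-hosted SMB.
NETBIOS_SMB_PORTS = frozenset({135, 137, 138, 139, 445})
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

LOCAL_BROADCAST = "local-broadcast"       # LAN host -> subnet broadcast: normal name-service chatter
LOCAL_UNICAST = "local-unicast"           # LAN host -> LAN host
OUTBOUND_LEAK = "outbound-to-internet"    # NetBIOS/SMB leaving the LAN: block and investigate
INBOUND_PROBE = "inbound-from-internet"   # unsolicited NetBIOS/SMB from outside: block
OFF_LAN = "neither-side-local"            # should not appear in a host firewall's log
UNRELATED = "unrelated"                   # some other port

# Constructed sample log (not real Sygate output). The fourth and fifth
# lines are the ones a practitioner should care about.
SAMPLE_LOG = """\
2002-10-05 02:10:01 Blocked ntoskrnl.exe UDP 192.168.1.4:137 192.168.1.255:137
2002-10-05 02:10:01 Blocked ntoskrnl.exe UDP 192.168.1.4:138 192.168.1.255:138
2002-10-05 02:10:03 Allowed ntoskrnl.exe UDP 192.168.1.4:137 192.168.1.1:137
2002-10-05 02:14:22 Blocked ntoskrnl.exe UDP 192.168.1.4:137 203.0.113.9:137
2002-10-05 02:15:40 Blocked ntoskrnl.exe TCP 198.51.100.7:3456 192.168.1.4:445
2002-10-05 02:16:00 Allowed iexplore.exe TCP 192.168.1.4:1035 203.0.113.80:80
"""


@dataclass(frozen=True)
class Entry:
    time: str
    action: str
    app: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def _split_endpoint(text: str) -> Tuple[ipaddress.IPv4Address, int]:
    host, port = text.rsplit(":", 1)
    return ipaddress.IPv4Address(host), int(port)


def parse_line(line: str) -> Entry:
    """Parse one line of the assumed 'DATE TIME ACTION APP PROTO SRC:PORT DST:PORT' layout."""
    date, clock, action, app, proto, src, dst = line.split()
    src_ip, sport = _split_endpoint(src)
    dst_ip, dport = _split_endpoint(dst)
    return Entry(f"{date} {clock}", action, app, proto, src_ip, sport, dst_ip, dport)


def classify(entry: Entry, lan: ipaddress.IPv4Network) -> str:
    """Decide what kind of NetBIOS/SMB traffic an entry is, relative to our LAN."""
    if entry.sport not in NETBIOS_SMB_PORTS and entry.dport not in NETBIOS_SMB_PORTS:
        return UNRELATED
    src_local = entry.src in lan
    dst_local = entry.dst in lan
    if src_local and entry.dst in (lan.broadcast_address, LIMITED_BROADCAST):
        return LOCAL_BROADCAST
    if src_local and dst_local:
        return LOCAL_UNICAST
    if src_local:
        return OUTBOUND_LEAK
    if dst_local:
        return INBOUND_PROBE
    return OFF_LAN


def review(log_text: str, lan_cidr: str) -> Dict[str, List[Entry]]:
    """Group every non-blank log line by its classification."""
    lan = ipaddress.IPv4Network(lan_cidr)
    groups: Dict[str, List[Entry]] = {}
    for raw in log_text.splitlines():
        if raw.strip():
            entry = parse_line(raw)
            groups.setdefault(classify(entry, lan), []).append(entry)
    return groups


def suspicious(log_text: str, lan_cidr: str) -> List[Entry]:
    """Entries worth investigating: NetBIOS/SMB crossing the LAN boundary in either direction."""
    groups = review(log_text, lan_cidr)
    return groups.get(OUTBOUND_LEAK, []) + groups.get(INBOUND_PROBE, [])


if __name__ == "__main__":
    for category, entries in review(SAMPLE_LOG, "192.168.1.0/24").items():
        print(f"{category}: {len(entries)}")
        for e in entries:
            print(f"  {e.time} {e.action:7} {e.app:13} {e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport}")
```

The grouping supports root's rule of thumb: entries in the local-broadcast group can be blocked without loss on a machine that does not use file and printer sharing, while anything in the outbound-to-internet or inbound-from-internet groups should stay blocked and be investigated, since a home PC has no reason to exchange NetBIOS or SMB traffic with an Internet address.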