Do I let my "NT Kernel System access the network"? My Sygate firewall needs to know.
The full message reads, "NT Kernel System has changed since the last time you used it. This could happen if you have updated it recently. Click Detail to see more information. Do you want to allow it to access the network?"
I use Chinese (Taiwan) WinXP. Thanks for any suggestions you may have.
2 Answers
I have searched for this extensively, and have found many references to Sygate specifically blocking access of ntoskrnl.exe, but almost exclusively Sygate. One review of the product mentioned that filesharing was blocked when they allowed it to block the file, and was re-enabled when they allowed it:
http://www.pcw.co.uk/personal-computer-world/software/2043598/sygate-personal-firewall
So if you are sharing files or printers on your home network, this could happen as a result.
Also: Sygate itself was bought out by Symantec, sometime in the 2005-2006 timeframe. Because of this, some Sygate info is no longer available. I used the Wayback Machine to locate a reference to the Sygate forums talking about this issue (as far back as 2005). The reference is here:
http://web.archive.org/web/20050527195904/http://forums.sygate.com/vb/showthread.php?threadid=12989
Be patient, takes a while to load. One of the posters said this:
"To tie it together a little better:
All modern operating systems (and many apps for that matter) have a highly modularized design architecture in order to make it easier to design, implement, and maintain.
As a result, there needs to be a process which provides for overall execution control and resource allocation.
In operating systems, the role is provided by the "kernel". All MS operating systems have an executable or dll for this.
One of the reasons (there are others) you periodically see the "kernel" get blocked in Windows, is that since 98 came out, MS has increasingly tied internet based functionality into all aspects of the operating system.
What happens in many cases, is you will have been running an application which makes use of some native Windows internet functionality, and then have moved on to something else. When the app closes out, it releases its links to the various modules it was using and Windows returns the freed resources to the "general" pool.
However, there is one last thing which needs to happen which is to properly shutdown the TCP connection which was established. If the originating app doesn't handle this itself or has exited before the connection is shut down completely, the kernel takes over the role of monitoring for the "handshake" traffic from the port reset, since the allocated socket can't be left "abandoned".
You can see this in operation using a tool like Netmon for example (you will see a dying connection shown in the "time wait" state). If the timeout expires the connection will close at your end, regardless if the expected response was received.
At this point, if there is no firewall, the kernel would send a "reset/ack" packet back to inform the sender the connection is closed. If you have blocked the kernel, you get the popup, and no response is sent back.
Another possibility, again due to the tight integration of internet functionality, is if traffic (both internal or external) arrives which the running apps don't know what to do with, it will be directed back to the kernel to try and figure out what's going on, which can lead to popups depending on the circumstances.
As Jarmo has suggested, since MS Networking housekeeping traffic is handled by the kernel, it is possible to have the kernel get blocked, even if you have explicitly allowed it as an "app", due to a violation of one of the security options (NetBIOS protection for example), or an advanced rule due to the order of processing in SPF.
HTH,
Alinator"
So ntoskrnl.exe sometimes does some cleanup of session traffic, so it *does* have a reason to occasionally access the network.
Between one of the reasons, it seems likely that this is just a normal aberration of Sygate, and not an infected file, particularly since it was so prevalent for Sygate in that timeframe. I would run a full scan with up-to-date definitions, and if it came out clean, I wouldn't worry about it any more. The couple of viruses that have affected ntoskrnl.exe in the past are so old that they should be detected by any decent virus scanner.
I wish I could give you a more definitive answer, but if it were my machine, I wouldn't sweat it if it scans clean. As to why it could have changed, Windows updates have done that in the past (regarding ntoskrnl.exe).
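Before clicking "allow", a practical check is to look at what the System process (PID 4 on Windows XP and later, the process that shows up as "NT Kernel & System") is actually doing on the network. The script below is an added example and not code from this thread or from Sygate; it parses the output of `netstat -ano` (the `-o` column gives the owning PID) and sorts the System process's sockets into the cases the answer above describes: file/printer sharing on the LAN (NetBIOS and SMB ports), TIME_WAIT teardown housekeeping, and anything left over that deserves a second look. The sample netstat text is constructed for the example; the port set and LAN ranges are the script's own assumptions.

```python
import ipaddress
import re

# Added example, not from the original thread. Parses `netstat -ano` output
# (Windows XP and later) and classifies what the System process is doing, so
# the reader can judge a "NT Kernel System wants network access" prompt.

# Constructed sample of `netstat -ano` output; not captured from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       192.168.1.20:1047      ESTABLISHED     4
  TCP    192.168.1.10:1052      192.168.1.20:445       TIME_WAIT       0
  TCP    192.168.1.10:1060      203.0.113.5:80         TIME_WAIT       0
  TCP    192.168.1.10:1061      198.51.100.7:445       ESTABLISHED     4
  UDP    192.168.1.10:137       *:*                                    4
"""

SYSTEM_PID = 4  # the System process on XP and later (assumption: not Windows 2000)

# Ports the System process legitimately uses for Windows file and printer
# sharing: NetBIOS name/datagram/session service and SMB over TCP.
SHARING_PORTS = {137, 138, 139, 445}

# What we treat as "the home network": RFC 1918, loopback and link-local.
# (Python's ip.is_private also includes documentation ranges, so list them explicitly.)
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# proto, local, foreign, optional state (UDP lines have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_lan_peer(host):
    """True if the peer address is on the local network as defined above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*', or a name netstat could not show as an address
    return any(ip in net for net in LAN_NETWORKS)


def triage(netstat_text):
    """Sort netstat lines into sharing / teardown / review / other buckets."""
    buckets = {"sharing": [], "teardown": [], "review": [], "other": []}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, local, foreign, state, pid = m.groups()
        pid = int(pid)
        _, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        entry = " ".join([proto, local, "->", foreign] + ([state] if state else [])
                         + [f"pid={pid}"])
        if state == "TIME_WAIT":
            # Connection already torn down; the kernel keeps the socket until the
            # timer expires, which is the cleanup the quoted post describes.
            buckets["teardown"].append(entry)
        elif (pid == SYSTEM_PID
              and (lport in SHARING_PORTS or fport in SHARING_PORTS)
              and (state in (None, "LISTENING") or is_lan_peer(fhost))):
            buckets["sharing"].append(entry)
        elif pid == SYSTEM_PID:
            # System talking to something that is neither LAN sharing nor
            # teardown: compare against the firewall log before allowing it.
            buckets["review"].append(entry)
        else:
            buckets["other"].append(entry)
    return buckets


if __name__ == "__main__":
    for name, entries in triage(SAMPLE_NETSTAT).items():
        print(f"== {name} ({len(entries)})")
        for e in entries:
            print("  ", e)
```

On a real machine, save `netstat -ano` output to a file and pass its contents to `triage()`; a few entries in `sharing` and `teardown` are the normal picture for a box with file sharing on, while anything in `review` is what to line up against the firewall's log and a fresh scan.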
I would, since it's a good idea anyway, run a full virus scan using a couple products. If you have anti-virus software already, you can supplement it with a scan using AVG Anti-virus (http://free.avg.com/) or ClamWin (http://www.clamwin.com) both of which are free versions. You should also probably run separate scans for malware/adware. I still use Spybot Search and Destroy, and there are other free products out there that will also work. Running different products is important, because no one has 100% effectiveness in scanning or combating every piece of malware. If two products both individually have 95% efficiency, collectively they top 99%.
Thanks. I haven't knowingly upgraded anything. I run AVG regularly and it hasn't found any viruses, trojans etc. I will run AdAware which is something I haven't done in a while, and check out those links you provided.
I run Vista all patches SEP, SpyDoctor, and am paranoid. STILL since last Saturday, I also now get that dialog box when I reboot. I say no but then find it running anyway in Task Manager called system but listed in description as NT Kernel & Service. Furthermore, it stops using the CPU only when I turn off the wireless. It will not let me stop the process. The basic file is listed as being created Jun 8, 2010, but modified August 29, 2010. The only thing I did differently was install an Amazon-subordinate company program called Mobipocket for ebooks.
a) I do have a full image dating back to April... should I simply restore?
b) I was planning on upgrading to Win7. Will that replace the ntoskrnl.exe or otherwise change it so that the malware (if that is what I have) does not operate?
c) This machine is 18 months old and I had NO problems at all until I got two BSODs mid February while playing EQII. Now it will not play EQII for longer than 45 minutes before a BSOD occurs. I am not sure it is related but these are the only oddities associated with an otherwise sterling Dell laptop.
Thanks if you are checking this site. I have spent hours on this, using Malwarebytes, etc. to find out if I am pwned... no luck. They find nothing but the dialog box keeps popping up. Cheers C
Wow, such a detailed response. Thank you for that. OK, I'm going to take the plunge and let it access the network. I have done a recent scan with AVG and my computer is apparently clean. Here goes....
It would have been nice if Symantec had kept an archive of the Sygate site. If you are still concerned with it, keep in mind that ntoskrnl.exe is affected by several updates, including service packs. Changing to a multiprocessor setup might cause it to change. Using certain boot managers will modify it. Using some utilities that modify bootup graphics can modify it, and some MS updates and hotfixes have changed it.
Also keep in mind that it has at least a few functions that it performs that can trigger network access, so that there are legitimate situations in which you would see exactly the behavior you describe.
If you haven't used any 3rd-party stuff that would modify ntoskrnl.exe, you can check the file properties (file size, version, and date) and I'll try to find out if those are valid numbers for the file. You can find some version descriptions on Microsoft's site.