When Intrusion Prevention definitions update the following error may be logged in the client and the Windows Event Viewer Application log:
"Network Intrusion Prevention is not protecting machine because its driver was unloaded"
Shortly after this the following message is logged:
"Network Intrusion Prevention has been restored and enabled"
Network Intrusion Prevention is not protecting machine because its driver was unloaded
When Intrusion Prevention is updated it is normal for it's driver to be unloaded so it can switch over to the new definition set. This error is the result of a timing issue where a check takes place to see if the driver is loaded when it's in the midst of being reloaded. As this is a timing issue, it may only occur sometimes or only on some machines and not others.
This is expected functionality and this message can be safely ignored if it's being properly restored shortly afterwards, generally less than a minute but timing will depend upon system speed. This message should not appear as frequently in Symantec Endpoint Protection 14.0 as multiple checks are now done and must all fail before this will be logged.