Upon reviewing the Security logs from a Endpoint Protection (SEP) client you found the following event information:
Event Description: Application has changed since the last time you opened it, process ID:4 Filename: C:\Windows\System32\ntoskrnl.exe. The change was allowed by profile --- Modules changed 1 ---- C:\Windows\System32\ntoskrnl.exe --- New modules: 0 ---
Attack Type: Executable file change accepted
Event Time: xx/xx/xxxx xx:xx:xx
Remote Host IP: xx.xxx.xxx.xx
Begin Time: xx/xx/xxxx xx:xx:xx
End Time: xx/xx/xxxx xx:xx:xx
Domain Name: Default
The ntoskrnl.exe has been changed, modified or updated. You may receive this alert if you have enabled Application Monitioring for your client group. You can configure the Endpoint Protection (SEP) client to detect and monitor any application that runs on the client computer and that is networked. Network applications send and receive traffic. The client detects whether an application's content changes.
An application's content changes for the following reasons:
A Trojan horse attacked the application.
The application was updated with a new version or an update.
If you suspect that a Trojan horse has attacked an application, you can use network application monitoring to configure the client to block the application. You can also configure the client to ask users whether to allow or block the application. Network application monitoring tracks an application's behavior in the Security Log. If an application's content is modified too frequently, it is likely that a Trojan horse attacked the application and the client computer is not safe. If an application's content is modified on an infrequent basis, it is likely that a patch was installed and the client computer is safe. You can use this information to create a firewall rule that allows or blocks an application. You can add applications to a list so that the client does not monitor them. You may want to exclude the applications that you think are safe from a Trojan horse attack, but that have frequent and automatic patch updates. You may want to disable network application monitoring if you are confident that the client computers receive adequate protection from Antivirus and Antispyware Protection. You may also want to minimize the number of notifications that ask users to allow or block a network application.
In some cases the event may occur for ntoskrnl.exe because it has been updated after Windows Update and similarly the same may occur for other applications like Microsoft Office, Adobe Acrobat reader, etc.