Symantec Endpoint Protection (SEP) generates a message which reads:

"[APPLICATION] has changed since the last time you used it.

Name: [APPLICATION]

Application: [FILE NAME]

Do you want to allow it access to the network?"

Where [APPLICATION] is an application on the computer and [FILE NAME] is the executable file for that application.

Example information provided by the Details button:

The executable has changed since the last time you used C:\WINDOWS\system32\ntoskrnl.exe
File Version: 5.1.2600.5657
File Description: NT Kernel & System
File Path: C:\WINDOWS\system32\ntoskrnl.exe
Digital Signature:
Process ID: 0x4 (Hexadecimal) 4 (Decimal)

The Network Application Monitoring feature of SEP generates this message when the file attributes such as version number or file hash has changed since last use.

Most commonly, this occurs after an update to the application or to the operating system.

If you have not recently updated the application or operating system, you should investigate the cause of the file change to ensure that it has not been modified for malicious reasons.

There are two possible solutions to this issue. Please see below to which solution fits your situation.

Solution 1

If the client is a managed client, check in the Symantec Endpoint Protection Manager to see if the Client User Interface Settings is in SERVER CONTROL, CLIENT CONTROL or MIXED mode.  To check this setting see this link.

If the client is in SERVER CONTROL mode, skip Solution 1 and proceed to Solution 2.

If the client is in CLIENT CONTROL MODE or MIXED CONTROL MODE this warning can occur because Symantec Endpoint Protection clients operate in "Dual Policy" mode.  In dual policy mode the default.dat local client policy is loaded along side the Symantec Endpoint Protection Manager  issued policy’s you have defined.  The default.dat policy contains non-editable stand-alone policy settings that may ‘trigger ahead’ of the Symantec Endpoint Protection Manager issued policies and you may see this warning.

The only solution to prevent this version of the message is to switch the client into SERVER CONTROL mode and thus disallowing the default.dat to load.

Solution 2

To exclude specific files from Network Application Monitoring:

1. Log in to the Symantec Endpoint Protection Manager (SEPM) console.
2. In the left pane, click Clients, and then, in the middle pane, click the group that you want to modify.
3. In the right pane, on the Policies tab, click Network Application Monitoring.
4. In the Network Application Monitoring for. . . window, under Unmonitored Application List, click Add.
   • Note: If you have Application Learning enabled, you can click Add From to search for the application in the data gathered by Application Learning.
5. In the Add Unmonitored Application dialog box, in the File Name text box, type the name of the application.
6. In the Description text box, type a description of the application.
7. Click OK.
8. In the Network Application Monitoring for. . . window, review the list to ensure that your application appears, and then click OK.

SEP no longer monitors the application or generates messages if it is updated or changed.