What you should do

Because of the nature of the actions that cause a High-rated Suspicious Behavior alert to appear, it’s safest to click Deny in the alert pop‑up. If you’re not sure, click the More Info button in the alert box. This submits your alert information (for example, the name of the program and the activity it was trying to perform) to SmartDefense Advisor, which then displays a Web page with information about the alert and the behavior. Use the SmartDefense Advisor information to help you decide whether to allow or deny the action.

Be aware, however, that some legitimate programs perform behavior of this kind as part of normal program functioning. If you trust the program requesting permission, then it may be safe to allow this behavior. In such cases, denying the behavior may result in interrupted program activity.

The table below provides some information you can use to determine how to respond to High‑rated Suspicious Behavior alerts when they appear. The information listed here is for your reference only. Bear in mind that few legitimate programs need to perform the actions listed below.

| Detected Behavior | What this means | Recommendation |
| --- | --- | --- |
| Transmission of DDE (Dynamic Data Exchange) input | Program is trying to send DDE input to another program, which could allow the program to gain Internet access or to leak information. | This behavior is often used to open URLs in Internet Explorer. If the application performing the behavior is known and trusted, it is probably safe to allow the behavior. Otherwise, click Deny. |
| Sending Windows messages | A program is trying to send a message to another program. | A program could be trying to force another program to perform certain functions. Unless you are installing software that needs to communicate with another program, you should deny this action. |
| A program is trying to kill another program. | A program is trying to terminate another program. | A program could be trying to kill a trusted program. Unless you have just used Task Manager to end a program or process, or have just installed software that requires a reboot of your computer, you should deny this action. |
| Invoking open process/thread | A program is trying to control another program. It is legitimate for system applications to do this. | Unless the program performing the behavior is trusted, you should deny this action. |
| Monitoring keyboard and mouse input | A program is attempting to monitor your keyboard strokes and mouse input. | Unless you are running a specialized program that needs to monitor this activity in order to function, such as narration software, you should deny this action. |
| Remote control of keyboard and mouse input | A program is attempting to remotely control your keyboard and mouse. | Unless you are running remote-access software, such as PC Anywhere or VNC, you should deny this action. |
| Installation of driver | A program is attempting to load a driver. Loading a driver allows a program to do anything it wants on your computer. | Unless you are installing anti-virus, anti-spyware, firewall, VPN, or other system tools, you should deny this action. |
| Modification of physical memory | A program may be attempting to modify or read information owned by another program. | Unless you are running gaming, video, or system utility software, you should deny this action. |
| Injection of code into a program or system service | A program is attempting to inject code into another program, which can be used to disable the program or service. | Unless you are running highly specialized software to change the appearance or behavior of a program, you should deny this action. |
| Modifying network parameters | A program is attempting to change your network settings, possibly to re-route you to dangerous Web sites and monitor your Web traffic. | Unless you are running TCP/IP tuning software, you should deny this action. |
| Launching an unknown or bad program from a good one | A program is attempting to modify another program. | Unless a program you are using has a reason to open another program (such as a Word document with a link to a browser, or an IM program with links to other programs), you should deny this action. |
| Accessing system registry | The process is trying to modify registry settings. | This behavior is usually blocked automatically. If you have program control set to Manual mode, deny this action. |
| Deletion of a run key | A program was trying to delete a run key entry. | If the program was set to launch on start-up but was canceled, it will delete the run key. In other cases, you should deny this action. |
| Modification of Telecom Italia security software program | A program is trying to modify the Telecom Italia security software program, possibly to prevent it from running or performing product updates. | Unless you are upgrading the Telecom Italia security software client, deny this action. |

High-rated suspicious behavior guide

Note: Telecom Italia security software will remember your setting and apply it automatically when the program attempts another similar action. If SmartDefense Advisor is set to Auto, your setting will remain effective unless SmartDefense Advisor comes out with a different setting, or until you change the setting manually in the Programs panel.

See Also

ID Lock alert

 
©2011 Check Point Software Technologies Ltd. All rights reserved. Some features are only in premium products