High-rated Suspicious Behavior alert
A High-rated Suspicious Behavior alert informs you that a program on your computer is attempting activity that could be dangerous.
Examples of such behaviors include:
- attempts to access a disk without going through the file system. This behavior is used by malicious software to get around file protection by changing raw data on your disk.
- behavior that may cause programs or your operating system to stop functioning normally
- behaviors that indicate spyware is trying to monitor your activity
If you click Allow, the program is allowed to perform the activity. If you click Deny, the program is prevented from performing the activity and is given Restricted access, which means that all future suspicious behavior will be denied.
Figure 4-5: High-rated Suspicious Behavior alert
Why these alerts occur
These alerts occur when a program or component on your computer is detected trying to hijack a process or program on your computer, to alter default settings on your computer or one of its programs, or to access a file without going through the standard protected file system.
What you should do
Because of the nature of the actions that cause a High-rated Suspicious Behavior alert to appear, it's safest to click Deny in the alert pop-up. If you're not sure, click the More Info button in the alert box. This submits your alert information (for example, the name of the program and the activity it was trying to perform) to SmartDefense Advisor, which then displays a Web page with information about the alert and the behavior. Use the SmartDefense Advisor information to help you decide whether to allow or deny the action.
Be aware, however, that some legitimate programs perform behavior of this kind as part of normal program functioning. If you trust the program requesting permission, then it may be safe to allow this behavior. In such cases, denying the behavior may result in interrupted program activity.
The table below provides some information you can use to determine how to respond to High-rated Suspicious Behavior alerts when they appear. The information listed here is for your reference only. Bear in mind that few legitimate programs need to perform the actions listed below.
High-rated suspicious behavior guide

| Detected Behavior | What this means | Recommendation |
| --- | --- | --- |
| Transmission of DDE (Dynamic Data Exchange) input | Program is trying to send DDE input to another program, which could allow the program to gain Internet access or to leak information. | This behavior is often used to open URLs in Internet Explorer. If the application performing the behavior is known and trusted, it is probably safe to allow the behavior. Otherwise, click Deny. |
| Sending Windows messages | A program is trying to send a message to another program. | A program could be trying to force the other program to perform certain functions. Unless you are installing software that needs to communicate with another program, you should deny this action. |
| A program is trying to kill another program. | A program is trying to terminate another program. | A program could be trying to kill a trusted program. Unless you have just used Task Manager to end a program or process, or have just installed software that requires a reboot of your computer, you should deny this action. |
| Invoking open process/thread | A program is trying to control another program. It is legitimate for system applications to do this. | Unless the program performing the behavior is trusted, you should deny this action. |
| Monitoring keyboard and mouse input | A program is attempting to monitor your keyboard strokes and mouse input. | Unless you are running a specialized program that needs to monitor this activity in order to function, such as narration software, you should deny this action. |
| Remote control of keyboard and mouse input | A program is attempting to remotely control your keyboard and mouse. | Unless you are running remote-access software, such as PC Anywhere or VNC, you should deny this action. |
| Installation of driver | A program is attempting to load a driver. Loading a driver allows a program to do anything it wants on your computer. | Unless you are installing anti-virus, anti-spyware, firewall, VPN, or other system tools, you should deny this action. |
| Modification of physical memory | A program may be attempting to modify or read information owned by another program. | Unless you are running gaming, video, or system utility software, you should deny this action. |
| Injection of code into a program or system service | A program is attempting to inject code into another program, which can be used to disable the program or service. | Unless you are running highly specialized software to change the appearance or behavior of a program, you should deny this action. |
| Modifying network parameters | A program is attempting to change your network settings, possibly to re-route you to dangerous Web sites and monitor your Web traffic. | Unless you are running TCP/IP tuning software, you should deny this action. |
| Launching an unknown or bad program from a good one | A program is attempting to modify another program. | Unless a program you are using has a reason to open another program (such as a Word document with a link to a browser, or an IM program with links to other programs), you should deny this action. |
| Accessing system registry | The process is trying to modify registry settings. | This behavior is usually blocked automatically. If you have program control set to Manual mode, deny this action. |
| Deletion of a run key | A program was trying to delete a run key entry. | If the program was set to launch on start-up but was cancelled, it will delete the run key. In other cases, you should deny this action. |
| Modification of ZoneAlarm program | A program is trying to modify the ZoneAlarm program, possibly to prevent it from running or performing product updates. | Unless you are upgrading the ZoneAlarm client, deny this action. |