What does "X has modified the the User interface of Y" mean?

What does this mean? If the application in question is googletalk, parented by explorer… what is bittorrent.exe doing in the details?

Date/Time :2006-06-20 21:05:27
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (googletalk.exe)
Application: C:\Program Files\Google\Google Talk\googletalk.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Remote: 0.0.0.0:http(80)
Details: C:\Program Files\BitTorrent\bittorrent.exe has modified the the User interface of C:\Program Files\Google\Google Talk\googletalk.exe by sending special Window messages…

Here is bittorrent doing something again…
Date/Time :2006-06-20 06:47:41
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (ashMaiSv.exe)
Application: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Remote: 142.161.130.98:pop-3(110)
Details: C:\Program Files\BitTorrent\bittorrent.exe has modified the the User interface of C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe by sending special Window messages…

… and here is one that swings the other way…
Date/Time :2006-06-18 23:22:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (bittorrent.exe)
Application: C:\Program Files\BitTorrent\bittorrent.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP In
Remote: 0.0.0.0:1586
Details: C:\WINDOWS\explorer.exe has modified the the User interface of C:\Program Files\BitTorrent\bittorrent.exe by sending special Window messages…

I don’t mind seeing these entries in my Activity Log, or popups… just would like to understand what they are trying to tell me about the activity on my system.

Seems CPF 2.2.0.11 is less prone to give these messages I was receiving with the previous version. Still don’t understand what they were trying to tell me, but oh well.

Hi mongod,

I have waited for the 2.2.0.11 release to reply to your post. As you pointed out, those messages are more accurate right now.

Windows OS has a feature called message loops. When you move your mouse or click on a button or anything similar, those operations are represented as messages in Windows.

If a process sends such a message to another process, and the message is something that can modify a process’s behavior, CPF will raise such an alert.

To better understand this behavior, please try to run the breakout leak test.

Hope this helps,

Egemen

OK, I’m also starting to get used to some of the terms in CPF…

Application: The app/process trying to get access.
Parent: The app/process that (originally) launched the Application
Details: In this case shows the “source application” that is sending “messages” to the Application

… but in my 1st and 2nd log entries posted, why would bittorrent be trying to communicate with either GoogleTalk or Avast Mail Service? What does this tell me about BitTorrent, seems to be an “unsafe” action?

The 3rd log entry actually looks like it would be a “safe” action, as the parent application (explorer) that launched bittorrent is trying to send it a “message”… yes?

Do you see those alerts with CPF 2.2.0.11 or with previous versions?

Yes, this type of case is safe. Especially when you double click a torrent file. When you have automatic approval of safe applications, CPF should not even show such an alert.

Hope this helps,
Egemen

Yes, I saw the alerts with the version previous to 2.2.0.11

The log entries for the first 2 are the odd ones… wasn’t sure what bittorrent thought it was doing with googletalk.exe or ashMaiSv.exe
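
Added example, not part of the original posts and not CPF's own code: a small Python triage of the three alerts quoted in this thread, separating the case where the sender named in Details is the Parent (the case called safe above) from the case where it is some other process. The function names and the two verdict labels are assumptions made for this illustration.

```python
import ntpath
import re

# Application/Parent/Details fields of the three alerts quoted in the thread.
SAMPLE_LOG = r"""
Application: C:\Program Files\Google\Google Talk\googletalk.exe
Parent: C:\WINDOWS\explorer.exe
Details: C:\Program Files\BitTorrent\bittorrent.exe has modified the the User interface of C:\Program Files\Google\Google Talk\googletalk.exe by sending special Window messages…

Application: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
Parent: C:\WINDOWS\system32\services.exe
Details: C:\Program Files\BitTorrent\bittorrent.exe has modified the the User interface of C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe by sending special Window messages…

Application: C:\Program Files\BitTorrent\bittorrent.exe
Parent: C:\WINDOWS\explorer.exe
Details: C:\WINDOWS\explorer.exe has modified the the User interface of C:\Program Files\BitTorrent\bittorrent.exe by sending special Window messages…
"""

DETAILS_RE = re.compile(
    r"^(?P<sender>.+?) has modified the (?:the )?User interface of "
    r"(?P<target>.+?) by sending special Window messages")


def parse_entries(text):
    """Split the log on blank lines and return one {field: value} dict per alert."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths keep theirs
            if sep:
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries


def triage(text):
    """Return (target exe, sender exe, verdict) for each window-message alert."""
    results = []
    for entry in parse_entries(text):
        m = DETAILS_RE.match(entry.get("Details", ""))
        if not m:
            continue  # not a window-message alert, or Details is cut short
        sender, parent = m["sender"].lower(), entry.get("Parent", "").lower()
        # Hypothetical labels: parent messaging its child vs. any other sender.
        verdict = "sender-is-parent" if sender == parent else "third-party-sender"
        results.append((ntpath.basename(entry.get("Application", "")),
                        ntpath.basename(m["sender"]), verdict))
    return results
```

On the quoted entries, the two bittorrent.exe alerts come out as third-party-sender and the explorer.exe one as sender-is-parent.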