Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by Remo »

I had been seeding several files overnight and then closed Qbittorrent this morning. After I closed it (File/Exit) I began getting warnings from Malwarebytes Anti-malware that it had blocked an outgoing connection attempt and listed Qbittorrent as the program involved. I verified in task manager that the program was no longer running but I continued to receive an almost constant stream of warnings from Malwarebytes. I didn't track the IPs that were listed, the ones it was attempting to connect to, but I know there were many different ones. After several minutes of this I rebooted, which stopped the activity.

Any ideas on why this was happening?

Edit: Forgot to mention I'm on Win 7 x64, Qbittorrent 3.1.9
Last edited by Remo on Wed Mar 26, 2014 12:49 am, edited 1 time in total.
sledgehammer_999
Administrator
Posts: 2444
Joined: Sun Jan 23, 2011 1:17 pm

Re: Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by sledgehammer_999 »

Does the path to qbittorrent.exe match the actual path of qbittorrent.exe?
Are you sure that those aren't INCOMING connections?
Remo

Re: Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by Remo »

Thanks for the reply!

I didn't verify the paths, I'll do that if it happens again. Let's assume for the moment that I have just one copy of Qbittorrent, the one I used to seed and the one Malwarebytes is listing are the same.

I do know that the connections were outgoing. An incoming connection being blocked wouldn't bother me; it's not unexpected that I'd get some of those once I shut down the program.

I just found the logs for Malwarebytes (didn't think to look for them before). I'm going to pull it into Excel and do a little analysis (incoming vs outgoing, IPs involved, etc.). I'll post the results.
Remo

Re: Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by Remo »

After going over the Malwarebytes (MB) logfile this is what I found:

There were outgoing connections that I saw after QB was closed, but there were also incoming connections from the same IP block that were being blocked. So both in and out but it was the outgoing ones that caught my attention.

Malwarebytes had apparently been blocking these all along. It's not unusual to get popups from MB while seeding or downloading. What's unusual of course is their continuing after I closed QB.

A Whois on the IPs in question shows them being in Ukraine, Moldova and Romania. So I expect MB was correct to block them. There were a variety of IPs but just in three different blocks, 89.28.xxx.xxx as an example.
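
The kind of breakdown described in the post above (incoming vs outgoing, before vs after the client was closed, remote IPs grouped into blocks), as an added example that is not part of the original thread. The log layout, the sample lines, the close time and the function names are constructed for illustration; this is not Malwarebytes' actual log format.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample in a simplified, hypothetical layout:
# date time direction remote_ip port process
SAMPLE_LOG = """\
2014-03-25 07:40:02 IN 192.0.2.15 6881 qbittorrent.exe
2014-03-25 07:55:41 OUT 198.51.100.7 51413 qbittorrent.exe
2014-03-25 08:01:12 OUT 198.51.100.7 51413 qbittorrent.exe
2014-03-25 08:01:30 IN 198.51.100.99 6881 qbittorrent.exe
2014-03-25 08:02:05 OUT 203.0.113.40 6881 qbittorrent.exe
2014-03-25 08:03:47 OUT 198.51.100.23 6881 qbittorrent.exe
not a log line
"""

def parse_line(line):
    """Return (timestamp, direction, ip), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[2] not in ("IN", "OUT"):
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        ip = ipaddress.ip_address(parts[3])
    except ValueError:
        return None
    return ts, parts[2], ip

def summarize(log_text, closed_at):
    """Count blocked events by direction before/after the client was closed,
    and group the post-close remote IPs into /16 blocks."""
    counts, blocks = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip headers, blank lines and anything unparseable
        ts, direction, ip = rec
        phase = "after" if ts > closed_at else "before"
        counts[(phase, direction)] += 1
        if phase == "after":
            net = ipaddress.ip_network(f"{ip}/16", strict=False)
            blocks[(str(net), direction)] += 1
    return counts, blocks

if __name__ == "__main__":
    closed = datetime(2014, 3, 25, 8, 0, 0)  # assumed time of File/Exit
    counts, blocks = summarize(SAMPLE_LOG, closed)
    for key, n in sorted(counts.items()):
        print(key, n)
    for key, n in blocks.most_common():
        print(key, n)
```

Events stamped after the close time with direction OUT are the ones the thread is trying to explain; the per-block counts show whether they cluster in the same ranges as the blocked incoming attempts.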
ciaobaby

Re: Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by ciaobaby »

Other peers and trackers do not know that you have closed down your client so they just have to keep checking and your system has to keep sending a "not known at this address" reply.
Remo

Re: Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by Remo »

That makes sense except for one thing. In that situation I expect it would be a system response, the "not known at this address" reply. But I have OUTGOING connections being blocked and the program generating the outgoing message is Qbittorrent. Qbittorrent however has been shut down, Task Manager, Resource Monitor and Process Explorer all agree, no instance of the program running.
sledgehammer_999
Administrator
Posts: 2444
Joined: Sun Jan 23, 2011 1:17 pm

Re: Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by sledgehammer_999 »

Maybe there was a minor delay before Malwarebytes reports it to the user and the qbt process disappearing in the meantime? (while you opened the various managers to locate if qbt was running).
qbt when closing sends out info to the trackers to say "hey guys I am leaving the swarm. reason closing app". And to other connected peers trying to gracefully close the connections.
ciaobaby

Re: Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by ciaobaby »

"and the program generating the outgoing message is Qbittorrent."
Not quite, you have Malwarebytes reporting that it 'thinks' the connection was initiated by qBitTorrent, which is not always the same thing as it actually being so.
Remo

Re: Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by Remo »

Sledgehammer_999:

The popups from Malwarebytes continued for at least 5 minutes so it's not a timing issue. I had plenty of time to get all of them open, and even captured several screenshots of messages from MB with Process Explorer in the background showing no QB running.

ciaobaby:

Point taken. I've considered that but I don't know how I can check it. I tried capturing packets but nothing related showed, none of the IPs or ports being used per MB. Perhaps MB is blocking it before it gets to the network interface where the packets are captured. I could test that by shutting down MB the next time it happens, see what a packet capture gets then. I'd be concerned about compromising my machine though. 
sledgehammer_999
Administrator
Posts: 2444
Joined: Sun Jan 23, 2011 1:17 pm

Re: Malwarebytes reports outgoing connections AFTER Qbittorrent closed

Post by sledgehammer_999 »

Do the MB alerts have timestamps? Do the alert popups stack or wait for the previous popup to hide before showing...
Anyway I truly don't know how it is possible for a process to not run and still report traffic...