Firefox and Opera asking for direct keyboard access.. do I have a keylogger?

[Guest]

[Memnock]

I just installed Comodo Firewall Pro 3 and when I opened up Firefox or Opera, one of the alerts I received is that these applications requested "direct keyboard access".   I did not recieve this message when using IE.  Is this normal for Firefox and Opera or do I have a keylogger?

I've scanned my PC with Nod32 and Ewido and nothing was detected.  I'm running Vista Ultimate 64bit. 

Any information welcome.  Thanks.

 This Issue Is Resolved- 3xist.

[Vettetech]

There is a new feature now with Firefox 3.0 and its called virtual keyboard so that warning is normal.

[Vettetech]

I am pretty sure of this.

[3xist]

There is a new feature now with Firefox 3.0 and its called virtual keyboard so that warning is normal.

Never heard of it? Unless it's part of the malware protection...

[Memnock]

Hmm. now I've gotten this alert with several applications when I launch them, including Nero.  Why would any of these need direct keyboard access?

[Vettetech]

Sorry I remember something about KAV09 having a virtual keyboard. But every program out there now uses keyboard short cuts including Firefox,Winamp,Nero. You can browse the internet using Firefox and only a keyboard.

[kail]

Correct me if I'm wrong.. but, doesn't anything that you actually type into or use the keyboard with need direct access to the.. erm.. keyboard?

[Vettetech]

Exactly....................

[gibran]

Correct me if I'm wrong.. but, doesn't anything that you actually type into or use the keyboard with need direct access to the.. erm.. keyboard?

Maybe. I wasn't able to understand what specifically trigger that alert but even if you disable direct keyboard access right for ,eg. notepad, it still possible to type text (please test this to sort out the chance there is something wrong with my setup   ).

According to Anti-Keylogger Tester v3.0 direct keyboard access is at least required for GetKeyState,GetAsyncKeyState,GetKeyboardState,GetRawInputData APIs but CFP may trap also other APIs as well.

Those APIs are not malicious by themseves but they could be used for keyloggin purposes.
Opera, Firefox and other applications (even IE on my PC) trigger Direct keyboard alerts, maybe a totally different API is involved.
Such alerts alerts doesn't look relevant enough to guess the app has a keyogging purpose.

IMHO some alerts means that an app has "chances" to be used for keylogging purposes.

If you run Anti-Keylogger Tester v3.0 and deny direct screen access at startup you'll see that the splashscreen will not be displayed correctly.
The corresponding APIs needed for such feature could also be used also to grab a screenshoot (screenshot2 test).

In such cases I guess that the answer to these alerts can be only based on the trust abiut the legitimate purpose of such programs.
Only a RE professional could be able to find out if a program is really malicious.

IMHO it won't hurt to test more restrictive policies to find out if a software really need some access rights.

I really hope that something like a behavioural fingerprinting standard could be used in future.

[kail]

With this alert, I think you should only be concerned if something unexpected appears.. unknown or unusual EXE/DLL requesting keyboard access.

Notepad: Difficult to test.. I can't get CFP to prompt for it at all. Even if I turn trusted vendors off, remove the existing rule & switch Defense to Paranoid Mode. Also tried WordPad to no avail. No keyboard prompts here.

[gibran]

With this alert, I think you should only be concerned if something unexpected appears.. unknown or unusual EXE/DLL requesting keyboard access.

Notepad: Difficult to test.. I can't get CFP to prompt for it at all. Even if I turn trusted vendors off, remove the existing rule & switch Defense to Paranoid Mode. Also tried WordPad to no avail. No keyboard prompts here.

Maybe my setup cause this but I'm not able to find a way to sort this out. The only application I guess could trigger this are Logitech setpoint or windows advanced text services.

Anyway I guess the OP could test if disabling direct keyboard access in opera prevent him for typing text or using keyboard shortcuts.

[kail]

Ah.. now that's possible. If you have a keyboard with special keys that has the obligatory special software, then its "hooks" into other applications might be triggering the alert. I have a standard keyboard & mouse plugged into a hardware KVM switch that is connected to 3 systems (including the monitor). There is no special software & it's transparent to Windows.

[Vettetech]

I have a Logitech G15 USB keyboard and I have gottin alerts like this.

[gibran]

Ah.. now that's possible. If you have a keyboard with special keys that has the obligatory special software, then its "hooks" into other applications might be triggering the alert. I have a standard keyboard & mouse plugged into a hardware KVM switch that is connected to 3 systems (including the monitor). There is no special software & it's transparent to Windows.

Guess so. Other apps that come to mind are ATI Catalyst Control Center or Nvidia nView desktop Manager. I recently uninstalled my AV to test some CFP behaviours so I don't plan to do a mass uninstall to track down the culprit.
Anyway having an app to place a globalhook without even a notice in those apps is really bothersome. It would have been nice to know what to check beforehand

[frogger]

i got these alerts to i have a special kyb a Microsoft natural ergonomic keyboard 4000 i think this is what triggered these for me and it has special keys for internet shortcuts and favorites and the like.

[Tags:]