Topic: Help: problem with Dragon Naturally Speaking DLL injection (Comodo Forum, Comodo Firewall, Help for v2)
MKairys
« on: March 01, 2007, 10:38:56 AM »

I've been running CFP 2.4.18 for a few months now and seem to have a stable (quiet :)) set of application rules. Then for the first time since installing CFP I ran Dragon Naturally Speaking (version 9 Standard). I was immediately besieged with popups of the form:

C:\Program Files\Nuance\NaturallySpeaking\Program\dgniedct.dll has loaded ... dgniedct.dll into C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE using a global hook which could be used by keyloggers to steal private information.

This occurred four times for Outlook every time it did Send/Receive, even though I told it to remember the action every time. I quieted it down for Outlook by editing my application rule and checking Skip Advanced Security Checks, but it happened for other programs as well, and finally I had to turn off DLL injection checking just so I could get some work done.

Now, I have no idea what Dragon is trying to do here (I've asked in their support forum) but I would like to make Comodo happy, or at least quieter, without compromising my overall security. Suggestions please.
Little Mac
« Reply #1 on: March 01, 2007, 01:14:09 PM »

The Global Hook message, as you know, is part of CFP's Application Behavior Analysis, which applies where CFP cannot determine whether an action is a "safe" one or not.  Its sole job there is to alert you to an action that is similar to actions used by malware, which could result in that application contacting the internet.

This doesn't mean that Dragon is contacting the internet; it is probably because its voice recognition is integrating with applications that are connected (i.e., Outlook).  It would be interesting to see what they say about its behavior in this respect.

A method I have used to stop some of the "false positive" ABA alerts is as follows:

Create a "block" rule in the application monitor for the offending application.

So in this case you would make a rule to block your *.exe (where the "*" is the name of the Dragon executable).  So it would look like this:

Application:  *.exe
Parent:  Skip
Action:  Block
Protocol:  TCP/UDP
Direction:  Out
Source:  Any
Destination:  Any
Miscellaneous:  (leave it blank).

Click OK.  Turn DLL Injection monitoring back on, OK.  Reboot.

That should help with that issue for that application.  Give it a whirl and let us know.

LM

date
dcfldd split=2G conv=noerror hashwindow=0 hash=md5 bs=32768 hashlog=/mnt/sda1/images/hash.log if=/dev/hda of=/mnt/sda1/images/LM.dd
date
cat LM.dd.* | md5sum > verify.log
date
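An added check, not part of the thread and not a CFP feature: before giving Dragon's rule "Skip Advanced Security Checks", it is worth confirming what the alert actually describes, namely which running processes have dgniedct.dll mapped and whether that file is the vendor-signed copy under Program Files. The PowerShell below is the editor's example; the only identifier taken from the thread is the module name reported in the alert, and the enumerate-then-verify approach is an assumption about what a practitioner would check, not something the firewall does. Process.Modules throws for processes that cannot be opened (other sessions, protected processes, 32/64-bit mismatch), so each process is handled on its own.

```powershell
# Added example (not from the thread): list which processes currently have a
# given DLL loaded, then check the Authenticode signature of each distinct path,
# so a "global hook" alert can be judged against what is actually in memory.
# Run from an elevated prompt. Default module name is the one the CFP alert named.
param(
    [string]$ModuleName = 'dgniedct.dll'
)

$hits = foreach ($proc in Get-Process) {
    try {
        # Enumerating modules needs access to the target process; skip any we
        # cannot open rather than abort the whole scan.
        $mods = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
    } catch {
        continue
    }
    foreach ($m in $mods) {
        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            PID         = $proc.Id
            ModulePath  = $m.FileName
        }
    }
}

if (-not $hits) {
    Write-Host "No running process has $ModuleName loaded."
    return
}

# Which hosts the hook DLL has been pulled into (Outlook, etc.).
$hits | Format-Table -AutoSize

# A hook DLL should come from one location, the vendor's install folder, and
# carry a valid signature. A copy loaded from elsewhere, or an unsigned one,
# is the case the alert is really there for.
$hits | Select-Object -ExpandProperty ModulePath -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_
    [pscustomobject]@{
        ModulePath = $_
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
} | Format-List
```

If every hit resolves to the same path under C:\Program Files\Nuance\NaturallySpeaking\Program\ with Status Valid, the alert is the firewall being literal about a global hook the vendor ships, and narrowing the rule to that one executable (as described in the reply above) is a reasonable trade. A second path, or NotSigned/HashMismatch, is the opposite situation and the alert should be kept on.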
MKairys
« Reply #2 on: March 01, 2007, 04:40:05 PM »

Thanks for your reply and your helpful suggestions.

In the Dragon forum I got this reply:

The DLL is necessary for NaturallySpeaking's Select-&-Say capability. If you are not familiar with Select-&-Say, search this forum for additional information but suffice it to say, you would be much better off having it.

If your Comodo 2.4 firewall doesn't include an option to allow this DLL to work without prompting you every time you use NaturallySpeaking then you need to get your money back on Comodo 2.4 because it's obviously not very user-friendly.


... so I'm looking into getting a refund of my purchase price :)

Seriously, I did try making an application rule for natspeak.exe (since I didn't think I could make one for the dll) but I couldn't make it block since natspeak.exe wants to go out and check for updates (and who doesn't these days). So I gave it all the rope I could, including "skip advanced.." and so far CFP has been quiet.

I must say that I like CFP very much and am quite impressed by the functionality it includes, but it is rather too noisy for my taste and I seem to spend not a little time fiddling with rules to quiet it down. I would love to see more FAQ topics about how to, as you say, avoid false positives.
Soyabeaner
« Reply #3 on: March 01, 2007, 04:48:02 PM »

Here's your $0.00 money back. :D

These aren't necessarily false positives.  Legitimate programs have their own "hooking" of dll's into others.  CFP only alerts actions that it deems as suspicious (the potential possibility that malware can also do).  I'm sure you as well as us users will enjoy version 3 once HIPS is out as the architecture will be different (and hopefully less confusing).
Little Mac
« Reply #4 on: March 01, 2007, 04:58:56 PM »

Okay, creating the rule with "skip advanced..." will turn off ABA for that application only, which should eliminate the DLL Injection popups (and any other in that category) for that application/executable only.

Should the program in general have any other .exe's (each with their own .dll access), that's a different story.

So the main executable is used for updates?  There's not a separate executable for that?  That seems odd...

You know, until I used Comodo FW, I rarely saw a FW alert.  McAfee used to tell me that I was portscanned left & right (don't know how it determined that; I could never find out) while on dial-up.  TrendMicro only alerted me when a new application tried to access the internet directly.  ZA only told me it was stopping inbound stuff.  And so on...  I don't get too many alerts, really, any more, for CFP; it's really quite quiet.  There was a lot more activity at first, and a lot of the ABA-related ones.  I learned a lot about rules, and quieted things down.  I think it would've been fine if I didn't really do anything with the computer, except use MS products to browse and do email.  But using odd-ball programs and things...

All that said, Egemen (lead FW developer) has said that version 3 (which should reach public beta testing soon) should be a lot quieter; he says we shouldn't see very many (if any) of these ABA popups any more...

LM
MKairys
« Reply #5 on: March 01, 2007, 04:59:38 PM »

Thanks, I'll try not to spend it all in one place :)

Thanks also for the pointer to 3.0; I didn't realize I had joined up on the cusp of a new version. (I'm a glutton for betas :))
MKairys
« Reply #6 on: March 01, 2007, 05:21:40 PM »

Quote from Little Mac: So the main executable is used for updates?  There's not a separate executable for that?  That seems odd...

Yes, I may be wrong about that. I'll look in the log (one of these days :))
Little Mac
« Reply #7 on: March 01, 2007, 05:24:52 PM »

Ah, yes, "one of these days."  I'm familiar with that... ;)

Well, you can do that.  Certainly let us know when you've used it with the "skip advanced" in place, to see if that resolves that (as far as a "work-around" goes).

And, if you are the glutton you say you are, keep an eye on the Beta Corner (http://forums.comodo.com/index.php/board,40.0.html) for the public testing release of version 3...

LM