Block Hook: MSCTF.dll - how to allow this?

Hi all,

D+ seems to Block Hook attempts of the component %windir%\system32\MSCTF.dll

I want for all applications to be allowed to hook it.

1. MSCTF.dll is covered by My Protected Files / Important Files (by pattern %windir%\system32*)
2. I cannot find a rule which prevents hooking of Important Files
3. I cannot find an entry for Important Files or MSCTF.dll which protects it from hooking by other applications
D+ is set to Clean Mode.

Still, hooking of this compoment gets blocked. Is there something I’ve overseen?
Can anyone list all rules of the CPF default ruleset which cover MSCTF.dll ?

regards, tom

(edit: some typos)


CFP 3.0.25.378 x32, Win XP Home 2002 SP2, Avast Home 4.8.1201 (at time of this post)
custom mode, advanced settings changed
Intel Pentium M x86.6.13 - 1.6GHz

Bump, Any solution guys?

Hi nomads voice,

Try this—>Defence+/Advanced/Computer security policy.

Find the entry “All applications”, highlight it and choose “Edit”.Now access rights/Modify next to Windows/Winevent hooks.You should get a new window Allowed/Blocked Hooks,in the Allowed section click on “Add” and then browse to MSCTF.dll.Move it accross and then APPLY to close all windows.
Also make sure it`s not in the Blocked section,if it is remove it.

Matty

ps: What is actually getting blocked,what does it say in the log?

Matty… many thanks.

The entry has been there already (it’s part of the default ruleset that comes with installation I think).
Curiously I deleted it and then added it again. This may have helped since now I’m getting “Installed Hook” messages instead of the previous “Block Hook”.

MSCTF is a Microsoft service which is hooked by many applications, so I got a block-message with almost every application.

However, some questions.

1. The existing entry was lower-case while the true filename is upper-case. Does CFP make a difference?
2. If I have a ruleset for an application does the “all applications” also apply?
3. The manual doesn’t tell, so I guessed: top most rules have higher priority than bottom most?

I didn’t find any clue in the manuals at first glance. If these are indeed missing, please add.

Thanks again. I could have found out by myself but wasn’t smart enough :slight_smile:

Edit: to save you time, there’s another post that possibly matches questions 2.+3. → https://forums.comodo.com/empty-t24819.0.html

Update.

This only worked for one time. After rebooting the same issues appeared.

I seem to have a general problem with D+
When D+ is enabled while starting up it gives an odd behaviour where the MSCTF thing is only one of them.
When D+ is disabled at start up but being enabled after startup manually then most things work fine.

So the question is:
why is D+ having difficulties while startup when enabled?

Shall this be treated as bug?

I think it might be worth putting it in Bug Reports :wink:

Josh

I have the same issue, been having it with Comodo Firewall Pro v3 also, still in Comodo Internet Security v3.5.
See the screenshot.
The “Windows/WinEvent Hooks” Defense+ parts for firefox.exe is set to “Ask”.
So far, both the allowed and blocked part for that section are empty.
Manually putting the …\msctf.dll file in the “Allowed Hooks” in Defense+ for the firefox.exe has no effect, makes sense.

[attachment deleted by admin]

For me, it looks like I’ve solved the "Block Hook: MSCTF.dll " problem in my logs, missing it since a couple of days since I adjusted something.
In Defense+'s Advanced click on Computer Security Policy and select the application, in my case firefox and doubleclick it. In the Application System Activity Control I have Protection Settings enabled, all 4 enabled on Yes. Here is also a Windows/WinEvent Hooks which is where to add msctf.dll and make the alert in the log go away, the alert for which no popup is given. One should get a visible alert.