HUGE bug in CFW (latest 6 version): keyboard access detection

and I’m the first to spot it, WTF?

btw this bug is also present in version 5 of the firewall, so it has probably been there all along


with that kinda sensitivity, there’s no use activating it in HIPS settings unless you want bogus alarms all the time

for the whole story, I basically set HIPS to paranoid mode (I had no choice cause Comodo’s local “safelist” is hidden now, no one knows where it is and this is kinda suspicious IMO)

paranoid mode is a pain to set up but at least we know everything that’s going on

then I noticed - just an example - Comodo tells me that Firefox’s plugincontainer.exe is asking for keyboard access?

why would such an app require keyboard access? that app doesn’t even have user interaction ???

I know Comodo’s HIPS is not supposed to be an AI (unlike Malwarebytes or Emsisoft’s Intrusion Detection Systems) but if it keeps telling me that everything is a keylogger (even when these apps CLEARLY don’t need keyboard) then what’s the point in having that option in HIPS?

so my question is, are they gonna fix this?

It’s not telling you everything is a keylogger. It’s simply alerting you that an application is trying to access the keyboard directly. This is done by many applications for keyboard shortcut functionality. In the case of the Flash plugin wanting access, I have no idea why. I don’t trust Flash so I would simply block it from keyboard access.

Edit:

"for the whole story, I basically set HIPS to paranoid mode (I had no choice cause Comodo's local 'safelist' is hidden now, no one knows where it is and this is kinda suspicious IMO)"

Was this safelist ever visible?

I don’t trust flash either but it’s necessary to watch videos on tube & all that

I blocked keyboard access for the plugincontainer.exe & so far no problems, but the question still remains: WHY is it telling me it wants keyboard access?

so that’s clearly a big bug & it ain’t the first such example, it also told me that ipoint.exe (MS intellipoint’s mouse app) wants keyboard access. and plenty of other examples that don’t make sense, lost count now

so until that bug’s fixed, better switch off keyboard setting in HIPS, too many false positives make it useless

It’s not a bug. Direct keyboard access is necessary to certain applications for keyboard shortcuts to work. Therefore it has to access the keyboard. You can block access to any application but don’t expect keyboard shortcuts to work.

but in this case just about any app out there can ask for legit keyboard access

so it’s like impossible for the user to tell the difference between keylogger & legit app???

Paranoid mode is not meant for ordinary users. Only activate it if you have a very detailed understanding of how programs work, which permissions they need, which they don’t, etc…

Otherwise it can become very confusing, like what you’re seeing.

It’s not the product to blame, it’s the user. If you can’t tell the difference, you are not an advanced user and should not use paranoid level. It’s as simple as that.

so it’s ok to block everything from keyboard access? (except disk utilities & word processing)
at least that sounds safe cause except for these examples nothing else really needs keyboard access so any other app is prolly malware

besides it’s impossible to tell a keylogger anyway, no one can (else someone would have said how, by now)

yeah but I’ve no choice, cause local safelist is hidden now so we can’t trust it no more

anyway you know a plugincontainer.exe (which is in safelist, which means Comodo folks should know how it works) needs keyboard access?

It’s your call. That’s the idea behind paranoid level: that you should know such things already. I don’t want to recommend anything because it might create issues on your system. But if you trust the application, grant access; if you don’t, block. That’s as simple as I can put it.

alright but then how do you folks tell the difference between keylogger & legit app that asks for keyboard? ???

Your risk assessment, source, check on the file, also any ‘suspicious behavior’ which is not ‘normal’ for the file, but sure, it’s always a risk anyway. Once again, advanced user. In your case I would disable paranoid level and work around in a safe mode (Disable TVL, etc) and trust Comodo more. After all, you don’t want to spend all your time thinking about security, which will affect your work with the PC.

is there a way to see if a file “asks for keyboard access AND sends keyboard input to the net”? cause then that’d really help to tell

(I guess what I’m asking is does Comodo’s HIPS also have some sort of AI which can analyze how a file acts & if it’s doing a series of things that all add up to something suspicious. I know this sounds like futuristic tech but maybe that’s possible even today, dunno)

Well, my point about “suspicious behavior which is not normal for the file” was that keyloggers won’t just require keyboard access, they will create a firewall alert connection (send keyboard info to remote server via some port) and some will even try to modify your system where they should ‘not go’ (HIPS alert). That’s where the alert bells should be going off. That’s the way to tell. Also if you can get the file itself always use: (20MB limit to test any suspicious behavior against AI in that file).
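The correlation described in the reply above (a keyboard access alert followed by a firewall connection alert or a HIPS modification alert from the same process), sketched as an added example that is not part of the thread and not Comodo's code. The event layout, the process name `updater_tmp.exe` and the five-minute window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <source> <action> <process>".
# This layout is hypothetical; it is not a Comodo log format.
SAMPLE_EVENTS = """\
2024-05-01T10:00:02 hips keyboard_access plugin-container.exe
2024-05-01T10:00:05 hips keyboard_access ipoint.exe
2024-05-01T10:01:10 hips keyboard_access updater_tmp.exe
2024-05-01T10:01:40 hips protected_modify updater_tmp.exe
2024-05-01T10:02:15 firewall outbound_connect updater_tmp.exe
2024-05-01T11:30:00 firewall outbound_connect plugin-container.exe
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse(text):
    """Yield (timestamp, source, action, process) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, action, process = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), source, action, process.lower()


def triage(text, window=WINDOW):
    """Per process that touched the keyboard, list the follow-up signals seen
    within `window` after a keyboard alert. Keyboard access alone is not
    flagged; it only becomes a review item when combined with another signal."""
    by_proc = defaultdict(list)
    for ts, _source, action, proc in parse(text):
        by_proc[proc].append((ts, action))

    report = {}
    for proc, events in by_proc.items():
        kb_times = [t for t, a in events if a == "keyboard_access"]
        if not kb_times:
            continue
        signals = ["keyboard_access"]
        for follow_up in ("outbound_connect", "protected_modify"):
            if any(timedelta(0) <= t - k <= window
                   for t, a in events if a == follow_up
                   for k in kb_times):
                signals.append(follow_up)
        report[proc] = {"signals": signals, "review": len(signals) > 1}
    return report
```

A hit only ranks a process for manual review; plenty of legitimate programs both read the keyboard and connect out, so the file's source and reputation still have to be checked.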

Unfortunately we are not collecting 5.x reports any more

I’ll move this to D+ help if you don’t mind

Best wishes