Why is F-Secure monitoring keyboard and audio input?



I'm a happy user of F-Secure SAFE. Next to F-Secure I have another security monitor on my laptop and it notified me that F-Secure is montitoring keyboard and audio input. I can't think of a good reason why it should do that. Can you?





  • SimonSimon Posts: 2,661 Superuser
    Not sure about the audio input, but could it be monitoring the keyboard for signs of malicious keyloggers?
  • UkkoUkko Posts: 3,215 Superuser



    Sorry for my reply. I'm also only F-Secure user (their home solutions).


    Maybe it was too generic notification? Or if certain another application do that - but F-Secure hook such activity and analysing it? What is your another solution and does it with 'further' information what is marked as 'monitoring keyboard and audio input' term?


    For example, my experience about one of solutions was with 'notification' that browser did 'capture the screenshots' (monitor picture capturing) during use it.  What is potentially strange and kind of potential 'generic' description for somewhat safe action.

    And if it is not a 'security feature' -> I'm not sure how it works - but, for example, does keyboard input (like certain shortcut) can be used by F-Secure. For example, their own forms and Ctrl+C or Ctrl+V by user-> since it should be intercepted as valid input.

    With such situation -> your another security monitor should to notify about these situations too often and about different software - but maybe they do use something like 'whitelist/exclusions' where F-Secure is not excluded.



  • Thanks for you replies Simon and Ukko.


    Just to provide you a littel more details on what I found F-Secure SAFE is doing (love to add images here, just don't get how):

    The alerts I get are:

    "The application /usr/local/f-secure/browsingprotection/chrome/bootstrapnative.py attempted to enable the microphone, by calling the function "IOAudioEngineUserClient".


    "The script /usr/local/f-secure/browsingprotection/chrome/bootstrapnative.py attempted to monitor keystrokes, by calling the function "IOHIDParamUserClient".


    I'd love to learn why, functionally, F-Secure would need audio input and keyboard input for browserprotection.



  • UkkoUkko Posts: 3,215 Superuser



    Sounds that your experience with Mac platform. So, I'm not able to brief check such situation with my own tries.

    I think that, potentially, it is possible to ask about subject their direct Support Channels (chat as example):


    Of course, if there will be delay with response from F-Secure Mac Team under community. Like boost up situation.

    Just like my own unofficial feelings: does it was one-time? Or repeatedly?

    And does it was with certain situation like opening certain website (or entire random situation?).


    I think that if it is not pinned to something around 'bootstrapnative.py' directly (with unclear reasoned view) -> maybe such functions are not used for noted activities. Or such functions are called automatically by something else (as unintended action).


    Sounds strange indeed... but I think that there are quite many potential common and normal explanations. Good to read anything about from official F-Secure Teams.



  • LakshLaksh Posts: 4,444 Community Manager

    Hi tmbreuker,

    I did a quick check with the SAFE team. They mentioned that we do not monitor Key board or audio input. Also, We don't call IOHIDParamUserClient or IOAudioEngineUserClient as mentioned there.

    Can we know what is the security monitor you are using?

  • Thanks Laksh,


    I asked your support and they stated the same. The question still open is: 


    How come /usr/local/f-secure/browsingprotection/chrome/bootstrapnative.py is part of the F-Secure SAFE implementation for Mac OS?


    I'm using Cb Defense next to F-Secure SAFE.



  • LakshLaksh Posts: 4,444 Community Manager

    Hi @tmbreuker,


    Would it be possible if you can pass on the support contact for the particular security monitor product so that we can reach out to them to investigate this further?

This discussion has been closed.