Author Topic: Avast Virtualization Info Needed  (Read 7109 times)


MossyRock

  • Guest
Avast Virtualization Info Needed
« on: November 30, 2010, 06:20:16 PM »
I just ran Sophos anti-rootkit and it shows 294 hidden files that are associated with Avast's virtualization ("## aswsnx"), but I'm seeing paths related to apps that I've NEVER run in the sandbox - apps such as Thunderbird and Open Office.  The only app that I've run virtualized is Firefox.

1) What is causing this?
2) How are these files managed?  Do they clean up on their own, do I need to intervene, or should they remain (and why?)

In the Avast console/controls, clicking the "Delete Contents" button under "Web Browsers: Store files in special storage in the sandbox" had no effect on these files, which is understandable since these apps are not web browsers.

There is precious little information on the internal workings of this feature, and it should be better documented.

Thanks.

« Last Edit: November 30, 2010, 06:59:15 PM by MossyRock »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Avast Virtualization Info Needed
« Reply #1 on: November 30, 2010, 06:24:06 PM »
Quote
I just ran Sophos anti-rootkit...

Why not ask the developers of this tool...??
I had a similar request a short time ago, but I don't know about this software... ;)
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Worth Knowing (Downloads, Guides & Info): https://forum.avast.com/index.php?topic=60523.0

MossyRock

  • Guest
Re: Avast Virtualization Info Needed
« Reply #2 on: November 30, 2010, 06:33:42 PM »
Thanks.  If you're referring to Sophos, I don't see how they would have much, if any, insight into this.  I just submitted a ticket to Avast Support.
« Last Edit: November 30, 2010, 06:35:19 PM by MossyRock »

Offline pk

  • Avast team
  • Super Poster
  • Posts: 2078
Re: Avast Virtualization Info Needed
« Reply #3 on: December 02, 2010, 01:49:57 PM »
@MossyRock,

1) Are all Thunderbird/OpenOffice paths in "## aswsnx" prefixed with webStorage? [e.g. ##aswSnx private storage\webStorage\...] (If yes, then those paths were created in your web browser process and it's OK.) If they're under an "rXX" prefix (e.g. "## aswsnx private storage\r27\..."), then the Thunderbird/OpenOffice processes were not executed within the web browser (and these folders are deleted automatically after reboot, or when these processes are terminated).

2) If you execute an application in the sandbox, then it'll be created under the \rXX folder, and these folders are deleted automatically when these processes are terminated or after reboot. The contents of web browsers executed in the sandbox are not deleted automatically; you must do that from the GUI. The purpose of this feature is app start speedup.
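The two rules pk gives above (webStorage paths persist until cleared from the GUI; rXX paths are per-process and go away on process exit or reboot) can be applied mechanically to the hidden-file list an anti-rootkit scanner produces. The script below is an added example written for this thread, not Avast's code and not the output format of any real scanner: the "Hidden: <path>" line format and every sample path are constructed, and the storage folder name and the webStorage/rXX prefixes are taken from the posts above. It groups each reported path by prefix so a user can see at a glance which entries are expected to clean themselves up and which need the "Delete Contents" button.

```python
import re
from collections import Counter

# Assumed layout, taken from the thread:
#   <drive>:\## aswSnx private storage\<prefix>\<original path>
# <prefix> is "webStorage" (browser storage kept for start-up speed) or
# "rNN" (per-process storage removed on process exit or reboot).
# Both "## aswSnx" and "##aswSnx" spellings appear in the thread, so the
# space after "##" is optional, and matching is case-insensitive.
STORAGE_RE = re.compile(r"##\s?aswsnx private storage\\([^\\]+)\\(.*)", re.IGNORECASE)
RXX_RE = re.compile(r"^r\d+$", re.IGNORECASE)

# Cleanup expectation for each category, as described by pk.
CATEGORIES = {
    "webStorage": "persistent: cleared only by 'Delete Contents' (deferred to reboot if the browser is still running)",
    "rXX": "transient: removed when the sandboxed process exits or at reboot",
    "other-sandbox": "inside the sandbox storage but with an unrecognised prefix",
    "not-sandbox": "not inside Avast's virtualization storage at all",
}

# Constructed sample report (hypothetical format and paths, for illustration only).
SAMPLE_REPORT = """\
Hidden: C:\\## aswSnx private storage\\webStorage\\Users\\me\\AppData\\Roaming\\Thunderbird\\profiles.ini
Hidden: C:\\## aswSnx private storage\\webStorage\\Program Files\\OpenOffice\\basis\\registry.xcd
Hidden: C:\\## aswSnx private storage\\r27\\Users\\me\\AppData\\Local\\Temp\\calc.tmp
Hidden: C:\\##aswSnx private storage\\r3\\Windows\\Temp\\foo.dat
Hidden: C:\\## aswSnx private storage\\something\\else.bin
Hidden: C:\\Windows\\System32\\drivers\\unrelated.sys
"""


def classify_path(path: str):
    """Return (category, original_path) for one reported file path.

    original_path is the path the sandboxed app thought it was writing,
    i.e. everything after the prefix folder; for non-sandbox paths it is
    the input unchanged.
    """
    m = STORAGE_RE.search(path)
    if not m:
        return "not-sandbox", path
    prefix, original = m.group(1), m.group(2)
    if prefix.lower() == "webstorage":
        return "webStorage", original
    if RXX_RE.match(prefix):
        return "rXX", original
    return "other-sandbox", original


def summarize_report(text: str):
    """Parse 'Hidden: <path>' lines and count the paths in each category."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Hidden:"):
            continue  # ignore headers, blank lines and anything else
        path = line[len("Hidden:"):].strip()
        counts[classify_path(path)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, n in sorted(summarize_report(SAMPLE_REPORT).items()):
        print(f"{n:4d}  {category:14s} {CATEGORIES[category]}")
```

Run as-is it prints the per-category counts for the constructed report; point it at a saved scanner log instead to check whether the entries you see are webStorage leftovers (expected until you clear them) or stale rXX folders (which should already be gone after a reboot).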

MossyRock

  • Guest
Re: Avast Virtualization Info Needed
« Reply #4 on: December 02, 2010, 04:39:59 PM »
Peter,

Thank you for the clarification.  Yes, they were prefixed with "webStorage" but were not deleted by the GUI -> Process Virtualization > Parameters > Web Browsers > delete contents button.  I discovered that it took a reboot for these files to be cleaned up, after unchecking "Store files in special storage in the sandbox (contents will not be automatically deleted)".

I think I now understand how Thunderbird and Open Office items got into the mix - if I click an email link (in Thunderbird email) or a link in a document (in Open Office) and it launches Firefox, which runs virtualized, then they would appear in ##aswSnx private storage\webStorage files as Thunderbird or Open Office items.  Is this correct?

swarnava

  • Guest
Re: Avast Virtualization Info Needed
« Reply #5 on: December 02, 2010, 04:42:31 PM »
Virtualized files are stored on the same volume as the original ones would be. If a sandboxed app changes e.g. c:\windows\kernel32.dll, this request is monitored and redirected into our virtualized storage (current name is: \## aswSnx private storage\...), and this folder is hidden from users by default (only an app with a kernel driver can get its name). We hide that folder because we don't want to let users modify/delete something in that folder, because the sandbox internal logic might get a little messed up. The folder is cleaned up automatically when the virtualized process terminates itself (and during computer reboot, for sure). Apps are not sandboxed if they're executed from the network or some devices other than physical disks (USB should be supported, I'm not really sure now).

The avast sandbox virtualizes registry keys/values (storage is under: HKCU/__aswSnx private storage) and it's partially blocked; named objects (i.e. events/mutexes/...) are virtualized as well (you can use Sysinternals' viewer, winobj.exe, to see them).

Offline pk

  • Avast team
  • Super Poster
  • Posts: 2078
Re: Avast Virtualization Info Needed
« Reply #6 on: December 02, 2010, 04:50:07 PM »
Quote
Thank you for the clarification.  Yes, they were prefixed with "webStorage" but were not deleted by the GUI -> Process Virtualization > Parameters > Web Browsers > delete contents button.  I discovered that it took a reboot for these files to be cleaned up, after unchecking "Store files in special storage in the sandbox (contents will not be automatically deleted)".

The "Delete content" button may postpone cleaning if it's not safe at the moment (e.g. your web browser is still running and is still using files from the sandbox storage). In this case, the webStorage cleanup will be started with the next reboot.

Quote
I think I now understand how Thunderbird and Open Office items got into the mix - if I click an email link (in Thunderbird email) or a link in a document (in Open Office) and it launches Firefox, which runs virtualized, then they would appear in ##aswSnx private storage\webStorage files as Thunderbird or Open Office items.  Is this correct?

Yes.

MossyRock

  • Guest
Re: Avast Virtualization Info Needed
« Reply #7 on: December 02, 2010, 07:05:53 PM »
Swarnava and Peter,

Thank you for the additional information and clarifications.  I wish Avast would update their help files to fully explain how the virtualization/sandbox feature works, to avoid forum posts like this which waste your time.

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • Posts: 7170
  • When you think you know, Think Again
Re: Avast Virtualization Info Needed
« Reply #8 on: December 02, 2010, 07:58:31 PM »
When running in PV mode everything is quite a bit slower on both my PCs. Is this directly related to the size of the RAM? :)

Offline pk

  • Avast team
  • Super Poster
  • Posts: 2078
Re: Avast Virtualization Info Needed
« Reply #9 on: December 03, 2010, 12:35:53 PM »
schmidthouse:
Quote
When running in PV mode everything is quite a bit slower on both my PCs. Is this directly related to the size of the RAM? :)

Not at all; everything cannot be slower, at most only the app which was executed in the sandbox, since other apps (not running in the sandbox) are ignored. If a virtualized app seems to be slow, please let me know (app name, OS, when exactly). You can try to run the app in the sandbox and outside the sandbox and compare. Thanks.