Do autosandbox and BB shield really work?

[gautam7]

Hi friends, Here is the thing i have never got any pop up from autosandbox other than a single case where it flagged KM player as suspicious ans as i don't use KM player much so i uninstalled it. I generally install lots of software ( mostly from cnet and all free) but never even once get an warning. So today i downloaded a patch from torrent. This patch is flagged as malware by 25 scanner in VT. But not by avast. But what surprised me most is when i tried to install in virual mode of ruternil system safe, still there is no warning from autosandbox stating its suspicious. After installation and use of about 1 hr i did not get any warning from avast BB shield. What went wrong? Can anybody explain something as Avast autosandbox and BB shield is supposed to warn against unknown threat.

http://www.virustotal.com/file-scan/report.html?id=d2e894996c1567e95123a22d76bfcdae94861365b537aa901717732e218b9d0a-1307112917

[yongsua]

Was it probably a potentially unwanted program?Correct me if I am wrong.Anyway,please submit the sample with a zip file to virus@avast.com

[gautam7]

Its a patch for internet download manager. Ok if you say i can send it to avast lab. I am not complaining avast does not pick it up, its normal. My question is why avast's Autosandbox and BB shield had not pick it up as potential threat.

Edit: well gmail is refusing to send the file. Can i somehow move the file manually to chest so that i can send it to lab.

[Lisandro]

Good to know why it is not picked up by the heuristics and behavior blocker...
If we can't have a more aggressive detection we will be infected by zero-day malware more frequently.

[yongsua]

Good to know why it is not picked up by the heuristics and behavior blocker...
If we can't have a more aggressive detection we will be infected by zero-day malware more frequently.

And that's why Avast! did not participate the recent retrospective test from AV-C?

[yongsua]

Can i somehow move the file manually to chest so that i can send it to lab.

Hi,gautam.It is impossible to manually move the file that is not flag by Avast! as a malware to the chest.Correct me if I am wrong.

[gautam7]

If we can't have a more aggressive detection we will be infected by zero-day malware more frequently.

My point exactly and its even not like zero day malware since half the scanner of VT detects it. Also MBAM and Hitman pro detects it.

[gautam7]

Ok here is more these three patch also does not trigger avast Autosandbox and BB shield. Directly scanned with PUP on does not detect. The third one is a bit tough only 2 scanner of VT detect ( MBAM also don't detect it) but still it should trigger Autosandbox or BB IMO. Moreover OA HIPS did warn me by multiple pop up.

http://www.virustotal.com/file-scan/report.html?id=1f8787aa05ceb44d33f93e60cf9a0ac44cee4945f9c837fe7df4c24193ff35f9-1307181478
http://www.virustotal.com/file-scan/report.html?id=7ea538e078f00bed40d8ba689977f6dd2d0395e0ebbf332c85d47fb8f2df3430-1307182615
http://www.virustotal.com/file-scan/report.html?id=f7341796570effc81c125f7cad4269ecb9f34066601d8ce4b58595398ffd2a40-1307182145

This is unbelievable. Can some senior member forward this info to avast team so that they can have a look at what is going wrong.

PS: after that i downloaded the autosandbox tool and when i run i, i did get auutosandbox warning from avast and it had the red border. 

[gautam7]

Hi everyone can i post the link to this thread in the thread started by pk " Sandbox/ safezone- feature requests" so that the avast team look to the problem (or issues) of autosandbox or would that be considered as violation of some forum rule?

Thanks

[gautam7]

First sign of autosandbox with this file
http://virusscan.jotti.org/en/scanresult/e636211a798c38685f2b790dd33af036f306dbb6

No joy with these two file Still no autosandbox or BB shield
http://virusscan.jotti.org/en/scanresult/f1f413d51dcc5cbf8af45dd8efbf1a6cf3cec2cf
http://virusscan.jotti.org/en/scanresult/764f1ab403254ca033c9a3947bb881e4824887c4

[oldduke]

Mine certainly seems to.  I get this screen about every 30 seconds or so with the message, "C:\Program Files\Google\Google Desktop Search\pdftotext.exe".  It is always the same and I do not know why.  But it's driving me crazy with it's constant repetition.

[gautam7]

Mine certainly seems to.  I get this screen about every 30 seconds or so with the message, "C:\Program Files\Google\Google Desktop Search\pdftotext.exe".  It is always the same and I do not know why.  But it's driving me crazy with it's constant repetition.

Hi oldduke welcome to the forum you can add the process as trusted in the expert seting under file system scan.

Click real time shield> file system shield > expert setting> autosandbox > add > then add the process.

Or when next time you got the pop up try run normally and click remember my dissision

[Ashish Singh]

Can i somehow move the file manually to chest so that i can send it to lab.

Hi,gautam.It is impossible to manually move the file that is not flag by Avast! as a malware to the chest.Correct me if I am wrong.

No dear, its possible to manually add a genuine file to chest if you think its suspicious.
Go to chest-->Right click on the right hand side area of GUI select add--> Browse for the file you want to add in the chest click ok and its done.
Now right click on that file in the chest and select submit for analysis/virus lab(not sure)

Regards
Ashish Singh

[yongsua]

Can i somehow move the file manually to chest so that i can send it to lab.

Hi,gautam.It is impossible to manually move the file that is not flag by Avast! as a malware to the chest.Correct me if I am wrong.

No dear, its possible to manually add a genuine file to chest if you think its suspicious.
Go to chest-->Right click on the right hand side area of GUI select add--> Browse for the file you want to add in the chest click ok and its done.
Now right click on that file in the chest and select submit for analysis/virus lab(not sure)

Regards
Ashish Singh

How idio am I.

[gautam7]

Thanks Ashish and don't feel bad yongsua after all we learn every day.  I am interested if avast team respond to this topic.