Autosandbox blocking too many programs.

[jvidal]

Hi everyone. I don't know if anybody else is experiencing this, but since about a week ago or so, avast tries to sandbox about 50% of the programs I run, it is getting EXTREMELY ANNOYING. Perfectly legit progs are now labeled "suspicious" by the sandbox, because the "file prevalence/reputation is low". Who decides the file reputation or prevalence? There's something VERY WRONG here.
What the hell happened?

[jvidal]

Additionally, Avast is prompting to run a program in the sandbox, EVEN IF I HAD ALREADY ADDED IT TO THE EXCLUSIONS list.
Major malfunction.

[jvidal]

Another reason for sandboxing is "static analysis finds the file suspicious".
For example: Teracopy is found suspcious, which is totally bogus.
There's something absolutely wrong with the sandbox.
Other legit programs labeled "suspcious" include:
Winrar (also the installer for it)
Damn NFO Viewer
10 talismans (exe and .rwg file)
Codestuff starter. (this might be acceptable, since starter modifies the registry/services/etc)
Several program installers/uninstallers
and several more I don't recall now.

[AntiVirusASeT]

file reputation/ prevalence is based on how often is the program in question being used by the majority of Avast user base.

if u run programs which are not commonly used by average users, be prepared to see many autosandboxing. it is done as such to protect users from potentially fresh malware (zero day)

however, it will also mean a huge increase in fp (in the sense that it sandboxes them) until the program is opened enough times by sufficient number of avast users for its behaviour to be analysed and tipping the overall analysis of the program that it is likely to be safe, thereby releasing it from be autosandboxed in the future.

there are 4 things u can do, either manually adding all programmes that triggered the autosandbox, or, run the program which triggers autosandbox and select ' open normally', or, set autosandbox to 'ask' so that programmes do not get sandboxed automatically, or, turn off autosandbox feature.

as far as i know, avast does not whitelist any programs which cause autosandbox to be triggered.

as for still prompting to run in sandbox inspite of adding to exclusions list, i cannot reproduce it on my side.

u might want to provide ur system specs, the program ur trying to exclude from autosandbox for avast developers to reproduce
meanwhile, do try a repair through avast uninstaller to see if that solves ur problem.

do note that during the weekends, avast team are generally not around on the forums, please be patient till next week.

edit 1: static analysis trigger is something u should take note...it is a more 'serious alert' compared to reputation trigger as this is based on heuristics

unless ur sure that the program is safe, do not release that program from sandbox.

[Lisandro]

Who decides the file reputation or prevalence?

The file itself. It's date, how it is spread in the world... It's not an human decision, it's an automated process based on criteria.
Autosandobox is doing very good its job adding proactive detection to avast!, protecting us against 0-day malware.

[jvidal]

It might do a good job against 0-day malware, but at the cost of being very annoying when running perfectly legit programs, which I have been using for years, without them being sandboxed. Only now avast wants to sandbox 'em. Version 7 seems a lot more picky...
Like I said, why is teracopy.exe found "suspicious" by static analysis?? scanning it with avast doesn't show anything (clean).
Damn NFO viewer is one example of a file that was already added to the sandbox exclusions and still every time I run it, avast prompts me if I want to sandbox it or run it normally (I ALWAYS set the autosandbox mode to "ask", the other mode (auto) is even more annoying and has led to BSODS in the past). When the sandbox is set to "auto" and it analyzes a file, no matter what you select, the next time, it analyzes it again, completely ignoring what you selected last time, that's why I set it to "ask". Plus, it might close your program unexpectedly even after it has opened...I'm really disliking this new sandbox. Previous versions were a lot better.

[Lisandro]

It might do a good job against 0-day malware, but at the cost of being very annoying when running perfectly legit programs, which I have been using for years, without them being sandboxed. Only now avast wants to sandbox 'em. Version 7 seems a lot more picky...

Just disable the Autosandboxing then... Or configure it a little bit less aggressive.

the other mode (auto) is even more annoying and has led to BSODS in the past

Hmmm... not sure it can be that dangerous.

When the sandbox is set to "auto" and it analyzes a file, no matter what you select, the next time, it analyzes it again, completely ignoring what you selected last time

Well... What do you want? That the resident shields keep track of all files in your computer, take the checksum (MD5) of it and compare?
It would take even more time. The files must be analyzed all the time: what if a malware is posing as the real application?

[jvidal]

About that last point. What's the idea of excluding a file if you're gonna be asked about it again next time??

Another one: I just installed Furmark and the sandbox said that "static analysis... bla bla"
I insist: what the hell is wrong with the SB, that now it finds almost ALL files suspicious for one reason or another(low prevalence or static analysis). I repeat: this is NOT NORMAL, there's s/thing wrong.
bye!

[MikeBCda]

My personal "solution" for this, as I'd noted in another thread, was to untick the insufficient-data (or however it's worded) item in the settings.  That way I won't be bothered by the sandbox when I'm running stuff I've had for years and which is antique enough (e.g., ancient versions of Graphic Workshop and dBase) that I doubt there's wide enough usage to get included in the database in the foreseeable future.

And the security-related triggers are still active.

[DavidR]

Do you mean 'The file prevalence/reputation is low' as that is potentially the one that is likely to tray 0-day malware.

As much of a pain in the ass that this might be in the early days of your use, set the AutoSandbox Mode to Ask and for programs that you have had for some time and are sure they aren't malware, have it Run Normally and select the 'Remember my answer for this program.'

With my settings at the default and choosing that set of actions, I haven't had the autosandbox intercept those already excluded.

So for me it didn't take that long for old programs that I use that were intercepted to be built up in the exclusions. I don't know if in doing this that it would subsequently be fed back (via the CommunityIQ function) to avast. This may then add to a programs prevalence and reputation to the benefit of all avast users.

[Nesivos]

File Behavior

TERACOPY.EXE has been seen to perform the following behavior:

    The Process is polymorphic and can change its structure
    The Process is packed and/or encrypted using a software packing process
    This process creates other processes on disk
    This Process Deletes Other Processes From Disk
    Executes Processes stored in Temporary Folders
    Executes a Process
    Reads your outlook address book
    Writes to another Process's Virtual Memory (Process Hijacking)
    Adds a Link in the Start Menu
    Violates Prevx File Security Settings
    Registers a Dynamic Link Library File

TERACOPY.EXE has been the subject of the following behavior:

    Executed as a Process
    Created as a process on disk
    Deleted as a process from disk
    Changes to the file command map within the registry
    Has code inserted into its Virtual Memory space by other programs
    Terminated as a Process
    Executed by Internet Explorer
    Added as a Registry auto start to load Program on Boot up

http://www.prevx.com/filenames/2852839623737587884-X1/TERACOPY.EXE.html

Based upon the above it might be prudent to run it in the sandbox.

[Lisandro]

Based upon the above it might be prudent to run it in the sandbox.

Well... As far I know and used, TeraCopy is a clean program. The "problematic" behavior is that it substitutes Windows copy/paste function.
If I'm wrong, I beg avast! virus analysts post very quickly here...

[idacbadger]

I'm having a similar problem. ImageMagick's convert.exe is repeatedly run in a sandbox, despite autosandboxing being disabled and the exec listed under exclusions (multiple times apparently). Seems to be some kind of bug, or the feedback to the user could be improved.

[AntiVirusASeT]

make sure it is listed under autosandbox exclusions, not other shield exclusions.

if that does not work, it is likely to be something wrong with ur avast install.

please do a repair on avast via control panel -> (add/remove programs for windows xp OR programs and features for windows 7) -> select repair -> reboot ur computer.

if this does not work, please do a complete uninstall & reinstall of avast.

1. Download a fresh Avast! 7 package from http://www.avast.com/free-antivirus-download (to reduce chance of corrupted install)
2. uninstalling Avast! the normal way with windows
3. run Avast! uninstall utility http://www.avast.com/uninstall-utility (please do it in SAFE MODE!   )
4. run the uninstall utility 1st time, one for Avast! 7
5. reboot and go into safe mode once more, 2nd time for Avast! 6 (this is IF u have updated to Avast! 7 from Avast! 6)
6. reboot again, this time to normal windows mode
7. install the fresh package

do report back

[DavidR]

I'm having a similar problem. ImageMagick's convert.exe is repeatedly run in a sandbox, despite autosandboxing being disabled and the exec listed under exclusions (multiple times apparently). Seems to be some kind of bug, or the feedback to the user could be improved.

If the autosandbox is disabled as you say then it isn't the autosandbox, but possibly another shield (behavior shield). If you can post a screenshot of the avast alert/notification window, see image examples of autosandbox pop-ups (click to expand).

So are you saying that despite the autosandbox being disabled you still get autosandbox windows recommending it be run in the sandbox ?
If so I would try an avast repair (as suggested) before you try a clean reinstall.