Avast WEBforum

Topic started by: vsub on July 09, 2012, 01:37:10 PM

Title: Can someone explain this to me(about sandbox)
Post by: vsub on July 09, 2012, 01:37:10 PM
Doing a thorough scan by setting avast to be as paranoid as possible doesn't get any results (that I have some virus, spyware and so on)

But when I enable the sandbox feature, avast starts to suspect almost everything, even programs that I have used for more than 3 years, about which avast never says anything when I start them with the sandbox feature disabled.
I have to add almost every program that I use to the exclude list... the sandbox feature is more annoying than actually of any use (at least to me)

All shields are set to be as paranoid as possible
Title: Re: Can someone explain this to me(about sandbox)
Post by: NON on July 10, 2012, 09:51:53 AM
Autosandbox covers files which are not enough to raise alerts by normal scan but seem suspicious, so this behavior is normal.
However "suspect almost everything" is a bit strange, isn't your software your original, or stored on removable media?
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 11:30:57 AM
> Autosandbox covers files which are not enough to raise alerts by normal scan but seem suspicious, so this behavior is normal.

Like I said, I'm not doing a "normal" scan, I'm doing as thorough a scan as possible... the boot time scan also doesn't say that I have malware

> However "suspect almost everything" is a bit strange, isn't your software your original, or stored on removable media?

Not sure what you mean, all of the programs are in the Program Files folder.

Sometimes the sandbox doesn't say anything about some program while starting it, other times, without changing anything, the sandbox suspects it
Title: Re: Can someone explain this to me(about sandbox)
Post by: SafeSurf on July 10, 2012, 11:35:50 AM
> Like I said, I'm not doing a "normal" scan, I'm doing as thorough a scan as possible... the boot time scan also doesn't say that I have malware

Did you change the Avast settings from default?  Are you doing a Custom scan?
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 12:04:38 PM
> Did you change the Avast settings from default?  Are you doing a Custom scan?

Yes, almost all of the avast settings are changed for maximum protection (except to test whole file and all types of packers from the real time file shield... that would be overkill)

I'm using the "Scan from Windows Explorer" and that option is set to:
Scan - Scan All Files
Sensitivity - High, code emulation, test the whole file, pup, follow links
Packers - All Packers
Actions - All actions are set to Repair=>Move to Chest=>No Action
Performance - Scan Priority set to High and both options below disabled
And nothing is excluded.

As you can see, there is nothing else that can be enabled for an even better scan.

The boot time scan is set to scan all drives, high sensitivity, scan for pup and to unpack archives.

After all that, still nothing, but the sandbox continues to suspect my programs
Title: Re: Can someone explain this to me(about sandbox)
Post by: SafeSurf on July 10, 2012, 12:14:38 PM
I'm going to let others comment.  I think your settings are too high.  Remember, Avast is scanning and working in the background all the time.  Most users do a Quick scan weekly, and a Full scan monthly or every few weeks, with a Boot scan only if a problem occurs.  But everyone's machine is different and users have their own preference.

Refresh my memory, what other security software do you have (on-demand and resident)?

So I will let others comment on what they think of your settings.
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 12:21:45 PM
It's not that high, the PC still works fine (fast)... I've been using it that way since I started to use avast (since 4.?).

I'm not doing weekly\monthly scans because I know what I'm doing on the pc... if I have malware of some kind, there is no way I wouldn't notice if the pc is working even a tiny bit differently.
I know every single file that is autostarted with Windows for what it is

I use only avast for protection... and the windows firewall (if you call that protection).
The browsing protection mostly comes from the FF add-on NoScript and some other system modifications... can't remember when was the last time my pc was infected with something
Title: Re: Can someone explain this to me(about sandbox)
Post by: SafeSurf on July 10, 2012, 12:26:12 PM
How about adding MBAM?  What is your OS?  I'm sorry for asking, but I help so many that I don't remember.

It would also help to add your Profile to your Signature, that way people like me won't have to ask.  :-[
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 12:33:22 PM
I've never used such programs and I don't like installing programs that I don't really need.

I'm using Windows XP SP2
FF13 with tons of add-ons, and a lot of settings for protection.
Windows Firewall
I also have CCleaner but that program is useless or I just don't have the problems that program is searching for... I don't save browser cache to the hdd so my protection is increased.

About the signature... don't know what I should write there :p, I don't really care about those so I rarely use them in any forum
Title: Re: Can someone explain this to me(about sandbox)
Post by: SafeSurf on July 10, 2012, 12:36:55 PM
Everyone has their own opinion, and you already know mine from our previous thread, and I respect yours.  I'm due to sign off now, but I'm sure someone else will be along to assist you.  Thank you.  :)
Title: Re: Can someone explain this to me(about sandbox)
Post by: Asyn on July 10, 2012, 01:01:05 PM
> I'm using Windows XP SP2

32 bit..??
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 01:07:25 PM
Yes 32bit
Title: Re: Can someone explain this to me(about sandbox)
Post by: Asyn on July 10, 2012, 01:09:27 PM
> Yes 32bit

Please update to SP3.
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 01:21:36 PM
Just curious... what exactly does that have to do with how the sandbox should be suspecting programs if an as thorough as possible scan doesn't find anything
Title: Re: Can someone explain this to me(about sandbox)
Post by: Pondus on July 10, 2012, 01:25:12 PM
You find some sandbox info in avast blog....

You say you know every file in your comp......so why do you set avast to paranoia level
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 01:35:23 PM
Well, I know them but I also download new files and since it's not slowing down my pc, why shouldn't I set it that way.

I turn off the sandbox feature because of this problem... when I want a sandbox, I'll either use my virtual pc, which is set to not remember any changes when I turn it off, or just run the program in Sandboxie
Title: Re: Can someone explain this to me(about sandbox)
Post by: Asyn on July 10, 2012, 01:36:33 PM
> Just curious... what exactly does that have to do with how the sandbox should be suspecting programs if an as thorough as possible scan doesn't find anything

Well, if your OS has unfixed holes, no AV can protect you and any troubleshooting is useless.
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 01:40:34 PM
I guess more than 6 years without any kind of malware problems is not enough proof that I don't need SP3
Title: Re: Can someone explain this to me(about sandbox)
Post by: Asyn on July 10, 2012, 01:41:55 PM
> I guess more than 6 years without any kind of malware problems is not enough proof that I don't need SP3

Well, I won't discuss this with you, as it's up to you anyway. Good luck.
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 01:46:30 PM
So in the end, no answer why the sandbox works that way... I guess it will continue to stay off
Title: Re: Can someone explain this to me(about sandbox)
Post by: NON on July 10, 2012, 02:00:22 PM
> So in the end, no answer why the sandbox works that way... I guess it will continue to stay off

"normal scan" means File System Shield, Windows Explorer Scan etc., and even if these scans find nothing, autosandbox could find something suspicious and sandbox these applications.

Why I ask about your applications' origin is because Autosandbox is linked to the FileRep cloud database, and if the FileRep database does not have enough data about them, then autosandbox will kick in. So if your applications are custom-made, they probably get sandboxed only due to that.
Autosandbox will also kick in if the files are executed from a removable drive (USB sticks etc.).
Title: Re: Can someone explain this to me(about sandbox)
Post by: DavidR on July 10, 2012, 02:07:31 PM
@ vsub
You need to understand that the AutoSandbox works in a different way to the other Shields as it is essentially trying to find new malware that would otherwise not be detected by conventional virus definitions.

####
The autosandbox process is controlled in the first instance by the file system shield (FSS), the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn't had a definitive detection.

However, the FSS checks other things, amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). These can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox. See image giving reasons why the autosandbox may intervene.

~~~~
Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean and of course that you intentionally initiated the program.

So if you have lots of obscure uncommon applications you will get autosandbox interventions - you should set the autosandbox mode to Ask, that way you can select run normally and remember - it won't take long before those regularly used programs are excluded from autosandbox intervention.
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 02:12:05 PM
I thought it could be that, but Cloud Service=>Reputation Service is disabled and I have had this problem since the Sandbox feature appeared in Avast 6 (filerep is since avast 7)

Edit:
The sandbox mode is set to ask
Static analysis... - scanning the file... isn't it the same as enabling from FS code emulation and scan on execute

The file prevalence\reputation - filerep service is disabled... I don't need this, I know what I'm downloading.

The file origin/source is suspicion - well, is it suspicious to run it from program files or the windows folder (run it from where the program is installed)

The file is executed from remote/removable media - everything is from my hdd and I don't run any programs from USB

Generic heuristic/suspicious content - FS and custom scan have those set to High and they don't say anything
Title: Re: Can someone explain this to me(about sandbox)
Post by: NON on July 10, 2012, 02:25:45 PM
> Static analysis... - scanning the file... isn't it the same as enabling from FS code emulation and scan on execute
>
> The file prevalence\reputation - filerep service is disabled... I don't need this, I know what I'm downloading.
>
> The file origin/source is suspicion - well, is it suspicious to run it from program files or the windows folder (run it from where the program is installed)
>
> The file is executed from remote/removable media - everything is from my hdd and I don't run any programs from USB
>
> Generic heuristic/suspicious content - FS and custom scan have those set to High and they don't say anything

Even if File System Shield does not show any alert, there could be some detections inside, just not reaching the minimum alert level.
Once the alert level reaches "Sandbox" level, applications will be sandboxed, but if the level does not reach "Detection" level, no File System Shield alert appears.

(High alert level)

Malicious (alert appears, moved to chest etc.)

---(maximum heuristics level)

Suspicious (get sandboxed, no alert)

---

Innocent (no sandbox, no alert)

(Low alert level)
Title: Re: Can someone explain this to me(about sandbox)
Post by: Pondus on July 10, 2012, 02:29:52 PM
About sandbox

https://blog.avast.com/2012/03/20/autosandbox-why-are-you-annoying-me/
Title: Re: Can someone explain this to me(about sandbox)
Post by: DavidR on July 10, 2012, 03:11:40 PM
@ vsub
You say you have all shields set to as paranoid as possible (when your OS is vulnerable by being out of date), yet here you are essentially wanting to disable elements of the autosandbox function. I can't understand that.

Also it appears that you have a preconceived opinion of the autosandbox and despite what others have said or tried to explain what the autosandbox does/how it works you still hold to that opinion, so I'm not sure why you asked the question or are we all missing something here.

So for me also, I will bow out on this one.
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 10, 2012, 03:30:02 PM
I want to use the sandbox but suspecting almost every program that I try to run at random is both annoying and weird.

Will you still have it enabled if it works that way to you?
First nothing and then suddenly, it is suspicious or the other way around.

What's the point of it if I have to add to the exclude list every program that I use.
Sometimes it won't say anything, other times it will suspect my programs after restarting windows or rerunning them again... without changing anything or updating the virus database

Just an example... tell me what this program has that makes avast suspect it
http://shii.org/tclock/
The virustotal result is 0/42
Title: Re: Can someone explain this to me(about sandbox)
Post by: Asyn on July 10, 2012, 03:38:26 PM
> I want to use the sandbox but suspecting almost every program that I try to run at random is both annoying and weird.
>
> Will you still have it enabled if it works that way to you?

That's exactly where the problems start, as nobody here uses XP SP2. ::)
Title: Re: Can someone explain this to me(about sandbox)
Post by: Gopher John on July 10, 2012, 04:27:34 PM
> I guess more than 6 years without any kind of malware problems is not enough proof that I don't need SP3

Actually, no.  There's just too many vulnerability patches included in SP3.  See List of fixes that are included in Windows XP Service Pack 3 (http://support.microsoft.com/kb/946480).  Beyond that, you are also missing all the vulnerability patches that have been released by Microsoft to Automatic updates on July 10, 2008 since then.  WinXP SP2 is a veritable sieve of an OS compared to a fully updated WinXP SP3, which by the way is still being supported with security patches.  No OS is completely free of security risks, but there is no reason to stay with an OS with so many known vulnerabilities.
Title: Re: Can someone explain this to me(about sandbox)
Post by: cooby on July 10, 2012, 05:19:52 PM
Vsub,
see old post#7 here
http://forums.zonealarm.com/showthread.php?t=72599
Tclockx is safe, but since it uses DDE, Avast's caution is warranted IMO.
Title: Re: Can someone explain this to me(about sandbox)
Post by: SafeSurf on July 11, 2012, 11:55:25 AM
I have discussed the issue of upgrading the OP's OS in a previous thread (http://forum.avast.com/index.php?topic=100457.0) but he wanted to stay with SP2.  That is why I made my comment earlier in this thread because I knew his opinion.  I agree with what everyone else is saying here -> the OP is more vulnerable to malware with an outdated OS and should update it...but it is his machine.  However I also do not understand why he wants his other settings set to paranoid level with an outdated OS either.

vsub, we help many users and it seems to all of us trying to help you that it is more important to upgrade your OS at this point.  You might want to consider this.  We are just trying to help you.
Title: Re: Can someone explain this to me(about sandbox)
Post by: vsub on July 11, 2012, 01:08:49 PM
> However I also do not understand why he wants his other settings set to paranoid level with an outdated OS either.

And I don't understand that thinking either.
Why shouldn't I set all settings on such a level, why do they exist if you don't need them if you have the newest SP.
Are you saying that I should lower the protection avast is giving me if I install the SP3... with that thinking, why do I need antivirus software.

Since I'm using an outdated OS, I should be enabling all settings, not the other way around.

I won't be using the sandbox anyway... it's slowing down starting of the programs way too much (along with suspecting everything at random)
Title: Re: Can someone explain this to me(about sandbox)
Post by: SafeSurf on July 11, 2012, 01:19:59 PM
Like I politely said before in the other thread, this is your machine and you can do what ever you wish to do with it that you want.
Title: Re: Can someone explain this to me(about sandbox)
Post by: Gopher John on July 11, 2012, 03:17:04 PM
>> However I also do not understand why he wants his other settings set to paranoid level with an outdated OS either.
>
> And I don't understand that thinking either.
> Why shouldn't I set all settings on such a level, why do they exist if you don't need them if you have the newest SP.
> Are you saying that I should lower the protection avast is giving me if I install the SP3... with that thinking, why do I need antivirus software.
>
> Since I'm using an outdated OS, I should be enabling all settings, not the other way around.
>
> I won't be using the sandbox anyway... it's slowing down starting of the programs way too much (along with suspecting everything at random)

First, I can understand a person that knows that they are running a highly vulnerable OS would want to go to extreme measures to protect it.  IOW, I can see your point about the high settings in Avast.  However, setting them all to paranoid will also potentially cause more false positives (as it would with most AVs), and as there is some interaction between shields may cause the AutoSandbox to be far more active.

Running an extremely vulnerable OS leads to the logic (rightly so) of needing extreme protection, which leads to more alerts and blocking of programs running.  It's a downward spiral.

However, as SafeSurf said, it is your system.  You can do as you wish, and it won't affect the rest of us in the least.
Title: Re: Can someone explain this to me(about sandbox)
Post by: bruce_b on July 11, 2012, 03:32:05 PM
I would also suggest the OP does the update to XP SP3 .. the only time this can be an issue
is with some older computers running an AMD CPU .. the benefits of SP3 and the fact that
Microsoft will be ending support for XP are reasons enough to be up to the latest security patches.
I also run XP Pro on my computer and it is fully up to date.