Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Lisandro on February 27, 2011, 10:25:21 PM
-
Can a comprehensive list of them be made?
I suppose the AutoSandbox is only related to executables.
I also suppose that infected files are first blocked by the antivirus (and not run autosandboxed).
I suppose there isn't a whitelist. Am I right?
1. Behavior Shield detects it as suspicious (heuristic/behavior analysis).
2. Files not digitally signed.
3. ...
-
No, there's no list.
It's heuristics inside the virus database, changing potentially very often.
-
What about number 2?
-
I have been running unsigned programs from flash drives as test cases but even then I find an occasional small .exe that doesn't ring up the AutoSandbox for some unknown reason. No AS reaction to the same files when run from the C: drive. Currports, for example, http://www.nirsoft.net/utils/cports.html, doesn't seem to do anything that interests AS even from a flash drive. There were some I saw on earlier versions, but as Igor says they were FPs and have been updated. Done so well we get questions whether AS is even working. ;)
-
What about number 2? Probably, I'm not sure.
But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
-
But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
If so, well, how is a file classified as suspicious then?
-
A number of rules, formulas and methods that I'm really not going to try to explain (even if I knew them, which I don't) - because there is no simple explanation (and the stuff is being continuously tuned/extended).
So, the best answer, I'm afraid, is - "heuristics".
-
Heuristics... tested by the vps? by the Behavior Shield?
Who performs the tests on access?
-
I'm not sure what you are asking about...
Who performs tests when starting an application? Well, the File System Shield does... and, as an auxiliary result of that scan, the information about the "autosandbox suspiciousness" is returned - and used. Note that the AutoSandbox settings are in the File System Shield settings.
The Behavior Shield isn't really part of this... because the decision on whether to (auto)sandbox the application or not has to be done in advance, before the application is really started - while the Behavior Shield monitors the behavior of the application when it's already running, i.e. later.
-
What about number 2? Probably, I'm not sure.
But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
I think that number 2 is yes, because I tried to run an unsigned app and the avast! sandbox suggested to sandbox it.
-
What about number 2? Probably, I'm not sure.
But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
I think that number 2 is yes, because I tried to run an unsigned app and the avast! sandbox suggested to sandbox it.
Not necessarily true, as it may sandbox one unsigned app and not sandbox another one, also unsigned.
-
Sandboxing flagged metapad - http://liquidninja.com/metapad/ - (which I've used without problem for years) under avast! version 6.
I can see how the sandbox mode might be useful, but if it does this frequently for a lot of executables, it could get to be like UAC on Vista.
-
Meaning that the current heuristics can't decide if the file is good or bad. But if you participate in the Avast! Community, Avast! uses this information to improve the heuristics, which will be provided through the VPS updates. The more users who adopt the AutoSandbox, the faster it will improve.
Greetz, Red.
-
Another issue with the Sandbox feature is it's going to create some problems for other users I support who have no knowledge of "sandboxing" and prefer invisible protection; just seeing the daily VPS update notification is enough for them. I'm anticipating calls relating to the pop-ups when programs are opened.
I could change the setting to Auto, but for unknown programs would the pop-up still appear?
-
You only get a small orange/grey pop-up, like the auto update etc. pop-up, that notifies you the application is sandboxed.
Greetz, Red.
-
Thanks, but this is the pop-up I was referring to:
(http://img263.imageshack.us/img263/5013/avast6sandbox.png)
This is what I think will cause some confusion, and what is similar to the UAC I mentioned.
-
This is the popup you get if you put it on auto - seems pretty straightforward. Small, in the LR corner.
-
Thnx Ed :)
That is indeed the one I was referring to ;)
Greetz, Red.
-
I'm not sure what you are asking about...
Who performs tests when starting an application? Well, the File System Shield does... and, as an auxiliary result of that scan, the information about the "autosandbox suspiciousness" is returned - and used. Note that the AutoSandbox settings are in the File System Shield settings.
The Behavior Shield isn't really part of this... because the decision on whether to (auto)sandbox the application or not has to be done in advance, before the application is really started - while the Behavior Shield monitors the behavior of the application when it's already running, i.e. later.
Igor, thanks. That's what I was looking for.
-
This is the popup you get if you put it on auto - seems pretty straightforward. Small, in the LR corner.
Thanks for that. So when it's on Auto the alert is a small pop-up in the corner like a VPS update. Does Sandboxing an unknown (but harmless) program affect its performance, or is it negligible or what happens?
-
Does Sandboxing an unknown (but harmless) program affect its performance, or is it negligible or what happens?
Well... it affects the program itself (what it can do, etc.), but performance is not that much affected.
-
By participating in the avast! Community (via the Settings), does this add the programs marked as harmless to a central list and exclude them from the Sandbox in future updates? Or will I have to manually confirm each program as safe on other user's computers?
-
By participating in the avast! Community (via the Settings), does this add the programs marked as harmless to a central list and exclude them from the Sandbox in future updates? Or will I have to manually confirm each program as safe on other user's computers?
There's some logic behind the scenes that tries to optimize the algorithm so that it doesn't alert on files that are harmless (based on the files that we see trigger the autosandbox offer). On the other hand, this logic doesn't take the user's decision into account at all - users aren't usually very good at telling whether a given file is malware or not.
Thanks
Vlk
-
So that means even with the Auto-Sandbox feature there is still no 'known clean' list in the database?
-
So that means even with the Auto-Sandbox feature there is still no 'known clean' list in the database?
No, there isn't a clean list (it was already said by Igor).
-
No, there isn't a clean list (it was already said by Igor).
:'(
-
Why are you sad?
The whitelist approach has a lot of inconveniences...
-
A whitelist will avoid lots of FPs when updating heuristics (even with it at the highest level) and will avoid Auto-Sandbox alerts for harmless files, among many other examples. I don't know what the 'inconveniences' would be of having a small database of common clean files...
-
The Auto setting doesn't work for my usage. It Sandboxed dvbviewer.exe which is a harmless file (a DTV application), gave me the corner pop-up, but no way to un-Sandbox it — unless I manually add it to the exclusion list, which is going to be a pain to have to do to every program that ends up this way.
Sorry, this new feature is not for me.
-
I've also disabled it for this reason.
-
A whitelist will avoid lots of FPs when updating heuristics (even with it at the highest level) and will avoid Auto-Sandbox alerts for harmless files, among many other examples. I don't know what the 'inconveniences' would be of having a small database of common clean files...
Small? You'll get never-ending requests to get something whitelisted. You have to keep up with program updates. There are tons of Windows applications out there. In the end, you end up with a huge database that slows this down horribly. You can go the other way round as well and whitelist the files based on their digital signatures. Most likely that will become useless in the same way the Comodo whitelist failed and actually became a vulnerability in CIS itself instead, after getting vendors of various questionable or straight out malicious software whitelisted.
-
I don't know what will be 'inconveniences' by having a small database of common clean files...
If it is really a whitelist, it won't be small.
If it is small, why would we have one?
Vlk's thoughts: http://forum.avast.com/index.php?topic=64382.msg546016#msg546016
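Two points in this thread can be checked on your own machine rather than argued: whether "not digitally signed" (number 2 in the opening post) actually lines up with what AutoSandbox offers to sandbox, and why a signature-based whitelist (the Comodo point above) is weaker than it sounds. The script below is an added example written for this page; it is not Avast's code and does not read Avast's heuristics or any Avast whitelist (none exists, per Igor and Tech). It walks a folder of executables and reports each file's Authenticode status, signer and SHA-256, then marks a file "trusted" only if the signature chain is valid AND the signer's certificate thumbprint is in a publisher allowlist you supply. The allowlist parameter and the default folder are assumptions for illustration.

```powershell
# Added example (not from the avast! forum thread, nor Avast's own code).
# Lists signature status / signer / SHA-256 for every .exe under a folder so you
# can compare "unsigned" against the files AutoSandbox actually flagged, and shows
# that a VALID signature is not by itself a trust decision: it only says who signed.

param(
    # Assumption: folder where the test executables (e.g. from a flash drive) live.
    [string]$Folder = "$env:USERPROFILE\Downloads",
    # Assumption: thumbprints of publisher certificates YOU decide to trust.
    # Empty by default; a signed file from an unknown publisher stays untrusted.
    [string[]]$TrustedPublisherThumbprints = @()
)

function Get-ExeTrustReport {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string[]]$TrustedThumbprints = @()
    )

    Get-ChildItem -Path $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

            # Status values include NotSigned, Valid, HashMismatch, NotTrusted, UnknownError.
            $status = $sig.Status.ToString()
            $thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '(none)' }

            # "Any valid signature" whitelisting is exactly what let questionable vendors
            # through elsewhere; require a valid chain AND a publisher you chose to trust.
            $publisherTrusted = ($status -eq 'Valid') -and ($TrustedThumbprints -contains $thumb)

            [pscustomobject]@{
                File             = $_.FullName
                SignatureStatus  = $status
                Signer           = $signer
                Thumbprint       = $thumb
                SHA256           = $hash          # a hash allowlist would need a new entry per version
                PublisherTrusted = $publisherTrusted
            }
        }
}

$report = Get-ExeTrustReport -Path $Folder -TrustedThumbprints $TrustedPublisherThumbprints

# Per-file view: sort unsigned files to the top for easy comparison with AutoSandbox popups.
$report | Sort-Object SignatureStatus, File |
    Format-Table -AutoSize File, SignatureStatus, Signer, PublisherTrusted

# Summary: how many files fall into each signature status.
$report | Group-Object SignatureStatus | Select-Object Name, Count
```

Run it against the same folder you ran the test executables from (the thread notes flash-drive launches behaved differently from C: launches, so keep the path the same as in your test) and compare the NotSigned rows with the files that produced the AutoSandbox popup; a signed file that was sandboxed, or an unsigned one that was not, is the counter-example jalbert73 and Tech describe. The SHA256 column is included to make the other half of the whitelist argument concrete: a hash-based clean list has to gain a new entry for every build of every program, while a publisher-based list has to be curated by hand to exclude signers you do not want to trust.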