Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Lisandro on February 27, 2011, 10:25:21 PM

Title: Which files (executables) are started into the AutoSandbox
Post by: Lisandro on February 27, 2011, 10:25:21 PM
Can a comprehensive list of them be made?

I suppose the AutoSandbox is only related to executables.
I also suppose that infected files are first blocked by the antivirus (and not run autosandboxed).
I suppose there isn't a whitelist. Am I right?

1. Behavior Shield detects it as suspicious (heuristic/behavior analysis).
2. Files not digitally signed.
3. ...
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: igor on February 27, 2011, 10:29:12 PM
No, there's no list.
It's heuristics inside the virus database, changing potentially very often.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Lisandro on February 27, 2011, 10:40:33 PM
What about number 2?
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: sded on February 27, 2011, 10:46:53 PM
I have been running unsigned programs from flash drives as test cases but even then I find an occasional small .exe that doesn't ring up the AutoSandbox for some unknown reason. No AS reaction to the same files when run from the C: drive. Currports, for example, http://www.nirsoft.net/utils/cports.html, doesn't seem to do anything that interests AS even from a flash drive. There were some I saw on earlier versions, but as Igor says they were FPs and have been updated. Done so well we get questions whether AS is even working.  ;)
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: igor on February 27, 2011, 11:43:02 PM
> What about number 2?
Probably, I'm not sure.
But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Lisandro on February 28, 2011, 01:40:24 AM
> But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
If so, well, how is a file classified as suspicious then?
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: igor on February 28, 2011, 01:52:02 AM
A number of rules, formulas and methods that I'm really not going to try to explain (even if I knew them, which I don't) - because there is no simple explanation (and the stuff is being continuously tuned/extended).
So, the best answer, I'm afraid, is - "heuristics".
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Lisandro on February 28, 2011, 01:56:37 AM
Heuristics... tested by the VPS? By the Behavior Shield?
Who performs the tests on access?
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: igor on February 28, 2011, 09:30:49 AM
I'm not sure what you are asking about...
Who performs tests when starting an application? Well, the File System Shield does... and, as an auxiliary result of that scan, the information about the "autosandbox suspiciousness" is returned - and used. Note that the AutoSandbox settings are in the File System Shield settings.

The Behavior Shield isn't really part of this... because the decision on whether to (auto)sandbox the application or not has to be done in advance, before the application is really started - while the Behavior Shield monitors the behavior of the application when it's already running, i.e. later.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: danny96 on February 28, 2011, 09:34:56 AM
> What about number 2? Probably, I'm not sure.
> But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
I think that number 2 is yes, because I tried to run an unsigned app and avast! sandbox suggested sandboxing it.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Sparxx on February 28, 2011, 10:30:11 AM
> What about number 2? Probably, I'm not sure.
> But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
> I think that number 2 is yes, because I tried to run an unsigned app and avast! sandbox suggested sandboxing it.

Not necessarily true, as it may sandbox one unsigned app and not sandbox another one, also unsigned.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: avoidz on February 28, 2011, 01:39:57 PM
Sandboxing flagged metapad - http://liquidninja.com/metapad/ - (which I've used without problem for years) under avast! version 6.

I can see how the sandbox mode might be useful, but if it does this frequently for a lot of executables, it could get to be like UAC on Vista.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Rednose on February 28, 2011, 01:57:38 PM
Meaning that the current heuristics can't decide if the file is good or bad. But if you participate in the Avast! Community, Avast! uses this information to improve the heuristics, which will be provided through the VPS updates. The more users who adopt the AutoSandbox, the faster it will improve.

Greetz, Red.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: avoidz on February 28, 2011, 03:18:32 PM
Another issue with the Sandbox feature is it's going to create some problems for other users I support who have no knowledge of "sandboxing" and prefer invisible protection; just seeing the daily VPS update notification is enough for them. I'm anticipating calls relating to the pop-ups when programs are opened.

I could change the setting to Auto, but for unknown programs would the pop-up still appear?
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Rednose on February 28, 2011, 03:43:55 PM
You only get a small orange/grey pop-up, like the auto update etc. pop-up, that notifies you the application is sandboxed.

Greetz, Red.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: avoidz on March 01, 2011, 03:23:55 AM
Thanks, but this is the pop-up I was referring to:

(http://img263.imageshack.us/img263/5013/avast6sandbox.png)

This is what I think will cause some confusion, and what is similar to the UAC I mentioned.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: sded on March 01, 2011, 03:29:57 AM
This is the popup you get if you put it on Auto; seems pretty straightforward. Small, in the LR corner.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Rednose on March 01, 2011, 03:36:38 AM
Thanks Ed :)

That is indeed the one I was referring to ;)

Greetz, Red.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Lisandro on March 01, 2011, 12:23:20 PM
> I'm not sure what you are asking about...
> Who performs tests when starting an application? Well, the File System Shield does... and, as an auxiliary result of that scan, the information about the "autosandbox suspiciousness" is returned - and used. Note that the AutoSandbox settings are in the File System Shield settings.
>
> The Behavior Shield isn't really part of this... because the decision on whether to (auto)sandbox the application or not has to be done in advance, before the application is really started - while the Behavior Shield monitors the behavior of the application when it's already running, i.e. later.
Igor, thanks. That's what I was looking for.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: avoidz on March 01, 2011, 01:00:08 PM
> This is the popup you get if you put it on Auto; seems pretty straightforward. Small, in the LR corner.

Thanks for that. So when it's on Auto the alert is a small pop-up in the corner like a VPS update. Does Sandboxing an unknown (but harmless) program affect its performance, or is it negligible or what happens?
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Lisandro on March 01, 2011, 01:09:20 PM
> Does Sandboxing an unknown (but harmless) program affect its performance, or is it negligible or what happens?
Well... it affects the program itself (what it can do, etc.) but, performance is not that much affected.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: avoidz on March 01, 2011, 01:52:56 PM
By participating in the avast! Community (via the Settings), does this add the programs marked as harmless to a central list and exclude them from the Sandbox in future updates? Or will I have to manually confirm each program as safe on other user's computers?
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Vlk on March 01, 2011, 02:03:30 PM
> By participating in the avast! Community (via the Settings), does this add the programs marked as harmless to a central list and exclude them from the Sandbox in future updates? Or will I have to manually confirm each program as safe on other user's computers?

There's some logic behind the scenes that tries to optimize the algorithm so that it doesn't alert on files that are harmless (based on the files that we see trigger the autosandbox offer). On the other hand, this logic doesn't take the user's decision into account at all - users aren't usually very good at telling whether a given file is malware or not.

Thanks
Vlk
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Omid Farhang on March 01, 2011, 02:18:04 PM
So it means that even with the Auto-Sandbox feature there is still no 'known clean' list in the database?
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Lisandro on March 02, 2011, 02:32:53 AM
> So it means that even with the Auto-Sandbox feature there is still no 'known clean' list in the database?
No, there isn't a clean list (it was already said by Igor).
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Omid Farhang on March 02, 2011, 10:43:38 AM
> No, there isn't a clean list (it was already said by Igor).
:'(
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Lisandro on March 02, 2011, 12:36:26 PM
Why are you sad?
The whitelist approach has a lot of inconveniences...
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Omid Farhang on March 02, 2011, 01:11:12 PM
A whitelist will avoid lots of FPs when updating heuristics (even with it at the highest level) and will avoid Auto-Sandbox alerts for harmless files, among many other examples. I don't know what the 'inconveniences' would be of having a small database of common clean files...
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: avoidz on March 02, 2011, 01:36:47 PM
The Auto setting doesn't work for my usage. It Sandboxed dvbviewer.exe which is a harmless file (a DTV application), gave me the corner pop-up, but no way to un-Sandbox it — unless I manually add it to the exclusion list, which is going to be a pain to have to do to every program that ends up this way.

Sorry, this new feature is not for me.
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: privateofcourse on March 02, 2011, 02:25:03 PM
I've also disabled it for this reason.

Title: Re: Which files (executables) are started into the AutoSandbox
Post by: doktornotor on March 03, 2011, 09:10:09 PM
> A whitelist will avoid lots of FPs when updating heuristics (even with it at the highest level) and will avoid Auto-Sandbox alerts for harmless files, among many other examples. I don't know what the 'inconveniences' would be of having a small database of common clean files...

Small? You'll get never-ending requests to get something whitelisted. You have to keep up with program updates. There are tons of Windows applications out there. In the end, you end up with a huge database that slows this down horribly. You can go the other way round as well and whitelist the files based on their digital signatures. Most likely that will become useless in the same way the Comodo whitelist failed and actually became a vulnerability in CIS itself instead, after getting vendors of various questionable or straight-out malicious software whitelisted.
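Two checks come up in passing in this thread: whether an executable is digitally signed (point 2 of the opening post) and the idea, raised just above, of whitelisting files by their digital signature. The script below is an added example written for this page; it is not avast! code and says nothing about how AutoSandbox actually decides. It parses the PE headers to report whether a file carries an embedded Authenticode signature at all, which is the cheap precondition any signature-based whitelist would have to start from. It reports presence only: it does not validate the file hash, the PKCS#7 signature or the certificate chain (PowerShell's Get-AuthenticodeSignature or Sysinternals sigcheck do that), and it will report Windows components that are signed through a .cat catalog rather than an embedded blob as unsigned, which is one reason "unsigned" is a weaker criterion than it sounds. The sample images (UNSIGNED_PE32, SIGNED_PE32, SIGNED_PE32PLUS) and SAMPLE_PKCS7 are constructed header-only stubs built by _build_pe, not real binaries or a real signature.

```python
"""Report whether a Windows PE file carries an embedded Authenticode signature.

Added example for this thread, not avast! code. It only checks that the PE's
Security data directory points at a WIN_CERTIFICATE blob of PKCS#7 type; it
does NOT verify the signature, the file hash or the certificate chain.
"""
import struct
from typing import Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index into the optional header's data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode blobs are PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def _optional_header(data: bytes) -> Tuple[int, int, int]:
    """Locate the optional header; return (offset, SizeOfOptionalHeader, Magic)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20                                              # COFF header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    return opt, size_of_opt, magic


def security_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (file_offset, size) of the certificate table, or None if there is none.

    Unlike every other data directory, the Security entry holds a raw file offset
    rather than an RVA, because the signature blob lives outside any section.
    """
    opt, size_of_opt, magic = _optional_header(data)
    if magic == 0x10B:        # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:      # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)    # NumberOfRvaAndSizes
    entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_opt:
        return None               # directory table too short to hold the entry
    off, size = struct.unpack_from("<II", data, entry)
    if off == 0 or size == 0:
        return None
    return off, size


def has_authenticode(data: bytes) -> bool:
    """True if an embedded PKCS#7 Authenticode blob is present (presence, not validity)."""
    sd = security_directory(data)
    if sd is None:
        return False
    off, size = sd
    if size < 8 or off + size > len(data):
        return False              # blob points past EOF: truncated or tampered, treat as unsigned
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)   # WIN_CERTIFICATE
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= size


# --- constructed sample images: headers only, not runnable binaries (assumption) ---
SAMPLE_PKCS7 = b"\x30\x82\x00\x00" + b"\x00" * 12   # placeholder bytes, not real SignedData


def _build_pe(pe32plus: bool, cert: Optional[bytes]) -> bytes:
    magic, dd_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    size_of_opt = dd_off + 16 * 8                    # 16 data directory entries of 8 bytes
    e_lfanew = 0x80
    img = bytearray(b"MZ").ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    img = img.ljust(e_lfanew, b"\0") + b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, size_of_opt, 0x22)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, 16)      # NumberOfRvaAndSizes
    body = bytes(img) + bytes(opt) + b"\0" * 0x100   # pretend section data
    if cert is None:
        return body
    win_cert = struct.pack("<IHH", 8 + len(cert), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
    out = bytearray(body)
    entry = e_lfanew + 4 + 20 + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", out, entry, len(body), len(win_cert))   # file offset, size
    return bytes(out) + win_cert


UNSIGNED_PE32 = _build_pe(False, None)
SIGNED_PE32 = _build_pe(False, SAMPLE_PKCS7)
SIGNED_PE32PLUS = _build_pe(True, SAMPLE_PKCS7)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                        # e.g. python pe_sig.py cports.exe
        with open(path, "rb") as f:
            print(path, "embedded Authenticode:", has_authenticode(f.read()))
```

Run it against real files by passing their paths on the command line. A directory entry that points past the end of the file is deliberately reported as unsigned rather than as an error: a signature blob that has been cut off or moved is exactly the tampered case a whitelist check has to fail closed on.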
Title: Re: Which files (executables) are started into the AutoSandbox
Post by: Lisandro on March 04, 2011, 02:36:30 AM
> I don't know what the 'inconveniences' would be of having a small database of common clean files...
If it is really a whitelist, it won't be small.
If it is small, why would we have one?
Vlk's thoughts: http://forum.avast.com/index.php?topic=64382.msg546016#msg546016