Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: BRANDONN2008 on March 24, 2011, 02:47:43 AM

Title: Sandbox False Positive Thread
Post by: BRANDONN2008 on March 24, 2011, 02:47:43 AM
Hello. I don't think there's a thread like this. If there is an easier way to let the developers know of false positives for the sandbox, please let me know, otherwise I think they could be posted here.

The first was on my neighbor's computer. I was uninstalling HP Games, and the sandbox tried to isolate EACH ONE, about 30.

The second was today on my computer. I was running the uninstaller for NetBeans 6.9.1.
Title: Re: Sandbox False Positive Thread
Post by: Asyn on March 24, 2011, 02:56:47 AM
What's a FP for a sandbox...???
If your sig is right, update...!!! ;)
Title: Re: Sandbox False Positive Thread
Post by: DavidR on March 24, 2011, 03:20:40 AM
Exactly, what is an FP for the sandbox? Since you are talking about the auto-sandbox, it isn't making a determination that what it is flagging is infected.

The file system shield (FSS) is the first avast shield to come across the executable file and, depending on what is known about that file (is it digitally signed or in the avast persistent cache, what location is it in, also probably using the Emulation function in the FSS), would pass that off to the auto-sandbox for action/response.

That may be to run it sandboxed or to allow it; of course you can change the Auto-Sandbox mode in the settings to Ask rather than Auto. That way anything passed to the sandbox lets you know the recommended action, which you can change, and you can allow it and 'Remember my answer for this program' if you are confident that there is nothing wrong with it.
Title: Re: Sandbox False Positive Thread
Post by: BRANDONN2008 on March 24, 2011, 06:38:20 AM
Sorry I wasn't very clear. I mean that it is asking to isolate a safe application.
Title: Re: Sandbox False Positive Thread
Post by: doktornotor on March 24, 2011, 09:57:19 AM
> Sorry I wasn't very clear. I mean that it is asking to isolate a safe application.

Yes, and what is the problem? That's exactly what this feature is supposed to do.  ??? ??? ???
Title: Re: Sandbox False Positive Thread
Post by: PoP on March 24, 2011, 11:17:27 AM
During the past 2 weeks the auto-sandbox has warned me
about 20 executables. All of them were safe applications
I've been using for years.
Don't you think it's disturbing ?
Ok you'll say I just have to make Avast remember
my last action for this file and it will execute it normally.
ERROR !!!! Yes, if you do so, Avast does not show the dialog
BUT It still takes 5 SECONDS to think about it before it
launches the exe !!!

The only way I have found to recover a fast launch is to
exclude the file from the whole real time system, just like
I do for a false positive.
See why there should be white sigs for the sandboxing system.
Title: Re: Sandbox False Positive Thread
Post by: doktornotor on March 24, 2011, 11:42:42 AM
> See why there should be white sigs for the sandboxing system.

Don't get me started with whitelists - see current Comodo fiasco with fraudulent MS/Google/Yahoo/Skype/Mozilla certificates.  >:( :-X

The feature is under development and it has been explained quite a couple of times how it works and what is the purpose, use http://forum.avast.com/index.php?action=search

Meanwhile, if you dislike it, disable it.
Title: Re: Sandbox False Positive Thread
Post by: igor on March 24, 2011, 11:48:17 AM
> BUT It still takes 5 SECONDS to think about it before it
> launches the exe !!!

That, however, has nothing to do with the autosandboxing feature.
The executable is probably packed by some strange runtime packer - and the on-access scanner needs some time to unpack/emulate it.
Title: Re: Sandbox False Positive Thread
Post by: BRANDONN2008 on March 25, 2011, 01:58:05 AM
>> Sorry I wasn't very clear. I mean that it is asking to isolate a safe application.
>
> Yes, and what is the problem? That's exactly what this feature is supposed to do.  ??? ??? ???

I must have misunderstood what the sandbox was supposed to do. I thought it was supposed to isolate applications displaying suspicious behavior, but not isolate legitimate ones. Since it doesn't have a whitelist I guess I understand.
Title: Re: Sandbox False Positive Thread
Post by: Lisandro on March 25, 2011, 02:01:18 AM
Autosandbox detects suspicious files on access.
Sandbox runs specific (selected) applications on demand.