Author Topic: AutoSandbox = a tax on developers  (Read 6720 times)

0 Members and 1 Guest are viewing this topic.

chrisnash

  • Guest
AutoSandbox = a tax on developers
« on: November 25, 2012, 07:08:29 PM »
Dear Avast,

I am a developer of award-winning music software, which I distribute on a not-for-profit basis. Recently, I learnt that my program, reViSiT, originally a plugin (.dll) but also now available as a standalone program (.exe), is automatically sandboxed by your AV software - the reason given is "The file prevalence/reputation is low." In other words, it is not popular enough to be allowed to run. This is unacceptable.

Searching your forums, two workarounds have been proposed, each with issues for developers:

1) The user manually allows the program to run.

The default "Auto" AutoSandbox mode means that the program is terminated as, or even before, the user can click the "Continue" button. Worse still, the user is able to interact with the program for 10-15 seconds before it is abruptly terminated. The "Ask" mode is not much better - intervening to tell the user that the program is "suspicious" and "potentially harmful", even before it has run. In either case, the user not only gets the impression that the software is malware, but must jump through hoops simply to run it - not to mention users who might attribute the termination to a fault of the software, rather than to Avast.

Presumably, once the software becomes more popular, the reputation goes up. But perhaps you've forgotten what it's like for a small developer to introduce a new product: how important that first impression is; how the first few seconds and minutes of interaction will determine whether users stay interested or not. I have spent hours and hours refining the installation process to be as seamless as possible, only to have your software make that absolutely worthless.

Bottomline: Many users will abandon the software, rather than risk "malware"; or be otherwise disinclined to manually authorise it. The very presence of AutoSandbox makes it harder for programs to build a reputation.

2) The developer signs their executable with a code signing certificate.

On the face of it, this seems quite reasonable - and I'm more than happy to sign my name on my program. I'm very proud of it. I want people to know who made it. I even want people to know who to turn to when they have problems.

But, of course, it's not that simple. Someone else has to sign that certificate. A Certificate Authority, specifically one trusted by services like Avast. This costs money, potentially a lot. Here's some examples:

Thawte - $299/year.
Verisign - $499/year.
Comodo - $199/year.

Supposedly, there are a couple of more affordable routes (but not really):

* Intel's AppUp programme generously offers a "free" Comodo certificate - but good luck getting past Comodo's validation process and abysmal customer service if you're not a (paying?) business customer. As an individual, I repeatedly receive requests from Comodo for validation documents I do not have (and keep telling them I don't have).
* CACert offers certificates signed by other (already trusted) developers. However, many browsers (e.g. Chrome), systems (e.g. Windows) and services do not themselves trust CACert certificates (as Chrome ironically warns you when you try to log into the secure part of the CACert website).
* StartSSL is a young firm that only charges for the verification process, not the certificates, and will verify your identity for only $59.90. However, while this enables you to sign your executable, you can't timestamp it, which means that when your certificate expires, any program signed with it (even if released while the certificate was valid) is no longer certified. And if you then renew your certificate, you'll need to re-sign, re-release and redistribute old versions of your software for users to carry on using it. To enable time-stamping on StartSSL certificates, you need to pay for Extended Validation (an EXTRA $140 = $199 total). They're probably still cheaper than their competitors, and the customer service also appears better, but it's still an expense many developers can't afford.

Bottomline: Developers must pay to lift the Avast embargo on their software. Is it not enough that developers spend hours (years, in this case) developing software only to give it away? I now have to pay to permit others to use it?

---

Unless there's a solution I've missed, your AutoSandbox feature will kill small, independent developers. All newly-released unsigned (yet legitimate) software will appear as malware. This is a False Positive of epic proportions. I urge you to reconsider this feature, the language it uses, have it default to disabled, and instead adopt an "innocent until proven malware" approach.

I look forward to Avast's reply, but I would also urge all developers (and affected users) to post here with your own experiences, comments and opinions.

Yours faithfully,
Chris Nash
Developer
http://revisit.info

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: AutoSandbox = a tax on developers
« Reply #1 on: November 25, 2012, 07:31:20 PM »
Quote
This is a False Positive of epic proportions.
i would not call suspicious a false positive as it is not detected as anything yet.......thats why it is suspicious   ;)

some sandbox info here   https://blog.avast.com/2012/03/20/autosandbox-why-are-you-annoying-me/

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48818
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: AutoSandbox = a tax on developers
« Reply #2 on: November 25, 2012, 07:41:21 PM »
I don't know why you're picking on avast! when Microsoft enters the picture before avast! ever get's it's opportunity:



« Last Edit: November 25, 2012, 07:44:41 PM by bob3160 »
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

TheHulk

  • Guest
Re: AutoSandbox = a tax on developers
« Reply #3 on: November 25, 2012, 08:12:41 PM »
Same here the sandbox has really messed up my laptop because of crashes.

so I have to clean install and replace It with AVG or MSE

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48818
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: AutoSandbox = a tax on developers
« Reply #4 on: November 25, 2012, 08:25:03 PM »
Same here the sandbox has really messed up my laptop because of crashes.

so I have to clean install and replace It with AVG or MSE
Sounds like you've got something else going on in your computer since the sandbox isn't going to mess up your computer.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

chrisnash

  • Guest
Re: AutoSandbox = a tax on developers
« Reply #5 on: November 25, 2012, 08:57:48 PM »
Pondus:

"Suspicious" is the equivalent of a "false positive" when Avast only needs a "suspicion" to act; to interfere with the running of a legitimate program. Moreover, when a "suspicion" is based on "no information" it has no basis - it is an unfounded suspicion. It is the very definition of paranoia to suspect someone or something without evidence.

bob3160:

Thanks for bringing that to my attention. I was not aware of the issue with SmartScreen in Windows 8. Many browsers have guarded against downloading .exe files for a long time, which is why v1.6 and before were also available in .zip format. However, the latest version of my software uses Windows Installer (.msi), which (at least in IE9) SmartScreen does not appear to interfere with. How does Windows 8 behave with v1.7 of my software?

I don't know if it should be important to my argument - whether developers are forced to create a Windows Installer or forced to buy a certificate - but time is something small developers have a lot more of than money, so if they can satisfy SmartScreen without paying for the privilege, it's likely to irk less people. (I also believe that just because a large firm makes a questionable decision, it shouldn't prevent people from questioning subsequent, similar moves by others. Indeed, they should better know how such decisions will be received.)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: AutoSandbox = a tax on developers
« Reply #6 on: November 25, 2012, 10:49:28 PM »
Quote
It is the very definition of paranoia to suspect someone or something without evidence.
yepp, with the amount of malware that is found everyday i guess it is sandbox first and ask later...
what are those saying that got infected by a new file....and sandbox did not ask


Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6699
  • Trust only what you test yourself!
Re: AutoSandbox = a tax on developers
« Reply #7 on: November 25, 2012, 11:24:21 PM »
Any user has the option to set the autosandbox to "ask".
The fact that something is blocked/sandboxed is testimony to its effectiveness.  :)
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: AutoSandbox = a tax on developers
« Reply #8 on: November 25, 2012, 11:46:15 PM »
Hi chrisnash,

Yes those are the disadvantages for small developers and open software developers as such. That is why an anti-malware whitelisting policy should be maintained, where the reliable and trusted software could be given a clean bill of health and the malicious or reverse engineered (pirated & fraudulent or malvertised) versions would be halted. That is an ideal situation in an ideal world and protecting your software from malcreants has also become a burden of the modern software developer.
Do not think we do not consider your situation.
A clean bill from this tool could be helpful to assist a report: http://www.backgroundtask.eu/Applications/FTR1_Index.php
If you are a developer and have some software that needs clearing from PUP or riskware detection contact virusATavast.com and file a report.

polonus
« Last Edit: November 25, 2012, 11:48:19 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

chrisnash

  • Guest
Re: AutoSandbox = a tax on developers
« Reply #9 on: November 26, 2012, 04:30:50 AM »
Para-noid:

Many users will not go near the "ask" setting (whether because of fear, laziness or ignorance), and if you'll read my post, the "Ask" mode is itself not exactly flattering to unknown programs.

Your second statement is more worrying though. It's tantamount to saying that the mere act of interring someone is testimony to the effectiveness of a justice system - and, in this case, one that accuses and sentences based on the lack of any reputation and total absence of evidence. Very Kafkaesque. By the same token, a system that blocked everything you ever tried to run would also be effective, but how useful? And if indiscriminately blocking programs is what you're after, why use Avast, when Malware will work just fine?

Polonus:

Thank you for your response. It's very useful to know about FTR - I have now run it on several of my most recently-released installers and programs. Some are "Safe" and the others "Low Risk" (presumably due to the lack of information). Whether a result of my scan or not, Avast does not appear to complain about the most recent public version of reViSiT Standard (v1.7.3) when run as an .exe. It still complains about the Professional Edition, which is less widespread. It would be very useful to know more about any steps to improve reputations that do not include paying for certification.

Does Avast FileRep use the FTR database? If so, does any other software?
Are there other similar whitelist databases and tools used by other virus killers I should be aware of?
Is there a resource for developers where we can learn more about the proper procedures and best practices for releasing shareware?
(Avast's page about AutoSandboxing annoyances has little information for developers.)

Agics' efforts are laudable, but the process is very much a black box. Their Hash Scan, for example, told me my system was at "Medium Risk", but absolutely nothing else - not even which processes or programs warranted such a score. How established / well-used are their products?

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48818
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: AutoSandbox = a tax on developers
« Reply #10 on: November 26, 2012, 01:46:00 PM »
Your latest version isn't being sandboxed nor is it being stopped by MS.
If a version is falsely reported as suspicious and winds up being sandboxed,
you an always report it to Avast so it can be excluded:
http://www.avast.com/contact-form.php?loadStyles
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet