Question about AutoSandbox in v6.0.1000

[MHJ]

Hi,

i am using the latest version 6.0.1000 of avast Free Edition and want to know, if the AutoSandbox is making it's decisions based on behaivor only or also based on some sort of whitelists that are included in the virus-db updates?

i am using the latest version of Gene6 FTP Server Professional (http://www.g6ftpserver.com/en/home) and the AutoSandbox asks me if i want to load it in Sandbox or normal mode, which i find very annoying, even though i can just add it to the exception list and start it normally. i would rather use the auto mode on the sandbox so i don't get bothered every time and let potential harmful programs run temporaly sandboxed, send it to avast av-labs automatically and in the next db-update (after the program was cleared from being harmful), the program gets recognized and removed from sandbox mode.

is this already the case or will it be implemented in the future?

[Lisandro]

Behavior, not withelists at all.
Corrections are done by virus definitions update.
Not all the files are uploaded and analyzed and it is avast, not the user, who controls which files will be uploaded.

[DavidR]

@ MHJ
Are you not checking the Remember my answer for this program, see image ?
That should effectively be setting an exclusion.

I have the auto-sandbox set to Ask and it has that 'Remember my answer for this program' in the alert screen, and clicking that option in the alert adds the entry to the auto-sandbox exclusions, see example image2.

[sded]

AutoSandbox is actually controlled by File System Shield, per discussion by Igor at http://forum.avast.com/index.php?topic=72517.msg604738#msg604738

[MHJ]

@ MHJ
Are you not checking the Remember my answer for this program, see image ?
That should effectively be setting an exclusion.

I have the auto-sandbox set to Ask and it has that 'Remember my answer for this program' in the alert screen, and clicking that option in the alert adds the entry to the auto-sandbox exclusions, see example image2.

yes i have, but i simply don't like it. Maybe it's just me but i don't feel more secure with a sandbox now. that's why i disabled it completly. why would the sandbox even react to a ftp server that is around already for so many years? i can't see a reason for that. if it reacts to every application that leaves a port open, what ftp servers usually do , many people will have a sandbox alert due to nothing bad, aka for no reason.

i think that the sandbox with it's current limitations is really a useless feature because now there will be millions of unneeded warnings floating around to like millions of users just because they use a ftp server. that's just producing unwanted hysteria.

my point is even if i add this ftp server to the exception list, what sense does it have if i switch ftp servers in the future and every time i do that or something similar there's a sandbox alert again? it simply doesn't make me feel more secure.

[doktornotor]

yes i have, but i simply don't like it. Maybe it's just me but i don't feel more secure with a sandbox now. that's why i disabled it completly. why would the sandbox even react to a ftp server that is around already for so many years? i can't see a reason for that. if it reacts to every application that leaves a port open, what ftp servers usually do , many people will have a sandbox alert due to nothing bad, aka for no reason.

IIRC, even Windows firewall reacts if you run an application that behaves like a server for the first time. Installing servers is not something users do on their desktop boxes all the time. Other than that, read the article I have linked.

[DavidR]

<snip>
yes i have, but i simply don't like it. Maybe it's just me but i don't feel more secure with a sandbox now. that's why i disabled it completly. why would the sandbox even react to a ftp server that is around already for so many years? i can't see a reason for that. if it reacts to every application that leaves a port open, what ftp servers usually do , many people will have a sandbox alert due to nothing bad, aka for no reason.

Something that has been around for years doesn't really make that much difference as I'm shure there is no parameter as to how long a program has been around, if it is even known. If the file was digitally signed (probably not if it has been around for years) then that would possibly be one criteria to suggest the sandbox along with others. We don't know if it leaving a port open or not would be one of the parameters considered.

i think that the sandbox with it's current limitations is really a useless feature because now there will be millions of unneeded warnings floating around to like millions of users just because they use a ftp server. that's just producing unwanted hysteria.

That is the whole reason why you should keep it enabled and use the remember my answer in conjunction with fact you want it run normally, as that information is likely to be transmitted using the avast Community function if you have it enabled.

my point is even if i add this ftp server to the exception list, what sense does it have if i switch ftp servers in the future and every time i do that or something similar there's a sandbox alert again? it simply doesn't make me feel more secure.

If everyone abandoned the auto-sandbox who would the myriad of different applications out there be recognised.

With it disabled the day that you actually need it, then it isn't there to provide that extra security.

[MHJ]

That is the whole reason why you should keep it enabled and use the remember my answer in conjunction with fact you want it run normally, as that information is likely to be transmitted using the avast Community function if you have it enabled.

ok thanks for this answer because that is a good reason to use it then, and basicly what i was asking in the first place.

threat is fine to get closed now

[DavidR]

You're welcome.