Author Topic: Which files (executables) are started into the AutoSandbox  (Read 10837 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Which files (executables) are started into the AutoSandbox
« on: February 27, 2011, 10:25:21 PM »
Can a comprehensive list of them be made?

I suppose the AutoSandbox is only related to executables.
I also suppose that infected files are first blocked by the antivirus (and not run autosandboxed).
I suppose there isn't a whitelist. Am I right?

1. Behavior Shield detects it as suspicious (heuristic/behavior analysis).
2. Files not digitally signed.
3. ...
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11761
    • AVAST Software
Re: Which files (executables) are started into the AutoSandbox
« Reply #1 on: February 27, 2011, 10:29:12 PM »
No, there's no list.
It's heuristics inside the virus database, potentially changing very often.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Which files (executables) are started into the AutoSandbox
« Reply #2 on: February 27, 2011, 10:40:33 PM »
What about number 2?

Offline sded

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1718
  • Me llamo Ed
Re: Which files (executables) are started into the AutoSandbox
« Reply #3 on: February 27, 2011, 10:46:53 PM »
I have been running unsigned programs from flash drives as test cases, but even then I find an occasional small .exe that doesn't ring up the AutoSandbox for some unknown reason. No AS reaction to the same files when run from the C: drive. CurrPorts, for example, http://www.nirsoft.net/utils/cports.html, doesn't seem to do anything that interests AS even from a flash drive. There were some I saw on earlier versions, but as Igor says they were FPs and have been updated. Done so well we get questions whether AS is even working. ;)
Windows 7 x64HP-SP1-No UAC, Opera 11.51, Avast! Internet Security 6.0.128, Webroot SecureAnywhere latest beta, Windows FW off, MVPS HOSTS, SAS/MBAM offline, Macrium Reflect just in case ;)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11761
    • AVAST Software
Re: Which files (executables) are started into the AutoSandbox
« Reply #4 on: February 27, 2011, 11:43:02 PM »
What about number 2? Probably, I'm not sure.
But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Which files (executables) are started into the AutoSandbox
« Reply #5 on: February 28, 2011, 01:40:24 AM »
But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
If so, well, how is a file classified as suspicious then?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11761
    • AVAST Software
Re: Which files (executables) are started into the AutoSandbox
« Reply #6 on: February 28, 2011, 01:52:02 AM »
A number of rules, formulas and methods that I'm really not going to try to explain (even if I knew them, which I don't) - because there is no simple explanation (and the stuff is being continuously tuned/extended).
So, the best answer, I'm afraid, is - "heuristics".

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Which files (executables) are started into the AutoSandbox
« Reply #7 on: February 28, 2011, 01:56:37 AM »
Heuristics... tested by the VPS? By the Behavior Shield?
Who performs the tests on access?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11761
    • AVAST Software
Re: Which files (executables) are started into the AutoSandbox
« Reply #8 on: February 28, 2011, 09:30:49 AM »
I'm not sure what you are asking about...
Who performs tests when starting an application? Well, the File System Shield does... and, as an auxiliary result of that scan, the information about the "autosandbox suspiciousness" is returned - and used. Note that the AutoSandbox settings are in the File System Shield settings.

The Behavior Shield isn't really part of this... because the decision on whether to (auto)sandbox the application or not has to be done in advance, before the application is really started - while the Behavior Shield monitors the behavior of the application when it's already running, i.e. later.

Offline danny96

  • Malware Fighter
  • Advanced Poster
  • **
  • Posts: 668
  • No-malware!
Re: Which files (executables) are started into the AutoSandbox
« Reply #9 on: February 28, 2011, 09:34:56 AM »
What about number 2? Probably, I'm not sure.
But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
I think that number 2 is yes, because I tried to run an unsigned app and the avast! sandbox suggested sandboxing it.
Real-time protection and Firewall: COMODO Internet Security 12.0.0.6810 -- Additional Protection: Web Of Trust, Ublock, NoScript, Malwarebytes Premium, Avast! Online Security, Hitman Pro -- OS: Windows 10

Offline Sparxx

  • Sr. Member
  • ****
  • Posts: 339
  • www.romanism.ro
Re: Which files (executables) are started into the AutoSandbox
« Reply #10 on: February 28, 2011, 10:30:11 AM »
What about number 2? Probably, I'm not sure.
But actually, it's got nothing to do with number 1 - it's mostly, though probably not 100%, unrelated to the Behavior Shield.
I think that number 2 is yes, because I tried to run an unsigned app and the avast! sandbox suggested sandboxing it.

Not necessarily true, as it may sandbox one unsigned app and not sandbox another one, also unsigned.
|| MB : Gigabyte GM880-UD2H || CPU : AMD Athlon II 620 || GPU : Sapphire Radeon R9 270X || RAM : 6 Gb DDR3 1600 ||  HDD : 250GB/500GB/1TB || OS  :Windows 8.1 Professional x64 || Avast IS 9 ||

Offline avoidz

  • Jr. Member
  • **
  • Posts: 54
Re: Which files (executables) are started into the AutoSandbox
« Reply #11 on: February 28, 2011, 01:39:57 PM »
Sandboxing flagged metapad - http://liquidninja.com/metapad/ - (which I've used without problem for years) under avast! version 6.

I can see how the sandbox mode might be useful, but if it does this frequently for a lot of executables, it could get to be like UAC on Vista.
« Last Edit: February 28, 2011, 01:42:52 PM by marfaw »
DESKTOP: Intel P4 2.4GHz, 1.5GB RAM, 500GB HDD, GeForce FX 5200, Windows XP Pro, avast! 7 Home, Sygate PF Pro | NOTEBOOK: XPS17 Intel i7-2630QM, 8GB RAM, 2x750GB HDD, GeForce GT 555M, Windows 7 64bit, McAfee IS

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3665
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: Which files (executables) are started into the AutoSandbox
« Reply #12 on: February 28, 2011, 01:57:38 PM »
Meaning that the current heuristics can't decide if the file is good or bad. But if you participate in the Avast! Community, Avast! uses this information to improve the heuristics, which will be provided through the VPS updates. The more users who adopt the AutoSandbox, the faster it will improve.

Greetz, Red.
OS: Win 10 / Debian / Tails / iOS
Real Time: Avast Premium Security
VPN: NordVPN ( NordLynx ) with Cybersec

Offline avoidz

  • Jr. Member
  • **
  • Posts: 54
Re: Which files (executables) are started into the AutoSandbox
« Reply #13 on: February 28, 2011, 03:18:32 PM »
Another issue with the Sandbox feature is it's going to create some problems for other users I support who have no knowledge of "sandboxing" and prefer invisible protection; just seeing the daily VPS update notification is enough for them. I'm anticipating calls relating to the pop-ups when programs are opened.

I could change the setting to Auto, but for unknown programs would the pop-up still appear?
« Last Edit: February 28, 2011, 03:20:33 PM by marfaw »

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3665
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: Which files (executables) are started into the AutoSandbox
« Reply #14 on: February 28, 2011, 03:43:55 PM »
You only get a small orange/grey pop-up, like the auto update etc. pop-up, that notifies you the application is sandboxed.

Greetz, Red.