Author Topic: Sandbox False Positive Thread  (Read 4258 times)


BRANDONN2008

  • Guest
Sandbox False Positive Thread
« on: March 24, 2011, 02:47:43 AM »
Hello. I don't think there's a thread like this. If there is an easier way to let the developers know of false positives for the sandbox, please let me know, otherwise I think they could be posted here.

The first was on my neighbor's computer. I was uninstalling HP Games, and the sandbox tried to isolate EACH ONE, about 30.

The second was today on my computer. I was running the uninstaller for NetBeans 6.9.1.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Sandbox False Positive Thread
« Reply #1 on: March 24, 2011, 02:56:47 AM »
What's a FP for a sandbox...???
If your sig is right, update...!!! ;)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89021
  • No support PMs thanks
Re: Sandbox False Positive Thread
« Reply #2 on: March 24, 2011, 03:20:40 AM »
Exactly, what is an FP for the sandbox, since you are talking about the auto-sandbox, it isn't making a determination that what it is flagging is infected.

The file system shield (FSS) is the first avast shield to come across the executable file and depending on what is known about that file, is it digitally signed or in the avast persistent cache, what location is it in, also probably using the Emulation function in the FSS would pass that off to the auto-sandbox for action/response.

That may be to run it sandboxed or to allow it, of course you can change the Auto-Sandbox mode in the settings to Ask rather than Auto. That way anything passed to the sandbox lets you know the recommended action, which you can change and you can allow it and 'Remember my answer for this program' if you are confident that there is nothing wrong with it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

BRANDONN2008

  • Guest
Re: Sandbox False Positive Thread
« Reply #3 on: March 24, 2011, 06:38:20 AM »
Sorry I wasn't very clear. I mean that it is asking to isolate a safe application.

doktornotor

  • Guest
Re: Sandbox False Positive Thread
« Reply #4 on: March 24, 2011, 09:57:19 AM »
> Sorry I wasn't very clear. I mean that it is asking to isolate a safe application.

Yes, and what is the problem? That's exactly what this feature is supposed to do.  ??? ??? ???

PoP

  • Guest
Re: Sandbox False Positive Thread
« Reply #5 on: March 24, 2011, 11:17:27 AM »
During the past 2 weeks the auto-sandbox has warned me
about 20 executables. All of them were safe applications
I've been using for years.
Don't you think it's disturbing ?
Ok you'll say I just have to make Avast remember
my last action for this file and it will execute it normally.
ERROR !!!! Yes, if you do so, Avast does not show the dialog
BUT It still takes 5 SECONDS to think about it before it
launches the exe !!!

The only way I have found to recover a fast launch is to
exclude the file from the whole real time system, just like
I do for a false positive.
See why there should be white sigs for the sandboxing system.

doktornotor

  • Guest
Re: Sandbox False Positive Thread
« Reply #6 on: March 24, 2011, 11:42:42 AM »
> See why there should be white sigs for the sandboxing system.

Don't get me started with whitelists - see current Comodo fiasco with fraudulent MS/Google/Yahoo/Skype/Mozilla certificates.  >:( :-X

The feature is under development and it has been explained quite a couple of times how it works and what is the purpose, use http://forum.avast.com/index.php?action=search

Meanwhile, if you dislike it, disable it.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Sandbox False Positive Thread
« Reply #7 on: March 24, 2011, 11:48:17 AM »
> BUT It still takes 5 SECONDS to think about it before it
> launches the exe !!!

That, however, has nothing to do with the autosandboxing feature.
The executable is probably packed by some strange runtime packer - and the on-access scanner needs some time to unpack/emulate it.

BRANDONN2008

  • Guest
Re: Sandbox False Positive Thread
« Reply #8 on: March 25, 2011, 01:58:05 AM »
> > Sorry I wasn't very clear. I mean that it is asking to isolate a safe application.
>
> Yes, and what is the problem? That's exactly what this feature is supposed to do.  ??? ??? ???

I must have misunderstood what the sandbox was supposed to do. I thought it was supposed to isolate applications displaying suspicious behavior, but not isolate legitimate ones. Since it doesn't have a whitelist I guess I understand.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Sandbox False Positive Thread
« Reply #9 on: March 25, 2011, 02:01:18 AM »
Autosandbox detects suspicious files on access.
Sandbox runs specific (selected) applications on demand.
The best things in life are free.