AutoSandbox Test Tool

[lil marlau]

I don't have the autosandbox tool installed yet. I tried to install it and got an "malicious warning" from Avast and it closed. I guess it's just a bug with the new version. I will try again in a couple of days.

[bob3160]

I don't have the autosandbox tool installed yet. I tried to install it and got an "malicious warning" from Avast and it closed. I guess it's just a bug with the new version. I will try again in a couple of days.

It's a part of avast! not a separate program

[lil marlau]

That's what I'm saying. A bug. Doesn't recognize itself.

[decroft]

Don't need to test it, sandbox sucks.  On  auto it doesn't trust  Word, Access, Excel, and runs them in  the sandbox.  I'm surpirsed it lets the operating system run.   What a joke, idea is good, but implementation is poor. 

[Dch48]

A word of advice. If you use the avast! gadget, turn it off now. It causes glitches in the auto sandbox. In particular it prevents things from being excluded properly When you tell avast to run the program normally the next time it's supposed to add that program to the sandbox exclusions but if the gadget is running, it doesn't work. It puts a meaningless entry in the exclusions list instead of the actual file. With the gadget turned off,  the exclusion is added  and works properly.

[aklaren]

I like the sanbox feature, but don't quite understand why the sandbox is terminated after the analysis determines that there is NOT enough evidence to mark the file as malware. I would expect it to continue running unless there is ENOUGH evidence to mark it as malware. This means that legitimate processes are terminated when Avast! is unsure.

Also, does Avast! considder all programs that are run directly from the Internet as suspicous or does it look at certain suspicious instructions? I have built a program that a.o. READS the system registry and optionally WRITES the data to a file, but would like it to pass/skip the Avast! analysis (the program is digitally signed with a COMODO code signing certicate). Is there any documentation on this? Thanks.

[DavidR]

There is no point in it continuing to run as it is in a virtual environment, when the sandbox closes all within it would be lost depending on what that application in the sandbox does.

[aklaren]

Thanx for the quick reply. In our case, and I think in many other cases, it does make sense to continue. Why don't you leave it up to the user to decide to continue or stop? Now the application is terminated and the non-technical user will not know what to do and because of the strong warning given, he/she will think our application is malware. BTW: selecting "sandbox" will terminate the application each time (we use the online MS ClickOnce mechanism in IE). 

[Dch48]

In the latest R2 build the ask option of the auto sandbox has been reverted to it's original behavior.  If you set the sandbox to ask, it will then give you a window with the option to run the app either sandboxed or normally. If you tell it to run normally and check off to remember the answer, it will never be sandboxed again.  I'm sure this will be the behavior in the final release of v7 R2. You don't even see the analysis windows and the app does not terminate even if run in the sandbox.

[aklaren]

I updated from 7.0.1407 to the R2 beta 7.0.1414 to try it out, but it looks like the default sandbox option is "auto". That would mean that by default, our application is sandboxed and terminated after 10-15 secs, leaving the user the option to open it next time either in the sandbox (recommended) or normally. The average and the cautious user will use the default, but then each time the analysis is done and the application is terminated. Why?

If I change the autosandbox option to "ask" and tell it to run in the sandbox all works fine. So to use our application (and other similar apps), every Avast! user must either allow it to run normally next time and start our application again or a) first find the autosandbox configuration setting b) change it to "ask", c) run the application and d) confirm that they want to run it in the sandbox. This is quite cumbersome and virtually impossible to explain to beginners (large part of our users).

I would like to suggest that the sandbox is ONLY terminated if the analysis finds ENOUGH evidence that the application is malware. Otherwise, explain to the user that the application is being run in a sandbox and changes are not saved and ask if they want to continue. So e.g. change the OK button to a Yes/No/RunNormally button (with the default to Yes) and change the combobox to a checkbox to remember this choice. This makes much more sense.

In the R2 beta it now shows that the reason for the sandbox is that "The file prevalence/reputation is low". Since our application is initially local and updated frequently, this will usually be the case. But it is signed with a trusted COMODO code signing certificate. Again, is there any further documentation on this?

[aklaren]

In the absence of any further replies , I have done some more testing on v7.0.1426 and it looks like the sandbox is NOT activated in our production environment (anymore?), but only in development and test environments (which are in a subdirectory of the main URL). All environments use the exact same source code (incl a code signing signature), the only difference being the version number: 1.5.0.0 for production vs 1.5.0.1 and 1.5.0.2 for the dev/test environment (as ClickOnce applications in different environments cannot share the exact same version).

I am not sure if the sandbox WAS activated previously in the production environment or only in the dev/test ones. Or could it be that the prevalence/reputation of the 1.5.0.0 version is now "acceptable"? But that would mean that a next version will have the same problem again.

I understand and I "second" the sandbox mechanism, only I do not fully understand why and how it sees some applications as potentially risky and what we can do about it. And as I said earlier, I don't agree to the sandbox being terminated if not enough evidence is found to mark the file as malware.

Can anybody shine some light on this for me please?

[Akash1]

Great tool. Only avast was able to react to it. None of the other auto sandboxing soft or other antivirus. Eg:- Norton , Comodo auto sandbox

[draz]

I do not speak English
hola soy draz y ya que vi esta tool me dio animo para investigar sobre el Sandbox y pues esto pude lograr
miren ustedes mi video en youtube http://www.youtube.com/watch?v=BM0X1MGUZkc&feature=youtu.be espero bueno comentario y si pueden en ESPAÑOL MEJOR saludos !!!

[Salabim]

EDIT: This post should be in the regular forum since it is related to the auto-sandbox-on-suspicious feature of the regular Avast 7 program.

running PS3 Media Server ( http://www.ps3mediaserver.org/ ) gives me a "suspicious" popup, and no matter if i choose "run sandboxed" or "run normal" the program is started in a buggy environment, the loaded module javaw.exe even gives me a BSOD afterwards.

Please fix your sandboxing issues, or don't try to incorporate one at all.

I had to uninstall Avast and go back to good old Panda Cloud AV for it to work normally.

[true indian]

EDIT 2: had to turn off comodo D+ and sandbox...to trigger avast sandbox.

figured out...my COMODO was on blocked..moved to restricted...kept everything on and now CIS and avast both jump on the file correctly