avast! AutoSandbox is the most impressive advancement in antivirus in years. Gone is the prompt asking to run in the sandbox (versions 5 and 6 would drive you crazy). The addition of the cloud services module adds a highly mature whitelisting / blacklisting database that now includes tens of millions of files. AutoSandbox learns from every user, every day! With 180 million users, this database is the most extensive of its type in the world.

After whitelisting, unknown code is analyzed for other variables, including file reputation, file origin, URL source, file signature, and code analysis. If at any stage the file is deemed safe, it is automatically executed.

Polymorphic code (rogueware infector) is often impossible to detect in these first stages. The proprietary file packer (encryptor) is embedded at the end of the code, so the initial scan has nothing to go on until this point. If the packer is known, then the Sandbox will decrypt the file using the appropriate decompression algorithm. If the file is still not judged safe, or it uses an unknown packer (many virus writers author their own packers), then the file is executed in the sandbox.

As this code executes, it is halted at multiple intervals for structural checks and analyzed for viral characteristics and behavior, such as "start, run" or writing to the registry. At any time the code is confirmed as malicious, it is moved directly to the virus chest. Under full analysis, the user will see "This code is being analyzed" for a maximum of 15 seconds. If at any time the code is deemed safe, it is allowed to fully execute by choosing "run file normally". This type of code analysis will change antivirus software as we know it!
J.R. Guthrie