Author Topic: Where did sandbox come from  (Read 8321 times)

0 Members and 1 Guest are viewing this topic.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Where did sandbox come from
« Reply #15 on: May 21, 2011, 07:25:19 PM »
In my opinion, autosandbox warning box is shown for a lot of applications very often and I think heuristic is too strict. Unfortunately, vlk & other viruslab guys do this on purpose (marketing).

Marketing? I'm not sure what you mean here, i.e. how would it help avast (in any way) if the autosandbox popups were too frequent (or inaccurate).
 
The algorithm is being fine-tuned continuously, and also, before a new heuristics method is added, we also test it quite extensively (i.e. once we implement the algorithm, we deploy it to the user base, but instead of popping up the autosandbox offer we just report about the samples so that we can check what they are and whether the detection is accurate.

On the other hand, I'd like to add an easier way to report autosandbox false positives (i.e give users a simple way to report FPs directly from the offer dialog).

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

MAG

  • Guest
Re: Where did sandbox come from
« Reply #16 on: May 21, 2011, 07:32:12 PM »
In my opinion, autosandbox warning box is shown for a lot of applications very often and I think heuristic is too strict. Unfortunately, vlk & other viruslab guys do this on purpose (marketing).

Marketing? I'm not sure what you mean here,

pk can explain what he meant, but as a reader I assumed he meant improved detection rate in independent tests.

I'm not sure if an unnecessaryuser prompt is counted as a FP in those tests or not though - ie if there's a downside)

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re: Where did sandbox come from
« Reply #17 on: May 21, 2011, 07:46:46 PM »
Well, as for me I'd like to see popups only for very suspicious applications. When such application will be executed in sandbox, tiny popup on right side of screen should notify user that app was executed in sandbox. When it terminates itself, another popup should tell user how many operations were suspicious/blocked and show user-friendly information report.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86654
  • No support PMs thanks
Re: Where did sandbox come from
« Reply #18 on: May 21, 2011, 08:09:51 PM »
<snip>
The algorithm is being fine-tuned continuously, and also, before a new heuristics method is added, we also test it quite extensively (i.e. once we implement the algorithm, we deploy it to the user base, but instead of popping up the autosandbox offer we just report about the samples so that we can check what they are and whether the detection is accurate.

On the other hand, I'd like to add an easier way to report autosandbox false positives (i.e give users a simple way to report FPs directly from the offer dialog).

Isn't this really were the avast ComminityIQ should come in, for every alert/notification of the autosandbox, shouldn't that information be passed up the CommunityIQ chain ?

Diving slightly off topic, but still on the FP and CommunityIQ theme, anti-rootkit suspicious alerts have been on the rise with a number of FPs reported in the topics. This too is an area that it needs to be easier for users to report possible FPs. Currently that is non-existent and I don't know what happens in relation to the CommunityIQ and suspicious anti-rootkit pop-ups ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86654
  • No support PMs thanks
Re: Where did sandbox come from
« Reply #19 on: May 21, 2011, 08:13:30 PM »
Well, as for me I'd like to see popups only for very suspicious applications. When such application will be executed in sandbox, tiny popup on right side of screen should notify user that app was executed in sandbox. When it terminates itself, another popup should tell user how many operations were suspicious/blocked and show user-friendly information report.

Whilst that would be good, up to a point.

But the problem is that the user isn't aware that what happens in the autosandbox is lost at the end of the autosandbox session (part of the OPs irate post). Any installation as such isn't happening in the real environment and the user wonders why his program hasn't installed.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76181
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Where did sandbox come from
« Reply #20 on: May 21, 2011, 08:13:42 PM »
Isn't this really were the avast ComminityIQ should come in, for every alert/notification of the autosandbox, shouldn't that information be passed up the CommunityIQ chain ?

Good question..!
I also thought it would/should do that...???
W8.1 [x64] - Avast PremSec 22.6.7355.BC [UI.713] - Firefox ESR 91.10 [NS/uBO/PB] - Thunderbird 91.10
Avast-Tools: Secure Browser 102.1 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Jack 1000

  • Guest
Re: Where did sandbox come from
« Reply #21 on: May 21, 2011, 08:51:14 PM »
Interesting. I'm not seeing all that much popups. So far the only problematic stuff were Adobe Flash based games on Steam (like Machinarium or Windosill). Those usually trigger Auto Sandbox dialog. But if you think of it, Flash content running in browser and executed through Steam. I'd be suspicious as well.
But certainly this requires refinement over time to make less popups when not needed like you pk suggested.

I have seen one pop up with Version 6, and Virus Total had 1/40 listed for this file.  I wasn't sure about it, so I sent it to the lab.  A few weeks later, I scanned the file from the Chest and it came up clean.  When I opened it, Avast told me it was going to be sandboxed. (Have my setting set to Auto.)

I was grateful for this, because the lab probably thought the file MIGHT be safe.  (I sent the Virus Total Report too), but just to be sure, they sandboxed it.

Let's say that a file is restricted in the sandbox.  Can certain parts of the program or file not run because it is sandboxed?  If you sandbox a program, especially in Avast Pro or IS, does the sandboxed program get installed to the Add/Remove Programs List?  Or does the program not do that, because of it being virtualized?  I know everything goes away when the program is closed.

Now that we have a good discussion here, we should keep this topic open.

Jack

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76181
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Where did sandbox come from
« Reply #22 on: May 21, 2011, 08:58:10 PM »
Jack, are you talking about ASB or SB or are you mixing these two..??
The last replies were all related to the ASB. ;)
W8.1 [x64] - Avast PremSec 22.6.7355.BC [UI.713] - Firefox ESR 91.10 [NS/uBO/PB] - Thunderbird 91.10
Avast-Tools: Secure Browser 102.1 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Nesivos

  • Guest
Re: Where did sandbox come from
« Reply #23 on: May 21, 2011, 09:15:29 PM »
In my opinion, autosandbox warning box is shown for a lot of applications very often and I think heuristic is too strict. Unfortunately, vlk & other viruslab guys do this on purpose (marketing). I'd like to see autosnx box only when avast is really not sure about the application which is going to be executed. I'm sure, most our avast free users (where autosnx feature is included) don't have a clue what's the sandbox and how it works. They just need silent antivirus, running in background and without additional configuration - showing annoying popups don't really help.

AutoSandbox wanted me to sandbox "RadioSure".   So I checked it out on "Virustotal" and they agreed.  So now I run RadioSure Virtualized.

Avast knows the truth! :)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76181
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Where did sandbox come from
« Reply #24 on: May 21, 2011, 09:24:00 PM »
AutoSandbox wanted me to sandbox "RadioSure". So I checked it out on "Virustotal" and they agreed.  So now I run RadioSure Virtualized.

How did VT agree..???
If it is malware don't run it at all..!!!
W8.1 [x64] - Avast PremSec 22.6.7355.BC [UI.713] - Firefox ESR 91.10 [NS/uBO/PB] - Thunderbird 91.10
Avast-Tools: Secure Browser 102.1 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Nesivos

  • Guest
Re: Where did sandbox come from
« Reply #25 on: May 21, 2011, 09:32:58 PM »
AutoSandbox wanted me to sandbox "RadioSure". So I checked it out on "Virustotal" and they agreed.  So now I run RadioSure Virtualized.

How did VT agree..???
If it is malware don't run it at all..!!!


found something called potential malware or some such thing.

Besides the music options are too great not to take the small risk.  I had actually used it for years before I had the Avast Sandboxing feature and have never had a problem to my knowledge ??? that resulted from it.

How can you not love 1 Club.FM Bar Rockin' Blues :) :)  That station cooks bigtime

Gargamel360

  • Guest
Re: Where did sandbox come from
« Reply #26 on: May 21, 2011, 09:35:10 PM »
How did VT agree..???
If it is malware don't run it at all..!!!
LOL, +1




Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76181
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Where did sandbox come from
« Reply #27 on: May 21, 2011, 09:44:57 PM »
found something called potential malware or some such thing.
Besides the music options are too great not to take the small risk. 

:o ::) ;D :( :-X 8)
W8.1 [x64] - Avast PremSec 22.6.7355.BC [UI.713] - Firefox ESR 91.10 [NS/uBO/PB] - Thunderbird 91.10
Avast-Tools: Secure Browser 102.1 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Jack 1000

  • Guest
Re: Where did sandbox come from
« Reply #28 on: May 21, 2011, 10:28:44 PM »
Jack, are you talking about ASB or SB or are you mixing these two..??
The last replies were all related to the ASB. ;)


Well,

For my story, I only have Avast 6 Free, so I mean the SB. (Regular Sandbox)  Sorry for the confusion!

I can try to explain:

In Avast Free: Any program that Avast determines to be suspicious can run in the Sandbox.  Users can select "Ask" (default), "Auto", or "Off."  The program or file is isolated from the system/user so it cannot harm anything when in the sandbox.  In the Free version, only files/programs deemed by Avast to be suspicious get flagged for the Sandbox.

In Avast Pro/Internet Security: (Paid Versions) I understand that you have the same prompts, but an added feature is that you can right-click in the content menu or in settings and manually choose to run ANY program or file in the Sandbox.  I think you can also change Avast settings to sandbox everything you open, over-riding manual control.  The "Open Everything" in sandbox may strain your computer RAM and other resources because of the amount of checking and security integration that Avast has to do.  Some critics say that sandboxing everything is a little too paranoid, but its there in the paid versions of Avast if you want it.

I understand there is also a program called Sandboxie, that I think is free to try, and $30 to buy.  It's like the paid version of Avast where anything any everything could run in a virtulized environment.  I am happy with the free version of Avast and I also use WOT and Virus Total to help guide me away from suspicious sites and files.

Jack

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76181
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Where did sandbox come from
« Reply #29 on: May 22, 2011, 08:54:37 AM »
I only have Avast 6 Free, so I mean the SB. (Regular Sandbox)

No, you mean the AutoSandbox (ASB)..!! ;)
W8.1 [x64] - Avast PremSec 22.6.7355.BC [UI.713] - Firefox ESR 91.10 [NS/uBO/PB] - Thunderbird 91.10
Avast-Tools: Secure Browser 102.1 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0