Author Topic: Sandbox warning: RarExtLoader.exe  (Read 12419 times)

0 Members and 1 Guest are viewing this topic.

Offline Hubbaman

  • Jr. Member
  • **
  • Posts: 47
Re: Sandbox warning: RarExtLoader.exe
« Reply #15 on: June 09, 2011, 03:19:52 PM »
I think I'll wait just a little while and see if anything else comes up here, and if it doesn't, I'll probably tell autosandbox to ignore it.

I'm still considering... As it would be really inconvenient for me at the moment to do something drastic like a complete Windows reinstall, what would you consider the safest way to deal with this?

1. Uninstall WinRAR 3.61 Multi.
2. Tell autasandbox to always open RarExtLoader.exe in sandbox.
3. Tell autosandbox to always open RarExtLoader.exe normally.
4. Tell autosandbox to always block RarExtLoader.exe (provided that doesn't cause problems elsewhere).

Thanks.


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84921
  • No support PMs thanks
Re: Sandbox warning: RarExtLoader.exe
« Reply #16 on: June 09, 2011, 04:11:15 PM »
The first thing that I would do when you are at that computer is what Igor (a senior avast developer) suggested, upload the file.

Upload the zip file to the ftp server ftp://ftp.avast.com/incoming:
Give the zip file you are uploading a unique name (e.g. Hubbaman_winrarloader.zip, etc), so they can identify it. It might not be a bad idea to create a text file (readme.txt) with any relevant information, avast topic URL, user name, etc. etc. in the zip file.

- Using Internet Explorer, Connect to the link and drag the file into the Right pane and drop it, that starts the upload, you don't have read access to this folder.

Or

Upload it using the Run command-line in Windows: Windows Key + R (to get the run box), copy and paste this
Code: [Select]
explorer ftp://ftp.avast.com/incoming and drag the file into the window, from another explorer window.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline ArnD

  • Newbie
  • *
  • Posts: 3
Re: Sandbox warning: RarExtLoader.exe
« Reply #17 on: June 09, 2011, 07:06:30 PM »
Uh... I don't know why but everything works fine right now... The problem is that I haven't even checked if Avast had updated or something... Just started the machine, read your comments, was about to zip the suspicious file and noticed that I can copy/cut/paste files, click right button without having the sandbox pop up  :o

Offline Tetsuo

  • Poster
  • *
  • Posts: 594
Re: Sandbox warning: RarExtLoader.exe
« Reply #18 on: June 09, 2011, 08:29:20 PM »
Uh... I don't know why but everything works fine right now... The problem is that I haven't even checked if Avast had updated or something...

Hi,

In the past few days ERUNT v1.1j became suddenly an "autosandbox candidate". So I immediately added it to the exclusion's list.

However, I just discovered that ERUNT is no more an "autosandbox candidate". I think everything is back to normal thanks to some of the recent virus-def updates (probably this morning updates).

I thought you may want to know it.

Cheers,
T.

Win XP PRO SP3
Avast Free AV 6.0.1125


Offline Nesivos

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1352
  • Artists Rendering of New Pauley Pavilion @ UCLA
Re: Sandbox warning: RarExtLoader.exe
« Reply #19 on: June 09, 2011, 10:17:06 PM »
The autosandbox process is controlled in the first instance by the file system shield (FSS), the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn't had a definitive detection. Which is also why you didn't find any hits on VirusTotal.

However, the FSS checks other things amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). these can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean.

Edit attached missing image.

It is possible that WinRaR 3.6 has a digital signature that has expired given that 4.x is the latest release and that that is causing autosandbox to flag it.
OS: W7-SP1, Security: AIS 7, SAS Pro, WinPatrol Plus Network:2 Dell 570MT x64 1 Dell 660 Desktop with 8GB RAM Default Browser & Email: Firefox & Thunderbird latest Betas

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84921
  • No support PMs thanks
Re: Sandbox warning: RarExtLoader.exe
« Reply #20 on: June 09, 2011, 11:03:35 PM »
I don't think that avast goes to the degree of checking for expired signatures. A digital signature would remain valid if the file wasn't modified. If the file were modified the digital signature wouldn't pass validation/checksum, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: Sandbox warning: RarExtLoader.exe
« Reply #21 on: June 09, 2011, 11:23:22 PM »
A digital signature would remain valid if the file wasn't modified.

That's not fully true - only if countersigned by a timestamping certificate, otherwise the signature really becomes invalid if the signing certificate expires.
(not saying it has anything to do with this thread though).

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: Sandbox warning: RarExtLoader.exe
« Reply #22 on: June 10, 2011, 12:11:16 PM »
Guys, we'd really need that file in question - can anybody upload it? It's certainly not a problem if there will be more of them uploaded...

Offline iroc9555

  • CCS, Vzla.
  • Avast Überevangelist
  • Starting Graphoman
  • *****
  • Posts: 7460
  • No soporte por PM.
Re: Sandbox warning: RarExtLoader.exe
« Reply #23 on: June 10, 2011, 04:39:17 PM »
igor.

I run WinRAR 3.80, but it does not say "Multi" and I do not have the problem mentioned above. I could send you the file though. If you need it.
Hernan.
Dim 9200. C2D E6600; 2.40GHz. 4GB DDR2RAM. XP Pro_86. Spk3. IE8 & FF41. Avast FREE 2015. CIS 5.12(FW/D+). MBAM Premium. MCShield. WinPatrol +. SpywareBlasterOpenDNS. uBlock. WOT. Sandboxie

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: Sandbox warning: RarExtLoader.exe
« Reply #24 on: June 10, 2011, 04:40:27 PM »
It's not really important what the version is or what the name says - we're interested in the files that caused the popup yesterday (even if it disappeared today).

Offline iroc9555

  • CCS, Vzla.
  • Avast Überevangelist
  • Starting Graphoman
  • *****
  • Posts: 7460
  • No soporte por PM.
Re: Sandbox warning: RarExtLoader.exe
« Reply #25 on: June 10, 2011, 05:02:06 PM »
igor.

Sent already. Name: RarExtLoader.exe
Hernan.
Dim 9200. C2D E6600; 2.40GHz. 4GB DDR2RAM. XP Pro_86. Spk3. IE8 & FF41. Avast FREE 2015. CIS 5.12(FW/D+). MBAM Premium. MCShield. WinPatrol +. SpywareBlasterOpenDNS. uBlock. WOT. Sandboxie

Offline Hubbaman

  • Jr. Member
  • **
  • Posts: 47
Re: Sandbox warning: RarExtLoader.exe
« Reply #26 on: June 14, 2011, 01:32:11 AM »
I just uploaded my file. Sorry I couldn't do this earlier, I have been on a trip and didn't have the opportunity.

Autosandbox is no longer triggered by this on my computer either.

Hope you find out what this was/is all about.  :)

Offline Hubbaman

  • Jr. Member
  • **
  • Posts: 47
Re: Sandbox warning: RarExtLoader.exe
« Reply #27 on: June 26, 2011, 08:52:26 PM »
Since neither Avast nor Autosandbox warns about this file anymore, can I consider it to be safe?

Offline iroc9555

  • CCS, Vzla.
  • Avast Überevangelist
  • Starting Graphoman
  • *****
  • Posts: 7460
  • No soporte por PM.
Re: Sandbox warning: RarExtLoader.exe
« Reply #28 on: June 26, 2011, 10:22:24 PM »
Hubbaman.

RarExtLoader.exe is a valid file of WinRAR. If you installed RAR from a safe place, and is not using a crack or keygen, no problem, and it is located in %RootSystem%\Program Files\WinRAR; However, if located some other place or under WINDOWS or WINDOWS\System32\, could be an infection.

Regards
Hernan.
Dim 9200. C2D E6600; 2.40GHz. 4GB DDR2RAM. XP Pro_86. Spk3. IE8 & FF41. Avast FREE 2015. CIS 5.12(FW/D+). MBAM Premium. MCShield. WinPatrol +. SpywareBlasterOpenDNS. uBlock. WOT. Sandboxie