Let me explain in a bit more detail what we're trying to do here.
First, a little bit of background information. We introduced the Autosandbox feature in v6 as a way to cope with suspicious programs. Traditionally, AV software had to make binary decisions: either call a file clean (and then let it run on users' machines) or call it infected (and deal with it, i.e. typically quarantine/delete the file). The autosandbox gave us the possibility to let the file run, but without risking that it would do any harm to the system. Therefore, it was a handy tool for our analysts who could relax the heuristic rules without risking too many "hard" false positives.
Now, in v7 (partly in this initial v7 build, and partly in the upcoming builds), we'd like to change this a little bit in the following sense:
Instead of "automatically running apps inside the sandbox", we'd like to use the sandboxing subsystem to act more like an extension of the scanner. That is, when the engine isn't sure about a file, it would do the following:
1. Go ahead and run the app in the sandbox (with that "avast is analyzing a suspicious files" dialog; btw this dialog will be augmented with some additional information about the actual reason why the file looks suspicious).
2. Let it run for a while - but not too long. Typically, kill it after 10-15 seconds (unless it dies on its own before that). While the app is running, collect all the details about what it's doing.
3. After that, analyze the logs collected in step 2, and
   a. If it's found malicious, present the user with the usual options like Move to Chest, Delete etc.
   b. If the file isn't found malicious, present the user with options like "Continue launching the program", "Keep this program in the sandbox", "Cancel launching the program".
   Also, in this step, actually give the user a way to VIEW the log so that power users can draw their own conclusions.
In my opinion, this is a clear step forward and is really user-friendly (much more than the v6 implementation). We may also leave the old v6-style mode there, but once the new system works as expected, I don't see any reason why anyone would actually want to switch to it.
I hope this helps.
Thanks
Vlk
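
The three steps described in the post above, sketched as an added example; this is not avast's code and not part of the original post. It only models the time box and the decision: it provides no isolation and collects no behavior itself, and the event kinds, the rule set, the "View log" label and the function names are hypothetical.

```python
import subprocess
import sys
import time

# Hypothetical rule set: event kinds treated as malicious in this sketch.
MALICIOUS_KINDS = {"write_autorun_key", "inject_remote_thread"}

OPTIONS_MALICIOUS = ["Move to Chest", "Delete"]
OPTIONS_NOT_MALICIOUS = [
    "Continue launching the program",
    "Keep this program in the sandbox",
    "Cancel launching the program",
]


def run_time_boxed(argv, limit_seconds=15.0):
    """Step 2: let the program run, but kill it once the time box expires."""
    started = time.monotonic()
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    try:
        proc.wait(timeout=limit_seconds)
        killed = False              # the program ended on its own
    except subprocess.TimeoutExpired:
        proc.kill()                 # still running: terminate it
        proc.wait()                 # reap the child so nothing lingers
        killed = True
    return {"killed": killed, "elapsed": time.monotonic() - started}


def decide(behavior_log):
    """Step 3: analyze the collected log and choose the options to offer."""
    evidence = [e for e in behavior_log if e["kind"] in MALICIOUS_KINDS]
    options = OPTIONS_MALICIOUS if evidence else OPTIONS_NOT_MALICIOUS
    # The log stays viewable in either branch so the user can inspect it.
    return {"malicious": bool(evidence), "evidence": evidence,
            "options": options + ["View log"]}


if __name__ == "__main__":
    # Constructed stand-in for a suspicious program: it just sleeps.
    run = run_time_boxed([sys.executable, "-c", "import time; time.sleep(30)"], 1.0)
    # Constructed behavior log; a real one would come from the sandbox.
    log = [{"kind": "read_file", "target": "C:\\sample\\config.ini"}]
    print(run["killed"], decide(log)["options"])
```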