Author Topic: Autosandbox request to developers  (Read 3406 times)


Tgell

  • Guest
Autosandbox request to developers
« on: February 27, 2012, 05:38:34 PM »
I really like the autosandbox feature in avast! 6 but after reading the problems with portable apps and other files like explorer.exe being sandboxed with no input from the user, I will not be installing version 7 until it at least has an ask function.  Why was ask removed? Please reinstate it or is it impossible because of the new code? If a person removes autosandbox from avast 7, how much does this affect detection of malware?

Thank you.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Autosandbox request to developers
« Reply #1 on: February 27, 2012, 05:41:55 PM »
Quote from Tgell: "I will not be installing version 7 until it at least has an ask function."

It has that, I'm using it. ;)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast need-to-know (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline BTIsaac

  • Full Member
  • ***
  • Posts: 100
Re: Autosandbox request to developers
« Reply #2 on: February 27, 2012, 06:21:09 PM »
Or you could, you know, install version 7 and disable autosandbox.

FlyingRobot

  • Guest
Re: Autosandbox request to developers
« Reply #3 on: February 27, 2012, 08:34:50 PM »
Perhaps the OP saw the messages about the ask feature going to be removed in future builds?  Such as: http://forum.avast.com/index.php?topic=93866.msg747953#msg747953 ?

buffy_92

  • Guest
Re: Autosandbox request to developers
« Reply #4 on: February 27, 2012, 09:54:03 PM »
I have the same problem :(
« Last Edit: February 27, 2012, 10:12:30 PM by buffy_92 »

Tgell

  • Guest
Re: Autosandbox request to developers
« Reply #5 on: February 27, 2012, 11:37:09 PM »
Quote from FlyingRobot: "Perhaps the OP saw the messages about the ask feature going to be removed in future builds?  Such as: http://forum.avast.com/index.php?topic=93866.msg747953#msg747953 ?"

Yes, that is what I am worried about, ask going away. I guess I will have to disable autosandbox. Wish they would keep ask.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Autosandbox request to developers
« Reply #6 on: February 27, 2012, 11:53:36 PM »
Let me explain in a bit more detail what we're trying to do here.

First, a little bit of background information. We introduced the Autosandbox feature in v6 as a way to cope with suspicious programs. Traditionally, AV software had to make binary decisions: either call a file clean (and then let it run on users' machines) or call it infected (and deal with it, i.e. typically quarantine/delete the file). The autosandbox gave us the possibility to let the file run, but without risking that it would do any harm to the system. Therefore, it was a handy tool for our analysts who could relax the heuristic rules without risking too many "hard" false positives.

Now, in v7 (partly in this initial v7 build, and partly in the upcoming builds), we'd like to change this a little bit in the following sense:

Instead of "automatically running apps inside the sandbox", we'd like to use the sandboxing subsystem to act more like an extension of the scanner. That is, when the engine isn't sure about a file, it would do the following:
1. Go ahead and run the app in the sandbox (with that "avast is analyzing a suspicious files" dialog; btw this dialog will be augmented with some additional information about the actual reason of why the file looks suspicious)
2. Let it run for a while - but not too long. Typically, kill it after 10-15 seconds (unless it dies on its own before that). While the app is running, collect all the details about what it's doing
3. After that, analyze the logs collected in step 2, and
   a. If it's found malicious, present the user with the usual options like Move to Chest, Delete etc.
   b. If the file isn't found malicious, present the user with options like "Continue launching the program", "Keep this program in the sandbox", "Cancel launching the program".
Also, in this step, give the user actually a way to VIEW the log so that power users can draw their own conclusions.

In my opinion, this is a clear step forward and is really user friendly (much more than the v6 implementation). We may also leave the old v6-style mode there, but once the new system works as expected, I don't see any reason why anyone would actually want to switch to it.


I hope this helps.

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.
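
Added example, not part of Vlk's post and not avast! code: a sketch of the three-step flow described above (run under a time budget, kill if still alive, analyze the collected log, map the verdict to the user options named in steps 3a/3b). The event kinds in MALICIOUS_KINDS, the function names, and the child process that prints constructed event lines in place of a real sandbox recorder are all assumptions.

```python
import subprocess
import sys

# Hypothetical event kinds treated as malicious; the post does not list real rules.
MALICIOUS_KINDS = {"autorun_registered", "hosts_file_modified"}

OPTIONS = {
    True: ["Move to Chest", "Delete"],                       # step 3a
    False: ["Continue launching the program",                # step 3b
            "Keep this program in the sandbox",
            "Cancel launching the program"],
}

def run_timeboxed(cmd, budget_s):
    """Steps 1-2: run cmd, collect its event lines, kill it when the budget expires."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True)
    try:
        out, _ = proc.communicate(timeout=budget_s)
        killed = False                    # the program ended by itself
    except subprocess.TimeoutExpired:
        proc.kill()                       # still running after the budget
        out, _ = proc.communicate()       # drain what was logged before the kill
        killed = True
    events = [line.split(maxsplit=1) for line in out.splitlines() if line.strip()]
    return killed, events

def analyze(events):
    """Step 3: verdict, the options offered for it, and the log shown to the user."""
    hits = [e for e in events if e[0] in MALICIOUS_KINDS]
    return {"malicious": bool(hits), "options": OPTIONS[bool(hits)],
            "reasons": hits, "log": events}

def child(lines, sleep_s):
    """Constructed stand-in for a sandboxed program: prints events, then lingers."""
    code = ("import time\n"
            f"for l in {lines!r}: print(l, flush=True)\n"
            f"time.sleep({sleep_s})\n")
    return [sys.executable, "-c", code]

if __name__ == "__main__":
    sample = ["file_created C:/Temp/a.tmp", "autorun_registered updater"]  # constructed
    killed, events = run_timeboxed(child(sample, 30), budget_s=3)
    print("killed after budget:", killed)
    print(analyze(events))
```

The "reasons" and "log" fields correspond to the two things the post promises the user: why the file looked suspicious, and a viewable log for power users.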

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Autosandbox request to developers
« Reply #7 on: February 28, 2012, 12:05:00 AM »
Seems good, a good balance for common and advanced users and a way to decide.
The best things in life are free.

Tgell

  • Guest
Re: Autosandbox request to developers
« Reply #8 on: February 28, 2012, 12:07:28 AM »
Thank you for the clarification Vlk.

Offline Charyb-0

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2508
Re: Autosandbox request to developers
« Reply #9 on: February 28, 2012, 12:24:49 AM »
With Filerep, AutoSandbox, streaming updates, regular def. updates, and WebShield, it sounds tough to penetrate. Once it is fine tuned, I hope to never hear of another person, using avast, with a rogue antivirus install on their computer. Not to mention many all of the other nasties.

The more detailed the sandbox warning and log the better.

FlyingRobot

  • Guest
Re: Autosandbox request to developers
« Reply #10 on: February 28, 2012, 12:59:11 AM »
What are the risks of allowing the (upcoming) autosandbox... what can it break?  I rarely get the ask, and right now I can only remember seeing it in response to manually launching a downloaded standalone program.  I suspect there are no risks there, so that is actually the only type of scenario where I allow the autosandbox.  However, if I were asked about some component of a sophisticated already installed or installing program, I would disallow the autosandboxing in order to minimize the chances that it would hose the application, install, or system (I'm generally more worried about that than malware).  This is why ask appeals to me, although I'm clearly not knowledgeable enough to know how to apply it in the best way.

If the new autosandbox will continue to be a component that can be enabled or disabled, how does one make that decision?