Avast Autosandbox

[naren17]

Avast autosandbox is full virtualization, right?

 I tested Avast with default settings & when it finds the suspicious behvaiour it autosandbox the file & analyzes & after the analyzes completes it terminates the sandboxed app & give the option to sandbox or normal open nextime.

The prob is if you choose to select the app to open next time sandboxed, it again does the same thing & terminates the apps. So this means you can only open the app normally & not sandboxed, right? Then whats the benefit of full virtualization of Avast autosandbox?

[true indian]

It makes no difference.....if it again analyzes...it analyzes in sandbox[program runs in sandbox]...so u shouldnt worry.

[AntiVirusASeT]

autosandbox when set to auto mode is purely meant for Avast! to perform further analysis on suspicious files rather than for the user himself to make a personal verdict if the file is safe or not. thus the application will always be terminated after a few seconds.

however, when set to ask, u can than do ur own analysis on the file in question as Avast! will not terminate the application in the sandbox 

[naren17]

So whats the use of Sandbox if you cannot open & use any suspicious app in the sandbox?

If you cannot open & use any suspicious app in sandbox then its the same like threat detected & Avast can throw behaviour shield popup instead of autosandbox.

Autosandbox being the full virtualization, suspicious apps should open in it.

Do you mean if autosandbox is set to ask then the suspicious apps can be run in sandbox? So does this mean autosandbox set to ask, analysis is not performed?

[DavidR]

There is some misunderstanding about the autosandbox and the full sandbox feature in the paid versions Pro/AIS. See image, of the autosandbox options.

The autosandbox is essentially for testing and there is no option to open sandboxed for the autosandbox. So presumably you have Avast Pro or the Internet Security application ?

If so yes you can use the full sandbox feature, however, that may not stop it from being intercepted by the autosandbox, so essentially you would need to add that file to the autosandbox exclusions so it doesn't intercept it. That should then allow you to run it in the full sandbox.

[AntiVirusASeT]

yups the screenshot which DavidR provided is autosandbox in 'ask' mode.

suspicious apps (determined by Avast!, not by user) will cause the autosandbox to ask u with the options in the screenshot as shown.

yes, when set to 'ask' mode, the autosandbox will not terminate the suspicious app. u can run it in the autosandbox as long as u want.

in 'ask' mode, there will not be the 'analysis result' from Avast! autosandbox, only in 'auto' mode

[naren17]

David,

I am talking of Avast Free AutoSandbox.

And the screenshot you have attached is of AutoSandbox when set to ask, right? So what happens if I select the default open in sandbox, does the app opens in sandbox & can be used?

[naren17]

yups the screenshot which DavidR provided is autosandbox in 'ask' mode.

suspicious apps (determined by Avast!, not by user) will cause the autosandbox to ask u with the options in the screenshot as shown.

yes, when set to 'ask' mode, the autosandbox will not terminate the suspicious app. u can run it in the autosandbox as long as u want.

So why Avast chose a different approach for AutoSandbox in default settings i.e apps cannot run in AutoSandbox i.e apps are terminated?

[DavidR]

David,

I am talking of Avast Free AutoSandbox.

And the screenshot you have attached is of AutoSandbox when set to ask, right? So what happens if I select the default open in sandbox, does the app opens in sandbox & can be used?

Yes that is the autosandbox when set to Ask.
You can't elect to run an application in the autosandbox, it doesn't have that functionality, it is for analysis only.

If anything malicious were found it should report that or that there is insufficient information to confirm it is malicious, with that analysis don it shuts everything down. You them decide if you want to run it normally.

If you are looking for something more, e.g. the full sandbox feature then you would need to get either avast pro or Avast Internet Security (AIS).

[DavidR]

<snip>

So why Avast chose a different approach for AutoSandbox in default settings i.e apps cannot run in AutoSandbox i.e apps are terminated?

There is no different approach, when in Auto Mode the autosandbox would make the decision if it should be tested in the sandbox or not, in Ask Mode, it displays the screen I posted and you decide if it should be tested in the autosandbox or not.

But it will not run the application in the sandbox so that it can be used, for that you need the full Sandbox of the avast Pro/AIS versions.

[AntiVirusASeT]

@ DavidR: i tested out the autosandbox in 'ask' mode using autosandboxme tool by Avast.  it displays as in ur screenshot and allows the sandboxed app to run within the autosandbox without terminating it.

so i believe that when autosandbox is set to 'ask' mode, the user still cannot choose which application to be sandboxed as in all autosandbox modes (auto/ask), but the user can run the app (which Avast chooses to sandbox) indefinitely in the sandbox.

please correct if i am wrong 

[naren17]

@ DavidR: i tested out the autosandbox in 'ask' mode using autosandboxme tool by Avast.  it displays as in ur screenshot and allows the sandboxed app to run within the autosandbox without terminating it.

so i believe that when autosandbox is set to 'ask' mode, the user still cannot choose which application to be sandboxed as in all autosandbox modes (auto/ask), but the user can run the app (which Avast chooses to sandbox) indefinitely in the sandbox.

please correct if i am wrong 

This is the thing I wanna know.

As you mentioned, autosandbox in ask mode, apps can be run in sandbox & are not terminated.

autosandbox in default setting, apps cannot be run in sandbox & are terminated.

So whats the correct info?

[DavidR]

No I didn't say that apps can be run in sandbox and not terminated in Ask mode, all that Ask mode does is take away the decision if the app should be run/tested by the autosandbox, primarily so that the user can elect to run it outside of the autosandbox.

Anything in Ask Mode run in the sandbox will run virtualised (a Red Border round the Window), so any interactions made or changes, etc. will be lost as the sandbox is wiped when closed. You can't elect to always run this program sandboxed, but when you try to run it the autosandbox would butt in, if you have it set to Ask you can run it sandboxed or outside of it normally (that choice can be remembered), but it still runs through the analysis process.

The Auto Mode just elects to run it sandboxed to do its analysis, this displays a pop-up (see attached image) once it has analysed the program it will notify you of the finding, image2. If at this point you can select how the next execution is handled (sandboxed or normally),  but it still runs through the analysis process and the program terminated at the end of the analysis if you selected run sandboxed.

So in choosing Ask Mode, there appears to be an anomaly (which I believe wasn't intended to be in the free version) where it will actually run the program sandboxed - personally, even if it doesn't terminate an application there really is little point in running it sandboxed as when closed everything is history. Any interaction or changes made when running the application are lost. Where in the Full sandbox feature in the Pro and AIS have other settings for running programs like browsers sandboxed and still have some of the changes, etc. saved.

[Chim]

Okay, so how do I set this avast 7.0.1426 Sandbox to Ask Mode.
I can't even find any Sandbox Settings.

All I know is that now every time that I bring up PortableApps.com, the Sandbox pops up and I'm not even given a chance to select "Remember my selection for this App" or whatever the previous avast used to say.

[AntiVirusASeT]

u can select open normally on next open if ur using 'auto' mode

as for changing autosandbox to 'ask' mode, look at screenshot