Author Topic: Auto-Sandbox is acting crazy  (Read 7497 times)

0 Members and 1 Guest are viewing this topic.

newhere

  • Guest
Auto-Sandbox is acting crazy
« on: May 04, 2012, 02:42:31 PM »
Not only it tries to sandbox my 3planesoft screensavers (FP), when I compile and run a project (.exe) in devC++ it will always try to autosandbox the projects, which cause them to not work as expected.
Execluding every single project from auto-sandbox is annoying and if someone could look at the auto-sandbox and check why does it happen like that it will be great.
P.S:
Tested on empty .exe files as well, Auto-sandbox detects every project.exe and try to sandbox it, i even removed the reference to System in the source code, detects win and console projects without a difference.
« Last Edit: May 04, 2012, 02:44:10 PM by newhere »

Offline AntiVirusASeT

  • Poster
  • *
  • Posts: 462
Re: Auto-Sandbox is acting crazy
« Reply #1 on: May 04, 2012, 02:51:41 PM »
this will provide u with more info: http://www.avast.com/pr-avast-software-detection-is-faster-when-filerep-knows-all-the-clean-files

also see the screenshot on the criteria s avast autosandbox uses to make decisions on what apps to sandbox.

since ur a developer, u might wanna check the reason stated for autosandbox (eg. 'The file prevalence/reputation is low')
workarounds are to: 1. change autosandbox mode from 'auto' to 'ask'
                                  2. uncheck the offending reason (note that u will lose protection against that reason)
                                  3. turn off autosandbox (not recommended, but if it is too annoying, u might want to do that)

edit 1: u can/should select 'open normally next time' when the autosandbox pops up. u can also manually add all projects to autosandbox's exclusions so that they will not be sandboxed at all.
 
« Last Edit: May 04, 2012, 03:01:50 PM by AntiVirusASeT »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Auto-Sandbox is acting crazy
« Reply #2 on: May 04, 2012, 02:56:48 PM »
Not only it tries to sandbox my 3planesoft screensavers (FP), when I compile and run a project (.exe) in devC++ it will always try to autosandbox the projects, which cause them to not work as expected.
Execluding every single project from auto-sandbox is annoying and if someone could look at the auto-sandbox and check why does it happen like that it will be great.
P.S:
Tested on empty .exe files as well, Auto-sandbox detects every project.exe and try to sandbox it, i even removed the reference to System in the source code, detects win and console projects without a difference.
If you know the file to be clean, simply select the following the next time you see the request to run it in a sandbox:
Run regularly and check remember my answer.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

newhere

  • Guest
Re: Auto-Sandbox is acting crazy
« Reply #3 on: May 04, 2012, 03:24:29 PM »
#1
I forgot to mention that everything was under Sandboxie, I installed devcpp over a private sandbox and and ran it from there, so i dont need avast auto-sandbox to interfere.
#2
I think that Avast should fix this issue instead of offering to execlude it, my auto-sandbox is detecting so many fp like my camera driver, which i just press ignore, my screensaver that i must exclude, and now this, where's the end?

and this is the reason it gets sandboxed:
The file prevalence/reputation is low

EDIT:
ok i think i know why it's happening (found it on google):
AntiVirusASeT
file reputation/ prevalence is based on how often is the program in question being used by the majority of Avast user base.

if u run programs which are not commonly used by average users, be prepared to see many autosandboxing

---------------------
and i obviously created a new .exe so avast finds a new executable that was running for the first time, so that's why it happens.
and yet, when i uploaded project.exe (which was clean- only the base code without nothing else), 2-3 Antiviruses said its Malware:Gen and one even said possible trojan, but all these AV were from unknown companies, i.e: Norman antivirus and stuff like that..

and i know its 100% FP because i created the empty .exe files.
« Last Edit: May 04, 2012, 03:35:59 PM by newhere »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Auto-Sandbox is acting crazy
« Reply #4 on: May 04, 2012, 03:45:36 PM »
Norman AV is hardly an unknown company.   :o
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

newhere

  • Guest
Re: Auto-Sandbox is acting crazy
« Reply #5 on: May 04, 2012, 03:51:34 PM »
Norman AV is hardly an unknown company.   :o
I only cared about one thing, why does avast try to sandbox all my projects, now its clear to me.

im still wondering how could Norman or other wierd antivirus companies detect a clean c++ code, i just started a new project, compiled and uploaded it to virustotal.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Auto-Sandbox is acting crazy
« Reply #6 on: May 04, 2012, 03:51:56 PM »
Why fix something which isn't broken, it is adding another layer of defence to give more protection against zero day malware. The file prevalence/reputation rankings will go up as more people select the Open Normally and Remember my answer for this program.

So having done that as and when files are pinged by the autosandbox, it shouldn't take long before your common files are excluded. This should hopefully benefit other avast users as more and more people make the same decisions, which is passed anonymously via the CommunityIQ feature (if you participate) and added to the database.

You should also have the AutoSandbox Mode set to Ask rather than Auto; of course you could always disable the autosandbox (not recommended) or uncheck 'the file prevalence/reputation is low' option (the lessor of the two).

####
Essentially they aren't FPs but recommendations, which you can elect to ignore:
The autosandbox process is controlled in the first instance by the file system shield (FSS), the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn't had a definitive detection.

However, the FSS checks other things amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). these can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean and of course that you intentionally initiated the program.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline AntiVirusASeT

  • Poster
  • *
  • Posts: 462
Re: Auto-Sandbox is acting crazy
« Reply #7 on: May 04, 2012, 03:53:48 PM »
yes, if u create new apps, it is highly likely that avast will autosandbox it due to the reasons u stated. (this is the nature of avast autosandbox)

avast is known not to game the filerep system. avast does not whitelist apps developers create.

the only thing u can do is to wait for the app to be of sufficient prevalence/reputation apart from adding digital signature to ur apps (which helps in speeding up the process in filerep system)

note: i do not know how much digitally signing ur apps will help in the process but it is one of the criteria s.

newhere

  • Guest
Re: Auto-Sandbox is acting crazy
« Reply #8 on: May 04, 2012, 03:57:26 PM »
Why fix something which isn't broken, it is adding another layer of defence to give more protection against zero day malware. The file prevalence/reputation rankings will go up as more people select the Open Normally and Remember my answer for this program.

So having done that as and when files are pinged by the autosandbox, it shouldn't take long before your common files are excluded. This should hopefully benefit other avast users as more and more people make the same decisions, which is passed anonymously via the CommunityIQ feature (if you participate) and added to the database.

You should also have the AutoSandbox Mode set to Ask rather than Auto; of course you could always disable the autosandbox (not recommended) or uncheck 'the file prevalence/reputation is low' option (the lessor of the two).

####
Essentially they aren't FPs but recommendations, which you can elect to ignore:
The autosandbox process is controlled in the first instance by the file system shield (FSS), the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn't had a definitive detection.

However, the FSS checks other things amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). these can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean and of course that you intentionally initiated the program.
You haven't seen my last reply.
I found out that the auto-sandbox wanted to sandbox my project because it was an unknown .exe , it said it was due to low reputation.

newhere

  • Guest
Re: Auto-Sandbox is acting crazy
« Reply #9 on: May 04, 2012, 04:00:00 PM »
yes, if u create new apps, it is highly likely that avast will autosandbox it due to the reasons u stated. (this is the nature of avast autosandbox)

avast is known not to game the filerep system. avast does not whitelist apps developers create.

the only thing u can do is to wait for the app to be of sufficient prevalence/reputation apart from adding digital signature to ur apps (which helps in speeding up the process in filerep system)

note: i do not know how much digitally signing ur apps will help in the process but it is one of the criteria s.
I know its'nt Avast related but does anyone know why a clean devcpp project is recognised by Norman (WTF?!) Antivirus and 1-2 more like that wierd antivirus, as a malware gen? one even stated it was a possible trojan- Virustotal.

But antiviruses like AVG,AVAST,AVIRA,NOD32,KASPERSKY  and stuff like that (The big companies) didn't...

Offline AntiVirusASeT

  • Poster
  • *
  • Posts: 462
Re: Auto-Sandbox is acting crazy
« Reply #10 on: May 04, 2012, 04:11:02 PM »
well, any antivirus could at any point detect false positives on one program, even if it is really not malicious.

report to norman or whatever antiviruses of the false positive.

eg. norman fp reporting: http://www.norman.com/support/fp/en

newhere

  • Guest
Re: Auto-Sandbox is acting crazy
« Reply #11 on: May 04, 2012, 05:25:59 PM »
well, any antivirus could at any point detect false positives on one program, even if it is really not malicious.

report to norman or whatever antiviruses of the false positive.

eg. norman fp reporting: http://www.norman.com/support/fp/en
thank you very much :)

ShadowCaster

  • Guest
Re: Auto-Sandbox is acting crazy
« Reply #12 on: May 08, 2012, 03:55:41 PM »
I had similar problem as OP, all of the apps created with Visual Studio were auto sandboxed, but I found what caused that:
Visual studio by default in Assembly Info set Microsoft as the company that created the software, and as it's not actually signed by Microsoft, Avast might be detecting that as a try to mislead someone.
Changing the company name to something else fixed this issue.