Author Topic: Auto-sandbox in Behavior Module messed up real bad

branco

  • Guest
Auto-sandbox in Behavior Module messed up real bad
« on: June 12, 2012, 04:55:01 PM »
As a request from a friend, I created for her a program to rename some files based on a given criteria.

This program worked for ages flawlessly (it was a simple program) until the day it met Avast's behavior module.

The module was installed when my friend allowed Avast to update itself. My friend, mind you, is a complete illiterate when it comes to computers, but if the anti-virus -- which I recommended, silly me -- warns about a new version, she dutifully applies the upgrade.

Now my program, which she runs daily, seems to be working normally. It shows the list of new files it is creating as usual. Everything seems as normal, except for that little message in the right hand corner about something called sandbox but the message dismisses itself after a few seconds, and my friend pays little attention to it. After all, everything seems to be operating without glitches.

Days passed and there comes a time when my friend needs to get to one of the files she renamed earlier with my program. To her dismay, nothing was saved. At least two weeks' worth of files were simply lost. To make things worse, the files that needed to be renamed daily are overwritten the next day; that's the reason she needed them renamed.

It turns out Avast was running my program in a sandbox for days. No one told it to do that. It was its predefined behavior. It didn't block the program and present an option as other versions did. It didn't flash yellow as it does sometimes. It simply showed a green popup in the right hand corner while the program was already running!!

Why, why, why did you do that, Avast??? If you were going to run the program in a sandbox, why didn't you please block it first???? You cost me a really dear friendship. My friend thinks that my application made her lose many days of precious, important, unrecoverable data.

I used to recommend Avast everywhere, because it didn't try to take hold of the system and had well defined behavior, unlike AVG or (gasp) Norton, but now I feel Avast is taking the same route as those other anti-viruses that think they own your computer.

Damn you, behavior module!
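The failure mode described in this post is that a sandboxed renamer sees its own virtualized writes and reports success, while the real folder is untouched. An added example, not part of the original thread: a hypothetical stand-in for the renaming tool that records a manifest of what it claims to have done, plus a check meant to be run from a separate, non-sandboxed process that compares that manifest against the real directory. The `.csv`/date-stamp naming rule and the `demo()` temp-directory setup are constructed for illustration.

```python
import tempfile
from pathlib import Path


def rename_daily_files(folder: Path, stamp: str) -> dict:
    """Rename every not-yet-stamped *.csv in folder to name-<stamp>.csv.
    Returns a manifest {old_name: new_name} of what the tool believes it did.
    (Hypothetical renaming rule standing in for the friend's program.)"""
    manifest = {}
    for old in sorted(folder.glob("*.csv")):
        if "-" in old.stem:  # already renamed on an earlier run
            continue
        new = old.with_name(f"{old.stem}-{stamp}{old.suffix}")
        old.rename(new)
        manifest[old.name] = new.name
    return manifest


def verify_persisted(folder: Path, manifest: dict) -> list:
    """Return the new names the manifest claims but the real folder lacks.
    Run this from a separate process after the renamer has exited: if the
    renamer was sandboxed, its renames never reached the real disk and every
    claimed name shows up here as missing."""
    return [new for new in manifest.values() if not (folder / new).exists()]


def demo() -> tuple:
    """Constructed scenario: two daily files renamed for real, then a
    manifest that claims a rename which never hit the disk."""
    folder = Path(tempfile.mkdtemp())
    (folder / "report.csv").write_text("constructed sample row\n")
    (folder / "totals.csv").write_text("constructed sample row\n")
    manifest = rename_daily_files(folder, "20120612")
    missing_real = verify_persisted(folder, manifest)
    # Simulates the sandboxed case: the tool's manifest says it renamed
    # lost.csv, but nothing with that name exists in the real folder.
    claimed_only = {"lost.csv": "lost-20120612.csv"}
    missing_sandboxed = verify_persisted(folder, claimed_only)
    return manifest, missing_real, missing_sandboxed


if __name__ == "__main__":
    for label, value in zip(("manifest", "missing (real run)", "missing (sandboxed)"), demo()):
        print(f"{label}: {value}")
```

An empty list from the first check and a non-empty one from the second is exactly the difference the friend never got to see: the popup was the only signal.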

avast@@dvantage77.com

  • J.R. Guthrie - avast! Sales and Support Specialist
  • Avast Reseller
  • Advanced Poster
  • *
  • Posts: 736
  • the only avast! Distributor & Platinum Reseller
    • Advantage Micro Corporation
Re: Auto-sandbox in Behavior Module messed up real bad
« Reply #1 on: June 12, 2012, 06:01:10 PM »
Dear Branco,

The necessity of the AutoSandbox is that this is the only point of protection that stands between encrypted polymorphic infection and the user.  All rare code will AutoSandbox. All polymorphic code is rare.

And yes, end users do not know how to deal with this issue.  The next generation, AutoSandbox version 7.3, will no longer have this issue, but it is an evolutionary process.

Here's how I deal with this issue for my clients.  2 different solutions can occur here:

1) You can manually add the program to the AutoSandbox exclusion

2) Or you can have AutoSandbox add it for you.

Option 1: right click the avast icon in the taskbar, open the avast user interface, under realtime shields, file system shield, expert settings, AutoSandbox, and add the file to the "files that will be excluded" input box.

Option 2: set AutoSandbox to "ask"; after evaluation, it will ask whether to run normally or run in the sandbox.  When you choose to run normally, it will auto add the exclusion for you.  I have my system configured for "ask", and it adds the exclusion for me.

I hope this helps, I know it will not return the files.  The next version will automate this procedure further. AutoSandbox .3 will be in a program update in about 2 weeks or so.
Sincerely,
 
J.R. "AutoSandbox Guy" Guthrie

"At this point in time, the Internet should be regarded as an Enemy Weapons System!"

NoelC

  • Guest
Re: Auto-sandbox in Behavior Module messed up real bad
« Reply #2 on: June 12, 2012, 08:18:40 PM »
Just to add 2 cents...  One option is to disable that feature of Avast, and instead teach users to do less risky things with their systems to offset the additional risk.  Avast is a safety net, but no one should rely only on a safety net.  Better not to fall in the first place!

In our case here at my company, as we do software development our custom tools, which end up in different folders depending on what project is being worked on, were triggering the auto-sandbox behavior, and that was unacceptable for us even with it set to "Ask", so we unchecked the box for [  ] The file prevalence/reputation is low.  All the other protections are still in place, and we are not likely to run unknown code because we practice safe computing in general, so the added risk is smaller than the benefit.

Thanks for the tip that the Auto-Sandbox behavior is changing, avast@ advantage77.com.  I will remember to re-enable the functionality after the next program update to see if it's more compatible with our needs.

-Noel

avast@@dvantage77.com
Re: Auto-sandbox in Behavior Module messed up real bad
« Reply #3 on: June 12, 2012, 09:11:18 PM »
Give the engineers 2 weeks, and AutoSandbox should be able to provide the necessary protection, without interruption to proprietary applications.  Again, without AutoSandbox, the expectation becomes infection from polymorphic code.  This is the only mechanism today to protect from this type of vulnerability.  So it becomes a 2 edged sword! And I understand your frustration!
Sincerely,
 
J.R. "AutoSandbox Guy" Guthrie

NoelC

  • Guest
Re: Auto-sandbox in Behavior Module messed up real bad
« Reply #4 on: June 12, 2012, 11:59:58 PM »
The words "expectation" and "only mechanism today to protect" seem to me to be awfully strong.

With multiple systems online since avast! was first invented, in active use every day, we have never had avast! report that it has protected us from polymorphic code (nor find an infection after the fact), which implies our setting our browsers not to run ActiveX at all except from trusted sites, not installing every "toolbar" and running every game or "cool app" available, and in general understanding how computers and malware work and practicing discipline in computer/internet use are VERY effective primary strategies, pushing avast! to the appropriate role of "safety net".

I realize not everyone is equipped to be educated on how computers work at this level, nor can we expect everyone to always practice disciplined computer use, but I think telling folks to "expect" an infection just sounds extreme.

-Noel

avast@@dvantage77.com
Re: Auto-sandbox in Behavior Module messed up real bad
« Reply #5 on: June 13, 2012, 07:26:58 AM »
I had made it a policy to disable AutoSandbox due to customers having to answer questions.  The negative side effect of my actions became an increase in Rogueware infections, so I now consider that my decision was not in the best interest of my clients.

The top 15 antivirus companies only stop 70% of "unknown" infections (AV-Comparatives).  That is because 30% of this unknown code is polymorphic, encrypted infection that can only be analyzed by executing.  So, you either execute the code in a virtual environment, or you are infected. I see AutoSandbox as a necessity to prevent this type of infection.

AutoSandbox 7.3 should alleviate these issues.
Sincerely,
 
J.R. "AutoSandbox Guy" Guthrie