Auto-sandbox in XP

Can anyone confirm that the auto-sandbox in the free version works in XP? I have seen no alerts even when running things that others have said will give them alerts.

I was just examining the .ini file for the filesystem shield and there is nothing in it about the sandboxing. I have it turned on in the options. Should there be an entry in the .ini file? There is for all of the other options as far as I can tell.

[Common]
ActionOnPackedFile=onlyfile
OverwriteReport=0
PUPAction=trezor iffailed delete
PerformActionOnStartup=1
Report=TXT
ReportName=*
ReportRecords=Infected;HardErrors
ScanFullFiles=0
ScanPUP=0
ScanPackers=EXE;WinExec;Drop;Streams
ShowAppliedActionNotification=1
SuspiciousAction=trezor iffailed delete
TaskSensitivity=80
UseCodeEmulation=1
VirusAction=trezor iffailed delete
ProviderEnabled=1
[FileSystem]
ScanAutorun=1
ScanDLLOnLoad=1
ScanDiskette=1
ScanExceptions=?:\PageFile.sys;\System.da?;\User.da?;.fon;.txt;.log;.ini;\Bootstat.dat;\firefox\profiles*sessionstore*.js
ScanOnExecute=1
ScanOnOpenAllFiles=0
ScanOnOpenCustomExtensions=0
ScanOnOpenDocuments=1
ScanOnWriteAllFiles=0
ScanOnWriteCustomExtensions=0
ScanOnWriteDefault=1
ScanScriptsOnExecute=1
SkipSystemDlls=1
UsePersistentCache=1
UseTransientCache=1

I have tried several small utilities in both Win7 Starter and XP Pro and I haven’t had any response on any of them, so I can’t say if it is working in one and not the other.

As far as an entry in the ini file goes, default options tend not to be in the ini file, so if you were to disable auto-sandbox, that may place an entry which you could see and then enable the sandbox again.

I can run OTL.exe on XP and no alert.

While running it on Windows 7 I receive an alert. See attached.

I found the entry for the sandboxing. It’s in the Avast5.ini file, not in the FileSystemShield.ini. It does say it’s enabled.

Aha, so it is working differently in XP.

Gee it seems that aswMBR doesn’t work on this system either. This is what I got when running it just to see what it did.

aswMBR version 0.9.2 Copyright(c) 2011 avast! Software
Run date: 2011-02-25 20:20:47

15:20:47.046 OS Version: Windows 5.1.2600 Service Pack 3
15:20:47.046 Number of processors: 1 586 0x2402
15:20:47.046 ComputerName: HP5215 UserName: Donald
15:20:47.703 Initialize success
15:20:57.593 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
15:20:57.593 Disk 0 Vendor: Size: 0MB BusType: 0
15:20:57.687 Disk 0 MBR read error
15:20:57.687 Disk 0 MBR scan
15:20:57.687 Disk 0 MBR hidden
15:20:57.687 Disk 0 trace - called modules:
15:20:57.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:20:57.703 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a57bab8]
15:20:57.703 3 CLASSPNP.SYS[ba108fd7] → nt!IofCallDriver → \Device\00000074[0x8a523440]
15:20:57.703 5 ACPI.sys[b9f7f620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8a522d98]
15:20:57.703 Scan finished successfully

I have one program that alerted the AutoSandbox, which is set to Ask. It’s a trusted program for my HP 7310 AIO printer. I excluded it from being sandboxed by selecting run normally. It shows in the autosandbox log.

In XP? I don’t even have an autosandbox.log file anywhere on my system.

I don’t think the autosandbox.log is created until the first alert. All I see in mine are multiple entries listing the program I excluded and stating that it was sandboxed due to my exclusion. The log is in a subdirectory under All Users\Application Data.

Dch48.

Running XP Pro Spk3. C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\Log >> autosanbox.log

http://i1201.photobucket.com/albums/bb360/iroc9555/SandBox-1.jpg

It is working in mine.

Interesting. I will say that after the clean install of v6, I was not told to reboot. It just said Avast! was running and protecting my system. When I went into the GUI and looked in Additional Protection / AutoSandbox, it said the feature would not be available until after a restart. It has not given any alerts or created a log file yet.

No I wasn’t prompted to reboot either - odd.

I can confirm that there’s a little problem in the Windows XP implementation of the AutoSandbox. It is offered less often than it’s supposed to be (and also compared to Vista/W7, where it works correctly).

This bug has already been fixed in the internal branch, and will be part of the next program update.

Thanks
Vlk

@ Vlk,

By program update, you mean the next version update…correct? I just need clarification. Thank you.

Yes, most probably.

+1
‘Program update’ always refers to the main program. :wink:
asyn

Thanks Vlk. At my age it’s always good to know that you weren’t imagining things. ;D

Just another report on how the auto-sandbox is not functioning correctly in XP. Last night I got my first alert from the sandbox. It was for a game called F.E.A.R. and it alerted me about the main .exe for the game called, strangely enough, fear.exe. This would have been okay except for one thing. It only alerted on the third execution of the file. The first two times I started up the game from scratch, there was no alert. This is a serious flaw since if it did that with a malicious file, only being alerted on the third execution would be far too late obviously.

The fixed version needs to be pushed out ASAP in my opinion.

I’ve just encountered a similar problem this afternoon with a program that was previously working just fine. Now, every time I boot up the program, Avast indicates it may be a problem and recommends opening it in Sandbox.

I’ve run a full scan on my computer and I’ve run a scan on the program folder and Avast doesn’t find anything.

In the several years I’ve been using the Free version of Avast, this is the first problem I’ve run into.


XP PRO SP3
Avast 6.0.1

You can select/elect to Run normally and check the Remember my answer box.