Hi everyone. I don’t know if anybody else is experiencing this, but since about a week ago or so, avast tries to sandbox about 50% of the programs I run, it is getting EXTREMELY ANNOYING. Perfectly legit progs are now labeled “suspicious” by the sandbox, because the “file prevalence/reputation is low”. Who decides the file reputation or prevalence? There’s something VERY WRONG here.
What the hell happened???
Additionally, Avast is prompting to run a program in the sandbox, EVEN IF I HAD ALREADY ADDED IT TO THE EXCLUSIONS list.
Major malfunction.
Another reason for sandboxing is “static analysis finds the file suspicious”.
For example: Teracopy is found suspicious, which is totally bogus.
There’s something absolutely wrong with the sandbox.
Other legit programs labeled “suspicious” include:
Winrar (also the installer for it)
Damn NFO Viewer
10 talismans (exe and .rwg file)
Codestuff starter. (this might be acceptable, since starter modifies the registry/services/etc)
Several program installers/uninstallers
and several more I don’t recall now.
File reputation/prevalence is based on how often the program in question is being used by the majority of the Avast user base.
If you run programs which are not commonly used by average users, be prepared to see a lot of autosandboxing. It is done this way to protect users from potentially fresh malware (zero day).
However, it will also mean a huge increase in FPs (in the sense that it sandboxes them) until the program has been opened enough times by a sufficient number of Avast users for its behaviour to be analysed, tipping the overall analysis towards the program being likely safe and thereby releasing it from being autosandboxed in the future.
There are 4 things you can do: either manually add all programmes that triggered the autosandbox, or run the program which triggers the autosandbox and select ‘open normally’, or set the autosandbox to ‘ask’ so that programmes do not get sandboxed automatically, or turn off the autosandbox feature.
As far as I know, avast does not whitelist any programs which cause the autosandbox to be triggered.
As for still prompting to run in the sandbox in spite of adding to the exclusions list, I cannot reproduce it on my side.
You might want to provide your system specs and the program you’re trying to exclude from the autosandbox, for avast developers to reproduce.
Meanwhile, do try a repair through the avast uninstaller to see if that solves your problem.
Do note that during the weekends, the avast team are generally not around on the forums; please be patient till next week.
Edit 1: the static analysis trigger is something you should take note of… it is a more ‘serious alert’ compared to the reputation trigger, as this is based on heuristics.
Unless you’re sure that the program is safe, do not release that program from the sandbox.
The file itself. Its date, how it is spread in the world… It’s not a human decision, it’s an automated process based on criteria.
Autosandbox is doing its job very well, adding proactive detection to avast! and protecting us against 0-day malware.
It might do a good job against 0-day malware, but at the cost of being very annoying when running perfectly legit programs, which I have been using for years, without them being sandboxed. Only now avast wants to sandbox 'em. Version 7 seems a lot more picky…
Like I said, why is teracopy.exe found “suspicious” by static analysis?? scanning it with avast doesn’t show anything (clean).
Damn NFO viewer is one example of a file that was already added to the sandbox exclusions and still, every time I run it, avast prompts me if I want to sandbox it or run it normally (I ALWAYS set the autosandbox mode to “ask”; the other mode (auto) is even more annoying and has led to BSODs in the past). When the sandbox is set to “auto” and it analyzes a file, no matter what you select, the next time it analyzes it again, completely ignoring what you selected last time; that’s why I set it to “ask”. Plus, it might close your program unexpectedly even after it has opened… I’m really disliking this new sandbox. Previous versions were a lot better.
Just disable the Autosandboxing then… Or configure it a little bit less aggressive.
Hmmm… not sure it can be that dangerous.
Well… What do you want? That the resident shields keep track of all files in your computer, take the checksum (MD5) of it and compare?
It would take even more time. The files must be analyzed all the time: what if a malware is posing as the real application?
About that last point. What’s the idea of excluding a file if you’re gonna be asked about it again next time???
Another one: I just installed Furmark and the sandbox said that “static analysis… bla bla”
I insist: what the hell is wrong with the SB, that now it finds almost ALL files suspicious for one reason or another (low prevalence or static analysis)? I repeat: this is NOT NORMAL, there’s something wrong.
bye!
My personal “solution” for this, as I’d noted in another thread, was to untick the insufficient-data (or however it’s worded) item in the settings. That way I won’t be bothered by the sandbox when I’m running stuff I’ve had for years and which is antique enough (e.g., ancient versions of Graphic Workshop and dBase) that I doubt there’s wide enough usage to get included in the database in the foreseeable future.
And the security-related triggers are still active.
Do you mean ‘The file prevalence/reputation is low’? As that is potentially the one that is likely to trap 0-day malware.
As much of a pain in the ass that this might be in the early days of your use, set the AutoSandbox Mode to Ask and for programs that you have had for some time and are sure they aren’t malware, have it Run Normally and select the ‘Remember my answer for this program.’
With my settings at the default and choosing that set of actions, I haven’t had the autosandbox intercept those already excluded.
So for me it didn’t take that long for the old programs that I use that were intercepted to be built up in the exclusions. I don’t know if, in doing this, it would subsequently be fed back (via the CommunityIQ function) to avast. This may then add to a program’s prevalence and reputation, to the benefit of all avast users.
File Behavior: TERACOPY.EXE has been seen to perform the following behavior:
- The Process is polymorphic and can change its structure
- The Process is packed and/or encrypted using a software packing process
- This process creates other processes on disk
- This Process Deletes Other Processes From Disk
- Executes Processes stored in Temporary Folders
- Executes a Process
- Reads your outlook address book
- Writes to another Process's Virtual Memory (Process Hijacking)
- Adds a Link in the Start Menu
- Violates Prevx File Security Settings
- Registers a Dynamic Link Library File
TERACOPY.EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Deleted as a process from disk
- Changes to the file command map within the registry
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Executed by Internet Explorer
- Added as a Registry auto start to load Program on Boot up
http://www.prevx.com/filenames/2852839623737587884-X1/TERACOPY.EXE.html
Based upon the above it might be prudent to run it in the sandbox.
Well… As far as I know and have used it, TeraCopy is a clean program. The “problematic” behavior is that it substitutes the Windows copy/paste function.
If I’m wrong, I beg avast! virus analysts post very quickly here…
I’m having a similar problem. ImageMagick’s convert.exe is repeatedly run in a sandbox, despite autosandboxing being disabled and the exec listed under exclusions (multiple times apparently). Seems to be some kind of bug, or the feedback to the user could be improved.
Make sure it is listed under the autosandbox exclusions, not the other shields’ exclusions.
If that does not work, it is likely to be something wrong with your avast install.
Please do a repair on avast via control panel → (add/remove programs for windows xp OR programs and features for windows 7) → select repair → reboot your computer.
If this does not work, please do a complete uninstall & reinstall of avast.
- Download a fresh Avast! 7 package from http://www.avast.com/free-antivirus-download (to reduce chance of corrupted install)
- uninstall Avast! the normal way with windows
- run Avast! uninstall utility http://www.avast.com/uninstall-utility (please do it in SAFE MODE! )
- run the uninstall utility 1st time, one for Avast! 7
- reboot and go into safe mode once more, 2nd time for Avast! 6 (this is IF you have updated to Avast! 7 from Avast! 6)
- reboot again, this time to normal windows mode
- install the fresh package
do report back
If the autosandbox is disabled as you say then it isn’t the autosandbox, but possibly another shield (behavior shield). If you can post a screenshot of the avast alert/notification window, see image examples of autosandbox pop-ups (click to expand).
So are you saying that despite the autosandbox being disabled you still get autosandbox windows recommending it be run in the sandbox ?
If so I would try an avast repair (as suggested) before you try a clean reinstall.
Hi, many thanks for the responses/suggestions. I’ve only had time to do the repair at the moment, will try the full uninstall/reinstall later and let you know what happens. Here is a screenshot of the notification message and autosandbox settings tab:
If I had enabled the sandbox and scrolled down you would see the path to convert.exe listed several times under “Files that will be excluded…”. I’m running a local web server and on some pages (containing images generated by convert.exe) I get up to 15 of the notification boxes popping up.
Strange, very strange, that it is working when it is meant to be disabled.
However, your alert/notification image shows an alert which would normally be shown if the autosandbox were set to Auto mode, yet prior to your disabling it, the autosandbox was set to Ask. Weird.
So I think the clean reinstall is the next option.
If, as you say, you are running a local web server and you were getting multiple entries for convert.exe, and the …\ part of the path C:\Program Files (x86)\…\convert.exe (in your image, attached below) was always changing, then you could use a wildcard in place of the … part, e.g. C:\Program Files (x86)\*\convert.exe.
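To make the decision logic discussed in this thread concrete (the reputation/prevalence trigger, the static-analysis trigger, the Auto/Ask/Off modes, and wildcard exclusions like the one suggested above), here is a small model of such an autosandbox policy. This is an added illustration, not Avast's code or its real thresholds: the `AutosandboxPolicy`, `FileVerdict`, the prevalence cut-off of 100 and all sample paths are assumptions constructed for the example. The one thing worth noticing is the exclusion matcher: Windows paths are compared case-insensitively and `*` is allowed to span directory separators, which is what lets a single `C:\Program Files (x86)\*\convert.exe` entry cover every changing sub-folder instead of one exclusion per path.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class FileVerdict:
    """What the scanner knows about a file before it is launched (constructed fields)."""
    path: str
    prevalence: int           # hypothetical: how many users have been seen running this file
    static_suspicious: bool   # hypothetical: did static heuristics flag the file?


@dataclass
class AutosandboxPolicy:
    mode: str = "ask"                     # "auto", "ask" or "off", as in the thread
    low_prevalence_threshold: int = 100   # assumed cut-off, NOT Avast's real number
    check_low_prevalence: bool = True     # the "insufficient data / low reputation" trigger toggle
    exclusions: List[str] = field(default_factory=list)

    def is_excluded(self, path: str) -> bool:
        # Case-insensitive match; fnmatch's '*' also matches across backslashes,
        # so "C:\Program Files (x86)\*\convert.exe" covers any sub-folder depth.
        norm = path.lower()
        return any(fnmatch.fnmatchcase(norm, pat.lower()) for pat in self.exclusions)

    def reasons(self, v: FileVerdict) -> List[str]:
        # Two triggers from the thread: static heuristics (the more serious one)
        # and low prevalence/reputation (the one that can be switched off).
        out = []
        if v.static_suspicious:
            out.append("static analysis finds the file suspicious")
        if self.check_low_prevalence and v.prevalence < self.low_prevalence_threshold:
            out.append("file prevalence/reputation is low")
        return out

    def decide(self, v: FileVerdict) -> Tuple[str, List[str]]:
        """Return (action, reasons): action is 'run normally', 'ask user' or 'sandbox'."""
        if self.mode == "off" or self.is_excluded(v.path):
            return "run normally", []
        reasons = self.reasons(v)
        if not reasons:
            return "run normally", []
        action = "sandbox" if self.mode == "auto" else "ask user"
        return action, reasons


if __name__ == "__main__":
    # Constructed sample files and policy, mirroring the cases in the thread.
    policy = AutosandboxPolicy(
        mode="ask",
        exclusions=[r"C:\Program Files (x86)\*\convert.exe"],
    )
    samples = [
        FileVerdict(r"C:\Program Files (x86)\ImageMagick-6.7\convert.exe", 3, False),
        FileVerdict(r"C:\Tools\teracopy.exe", 5, True),
        FileVerdict(r"C:\Old\dbase.exe", 0, False),
    ]
    for s in samples:
        print(s.path, "->", policy.decide(s))

    # Unticking the low-prevalence trigger keeps only the heuristic alerts.
    relaxed = AutosandboxPolicy(mode="auto", check_low_prevalence=False)
    print(r"C:\Old\dbase.exe (relaxed) ->", relaxed.decide(samples[2]))
```

With the wildcard exclusion in place, every `convert.exe` under a varying sub-folder of `C:\Program Files (x86)` runs normally regardless of its prevalence, while the low-prevalence file with a static-analysis hit still produces a prompt in Ask mode, and the old, rarely-seen but otherwise clean file stops being intercepted once the prevalence trigger is switched off.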
I managed to uninstall according to the instructions above from AntiVirusASeT, rebooting into safe mode etc., before reinstalling. After another reboot to allow the sandbox virtualization to work, the problem seems to be fixed (default settings with Autosandbox set to ‘Auto’). Thanks for the assistance with this.
You’re welcome, though I thought the default setting for the AutoSandbox mode was Ask. If not, I would suggest setting it that way, as it gives you more interactive control over what is going on. Of course that would mean more notification/recommendation screens; if you are happy with the activity, no problem. Personally I prefer the extra control.