Autosandbox: False Positive

Hello,

With the current virus definitions (110826-0), GSmartControl V.0.8.6-2 triggers the Avast! Free Autosandbox.

It never happened before and I have been using GSmartControl in conjunction with Avast! for more than three years now. Obviously it’s a brand-new false positive.

Thank you and sorry for my English - Let me know if you need more info or details.

Regards,
T.

Windows XP Pro SP3
Avast! Free AV 6.0.1203
Online Armor Free 5.0.0.1097
GSmartControl 0.8.6-2: http://gsmartcontrol.berlios.de

Essentially it isn’t a Detection, so not a false positive.

The autosandbox process is controlled in the first instance by the file system shield (FSS); the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn’t had a definitive detection.

However, the FSS checks other things, amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). These can trigger a suspicion, and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean and of course that you intentionally initiated the program.

Hi DavidR,

I know how the Autosandbox works, thanks. I’ve been using Avast! since v.3.x, by the way.

I just wanted to report that this behaviour has started with the virus definition 110826-0 - as explained in detail in my original post.

The same happened months ago with Erunt (http://www.larshederer.homepage.t-online.de/erunt) and it was “fixed” in a week or so.

In other words, I just wanted to let the Avast! Team know about the GSmartControl/Autosandbox “issue”.

Kind regards,
T.

Well the virus definitions and engine updates can modify the behaviour, so things that weren’t previously picked up or suggested to run sandboxed could occur.

So when that does happen, I just select run normally and Remember the answer for this program (assuming it is good/clean). This I presume will also be filtered to avast via the CommunityIQ feature.

I ticked “remember my decision” immediately, however I was not sure that also in this case (autosandbox → run normally) my decision would have been filtered to Avast! Team via CommunityIQ.

Thanks,
T.

I don’t know if it would (as an avast user like yourself), if you don’t check the remember the answer for this program option, then I would assume (dangerous I know) less weight would be applied to it even if it did get included in the CommunityIQ.

The reason I think that, is if you don’t check that option, it might be considered a one off run of that application/process, so less weight/importance might be correctly applied.

Yeah, I think you’re right.
Will see what happens…

Thanks again,
T.

Hi David,

Just a quick note to let you know that this morning I removed GSmartControl from the Autosandbox’s exclusion list and then tried to run it. Problem solved. The program now runs normally without suggestions to run sandboxed.

Cheers,
T.

Glad to hear it, thanks for the feedback.