AutoSandbox – Free Edition

I am curious to know the result of each Sandbox treatment. As far as I have noticed, it has gone into action 3 times since it was introduced to the Free edition.
The latest incident was a pdf.exe that it found suspicious, but this happened about 2 minutes after I had opened a PDF. Perhaps AutoSandbox treats suspicious programs trying to imitate trustworthy ones?
The other thing I would like to know is where one can monitor the results of sandbox actions. Is there a sort of quarantine report? If so, how can I find it?

You could check the log file:
C:\ProgramData\AVAST Software\Avast\log\autosandbox.log. This is likely to be a hidden folder, so you may need to change the Explorer, Tools, Folder Options settings if you haven’t done this already.

Thanks David,

The report is indeed there:

11.08.2011 19:11:06 Autosandbox candidate: C:\Program Files\Winamp\winampa.exe
[Source: http://download.nullsoft.com/winamp/client/winamp5621_full_emusic-7plus_all.exe http://www.winamp.com/media-player/all
87.248.217.254]
[Opened by: C:\Windows\Explorer.EXE]
→ Result: Sandboxing (because policy set to Auto).

11.08.2011 22:07:35 Autosandbox candidate: C:\Program Files\Winamp\winampa.exe
[Source: http://download.nullsoft.com/winamp/client/winamp5621_full_emusic-7plus_all.exe http://www.winamp.com/media-player/all
87.248.217.254]
[Opened by: C:\Windows\Explorer.EXE]
→ Result: Sandboxing (because policy set to Auto).

12.08.2011 08:07:31 Autosandbox candidate: C:\Program Files\Winamp\winampa.exe
[Source: http://download.nullsoft.com/winamp/client/winamp5621_full_emusic-7plus_all.exe http://www.winamp.com/media-player/all
87.248.217.254]
[Opened by: C:\Windows\Explorer.EXE]
→ Result: Sandboxing (because policy set to Auto).

12.08.2011 12:12:09 Autosandbox candidate: C:\Program Files\Winamp\winampa.exe
[Source: http://download.nullsoft.com/winamp/client/winamp5621_full_emusic-7plus_all.exe http://www.winamp.com/media-player/all
87.248.217.254]
[Opened by: C:\Windows\Explorer.EXE]
→ Result: Sandboxing (because policy set to Auto).

12.08.2011 16:04:23 Autosandbox candidate: C:\Program Files\Winamp\winampa.exe
[Source: http://download.nullsoft.com/winamp/client/winamp5621_full_emusic-7plus_all.exe http://www.winamp.com/media-player/all
87.248.217.254]
[Opened by: C:\Windows\Explorer.EXE]
→ Result: Sandboxing (because policy set to Auto).

12.08.2011 17:48:52 Autosandbox candidate: C:\Program Files\Google\Google Desktop Search\pdftotext.exe
[Source: ]
[Opened by: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe]
→ Result: Sandboxing (because policy set to Auto).

12.08.2011 18:27:42 Autosandbox candidate: C:\Program Files\Winamp\winampa.exe
[Source: http://download.nullsoft.com/winamp/client/winamp5621_full_emusic-7plus_all.exe http://www.winamp.com/media-player/all
87.248.217.254]
[Opened by: C:\Windows\Explorer.EXE]
→ Result: Sandboxing (because policy set to Auto).

There were probably earlier instances, but I believe such logs and reports are set by default to auto-delete after 30 days.

The programs worked fine from the Sandbox, so I will leave it set to Auto. No reason not to.
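
For anyone who wants to review more than a handful of these entries, here is an added example (not part of the thread or of avast! itself) that parses the autosandbox.log format shown above into records and summarises which programs were sandboxed and which were logged with no download source. The sample log text is constructed from the excerpt above; the wrapped [Source: ...] field and the empty one are the cases the parser has to handle.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the autosandbox.log excerpt above: one entry whose
# [Source: ...] field wraps onto a second line and one whose source is empty.
SAMPLE_LOG = r"""
11.08.2011 19:11:06 Autosandbox candidate: C:\Program Files\Winamp\winampa.exe
[Source: http://download.nullsoft.com/winamp/client/winamp5621_full_emusic-7plus_all.exe http://www.winamp.com/media-player/all
87.248.217.254]
[Opened by: C:\Windows\Explorer.EXE]
→ Result: Sandboxing (because policy set to Auto).

12.08.2011 17:48:52 Autosandbox candidate: C:\Program Files\Google\Google Desktop Search\pdftotext.exe
[Source: ]
[Opened by: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe]
→ Result: Sandboxing (because policy set to Auto).
"""

HEADER = re.compile(r"^(\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d) Autosandbox candidate: (.+)$")
FIELD = re.compile(r"^\[(Source|Opened by): ?(.*)$")      # the closing ] may be on a later line
RESULT = re.compile(r"Result: (.+?)\s*(?:\((.*)\))?\.?$")

def parse_log(text):
    """Parse autosandbox.log text into a list of dicts (one per candidate entry)."""
    records, rec, pending = [], None, None       # pending = name of a still-open [..] field
    for line in (l.strip() for l in text.splitlines()):
        if pending:                              # continuation line of a wrapped field
            rec[pending] = (rec[pending] + " " + line.rstrip("]")).strip()
            pending = None if line.endswith("]") else pending
        elif m := HEADER.match(line):
            rec = {"time": datetime.strptime(m[1], "%d.%m.%Y %H:%M:%S"), "candidate": m[2],
                   "source": "", "opened_by": "", "result": "", "reason": ""}
            records.append(rec)
        elif rec and (m := FIELD.match(line)):
            key = "source" if m[1] == "Source" else "opened_by"
            rec[key] = m[2].rstrip("]").strip()
            pending = None if line.endswith("]") else key
        elif rec and (m := RESULT.search(line)):
            rec["result"], rec["reason"] = m[1], m[2] or ""
    return records

def summarize(records):
    """Sandboxing decisions per candidate, plus candidates logged with no download source."""
    sandboxed = Counter(r["candidate"] for r in records if r["result"] == "Sandboxing")
    no_source = [r["candidate"] for r in records if not r["source"]]
    return sandboxed, no_source
```

Point it at the real file with `parse_log(open(path, encoding="utf-8").read())`; entries with an empty source (like pdftotext.exe above) are the ones worth a closer look, since the shield had no download origin to reason about.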

You’re welcome.

DavidR

In the case of Nullsoft (Media player Winamp) in the example, perhaps “Winamp” tries to spy out your system to discover your media tastes or something and uses perpetually dangerous programs to do so. If so, kudos to Avast. Not sure about the “pdftotext.exe” though.

Any ideas?

Avast seems to be treating anything from Nullsoft as suspicious or even dangerous. This is probably because a group of malware authors started using the Nullsoft installer as part of their creations.

Quoted from Wikipedia:

Nullsoft Scriptable Install System (NSIS) is a script-driven Windows installation system with minimal overhead backed by Nullsoft, the creators of Winamp. NSIS has risen to popularity as a widely used alternative to commercial and proprietary products like InstallShield.
A widespread malware company named itself NSIS Media. NSIS Media and NSIS are not related by anything but name. A few users incorrectly allege that every installer built with NSIS contains this malware.

Apparently Avast is one of those making the incorrect assumption.

Sounds plausible!

This isn’t Mythbusters. Either avast! is making an incorrect assumption here or it isn’t.

I think it is because I’ve had it happen as well on something that was safe but used the nullsoft installer.

The problem is who is to determine safe and by what method.

The autosandbox process is controlled in the first instance by the file system shield (FSS); the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is that it hasn’t had a definitive detection.

However, the FSS checks other things, amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). These can trigger a suspicion, and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox, or have it run normally and Remember the answer for this program. Provided, of course, that you are familiar with the program, that it is clean, and that you intentionally initiated the program.