Avast manual Sandbox (AVIS) not sandboxing some programs (Sandbox issues).

Hi All,

Having purchased AVIS 6 a few days ago I have noticed a few instances where the sandbox has not been working as expected.
To make things clear, for the purpose of this I have enabled both the tags in titles and borders around windows options to show when a program is being run via the sandbox.

The first of which is with Notepad2.
When you run the installer it uses a registry modification which replaces Notepad.exe with Notepad2.exe.

This is where the problem comes in - if you go to Start → All Programs → Accessories → Notepad → Right click → Run in sandbox (or Always run in sandbox) it attempts to execute Notepad.exe in the sandbox.

The issue here is Notepad2.exe located at C:\Program Files\Notepad2\Notepad2.exe (in my case) is run instead - resulting in the program not actually being sandboxed.

On top is the window that I attempted to sandbox via the start menu (not sandboxed), underneath is the program executed manually by going to the folder and using the Run in sandbox option (sandboxed).

Now this is a fairly odd case, so it’s reasonable that it had not been thought of/did not work as intended.
If you go to the Notepad2 folder and select the Always run in sandbox option, it then works as intended if you access it via the start menu.

http://f.cl.ly/items/3u0h2R0i2q3z3d0m0a32/Sandbox1.png

The second issue, which is somewhat more concerning from a security point of view is that the sandbox does not appear to work for .net applications.

For example - Paint.net is an application I regularly make use of and you are not able to start it in the sandbox.

http://f.cl.ly/items/1z0q3o3a1f1L2W2q3S0b/Paintdotnet.png

Another .net program I occasionally use is Modio - this does not work in the sandbox either.

If I was relying on the Sandbox as a security feature I would be rather concerned about this - especially considering a considerable amount of the trojans/viruses I see now (from security research I do in my spare time) are written using the .net framework.

Whilst I don’t have the full sandbox, I would imagine that your .net framework applications won’t work directly as .net framework isn’t running in the sandbox and the point of the sandbox is to isolate the application.

Or there are no settings in the sandbox that allow direct access, such as for browsers where you can allow access to bookmarks, download location, etc. But I don’t see anything for other applications that require another application in order to run in the Help Center of avastUI.

I am pretty sure that’s likely the issue here too.

The thing is, if avast want a feature such as this to be taken seriously then (in my opinion at least) they need to go back and re-think it a bit and make sure it works in common situations.
The .net framework is widely used now, I am sure at least in part due to the fact that it’s pre-installed on Operating Systems such as Windows 7.

It’s all well and good saying “here’s a sandbox, run the programs you are not sure are safe in it” but what happens if I tried to run a .net program in it that was malicious? The computer would have been infected, because as you said - it was not isolated.

Another well known Sandboxing program (Sandboxie) has no problems with .net applications at all on the other hand.
Also, Sandboxie does not have the Notepad2 problem I mentioned in the first post either.

http://f.cl.ly/items/1i0M1o1e3u0h1L1H1H33/Sandboxie.png

Edit: This topic is all meant as constructive criticism, rather than as a complaint, so please do not take it as one - I just thought it would be useful to point out the shortcomings of the current system that I noticed :slight_smile:

I would suggest that you use this to submit a Technical issues request about this inability to run applications that require .net inside the sandbox.

However, I would imagine it would be a massive task to have .net framework run inside the sandbox as it would also need to identify which .net version is required by the program and load it. I wouldn’t think they would want to have the sandbox running with .net before you actually want to run the sandbox and if there was a need for .net.

Do you think it would be best to submit it via that or support.avast.com? Either way, I’ll write up something and let them know at some point over the weekend (assuming they do not just see this topic first).

Personally I think the Technical issues submission will get it considered for possible inclusion in the future.

Where I don’t think a support ticket will help if it isn’t something that is already included/supported, e.g. you have a problem with an existing function that should work.

Well, we can ask Petr ( the Sandbox Developer ). If you want I can email him :slight_smile:

Greetz, Red.

It certainly won’t hurt going direct, as has been mentioned .net is a creeping plague, one that I’m losing the battle. Even my sodding anti-spam MailWasher Pro 2011 uses .net 3.5.

I hate it when what is a small program requires me to install hundreds of MB of .net.

Ok, I will email Petr with a link to this topic :slight_smile: But as he is returning today ( Saturday ) from a trip to the USA, please be a little patient for an answer :wink:

Greetz, Red.

Thanks.

That would be fantastic, thanks :slight_smile:

Petr appreciates direct feedback. I have already emailed him :slight_smile:

Greetz, Red.

My guess:

When you go to Run—Accessories—Notepad it does not link to the version of Notepad that you are thinking it does.

It is linking to another Notepad file.

This happens once in a while with Windows.

Bottom line is that I think you have multiple versions of Notepad causing the problem because when you run it from wherever the icon is pointing to another directory. So you sandboxed one Notepad and when you went to run Notepad you thought you were running the version of Notepad that you sandboxed. However the Notepad icon that you ran Notepad from was linked to another version of Notepad that you did not sandbox, hence Notepad not running sandboxed when you thought it should.

Actually, no - it’s intended behaviour from the registry modification. In effect what it does is whenever “notepad.exe” is called is execute Notepad2.exe (in the relevant folder) instead.
Of course avast! does not know this is going to happen, and so unless it is programmed to look at that value it’s not going to work (with the exception of if you manually go to the Notepad2 install directory, right click it and choose Always run in sandbox).

This part is not even particularly important as I know Notepad2 is safe to use (I actually built a custom version of it myself from the Source) - the .net issue is important however - the only reason I brought the Notepad2 thing up is simply because I was looking for ways where the Sandbox is not behaving as expected.
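
The redirect described in the last post can be checked before relying on a per-executable sandbox rule. The following is an added example, not part of the original thread or of avast!: it assumes the "registry modification" is the Image File Execution Options (IFEO) `Debugger` value, the usual mechanism for Notepad replacements, which the thread does not name. The function name `Get-IfeoRedirect` is hypothetical.

```powershell
# Added example (not from the thread): list executables that Windows silently
# redirects to another binary through an IFEO "Debugger" value.
# Assumption: the Notepad2 installer used this mechanism.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoRedirect {
    param([string[]]$Root = $IfeoRoots)

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $r -ErrorAction SilentlyContinue) {
            # Each subkey is named after the image being launched (e.g. notepad.exe).
            $cmd = [string]$key.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

            # Pull the executable out of the command line: quoted path first,
            # otherwise everything up to the first ".exe".
            $exe = $cmd
            if ($cmd -match '^\s*(?:"([^"]+)"|(.+?\.exe)\b)') {
                $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            }
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim())

            # Record whether the replacement exists and how it is signed.
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }

            [pscustomobject]@{
                RequestedImage  = $key.PSChildName   # what the shortcut asks for
                ActualBinary    = $exe               # what really starts
                DebuggerCommand = $cmd
                Exists          = $exists
                Signature       = $sig
            }
        }
    }
}

Get-IfeoRedirect | Format-Table -AutoSize -Wrap
```

Each row's `ActualBinary` is the file that really starts, so that is the path a per-executable rule such as Always run in sandbox has to be set on, as the first post found with Notepad2.exe.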