Couple of quick points about V7

  1. As a program developer the Sandbox is a bit of a pain; it sticks all my exes in there, a “we could not find anything but stuck it in the sandbox anyway” sort of thing. Grr.
  2. V7 is starting very slowly on my Vista box (W7 machines are OK); the icon comes up with a red mark and reports that no shields are running. Doing the “fix it” thing gets them working straight away; otherwise it seems to sort itself out after a couple of minutes.

The autosandbox process is controlled in the first instance by the file system shield (FSS): the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is that it hasn’t had a definitive detection.

However, the FSS checks other things, amongst them a) whether the file is digitally signed, and b) its location and what it does (this is done in the emulation check). These can trigger a suspicion, and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox, or have it run normally and Remember the answer for this program. Provided, of course, that you are familiar with the program, that it is clean, and that you intentionally initiated the program.

As an active developer, you can either set the AutoSandbox mode to Ask or disable it.

If FileRep is enabled on the machine, there would be a query [of the avast cloud database] for “file reputation data” which is factored into the decision to autosandbox, right? A freshly built exe that has never been reported to avast before would have no reputation information associated with it. I think I recall reading something that suggested a “no reputation information available” (and perhaps even a “not enough reputation information available”) situation is at this point not considered sufficient grounds for autosandboxing. Is the above consistent with your view of how things work?

I don’t know if the file rep is currently enabled on the system or only for web downloads.

Are you saying 1) you don’t know if the current release of avast 7 supports file rep queries on files if they aren’t being downloaded, 2) the current release of avast 7 does support that but it might not be enabled on the machine in question, 3) other (please explain)?

I think part of the question (an attempt to pick your brain for confirmation) would stand regardless: the extent to which no or low reputation data could trigger the autosandbox. For example, imagine a developer building a program and testing it on their avast 7 enabled platform. Everything works, no auto-sandbox (due to exclusions, FileRep being off, whatever). Then they upload it and the first (few) user(s) download the program. If no or little reputation data is sufficient to increase the chances of auto-sandboxing, they could or would run into something the developer didn’t, which would be even more confusing to some.

BTW, I just thought of something. FileRep in general is supposed to track and weigh things including “the number of computers that have already opened it (prevalence)”. I think this requires something such as:

  1. The avast 7 program on a given computer keeps a record of files it has reported to avast’s database so that it doesn’t send multiple reports and throw the numbers off. This would be “broken” by disabling or clearing those records (if possible) or doing a clean re-install.

  2. The avast 7 program on a given computer adds metadata to the files it reports to avast’s database, marking them as having been reported so that it will know not to report them again. Not all file systems support that, though.

  3. The avast 7 program, when performing a FileRep query, sends file information along with an ID that uniquely identifies the computer and avast’s database factors that into the way it keeps track of prevalence. This would increase the privacy issues involved, especially if that ID incorporates licensing data that could be linked to purchasing records.

I’m not sure how avast is handling this “keeping track of the number of (unique?) computers that open the file” issue, so I would be interested in comments.
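To make the three options above concrete, here is an added, hypothetical model of a prevalence counter of the kind option 3 describes; it is not avast’s code and nothing here is known about how avast actually implements FileRep. The `PrevalenceTracker` class, the server secret and the sample executable bytes are all constructed for the example. It shows why de-duplication per machine is needed, how a clean re-install (a new machine ID, the worry in option 1) inflates the count anyway, and how a keyed hash keeps the raw machine or licence identifier out of the per-file record (the privacy caveat in option 3).

```python
import hashlib
import hmac
from collections import defaultdict


class PrevalenceTracker:
    """Hypothetical reputation backend: per file hash, the set of
    pseudonymous machine IDs that have reported opening it."""

    def __init__(self, server_secret: bytes):
        # Constructed for the example; a real service would hold this in an HSM/KMS.
        self._secret = server_secret
        self._reporters = defaultdict(set)  # file_hash -> {pseudonymous machine IDs}

    def _pseudonym(self, machine_id: str) -> str:
        # Keyed hash: the stored value cannot be reversed to the machine/licence ID
        # without the server secret, and cannot be precomputed by an outsider.
        return hmac.new(self._secret, machine_id.encode(), hashlib.sha256).hexdigest()

    def report(self, file_bytes: bytes, machine_id: str) -> int:
        """Record that machine_id opened the file; return its current prevalence.
        Repeated reports from the same machine do not raise the count."""
        file_hash = hashlib.sha256(file_bytes).hexdigest()
        self._reporters[file_hash].add(self._pseudonym(machine_id))
        return len(self._reporters[file_hash])

    def prevalence(self, file_bytes: bytes) -> int:
        """Number of distinct machines known to have opened the file (0 = never seen)."""
        return len(self._reporters.get(hashlib.sha256(file_bytes).hexdigest(), ()))

    def stores_raw_id(self, machine_id: str) -> bool:
        """True if the raw identifier leaked into any stored record (it should not)."""
        return any(machine_id in ids for ids in self._reporters.values())


if __name__ == "__main__":
    tracker = PrevalenceTracker(b"constructed-server-secret")
    sample_exe = b"MZ constructed sample executable, never seen before"
    print(tracker.report(sample_exe, "machine-A"))   # 1: first report
    print(tracker.report(sample_exe, "machine-A"))   # 1: same machine, not double counted
    print(tracker.report(sample_exe, "machine-B"))   # 2: a second machine
    # Clean re-install hands out a fresh ID, so the same physical box is counted twice.
    print(tracker.report(sample_exe, "machine-A-reinstalled"))  # 3
    print(tracker.stores_raw_id("machine-A"))        # False: only pseudonyms are kept
```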

I thought that was pretty clear. I don’t know for sure, as the beta and RC builds led me to believe that was the case for web downloads, but that it was intended to extend that to files on the system.

But no date or version/build was stated, so it is possible it is on the release version, but I haven’t seen any examples yet.

I’m an avast user not an avast developer, so I’m not privy to the decision process on exactly what is used to confirm this suspicion and have it run in the autosandbox for analysis.

FWIW, I thought that is what you meant but I wanted to be sure. I don’t know where they were, but I saw some messages that made me think it is already in public builds. You are far more active here than I, so I wanted to be certain of your belief. If I were running 7 I would test for signs that this is enabled.