Sandbox Avast 6 re Wordfast (WF) and Trados translators’ software.
There was an interesting thread on Sandbox about one year ago which is presumably dead by now, so I thought I would start a new one to get feedback.
Having used Trados, a software tool for translators, I was comfortable with the prospect of trying out the similar Wordfast - www.wordfast.net , both of which rely on two files - Terminology Glossaries and Terminology Memories - which are collected to record terminology on specific translation subject areas and suited to the individual preferences of different customers. The customer would often send the appropriate Trados or Wordfast TGs and TMs for each job. I am sure some of you are familiar with such software.
I was advised initially that Wordfast would not work with Open Office and to use MSO Word 2010. Then I was told by the prospective employer that this was no good and that they all used MSO Word 2007 (which is no longer available of course), i.e. that neither WF nor Trados worked with MSO Word 2010 – which I thought was highly unlikely.
To try to be brief:
after some time experimenting (I am not much of a techie but logical enough to follow it in my own time) I noticed warnings about Google opening .pdf files and that these were automatically being placed in the Sandbox. I thought “good old Sandbox”; being too busy concentrating on the texts it took a while to even think it possible that there could be a connection with this recently installed software (WF) and its interplay with Word 2010 and Avast AV, so I disabled the Sandbox – and the WF started to work, the TGs and TMs started doing their jobs more or less, which as all translators would know, makes a vital difference to speed and accuracy.
I asked people who work in IT – they had no idea except to say that WF must be weird, which I thought unlikely for such popular software.
I would have addressed this forum earlier (as you generally have the answers) had I known that the issue may have concerned Avast, but was distracted initially by the question of compatibility between WF and MSO 2010. Evidence suggests that Sandbox is the culprit.
Well my first suggestion would be to use the latest version of avast, 6.0.1289, as there would be little value in trying to resolve this if it isn’t also an issue on avast 6. But I suspect it would also be if it is the autosandbox that is involved.
The autosandbox process is controlled in the first instance by the file system shield (FSS): the suspect .exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn’t had a definitive detection.
However, the FSS checks other things, amongst them: a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). These can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.
Now the user can accept this decision and run it in the autosandbox, or have it run normally and tick “Remember the answer for this program” (see image example). Provided of course you are familiar with the program, that it is clean and, of course, that you intentionally initiated the program.
Check the autosandbox.log file to see if the application executable was intercepted by the autosandbox function.
AutoSandBox.log Location:
XP - C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\autosandbox.log
Vista, Win7 - C:\ProgramData\AVAST Software\Avast\log\autosandbox.log
So the culprit may well be the person sat at the computer not reading the details of the notification ;D
Thanks DavidR, you are right I had not checked the enabled AutoSandbox (it was set to Auto so I did not see the details of the notification ;D) settings via the FSS to allow “Ask” re pdftotext.exe - the supposed culprit.
I will allow it in future rather than disabling Sandbox.
I wonder why Avast considers pdftotext.exe suspect. At first it occurred to me that it activated in response to the extraction of trial translation zipped documents which had to be unzipped twice to get at the TMs and TGs I mentioned - nothing to do with .pdfs as such - unless they were among the other glossaries (just PDFs not intended for WF) or even that the TM/TG .txt files were originally in PDF format that triggered it, but again why should this widely used pdftotext.exe executable from Google Desktop be considered suspicious and be sandboxed?
Again read my previous replies for circumstances in which it might be considered suspect.
However, the FSS checks other things, amongst them: a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). These can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.
These are areas which I believe would be checked and I’m sure there are likely to be more. The idea being to try to prevent zero day malware, etc. which would otherwise get past the file system shield and other shields being allowed to run without further checks. It is another level in the overall protection.
It really has nothing to do with pdfs as such, it doesn’t react to just the act of extraction, but the other program has to be initiated/run and it is the act of running that triggers the on-access scan of the file system shield and subsequently the autosandbox.
Widely used means nothing to me and probably not to avast either, as I would say that unless it is a very well known and digitally signed piece of software it wouldn’t get whitelisted as such.
“FSS checks other things amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). these can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.”
So it was the initiator of the “pdftotext.exe” rather than the “pdftotext.exe” itself (which I assumed to have something to do with the Adobe company, perhaps wrongly). The zipped file contained all manner of files and digital signatures which would have come out as I extracted the files (the original file being downloaded from a company website as a test run file based on a real customer of the company that sent me the test translation).
No the initiator isn’t the issue but could be a factor, it calls the program and the fact that the pdftotext.exe is going to be run, causes avast to scan the file before it is allowed to run.
That is the purpose of resident, on-access scanners, to ensure a file is clean before it is allowed to run.
So I rather doubt that the pdftotext.exe file is digitally signed, plus probably because it isn’t being initiated from windows explorer or a shortcut, etc. Again these are my best guesses on how these things are meant to work, as an avast user like yourself; I don’t work for avast.
No, it has nothing to do with that, just the method it was initiated and, it is hardly something steered on to your system, didn’t you install it as presumably you want to convert pdf format to text. It may well be a part of another application where you have the option to convert from pdf to text, but as you didn’t say how this may have been initiated I can’t comment on that.
Given your previous comments, in this case I would say that the autosandbox was doing a good job as you don’t appear to know where this pdftotext.exe file came from.
Threatfire hasn’t been updated in some time, so as a security application it really needs to be in constant development.
Again read my comments in my first reply, the autosandbox is just another level in the avast application.
DavidR. Thank you for your perseverance. You may have hit on the answer with your last post. This warning started since I installed MSO 2010 almost a month ago. Perhaps it contains a program that converts PDF to text.
I have googled pdftotext.exe - “The real work of extracting the text and images from PDF files in the PDF Converter is done by pdftotext.exe and pdfimages.exe,” http://www.jsware.net/jsware/pdfconv.php5 but I did not download any such program.
That is the problem, many programs come with features/functions included that use another process/application, etc. and this really is where the autosandbox comes into its own as an extra step before allowing it to run.
So essentially the only knowledge you would have of this is, presumably you were intending to actually convert a pdf to text (or part of a pdf to text) and that is what initiated the pdftotext file ?
“presumably you were intending to actually convert a pdf to text (or part of a pdf to text) and that is what initiated the pdftotext file ?”
No, at no stage have I attempted to convert a PDF (or part of a pdf) to text, even unintentionally.
The reason I opened this thread - returning to my first post - was that disabling the Avast AutoSandbox allowed Wordfast to open and install the TMs and TGs, which are large .txt files, which Wordfast uses in conjunction with Word to call up the terms acceptable to the particular translation job.
It may be that these files have been converted by the company from a glossary previously in PDF to .txt using a more advanced version of Adobe (I only have the free Adobe Reader 9 which does not have such a function.)
Unfortunately I’m not familiar with any of these programs (Wordfast, TMs or TGs) so I don’t know what impact blocking that file would have. But it seems crazy that it would block the whole program rather than just lose the ability to convert a pdf to text feature.
So the decision has to be yours as to whether you add the pdftotext.exe to the autosandbox exclusions.
To help you with that decision:
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page.
Remember as I said the File System Shield isn’t alerting on this file, the above is a further confirmation, so that you can make your decision.
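As an added example (not code from the thread or from avast), the PowerShell script below gathers the facts DavidR says the File System Shield weighs before recommending the autosandbox, namely whether the executable is digitally signed and where on disk it lives, and produces the SHA-256 hash for the VirusTotal check suggested above, so the hash can be searched there without uploading the file. It also searches the autosandbox.log path given earlier for the executable's name. The executable path is a placeholder to be replaced, and the script assumes the log is plain text, since the thread does not describe its format.

```powershell
# Added example, not from the thread or from avast: collect the signals the
# thread describes (digital signature, on-disk location), a SHA-256 for a
# VirusTotal hash search, and any autosandbox.log lines naming the executable.
# Assumptions: $ExePath is a placeholder to be replaced; the log is plain text.

param(
    [string]$ExePath = 'C:\PLACEHOLDER\pdftotext.exe',                               # replace with the real path
    [string]$LogPath = 'C:\ProgramData\AVAST Software\Avast\log\autosandbox.log'     # Vista/Win7 location from the thread
)

if (-not (Test-Path -LiteralPath $ExePath)) {
    Write-Warning "File not found: $ExePath"
    return
}

$file = Get-Item -LiteralPath $ExePath

# a) Is the file digitally signed, and does the signature verify?
$sig    = Get-AuthenticodeSignature -FilePath $ExePath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

# b) Where does it live? Program Files or the Windows folder is a more expected
#    home for an installed component than a temp or download folder.
$expectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
$inExpected    = $expectedRoots | Where-Object {
    $file.FullName.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
}

# SHA-256 lets you search VirusTotal for an existing report without uploading the file.
$hash = (Get-FileHash -LiteralPath $ExePath -Algorithm SHA256).Hash

[pscustomobject]@{
    Path             = $file.FullName
    SizeBytes        = $file.Length
    LastWrite        = $file.LastWriteTime
    SignatureStatus  = $sig.Status          # Valid / NotSigned / HashMismatch / ...
    Signer           = $signer
    InExpectedFolder = [bool]$inExpected
    SHA256           = $hash
} | Format-List

# Did the autosandbox log record this executable? Plain substring match, no format assumed.
if (Test-Path -LiteralPath $LogPath) {
    $hits = Select-String -LiteralPath $LogPath -Pattern $file.Name -SimpleMatch
    if ($hits) { $hits | ForEach-Object { $_.Line } }
    else       { "No entries mentioning $($file.Name) in $LogPath" }
} else {
    Write-Warning "Log not found: $LogPath"
}
```

Save it as a .ps1 file and run it from a PowerShell prompt, passing the real path with `-ExePath`; on XP, pass the XP log location from the earlier post with `-LogPath`. A `SignatureStatus` of `NotSigned` together with a location outside Program Files is consistent with the explanation above for why the autosandbox prompts, but on its own it says nothing about whether the file is malicious; the hash search and the decision to exclude or remove remain yours.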
“lose the ability to convert a pdf to text feature”
The Translation Memory and Translation glossaries are already in .txt format, so it was not a question of converting.
I will run Virus Total as you recommend on Drive C and report back.
The pdftotext.exe comes from Google Desktop. Virus Total flagged it 4 times as follows: see screenshot - which didn’t load - do you recommend deleting it or perhaps quarantining it with SAS (which flagged it in the list below)?
Whilst pdftotext.exe is detected 4 times, the detections in themselves aren’t conclusive:
PUA.Packed.PECompact-1 - This one is having a moan about the fact that it is a packed file, which in itself is no indication it is malicious, as not all PECompact-packed files are malicious (many .exe files are packed in this way), though generally I would have thought it is used to install a program.
Suspicious and Heuristic detections are more prone to false positive, plus the heuristic detection is another concern about it being packed.
Trojan.Dropper/Gen is a generic detection (the Gen bit at the end), and generic detections are also more prone to false positive.
So unfortunately nothing conclusive.
What I can’t get my head round is, if pdftotext.exe is a part of the google desktop, how is it involved with Wordfast (my only knowledge of what that does comes from a google search http://en.wikipedia.org/wiki/Wordfast)? What is it, and why is it called, in a translation service/application?
So can you take me through this step by step of what you are doing and at what point the pdftotext.exe is launched and intercepted by the autosandbox ?
If you have never used this program, then I would seriously consider uninstalling/removing it from the google desktop. The problem being that if this file not being run, as you have mentioned, has an impact on the Wordfast software, that I really can’t understand.
In my panic to get Wordfast (central to doing the potential translation jobs) I am overlooking how I, as you suspect, jumped to a wild conclusion in thinking that pdftotext.exe had anything to do with the Wordfast to Word interface, or indeed with the downloading and unpacking of the ZIP files.
Now I step back - after following our thread - what happened was: these Sandbox alerts (winampa.exe was another - so I de-installed Winamp) drew my attention to Sandbox, therefore I disabled it to see if it had anything to do with the Wordfast/MSO 2010 interplay.
Hey presto, WF started offering phrases shaded in the appropriate colours that represent near or 100% matches to the translation of a given segment of the job (drawing from the lexicon in the TMs - this is how the Trados software operates too).
At any rate it certainly seemed to me that WF started giving me its input as a result of disabling Sandbox (forget pdf.exe or winampa.exe).
The comment of a local IT man who has his own business was “that Wordfast must be weird if it is compatible with MSO 2007 and not 2010”. I agree, but the potential employer tells me that they only use 2007 for both WF and Trados for that reason.