[Solved] Autosandbox false positive: LibreOffice 3.6.6 (two components)

Avast Free Antivirus / Premium Security
1

Hello,

Just wanted to report some recent Autosandbox (Avast! Free AV 8.0.1483) false positive:

Two LibreOffice 3.6.6 components: Base & Math.

Best regards

EDIT: just in case, Autosandbox is set to Ask (yeah…)

2

Problem solved. Thank you, Avast! people.

Regards

3

Was it an actual detection or just an Auto Sandbox trigger?

4

Autosandbox is set to “Ask”, so it’s hard to tell for me. This happens quite often with brand-new versions of both Base and Math - basically, the file prevalence is low.
Anyway, as in the past, the issue was solved quite soon.

By the way, on the new Avast! website I cannot find the link for reporting false positive…

EDIT: info added

5

You can report FPs here: http://www.avast.com/contact-form.php

6

Thanks a lot, good guy Asyn :smiley:

7

You’re welcome. :slight_smile:

8

If it’s triggered by AutoSandbox but not detected by it then it’s not a FP … Just let it analyse and then press “continue execution”.

9

It’s solved already…!! :wink:

10

He said that already but i still don’t see it as an issue. Issue would be if Auto Sandbox would falsely detect and quarantine it. Otherwise it’s no different than usual heuristics that do exactly the same thing even on LibreOffice files. Exceptt hat AV doesn’t tell you that its doing that. It just does it in the background.

11

Again, Autosandbox is set to Ask (i.e., it cannot falsely quarantine it without user permission). The file’s prevalence was low. That’s it.

Thanks again, now let’s check other more important open threads.

12

Actually thats not entirely true. The quarantine process is automatic, you just decide what to even Auto Sandbox and what not. Unless they changed the behavior lately…

13

Autosandbox log:

Autosandbox candidate:
C:\Programmi\LibreOffice 3.6\program\smath.exe
[Source: local://*C:\WINDOWS\system32\msiexec.exe ]
[Opened by: C:\WINDOWS\Explorer.EXE]
[Reason: 0x00020000]
Result: Not sandboxing (based on user’s decision).

The point is that those programs were signed and common and should have not been sandboxed in any way. In fact they (Avast!) immediately corrected the issue, that probably was caused by low file’s prevalence.

EDIT: info added

PS - Listen, I have a life and yesterday evening I only reported an autosandbox FP that was fixed quite soon. So I guess it’s time to stop this now…

14

Like i’m not allowed to ask anything about it… ???

15

I just wanted to say that having provided all the relevant information on my end, I’d prefer not to monitor this “closed” thread any more.

Have a nice weekend