I downloaded a program called vReveal, a video enhancement package, but every time I try to run it I get a warning from Avast recommending that I run it in the Sandbox because it might pose a risk. According to vReveal it is a known issue. Just makes me a bit nervous nevertheless.
Has anyone else had experience with this, good or bad? Thx.
Upload suspicious file(s) to VirusTotal to have the file(s) scanned by 40+ antiviruses. When you have the results, copy and paste the URL for us to look at.
The autosandbox process is controlled in the first instance by the file system shield (FSS); the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn’t had a definitive detection.
However, the FSS checks other things, amongst those: a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). These can trigger a suspicion, and it is this suspicion that results in the recommendation to use the autosandbox.
Now the user can accept this decision and run it in the autosandbox, or have it run normally and Remember the answer for this program, provided of course you are familiar with the program, that it is clean, and of course that you intentionally initiated the program.
TotalScan does not work. No matter what I try it won’t let me upload anything. Nothing that is clickable on that page results in anything. MetaScan reported no threat. Neither did Avast, which only deepens the mystery as to why it recommends me to open it in the Sandbox.
Jotti gives me these results: http://virusscan.jotti.org/en/scanresult/ae383ed49bc08a5b0eb816794bf90d7fb2624e98 Only two report something and I still have to look into them.
UPDATE: I went to VirusTotal directly, without clicking on the link in the original message, and managed to upload there. Results are here:
http://www.virustotal.com/file-scan/report.html?id=53be1a1c631aaa8db50ed26be1a8c920f8002f5dffccc9f501bb6cc3b08bb139-1325525206
According to ClamAV it found a specific virus. The other one is heuristic and is likely a false positive.
The sandbox option was offered as the file was downloaded from the net.
This is a safety net for you in case something downloads whilst you are not looking.
That is incorrect. The file was already downloaded and installed without any issues. The message comes up when I try to execute the program.
In that case something within the programme was changed that Avast was not happy with.
See my earlier comments to Donovansrb10. I ran the external scans and only ClamAV claims it found something specific. Avast detected nothing either, not on my computer, nor on VirusTotal and Jotti. Why it insists on the Sandbox is therefore still a mystery.
It would be a combination of things that end up with the recommendation (remember that is all that it is) to run it sandboxed: the file isn’t signed, etc. etc., as I mentioned above.
The other thing is that the heuristic, emulation and behavioural rule set/s are also updated along with the virus signatures. So it isn’t unusual to find that a file that was previously unmolested comes in for a bit of questioning.
Bear in mind that the file system shield would alert if it was considered infected. So any hits in VirusTotal may indicate a good early detection of recent malware not yet in the Avast virus database. Or, since VirusTotal can’t run the same heuristic/emulation tests, you won’t get the same results as on your own system, e.g. recommendation to run sandboxed.
Select the file → right click → properties → unblocked?
Hmmm…
It seems the new VirusTotal still has some bugs.
Well, I’m glad you could get it to work on the old VirusTotal.
As the others said, the sandbox is a feature that allows you to run ‘questionable’ files in a safe environment.
I also recommended to run it in the sandbox, just to be safe.