Which files (executables) are started into the AutoSandbox

Can a comprehensive list of them be made?

I suppose the AutoSandbox is only related to executables.
I also suppose that infected files are first blocked by the antivirus (and not run autosandboxed).
I suppose there isn’t a whitelist. Am I right?

  1. Behavior Shield detects it as suspicious (heuristic/behavior analysis).
  2. Files not digitally signed.

No, there’s no list.
It’s heuristics inside the virus database, changing potentially very often.

What about number 2?

I have been running unsigned programs from flash drives as test cases but even then I find an occasional small .exe that doesn’t ring up the AutoSandbox for some unknown reason. No AS reaction to the same files when run from the C: drive. Currports, for example, http://www.nirsoft.net/utils/cports.html, doesn’t seem to do anything that interests AS even from a flash drive. There were some I saw on earlier versions, but as Igor says they were FPs and have been updated. Done so well we get questions whether AS is even working. :wink:

What about number 2? Probably, I’m not sure.
But actually, it’s got nothing to do with number 1 - it’s mostly, though probably not 100%, unrelated to the Behavior Shield.

If so, well, how is a file classified as suspicious then?

A number of rules, formulas and methods that I’m really not going to try to explain (even if I knew them, which I don’t) - because there is no simple explanation (and the stuff is being continuously tuned/extended).
So, the best answer, I’m afraid, is - “heuristics”.

Heuristics… tested by the vps? by the Behavior Shield?
Who performs the tests on access?

I’m not sure what you are asking about…
Who performs tests when starting an application? Well, the File System Shield does… and, as an auxiliary result of that scan, the information about the “autosandbox suspiciousness” is returned - and used. Note that the AutoSandbox settings are in the File System Shield settings.

The Behavior Shield isn’t really part of this… because the decision on whether to (auto)sandbox the application or not has to be done in advance, before the application is really started - while the Behavior Shield monitors the behavior of the application when it’s already running, i.e. later.

I think that number 2 is yes, because I tried to run an unsigned app and the avast! sandbox suggested sandboxing it.

Not necessarily true, as it may sandbox one unsigned app and not sandbox another one that is also unsigned.
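The thread treats “not digitally signed” as one input to the sandbox heuristics, not a decisive one. As an added example (not code from the forum thread or from avast!), the PowerShell script below audits the Authenticode signature status of executables under a given path, such as a flash drive, so an administrator can see in advance which programs fall into the unsigned category before users run them. The `$Path` parameter and its default are assumptions; `Get-AuthenticodeSignature` is a standard Windows PowerShell cmdlet.

```powershell
# Added example (not from the forum thread or from avast!): list the
# Authenticode signature status of executables under a path, e.g. a flash
# drive. Signature status is only one of the inputs the thread mentions, so
# this does not predict whether the AutoSandbox will intervene.
param(
    # Assumed parameter: root folder to scan (constructed default value).
    [string]$Path = 'E:\'
)

$results = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.scr' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Summary: how many files fall into each signature state.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Detail: anything other than Valid is worth a closer look before it is run.
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize -Wrap
```

Run it as `.\Audit-Signatures.ps1 -Path 'E:\'` (script name assumed). A `HashMismatch` result means the file was signed but has since been modified, which is a different situation from a file that was never signed, and the two should not be treated alike when deciding whether a program is safe to run outside the sandbox.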

Sandboxing flagged metapad - http://liquidninja.com/metapad/ - (which I’ve used without problem for years) under avast! version 6.

I can see how the sandbox mode might be useful, but if it does this frequently for a lot of executables, it could get to be like UAC on Vista.

Meaning that the current heuristics can’t decide if the file is good or bad. But if you participate in the Avast! Community, Avast! uses this information to improve the heuristics, which will be provided through the VPS updates. The more users who adopt the AutoSandbox, the faster it will improve.

Greetz, Red.

Another issue with the Sandbox feature is it’s going to create some problems for other users I support who have no knowledge of “sandboxing” and prefer invisible protection; just seeing the daily VPS update notification is enough for them. I’m anticipating calls relating to the pop-ups when programs are opened.

I could change the setting to Auto, but for unknown programs would the pop-up still appear?

You only get a small orange/grey pop-up, like the auto update etc. pop-up, that notifies you the application is sandboxed.

Greetz, Red.

Thanks, but this is the pop-up I was referring to:

http://img263.imageshack.us/img263/5013/avast6sandbox.png

This is what I think will cause some confusion, and what is similar to the UAC I mentioned.

This is the pop-up you get if you put it on Auto; seems pretty straightforward. Small, in the lower-right corner.

Thanks Ed :slight_smile:

That is indeed the one I was referring to :wink:

Greetz, Red.

Igor, thanks. That’s what I was looking for.

Thanks for that. So when it’s on Auto the alert is a small pop-up in the corner like a VPS update. Does Sandboxing an unknown (but harmless) program affect its performance, or is it negligible or what happens?