I suppose the AutoSandbox is only related to executables.
I also suppose that infected files are first blocked by the antivirus (and not run autosandboxed).
I suppose there isn’t a whitelist. Am I right?
Behavior Shield detects it as suspicious (heuristic/behavior analysis).
I have been running unsigned programs from flash drives as test cases, but even then I find an occasional small .exe that doesn’t ring up the AutoSandbox for some unknown reason. No AS reaction to the same files when run from the C: drive. Currports, for example, http://www.nirsoft.net/utils/cports.html, doesn’t seem to do anything that interests AS even from a flash drive. There were some I saw on earlier versions, but as Igor says they were FPs and have been updated. Done so well that we get questions about whether AS is even working.
What about number 2? Probably, I’m not sure.
But actually, it’s got nothing to do with number 1 - it’s mostly, though probably not 100%, unrelated to the Behavior Shield.
A number of rules, formulas and methods that I’m really not going to try to explain (even if I knew them, which I don’t) - because there is no simple explanation (and the stuff is being continuously tuned/extended).
So, the best answer, I’m afraid, is - “heuristics”.
I’m not sure what you are asking about…
Who performs tests when starting an application? Well, the File System Shield does… and, as an auxiliary result of that scan, the information about the “autosandbox suspiciousness” is returned - and used. Note that the AutoSandbox settings are in the File System Shield settings.
The Behavior Shield isn’t really part of this… because the decision on whether to (auto)sandbox the application or not has to be done in advance, before the application is really started - while the Behavior Shield monitors the behavior of the application when it’s already running, i.e. later.
Meaning that the current heuristics can’t decide if the file is good or bad. But if you participate in the Avast! Community, Avast! uses this information to improve the heuristics, which will be provided through the VPS updates. The more users who adopt the AutoSandbox, the faster it will improve.
Another issue with the Sandbox feature is it’s going to create some problems for other users I support who have no knowledge of “sandboxing” and prefer invisible protection; just seeing the daily VPS update notification is enough for them. I’m anticipating calls relating to the pop-ups when programs are opened.
I could change the setting to Auto, but for unknown programs would the pop-up still appear?
Thanks for that. So when it’s on Auto the alert is a small pop-up in the corner like a VPS update. Does Sandboxing an unknown (but harmless) program affect its performance, or is it negligible or what happens?