You are Opening an App that may be Unsafe....

I’ve noticed the past couple of days that I’m getting a lot of these messages from Avast! on winXP X64 startup. Most of the time it points to Microsoft IntelliType Pro (itype.exe) that is attempting to open a exe. I ran a full scans with Avast!(latest program/updates, SuperAntiSpyware, and Malwarebytes, and other than a couple of tracker, which I deleted, nothing was found.

I reset to the default setting in Avast!, uninstalled Intellitype (using Revo Uninstaller Pro) and later downloaded a fresh copy of Intellitype – still have the problem.

If I suspend itype.exe, I don’t get as many warnings.

Also, if I go to properties and select the screen saver tab, I get the warning that points to one of the .exe screen savers, one I haven’t opened in quite a while that I made myself. The selected screen save is the one I use, which is “Blank.”

Not sure what to try next. Anyone ever have this type of problem?

Not many people are running winXP X64

Using Revo Uninstaller Pro to modify your system could be hazardous to its health.

OK lets get down to the serious points.

Which avast shield is it that is reporting that “You are Opening an App that may be Unsafe…” ?

Behavior Shield or the Autosandbox ?
I suspect the autosandbox, if it isn’t digitally signed and its location and or what is launching it, etc. See image of an autosandbox notification.

If it is this you can change the action to open normally and check the Remember my answer for this program.

This assumes you are happy that it is in fact clean:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page.

Hi David,

Yes, it’s the autosandbox. But if I select “open normally” and “remember setting”, the next time I reboot, same thing.

Funny thing is, I always get sam2.exe flagged as trying to be opened by itype. Sam2 is the Serious Sam 2 game, which I’ve had on thei computer for a couple years. I installed it on another computer and then brought it over on a flash drive and did a binary compare and both were the same. If I double click it to run the program, I don’t get an error. If I boot, I get the “itype trying to open… sam2.exe” (and other exe files.

As I mentioned, this just started a few days ago. I haven’t added any new programs – just seems like Avast! is suddenly seeing something it doesn’t like.

The Virus Total scan showed two positives out of 41 (below)

Sam2.exe
Submission date:
2011-05-01 23:04:46 (UTC)
Current status:
finished
Result:
2/ 41 (4.9%)

VT Community

Norman 6.07.07 2011.05.01 W32/Obfuscated.M!genr

Rising 23.55.04.03 2011.04.29 Suspicious

Since it scanned with Avast 4 & 5, and not 6, it may be something in the latest definitions. In fact, when I went to upload the file for scanning, Avast! threw out the message with “Firefox 4 is trying to open…”

So it looks like a false positive with Avast! 6?

Well I don’t use either itype or serious sam, so I wonder if there is a similar block on sam2.exe ?
Also see http://www.file.net/process/itype.exe.html for some general info on itype.exe.

Check out this file:
C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast[b]log[/b]\autosandbox.log using notepad and see if there are any other entries.

It would also be worth checking this file also:
C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast[b]report[/b]\BehaviorShield.txt and see if there are any other associated entries

I also don’t see the relationship between itype.exe and sam2.exe, e.g. why it needs to open it.

itype.exe is a process belonging to Microsoft Intellitype Pro keyboard software. Disabling or enabling it is down to user preference.

Non-system processes like itype.exe originate from software you installed on your system. As most applications store data in your system’s registry, it is likely that your registry has suffered fragmentation and accumulated harmful errors. It is recommended that you

Do you actually have one of those keyboards ?

So as the second paragraph mentions it might be installed by another application, perhaps serious sam, so the actual location of the itype.exe file might help determine if it is the system version or one installed/used by a third party application.

Hi David,

Yes, I have a Microsoft 4000 keyboard and have used itype for a few years with no problem. And as I mentioned in my last post, when I uploaded sam2.exe to use the online virus checker, it identified Firefox (instead of itype) as the opening program.

Here’s a list of files that Avast had problems with itype trying to open (from the autosandbox.log file):
splinter_cell_v1.2b_us_ca.exe
SpringValleyPets&Animals.exe
TeraCopy.exe
TextAloudMP3.exe
UVMapPro.exe
VideoBuilder.exe
vp3.exe
wallmast.exe
WaveMax.exe
ac.exe
Desert_1.scr
Sam2.exe
CuteReminder.exe
Audiotranscoder.exe
balabolka.exe

There are several hundred files listed for the past three days. I have been using these files for at least one year and many for several. I’m thinking itype may scan files that can be assigned to the configurable keys on the Microsoft keyboards. I currently do not have any of the programs in the above list assigned to to my keyboard.

I think that itype.exe must be using some sort of hooking (a bit like a key logger).

You could try and exclude \itype.exe in the File System Shield (FSS), Expert settings, Exclusions, Copy and paste the full path into the window. The reason I suggest that is because the FSS is what starts the ball rolling in this.

I too think that there must have been something change in a definitions update as it is a bit strange for the activity to start like this.

I will try and draw some attention to this topic for it to be looked at by one of the avast team.

Thanks!

Yes, I suspended itype and I quit getting the Avast message, but as mentioned, if I try to upload or scan one of those files, Avast jumps in with the same message. So I suspect it’s not a problem with itype, just shows up more with it for whatever reason.

I just went back and looked at my autosandbox.log file and of the several hundred entries, there were only two or three per day, usually terracopy.exe and cutereminder.exe. But starting April 25, 2011, I started getting many, many entries, mostly exe tried to be opened by itype.

I keep my Avast defintions on auto but program updates on “tell me when one’s available.” So maybe 4/25 would be significant?

No problem, hopefully we will get some response (and hopefully resolution) about why it is being pinged.

Have you any idea what this itype.exe is meant to be doing, probably easier to say what functions you don’t have when it is suspended ?

Hi jafTwo,

please, what avast version do you have?

There is should be nothing wrong with file itype.exe. You are using Win XP64b, autosandbox and also sandbox are not supported there. Autosnx pop up window is the avast! issue. Please, can you disable autosnx in avast ui?(open avast ui | realtime shields | file system shield | expert settings | autosnx). Now the autosnx should be disabled.

I will check if there are other problems on other OS types with file itype.exe.

thanks a lot for reporting the problem,
Michal

Thanks for you input Michal.

My keyboard has 5 buttons that I can assign to executable applications. There also several buttons , like “Web/Home, Search, Mail, and Calculator” that are preset but can be reassigned.

I’m not sure why it has to scan my computer as it seems to be doing (according to the Avast! messages.) It may have done that all the time and I just wasn’t aware. I don’t see any options other than the key assignments, key repeat speed, etc. Just the standard stuff.

Michal, my Avast Version
Program version: 6.0.1091
Virus definitions versions: 110502-0

I’m going to add itype to the trusted processes via the expert settings and see what happens.

Rebooting now …

Okay, setting itype as trusted seems to work. No new log entries.

Yesterday, when I uploaded sam2.exe to Virus Total, Avast popped up the "attempting to open … " message and identified (correctly) the Firefox was attempting the open. Today, it did not. I guess I should take itype out of the trusted area and see what happens. Maybe the latest virus definitions have changed things.

I suggest you do as suggested by Michal (one of the avast developers and whom I asked to look at this) and disable the autosandbox for now as he believes there is some incompatibility issue with Win XP 64bit and as such unsupported for now.

Okay, I disabled autosandbox and will do a few reboots.

I don’t know if it’s my system or what, but it seems I have to reboot twice to get everything running. Twice now I rebooted and only had the sound and safely remove hardware icons on the taskbar. Another reboot and it’s back to normal. I’ll see on this reboot what happens.

Well, it booted up fine – first try. Autosandbox disabled.

Thanks for all the help!

You’re welcome.