
March 20th, 2012

AutoSandbox – why are you annoying me?

Does this situation seem familiar? I have just downloaded an awesome application which should contain thousands of new desktop pictures. The site name is www.bestsoftwareforever.com and wow, it must be pretty good. So, I run it and then this avast! AutoSandbox popup appears. Oh guys, why are you annoying me? I know what I am doing.

In a few seconds, the AutoSandbox scan ends and another message appears: “This file appears to be malware”. Oh @$#%%, what is this application about? Probably it is a fake application which would harm my private data stored on the hard drive. Luckily, avast! and the AutoSandbox feature saved me this time.

The scope of behavior for AutoSandbox has been expanded for the new avast! 7.
The new AutoSandbox is now able to scan and analyze the behavior of selected files. In addition, this feature is connected to the FileRep cloud feature which identifies new files for additional analysis. So now we are able to warn you even before we have had the opportunity to examine this malware in our Virus Lab. This is a marked difference from the previous avast! 6 which was limited to only sandboxing suspicious files.
It also happens that the AutoSandbox toaster appears for programs which you are pretty sure are not infected. And in many cases, this can be intensely irritating: especially if you are a vendor of the application and you don’t want it to be marked as a potentially harmful program. In avast! 7, there is a new option to disable AutoSandbox. This might be useful for software developers when, for example, their internal application builds are being AutoSandboxed as low-reputation files.

Several reasons why we activate the AutoSandbox:

  • Static analysis finds the file suspicious

Static analysis checks file content and looks for suspicious strings in file headers, similar to those in virus definitions. The main static analysis reasons are:

  • Application is not signed

It’s not mandatory to have a signed application, but signed software is statistically less likely to be harmful.

  • Use of executable file encryption/compression

App writers and installers (self-extractors) like executable compression/encryption because it makes reverse engineering more difficult. But it is also used by malware to hide from antivirus scanners. A compressed/encrypted file without a digital signature is doubly suspect.

  • The file prevalence/reputation is low

All new unknown files are potentially dangerous. Once they have become widespread, there is no longer a reason to AutoSandbox them.

  • The file origin/source is suspicious

Freewebs and some file distribution servers have a reputation for paying less attention to the quality and origin of their software than official distribution servers. This is a long-run issue of reputation and income management.

  • The file is executed from a remote/removable media

Running an application from a USB drive may cause the AutoSandbox dialogue box to appear, but the same app run from your local hard drive may not. That is because many harmful apps are spread through removable media, increasing the odds of potential danger.

  • Generic heuristics/suspicious context
  • Invalid digital signatures
  • Suspicious file names
  • And there are more…

The guiding principle is that we secure your computer not only from known viruses/malware but also from viruses/malware which have not yet been uncovered.
So, the next time you see an AutoSandbox popup appearing for your new application, read the message carefully. If you are not sure, run the app first in the AutoSandbox to prevent potential damage.
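Two of the static reasons listed above, a missing digital signature and a compressed/encrypted body, can be read directly from a PE file's headers and section data. The following is an added example, not avast! code or its actual detection logic; the entropy threshold, the function names and the sample images are assumptions constructed for illustration.

```python
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed cut-off; compressed/encrypted data nears 8 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution, from 0.0 to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_pe(image: bytes) -> list:
    """Return which of the two static reasons apply to a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe, = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections, = struct.unpack_from("<H", image, pe + 6)
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", image, opt)
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    ndirs, = struct.unpack_from("<I", image, dirs - 4)
    # Directory 4 = certificate table; non-empty means signed, not validly signed.
    cert_size = struct.unpack_from("<II", image, dirs + 32)[1] if ndirs > 4 else 0
    reasons = [] if cert_size else ["unsigned"]
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                      # 40-byte section headers
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        if shannon_entropy(image[raw_ptr:raw_ptr + raw_size]) > ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy section {name}")
    return reasons

def build_sample(payload: bytes, cert_size: int = 0) -> bytes:
    """Constructed minimal PE32 image with one section (sample input only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 32, 0x1000 if cert_size else 0, cert_size)
    head = dos + b"PE\0\0" + coff + bytes(opt)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), len(head) + 40, 0, 0, 0, 0, 0x60000020)
    return head + sect + payload

PLAIN = b"ordinary code and readable strings " * 64   # constructed, low entropy
PACKED = bytes(range(256)) * 16   # constructed, uniform bytes standing in for packed data

if __name__ == "__main__":
    for img in (build_sample(PLAIN), build_sample(PACKED), build_sample(PACKED, 1024)):
        print(triage_pe(img))
```

An unsigned image with a high-entropy section reports both reasons, which is the "doubly suspect" case; a populated certificate table only removes the "unsigned" reason and does not show that the signature verifies.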

  1. rstanton
    March 21st, 2012 at 21:52 | #1

    Hi Michal, while I like the idea of this feature, as a founder of a small software company this feature has caused us a lot of support headaches. Can you provide more insight into this feature and specifically how this aspect works:

    “The file prevalence/reputation is low
    All new unknown files are potentially dangerous. Whenever they have become widespread, there will not be a reason to AutoSandbox them anymore.”

    How long does it take to increase the reputation? Is there any way to accelerate the process?

    Thank you

    • michal-vanek
      March 22nd, 2012 at 15:28 | #2

      Hi,

      you can accelerate the process if you digitally sign the files.

      thanks,
      Michal

  2. darrenmyatt
    March 23rd, 2012 at 16:04 | #3

    @rstanton
    I’m in the same boat. I strongly disagree with the principle of blanket sandboxing without requesting authorisation from the user first, as errors caused by sandboxing will be blamed on the application itself by the average user.

    For example, when this feature was first added, my machine immediately blue-screened several times while running the current release build of my indie game. It took me quite a few restarts to notice the Avast window momentarily pop up in the bottom right, as the first thing the game does is open a fullscreen DirectX surface. If my game had already undergone a small release, then these fatal errors would have been blamed on me rather than Avast, which I feel is highly unacceptable.

    As a solution (as I’m sure there are a fair number of other small developers being screwed over by this), I would propose always handling the “file prevalence/reputation is low” case with the standard confirmation dialog, and NOT AutoSandboxing. As it is, Avast seems to inappropriately equate “this file is quite new” with “this file contains virus-like code”, when the levels of risk are obviously very different.

  3. namp venku
    March 23rd, 2012 at 16:05 | #4

    excellent

  4. March 24th, 2012 at 10:27 | #5

    i had to disable it and go back to the prompting version due to problems with steam (valve’s game distribution system) timing out and closing the application while autosandbox does its thing. Is there any way to mark an application launcher as safe/excepted? i.e. if steam is attempting to launch tru.exe autosandbox would normally try to scan tru.exe causing steam to think the game has crashed and terminate the process but if i could add steam.exe to an exception list i could have auto sandbox protect the rest of my computer and the user prompt for anything launched by steam

  5. March 24th, 2012 at 10:31 | #6

    @hhaddow
    nvm i found it and i hadn’t disabled it i had actually switched it to ask mode

  6. gbswales
    March 24th, 2012 at 18:07 | #7

    Not all the files that get picked up incorrectly are “new” files – one example I have found is the quite old free version of Fast Stone capture – until I changed settings this prompted to run in sandbox. It took me quite a while to force avast to allow it to run normally. Unfortunately this company decided to make newer versions for profit which is why I use the old installation file.

    Annoyances aside I like Avast and the sandbox, especially the on demand sandbox - very useful for running files which can’t be properly scanned because of passwords on zip or rar files. I am not so sure that auto sandbox is really necessary or maybe it could be an option.

    I think to keep everyone happy the best way would be for the install programme to explain how the sandbox works, explain about the false positive possibilities, and then give the user the choice between auto and user choice.

    As far as software producers are concerned I would have thought it incumbent on them to have a few virtual test machines so they can test their products with the major virus and malware tools before release. The problem comes with private developers and free ware. I am an avid consumer of anything free but I would usually choose to run new software in a sandbox first to make sure it is ok and then to install it again on the main system outside the sandbox.

    Is there some way that the sandbox could be made to run suspicious software in the box and then scan after it is run – if nothing is found it could then have a pop up which says the software is OK and that user should re-install it outside the sandbox (with it being auto allowed by sandbox next time

  7. rppkn
    March 25th, 2012 at 02:27 | #8

    This new version of AutoSandbox pisses me off! I’m developing an installer with Inno Setup, and every time I run the compiled installer, Avast puts it in Sandbox. The problem is, every time the installer is executed, it generates a new file in Temp folder, making it impossible to whitelist it. I have to disable Avast to run the installer, and this pisses me off.

    Putting a digital signature on it is not an alternative for me. Please, Avast developers, show us another solution.

  8. jymm
    March 25th, 2012 at 14:04 | #9

    I agree, the auto sandbox can be a problem. I also switched to ask. The auto sandbox stopped me from uninstalling already installed programs. It has also stopped me from using already installed programs. I am glad to use it if I am not sure of a program, but its coming up every time I try to open an already installed program is a pain. Still I love Avast and am not about to change programs.

  9. scottg
    March 25th, 2012 at 17:55 | #10

    It isn’t so much the audible notification that bothers me, but the bloody l-o-o-n-g dwell time of the visual notification, which, with the new Android section, now overlays a significant portion of my active screen, making it and its UI control elements unavailable to me!

    This is not only incredibly annoying, it is a markedly irritating hit on my productivity! I’m not a gamer; I use my system to make a living, and I am NOT happy with the length of time that this notification robs me of control of my system. How do I set that dwell time to, say, 2 or 3 seconds?

  10. scottg
    March 25th, 2012 at 19:39 | #11

    Sorry for the above; thought I was responding to the “Music to Our Ears” post. Still, though it’s OT for this topic, anyone know how to adjust that bloody dwell time for the “auto-update” notification popup? ;-)

  11. michal-vanek
    March 26th, 2012 at 10:50 | #12

    @gbswales

    The lifecycle of malware apps is generally a few days, that’s why we prefer to autosandbox all files with low reputation. Unfortunately some old applications which have not been reported to us previously are also autosandboxed. If you are a developer you can disable autosandboxing files with a low reputation.

    If you want to install new software to sandbox just switch autosandbox mode to ask.

  12. michal-vanek
    March 26th, 2012 at 10:52 | #13

    @rppkn

    If you are a developer go to autosandbox expert settings and disable autosandboxing files with a low reputation.

  13. michal-vanek
    March 26th, 2012 at 10:55 | #14

    @scottg
    Turn on silent/gaming mode in the Expert settings.

  14. March 26th, 2012 at 17:23 | #15

    @michal-vanek
    It’s not about being able to disable autosandboxing as a developer, it’s about what’s going to happen during the initial release phase when your application is running on the computers of users with Avast installed (and default options).

    Honestly, I cannot see what auto-sandboxing brings over the user prompt version: in some applications (such as games) it is very easy to miss the autosandbox pop-up, meaning the average user (who probably doesn’t even know this feature exists) is going to be confused as to why the program isn’t functioning properly. I also have doubts about the current quality of the underlying database when popular applications such as Octave trigger the ‘low rep’ warning.

    For that matter, the message “The file prevalence/reputation is low” is unpleasantly ambiguous, too – the ‘reputation is low’ part could easily be interpreted as meaning that this application has been actively marked as malware, when it has not. I feel it would be much better to say something like “Avast Cloud does not yet have a reputation for this file – caution is advised if from an untrusted source.”

    I’ve always been a fan of Avast, and recommended it to a lot of friends, but I must admit that the design choices on Autosandbox have left me a little mystified.

    • michal-vanek
      March 28th, 2012 at 16:51 | #16

      During the initial release phase there might appear conflicts but autosandbox and filerep are developed to accommodate very fast for this situation. Unfortunately there is a known issue: if the autosandbox popup appears during installation it causes failure of installation. This will be fixed in the next program update.

      It is a good hint about the file/low reputation description. It should be more clear and descriptive.
      thanks,

  15. anotherdeveloper
    March 29th, 2012 at 06:26 | #17

    I’m using a different application, but it does the same thing. Just turn off the autosandbox or go crazy. I will just use the sandbox for apps I’m not too sure about.

    rppkn :
    This new version of AutoSandbox pisses me off! I’m developing an installer with Inno Setup, and every time I run the compiled installer, Avast puts it in Sandbox. The problem is, every time the installer is executed, it generates a new file in Temp folder, making it impossible to whitelist it. I have to disable Avast to run the installer, and this pisses me off.
    Putting a digital signature on it is not an alternative for me. Please, Avast developers, show us another solution.

  16. Colin.G
    March 30th, 2012 at 21:18 | #18

    michal-vanek :
    Hi,
    you can accelerate the process if you digitally sign the files.
    thanks,
    Michal

    I’m a hobby developer who also happens to have a few hundred people who use my programs, I can’t afford that.

  17. teoavast
    April 1st, 2012 at 22:26 | #19

    michal-vanek :
    Hi,
    you can accelerate the process if you digitally sign the files.
    thanks,
    Michal

    Tja.. So from now on everything I put together in Delphi when testing a component, or whatever I do needs to be signed if I wanna do anything like testing?
    Not to mention distribution of my software to customers who use Avast?

    I noticed that everything I download from Internet and install runs fine. But my own software (I’m software developer) that is not under program files is run in the sandbox?

    Maybe I’m the stupid prick here but I would say that if the sandbox is used to run files from unknown origin, first of all the file should be scanned for a virus. I would accept an initial run in the sandbox IF THE FILE IS EXECUTED at all. But with the latest version, it is not.

    Why not run the file in the sandbox initially (but RUN THE THING) and if it’s clean, restart it outside the sandbox? That would make the sandbox truly automatic. And keep my blood pressure in range.

    If this is the future with AVAST: this is my last version of the software.

    Teo

  18. michal-vanek
    April 2nd, 2012 at 15:17 | #20

    @teoavast
    Autosandbox is used to reveal new viruses before we have a chance to add them to VPS as new virus definitions.

    You write – Why not run the file in the sandbox initially (but RUN THE THING) and if it’s clean, restart it outside the sandbox?
    Yes, we plan something similar for the next release. It should solve all these troubles.

  19. devel
    April 3rd, 2012 at 16:14 | #21

    I have uninstalled about 7-8 avast on my clients’ PCs, because of the sandbox thing. I don’t think that was a smart move from avast’s side.

  20. mmesser314
    April 14th, 2012 at 17:49 | #22

    I am a user. From my viewpoint, the problem is the reverse of what software vendors are seeing. I see Avast raising false alarms, and not being as trustworthy as I would like.

    I have only seen the AutoSandbox pop up a few times. But it has always been when I run an application that I am fairly sure is safe.

    Avast gives me contradictory advice: It tells me the program is suspicious, there isn’t enough evidence to identify it as malware, but I should still use extreme caution, and only run it in the sandbox. It makes me worry enough to want to check it out, but it is hard to find anything useful. “Static analysis finds the file suspicious” isn’t very informative. This blog is the first helpful thing I found.

    I appreciate having this feature. Someday it will save me some trouble. But it would be nice if you could tone down the wording. The alarm should let me know what this blog told me.
    - Avast autosandboxes applications when it finds any indication of malware.
    - It is common to autosandbox an application that is safe.
    - If you know this application is safe, tell Avast to let it run normally next time.
    - If you have doubts, tell Avast to run it in the sandbox next time.


    Also, it would be good to make something like this blog immediately accessible in the Avast help. When I pop up the Avast UI, I find links to a FAQ, the forums, and for downloading a manual. I didn’t find anything in the FAQ or on the forum. I haven’t tried the manual yet. Users never do.

    Perhaps you could add a help button to the AutoSandbox dialog. It should address these two issues:
    - What is this dialog all about?
    - How do I know if the app I want to run is safe?

  21. mmesser314
    April 14th, 2012 at 23:08 | #23

    @mmesser314

    I looked again. I see I missed the obvious Help button, and the controls for the AutoSandbox in the menu. Also I downloaded the manual. The descriptions in help and the manual are pretty much what I would ask for.

    But I stand by what I said. I still think it would be an improvement to add a Help button to the Auto-Sandbox dialog and to tone down the wording of the dialog. The tones of help and the manual are much better.

    A table of contents in the manual would be nice. Then I wouldn’t have to read to p 20 to find Auto-Sandbox.

    I see I can set Auto-Sandbox to ask before opening a program in the sandbox. And it asks more calmly. This sounds like the option for me. I understand why this is not the default setting – It would be annoying to lose your work when you try to save.

  22. Tech
    April 17th, 2012 at 14:58 | #24

    Congratulations for the Autosandbox movement.
    The proactive protection we’re achieving is already being noticed in the AV-Comparatives Real World Tests (http://chart.av-comparatives.org/chart2.php).

    Thanks. And also thanks for allowing customization (like making exceptions for the ones who develop programs).
