Threat Intelligence

20 March 2012

AutoSandbox - why are you annoying me?

Does this situation seem familiar? I have just downloaded an awesome application which should contain thousands of new desktop pictures. The site name is and wow, it must be pretty good. So, I run it and then this avast! AutoSandbox popup appears. Oh guys, why are you annoying me? I know what I am doing.

In few seconds, the AutoSandbox scan ends and another message appears: “This file appears to be malware”. Oh @$#%%, what is this application about? Probably it is a fake application which would harm my private data stored on the hard drive. Luckily, avast! and the AutoSandbox feature saved me this time.

The scope of behavior for AutoSandbox has been expanded for the new avast! 7.
The new AutoSandbox is now able to scan and analyze the behavior of selected files. In addition, this feature is connected to the FileRep cloud feature which identifies new files for additional analysis. So now we are able to warn you even before we have had the opportunity to examine this malware in our Virus Lab. This is a marked difference from the previous avast! 6 which was limited to only sandboxing suspicious files.
It also happens that the AutoSandbox toaster appears for programs which you are pretty sure are not infected. And in many cases, this can be intensely irritating: especially if you are a vendor of the application and you don’t want it to be marked as a potentially harmful program. In avast! 7, there is a new option to disable AutoSandbox. This might be useful for software developers when, for example, their internal application builds are being AutoSandboxed as low-reputation files.

Several reasons why we activate the AutoSandbox:

  • Static analysis finds the file suspicious

Static analyses checks file content and looks for suspicious strings in file headers similar in virus definitions. Main static analysis reasons are:

  • Application is not signed

It’s not mandatory to have a signed application, but signed software is statistically less likely to be harmful.

  • Use of executable file encryption/compression

App writers and installers(self extracts) like executable compression/encryption because it makes reverse engineering more difficult. But, it is also used by malware to hide from antivirus scanners. A compressed/encrypted file without a digital signature is doubly suspect.

  • The file prevalence/reputation is low

All new unknown files are potentially dangerous. Whenever they have become widespread, there will not be a reason to AutoSandbox them anymore.

  • The file origin/source is suspicious

Freewebs and some file distribution servers have a reputation for paying less attention to the quality and origin of their software than official distribution servers. This is a long-run issue of reputation and income management.

  • The file is executed from a remote/removable media

Running an application from the USB drive may cause the AutoSandbox dialogue box to appear –but the same app from your local hard drive may not. That is because many harmful apps are spread through removable media, increasing the odds of potential danger.

  • Generic heuristics/suspicious context
  • Invalid digital signatures
  • Suspicious file names
  • And there are more…

The guiding principle is that we secure your computer not only from known viruses/malware but also from viruses/malware which have not yet been uncovered.
So, the next time if you see an AutoSandbox popup appearing for your new application, read the message carefully. If you are not sure, run the app first in the AutoSandbox to prevent potential damage.