Avast Sandbox:- Is It Reliable?

Discussion in 'other anti-virus software' started by AvinashR, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO
    How are you executing the malware? Downloading it, then right-clicking it, then selecting "run virtualized"? Or downloading it, then clicking "run" during the download? Are you running it from a particular folder? Just curious... It seems to work, according to this sample test video that an Avast forum member made (http://www.screencast.com/users/Glo...lt/media/d7162472-bd6a-4ef2-b7ed-36d174e16cf9 ). You should post your findings on the Avast forum and the steps to recreate the issue. It will only help users in the end.
     
    Last edited: Jul 1, 2010
  2. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    After downloading the samples and then selecting "Run Virtualized" ....
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Last edited: Jul 3, 2010
  4. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
  5. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I feel Avast! Sandbox isn't really that good, but time will tell :rolleyes:
     
  6. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Absolutely right.. But I am still waiting for VLK, as he assured me that he'll show something to me when he is back at his office..
     
  7. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    I guess nobody from Avast would like to comment on this situation.. I asked VLK yesterday, but I guess he has not read my PM... Probably he ignored it...
     
  8. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
    Doesn't surprise me. I tried asking him about one of the comments he made on the Hitman Pro business model and he never chose to answer that either. According to him the work being done by Hitman Pro is not morally correct. And this is coming from a person whose company has already licensed its engine to GDATA.
     
  9. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    LOL, it seems he is in defensive mode.. Anyway, I hope that they'll soon look into their sandbox module. BTW I am very much surprised that nobody bashed their Sandbox, whereas we saw that Comodo got a huge negative response when they introduced their half-baked Sandbox ...
     
  10. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    well it could be cuz nobody really uses the sandbox so they can't complain bout something they don't use. or it could be since it's not an automatic sandbox like comodo, people don't need to constantly have it in use so it's less of a bother perhaps.
     
  11. guest

    guest Guest

    Comodo's automatic sandbox idea is very good. I like it. Because you are right. I never see anybody using a sandbox in the real world. My girlfriend, friends, nobody uses a sandbox.

    Comodo's model is very good. There are many problematic situations but main idea is very good.
     
  12. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Agree with you on Comodo's case. And I also love their brilliant idea... They even solved their sandbox problem very fast.. but about Avast I have no comments now...:blink:
     
  13. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Agree with you, but don't you think they should look into the matter asap? Is it good to keep their suite with one flaw only because very few people are using their sandbox ...? I don't think so.

    What if 30% of their paid users are using their inbuilt sandbox?
     
  14. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    C'mon, it's a holiday week here :)

    Soo.... what do we have here.
    I tried running some of the PoC tests I used last year to circumvent Sandboxie, and indeed, at least one of them does work even with the latest version of SBIE. It's not rocket science, really; it is related to network access policies. Sandboxie (at least with the default settings) doesn't seem to limit network access at all - including localhost access. So you can simply write files outside of the sandbox by using localhost shares (e.g. admin shares), if you bypass the SMB (filesystem redirector) layer in Windows and implement it using raw network access (you can use e.g. a Win32 port of smbclient for this, or write something from scratch, that's not such a big deal as there is sample code on the Internet that you can use). BTW the same applies to service creation/manipulation etc.

    Now, again, I'm not saying that Sandboxie is bad (in fact, I really think it's a great product) but just trying to make you understand that there's nothing like 100% protection or 100% security.

    Regarding this post of yours:
    I couldn't agree more. We're taking this very seriously. Actually, we have already analyzed what the problem was and fixed it in the internal builds (i.e. it will be fixed in the next avast program update). But this doesn't contradict in any way what I said, does it?


    Regarding the idea of auto-sandboxing all unknown programs (as implemented in Comodo IS). It is definitely not a bad idea, even though not really the direction we're heading. I still think that a finer-grain differentiation of what should, and what shouldn't be run in the sandbox is needed. In the upcoming avast 5.1, we will be implementing some of these ideas though.

    I strongly believe in the power of the community, so if anyone else has more malware samples that are believed to be able to circumvent the avast sandbox, he's more than welcome to submit them to us and help us make the product better.

    Thanks
    Vlk
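
The condition vlk describes above (a sandboxed process with unrestricted network access reaching the machine's own SMB service) can be looked for in connection records. The following Python is an added example, not code from the thread or from either vendor; the record layout, process names and addresses are constructed, and it goes slightly beyond the post by also treating the host's own LAN addresses as local.

```python
import ipaddress

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Constructed sample records: (process, sandboxed?, destination IP, destination port)
SAMPLE_CONNECTIONS = [
    ("browser.exe", True, "203.0.113.10", 443),   # ordinary outbound HTTPS
    ("sample.exe", True, "127.0.0.1", 445),       # loopback SMB
    ("sample.exe", True, "192.168.1.20", 445),    # host's own LAN address
    ("sample.exe", True, "::1", 139),             # IPv6 loopback
    ("backup.exe", False, "127.0.0.1", 445),      # not sandboxed, out of scope
    ("sample.exe", True, "192.168.1.50", 445),    # a different machine
    ("sample.exe", True, "127.0.0.1", 8080),      # loopback, but not SMB
]

def is_local_address(dest, host_addresses):
    """True if dest is loopback or one of this host's own addresses."""
    ip = ipaddress.ip_address(dest)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) before testing.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_loopback or ip in host_addresses

def find_local_smb_access(connections, host_ips):
    """Return (process, dest, port) for sandboxed processes that reach
    the local machine's SMB ports, the path that sidesteps file-system
    virtualization when the sandbox does not restrict network access."""
    host_addresses = {ipaddress.ip_address(a) for a in host_ips}
    hits = []
    for process, sandboxed, dest, port in connections:
        if sandboxed and port in SMB_PORTS and is_local_address(dest, host_addresses):
            hits.append((process, dest, port))
    return hits

if __name__ == "__main__":
    for hit in find_local_smb_access(SAMPLE_CONNECTIONS, ["192.168.1.20"]):
        print("sandboxed process reached local SMB:", hit)
```
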
     
  15. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Can you please provide the same sample or report log of the same test? It would be great if you can provide the sample for self testing.. :)

    Agree with you, but here nobody said that there is something like 100% protection... I guess nobody said this. We have only raised our concern about Avast Sandbox.


    Great to hear this... that you have detected the problem and are working on it.

    Not to worry, I'll surely keep my EYE on Avast Sandbox...:)
     
  16. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    actually... YOU did say that...

     
  17. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Oops, what a blunder I have made...:ninja:
     
  18. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
    grrrrrrr.....he still didn't answer my question :mad:
     
  19. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Sorry I really don't feel like providing anyone with code of any kind (I don't think that's something an employee of an AV company should do).

    Anyway, the problem was already acknowledged by tzuk (the author of Sandboxie) so I'm sure you'll believe me I know what I'm talking about.

    http://www.sandboxie.com/phpbb/viewtopic.php?t=8398


    Sorry but your question was way off-topic (if you are talking about HitmanPro). To make a long story short, I simply think there's something wrong with the idea of building an AV company by piggybacking on other vendors' engines.


    Thanks
    Vlk
     
  20. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
    Ohhhh......I see...that means GDATA has been cheating this whole time telling the world that they have an avast! engine along with BitDefender. Coz clearly someone of your opinion would never license their engine to another company, right?
     
  21. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Wrong. Gdata has a standard redistribution deal, and of course, pays royalties.

    HitmanPro does not.

    BTW the word "cheating" is not adequate in this context as it implies something illegal. I don't have any reasons to assume that what they're doing is illegal (as they run the engines, presumably properly licensed, on their own servers) - although it is possible that setting up a service like this is in violation of the EULA of some of the products.

    Anyway, my comment on the avast forum (if that's what you're following up on) was just an expression of my personal opinion, you don't have to agree...;)
     
  22. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
    Thanks for following up vlk. And many more thanks for leading the development of a solid reliable app that has still not lost its focus from performance.
    I am sure if any of the vendors find their products being run in a disagreeable manner, they would take appropriate action.
    So true, and yet I am sorry to say that yes, I do not agree.
     
  23. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Royalties? In Million or Billion Euros? Oh Come on ...

    Hitman Pro is a small company, run by 5 most professional guys, who want to make the computer world safe. They also have a much smaller consumer/customer database compared to the "Big Fishes", so we can imagine how much they are earning. And if companies asked them to pay Royalties + License Fees + Bla Bla Bla in Millions and Billions of Euros, then I am sure they would not be able to pay that ridiculous and unjustifiable amount.

    Anyway, back to topic... It's good to see that Tzuk has been informed about your PoC, but I'll be glad if you can also look into your Sandbox issue... Here you have illustrated the SandboxIE problem but you have not commented on your Sandbox issue. Even Avast Sandbox was passed by most common rootkits and malware ... and this has to be notified and corrected asap. Don't you think I am correct here..?:p
     
    Last edited: Jul 12, 2010
  24. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Oh come on... HitmanPro is commercial software (not a charity), sold the usual way (subscription-based model). And since its intellectual property is vastly based on other people's/companies' hard work, it would be natural to assume that a significant part of the revenue would be collected by the engine vendors. Which is not the case.

    Sorry but I don't think it's relevant to talk about how many people are involved in the company etc as it is irrelevant here. Today it's five people, a year from now it can be 500.

    Again, please let's stick with the topic of this thread.

    I think I have. Please see my reply #39.

    Thanks
    Vlk
     
  25. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,429
    Location:
    U.S.A.
    Removed Off Topic posts. Let's focus on the subject at hand and not get personal toward each other. Thanks!
     