Avast Sandbox:- Is It Reliable?

Hi,

I just want to ask from my Wilders mates, How reliable is Avast Sandbox? I am asking this because i have found/noticed something really bad... Anyways please do lemme know your experiences with Avast Sandbox...

 

>> I am asking this because i have found/noticed something really bad...

"bad" on that sandbox or "bad program"?

i turned it off cause the issue with the floppy drive wasnt solved at least.
Win/32bit i use sandboxie - but on 64bit the avast sandbox may help.
the best way to find out yourself is to setup win+avast/sandbox on a vm
and find the changes. maybe revo uninstaller can log outside the box.

 

In my experience its BAD Sandbox...Worst as compared to CIS or others..

I have executed the latest variant of TDSS/Alueron inside it, and to my surprise it passed it, and infected the system. After that the same malicious file was executed inside SandboxIE and it didn't able to infect the system....So IMO its really bad to have this kind of sandbox.

 

I have tried Avast sandbox in 64bit system and it did nothing. When I say it did did nothing I mean it. Do't try it against malware .

Behavior Blocker is other things in Avast which is not working in 64bit maybe it does in 32bit. I don't know.

Disinfection with Avast didn't work also both 64bit and 32bit.

 

Avast sandbox is "dedicated" for a internet browsers. Of course is possible run executable files, but I'm not recommending run unknown *.exe, *.bat and *.com files in sandbox.

 

Then i am sure it won't able to protect Internet browsers too...I know that there are other shields also, but for a moment if we keep everything aside and talk directly about their Sandbox then IMO its really poor as compared to SandboxIE or CIS Sandbox. Practically and Theoretically no malicious item can by pass SandBoxIE but if we consider Avast then it can be bypassed.

 

Also there were instances with sandboxed firefox and more than 10 tabs open, where firefox just crashed, when under sandboxie or just plain unsandboxed firefox can handle 20 tabs with ease. Avast sandbox not so stable atm.

 

Thanks for the sharing the information. They need to look into their Sandbox urgently, because i am sure that many of their users are using it and they all are vulnerable.

 

Maybe you could let pk know about your milege with the sandbox.

http://forum.avast.com/index.php?topic=57347.msg483820#msg483820

 

I heard that they do get angry very easily, if somebody point out their faults...Seriously, i had a bad experience with their team. I am sure somebody from Avast team will surely look into the matter...

 

You "heard" that they get angry very easily? Like "how dare you report issues in our software"? C'mon...

In any case, if you have a malware sample that you think bypasses the sandbox it would be useful to send it to the lab (or to me directly). BTW let me just say that you are wrong that the other sandboxes are impenetrable...

 

Yeah, given the state of digital security these days, the only impenetrable thing seems to be my angry GF.

 

Hey hey..."How dare you talk like this with me"

VLK, i have tested the latest version of TDL3/Aleuron. Not to be mentioned that it was detected by Avast in first attempt, but i have disabled the Real-time shield and ran it inside the Avast Sandbox, but to my surprise it was able to bypass it.

I have again ran the same exe on a clean VM machine under SandboxIE and it was not able to bypass it.

I'll surely send you the sample but want to again inform you that it was detected by Avast, but to test the sandbox i have disabled the real-time shield.

 

Then change your gf, it will surely get penetrable.

BTW do you know any malware which can penetrate/bypass SandboxIE or VMware Machines...If you have then do let all of us know.

 

BTW i was expecting this kind of comment from you. Can you please lemme know any kindda of example bro...

 

Make claim like this,I hope you can back it up.

 

I was doing a slight research of this topic roughly last September, and at that time, it was relatively easy to come up with PoC code that bypassed SbIe. Not sure if these still work but my assumption is that it's still true that if you know what you are doing (i.e. creating these things to target the inherent weaknesses of the sandboxes, instead of executing malware samples as a black box) it is not hard to do it.

I'm currently out of office but I'll try to find some time and show you something when I come back next week.

Thanks
Vlk

PS Don't get me wrong, I'm not trying to put down SBIE in any way, all I'm saying is that there's no silver bullet, really.

 

I'll be waiting for the same...I know that if we target a particular software then its quite possible that we can exploit its weakness...But its not the case we are discussing here... I am sure the author of TDSS didn't writeup his malware to bypass Avast Sandbox only...

 

While I don't have Avast's Internet security version, I'm using the free version with, you guessed it, SBIE. They work great together!
Ice

 

Forgive my scepticism but I've read so many times about how this or that bypasses SBIE,yet it's extremely rare to find examples that stand up to scrutiny.

 

I am also looking for a practical example...Because i haven't saw any kind of malware which can bypass SandboxIE...I am not praising SandboxIE or bashing Avast Sandbox, but what i want to tell you is truth.

Any1 here can test their/Avast Sandbox with TDL3/Alureon samples, and you'll see that the samples can able to bypass it...Now, from last 4 months haven't they noticed it? Or they don't have such kind of information from their users?

 

I don't remember where, but I think I have ready something about TDL3/TDSS/Alureon and sandboxing and virtual machines. It doesn't even try to infect you when you use SandboxIE, and also it detects whether you are on a virtual machine or not.

If it sees it can't infect it just deletes itself, and all traces.

 

Absolutely correct. But its not same with case of Avast Sandbox, whether it was not able to detect the Avast Sandbox and bypassed it

 

By targeted attacks any software can be penetrated, it needs no proof. But a sandbox being penetrated by common malware samples/ rootkits is pretty bad IMO.

 

Agree with you...Even its not the case with TDSS only, i have tried to run Trojan SpyEye inside the Avast Sandbox, and seriously it was able to bypass it...Now i have no words to say good about Avast, particularly about its so called "Process Virtualization" aka Sandbox