AutoSandbox Test Tool for avast!

Discussion in 'other anti-virus software' started by hayc59, Apr 20, 2011.

Thread Status:
Not open for further replies.
  1. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,133
    Location:
    R.I.P. Roger(roddy32)
    Hi guys,

    In case anyone is interested, here's a test tool that can be used to test the avast! autosandbox feature.
    It's a tiny program that creates a file in the root of disk C:\ and in the registry Run key.
    Avast should trigger the autosandbox feature on this file, so you can test whether the feature is working as expected (in the latest version 6.0.1091, it should work on all supported OSes). If the file is not autosandboxed, there may be some problem.
    Thanks
    Vlk

    Download and Comments
    http://forum.avast.com/index.php?topic=76650.0
     
  2. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
    great..!! thanks....:thumb:
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I don't have avast on my computers any longer, but ran the autosandboxme.exe file to see what happens.
    It was fun watching OA pop up, then Vipre, then Sandboxie.
    There was even an unknown publisher pop up from Internet Explorer.
    Layers on. :)
     
  4. Avast

    Avast Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    6
    Thank you. ;)
     
  5. Superman20

    Superman20 Registered Member

    Joined:
    Dec 24, 2007
    Posts:
    39
    is this feature enabled for windows 7 x64?
     
  6. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    330
    Comodo automatically sandboxed it and it couldn't create txt file in c, of course :isay:
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ hayc59

    Thanks :thumb: Nice little test

    As it's not only applicable to Avast, it might get more deserved attention in here - https://www.wilderssecurity.com/forumdisplay.php?f=35

    Had to uncheck this protection before it could do Anything

    hi-1.gif

    pg1.gif

    then retry and allow it through ProcessGuard, then

    mod.gif

    z1.gif

    2.gif

    Doing it over again, if i did the Uncheck but disallowed the .exe with PG etc, i still got the .txt file in C/ ! but no text inside it ? There was when i allowed everything originally, as expected, along with the Autorun. I didn't get the Autorun though the second time.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Interesting, you can test more than just Avast with it. My SRP didn't even allow it to run, at first.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Yes :)
     
  10. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    Test tool sandboxed by Avast 6.0 quickly. :cool:

    Opened it sandboxed with SandboxIE also; it does the changes:
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It gives an error on my XP SP2, however sandboxed by CIS.
     

    Attached Files:

  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ aigle

    Hi, CIS only sandboxed the .exe, if you actually allow it to run ;) then you can see if anything happens, or not ?

    Don't know why you got the error on XP/SP2 ? as that's what i tested it on !
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I will try n see again what happens.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It's what I get.
     

    Attached Files:

  15. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
  16. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Which is as expected. The autosandboxme.exe executable was meant sort of like "Eicar" for the avast autosandbox feature (irrespective of what the payload is). I.e. it's not really the payload, it's the binary itself.

    It was created so that people can make sure the AutoSandbox feature is operational on their computers. Mainly because in the older version of avast (6.0.1000), there were some bugs that prevented the autosandbox from kicking in in some cases.

    Thanks
    Vlk
     
  17. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I feel so safe with Sandboxie installed.
     
  18. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    Ok I understand, thanks.

    On what actions does the sandbox consider a suspicious application? I've created files in the windir and auto-start.. I personally consider that to be suspicious. The BB does catch the auto start though :thumb: .
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I don't understand at all. Sandboxtest.exe does the same as done by autosandbox.exe then why it's not sandboxed by Avast? Thanks

    BTW what is the trigger for avast to sandbox an executable?

    Thanks
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Uh. Because the sandbox feature is NOT supposed to prevent creating files on your filesystem for everything you run, nor is it supposed to prevent creating registry keys for everything you run. Would render your computer unusable. It is just a TEST TOOL. Go Google EICAR test file -> same thing.
     
  21. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    From what I gather, Like EICAR - avast is meant to recognize the avast sandbox test file. I think in this case it's application specific, It would be nice though as you said to know what the triggers are..

    I could be wrong though, just my thoughts on the matter
     
  22. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    The triggers cannot be easily explained. They have the whole heuristics engine behind their back, and are being tweaked pretty much every day. There's tens of characteristics that are taken into account, including the results from the code emulator, context in which the module is activated, its origin etc.


    Thanks
    Vlk
     
    Last edited: Apr 24, 2011
  23. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    CommunityIQ could also help here by using how well known the file is. But I'm sure they are already using this or something similar.
     