AutoSandbox Test Tool for avast!

Hi guys,

In case anyone is interested, here's a test tool that you can be used to test the avast! autosandbox feature.
It's a tiny program that creates a file in the root of disk C:\ and in the registry Run key.
Avast should trigger the autosandbox feature on this file, so you can test whether the feature is working as expected (in the latest version 6.0.1091, it should work on all supported OSes). If the file is not autosandboxed, there may be some problem.
Thanks
Vlk

Download and Comments
http://forum.avast.com/index.php?topic=76650.0

 

great..!! thanks....

 

I don't have avast on my computers any longer, but ran the autosandboxme.exe file to see what happens.
It was fun watching OA pop up, then Vipre, then Sandboxie.
There was even an unknown publisher pop up from Internet Explorer.
Layers on.

 

Thank you.

 

is this feature enabled for windows 7 x64?

 

Comodo automatically sandboxed it and it couldn't create txt file in c, of course

 

@ hayc59

Thanks Nice little test

As it's not only applicable to Avast, it might get more deserved attention in here - https://www.wilderssecurity.com/forumdisplay.php?f=35

Had to uncheck this protection before it could do Anything





then retry and allow it through ProcessGuard, then







Doing it over again, if i did the Uncheck but disallowed the .exe with PG etc, i still got the .txt file in C/ ! but no text inside it ? There was when i allowed everything originally, as expected, along with the Autorun. I didn't get the Autorun though the second time.

 

Interesting, you can test more than just Avast with it. My SRP didn't even allow it to run, at first.

 

Yes

 

Test tool sandboxed by Avast 6.0 quickly.

Opened it sandboxed with SandboxIE also; it does the changes:

 

It gives an error on my XP SP2, however sandboxed by CIS.

 

@ aigle

Hi, CIS only sandboxed the .exe, if you actually allow it to run then you can see if anything happens, or not ?

Don't know why you got the error on XP/SP2 ? as that's what i tested it on !

 

I will try n see again what happens.

 

It,s what I get.

 

Hmm, I wrote the same sort of thing in python;
Create .txt file in the root drive
Create auto-run registry entry

Avast didn't Sandbox?

Source:
http://pastebin.com/rFfWdpFL
Download:
http://www.mediafire.com/?14xdigqhw5qv98v

P.S Apologize on the file size, I only know Python\Java

 

Which is as expected. The autosandboxme.exe executable was meant sort of like "Eicar" for the avast autosandbox feature (irrespective of what the payload is). I.e. it's not really the payload, it's the binary itself.

It was created so that people can make sure the AutoSandbox feature is operation on their computers. Mainly because in the older version of avast (6.0.1000), there were some bugs that prevented the autosandbox from kicking in in some cases.

Thanks
Vlk

 

I feel so safe with Sandboxie installed.

 

Ok I understand, thanks.

On what actions does the sandbox consider a suspecious application? I've created files in the windir and auto-start.. I personally consider that to be suspicious. The BB does catch the auto start though .

 

I don,t understand at all. Sandboxtest.exe does the same as done by autosandbox.exe then why it,s not sandboxed by Avast? Thanks

BTW what is the trigger for avast to sandbox an executable?

Thanks

 

Uh. Because the sandbox feature is NOT supposed to prevent creating files on your filesystem for everything you run, nor it is supposed to prevent creating registry keys for everything you run. Would render your computer unusable. It is just a TEST TOOL. Go Google EICAR test file -> same thing.

 

From what I gather, Like EICAR - avast is meant to recognize the avast sandbox test file. I think in this case it's application specific, It would be nice though as you said to know what the triggers are..

I could be wrong though, just my thoughts on the matter

 

The triggers cannot be easily explained. They have the whole heuristics engine behind their back, and are being tweaked pretty much every day. There's tens of characteristics that are taken into account, including the results from the code emulator, context in which the module is activated, its origin etc.


Thanks
Vlk

 

CommunityIQ could also help here by using how known is the file. But i'm sure they are aleardy using this or something similar.