Avast Sandbox:- Is It Reliable?

Discussion in 'other anti-virus software' started by AvinashR, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi,

    I just want to ask my Wilders mates: how reliable is Avast Sandbox? I am asking this because I have found/noticed something really bad... Anyway, please do lemme know your experiences with Avast Sandbox...
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    >> I am asking this because i have found/noticed something really bad...

    "bad" on that sandbox or "bad program"?

    I turned it off because the issue with the floppy drive wasn't solved at least.
    On Win/32bit I use Sandboxie, but on 64bit the Avast sandbox may help.
    The best way to find out yourself is to set up Win + Avast/sandbox on a VM
    and find the changes. Maybe Revo Uninstaller can log outside the box.
     
  3. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    In my experience it's a BAD Sandbox...Worst as compared to CIS or others..

    I have executed the latest variant of TDSS/Alureon inside it, and to my surprise it passed it, and infected the system. :ninja: After that the same malicious file was executed inside SandboxIE and it wasn't able to infect the system....So IMO it's really bad to have this kind of sandbox. :ouch:
     
  4. Persian Boy

    Persian Boy Registered Member

    Joined:
    Sep 1, 2007
    Posts:
    44
    I have tried Avast sandbox on a 64bit system and it did nothing. When I say it did nothing I mean it. Don't try it against malware.

    Behavior Blocker is another thing in Avast which is not working in 64bit; maybe it does in 32bit. I don't know.

    Disinfection with Avast also didn't work, on both 64bit and 32bit.
     
  5. adam993

    adam993 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    203
    Location:
    Poland
    Avast sandbox is "dedicated" for internet browsers. Of course it is possible to run executable files, but I'm not recommending running unknown *.exe, *.bat and *.com files in the sandbox.
     
  6. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Then I am sure it won't be able to protect Internet browsers too...I know that there are other shields also, but for a moment if we keep everything aside and talk directly about their Sandbox then IMO it's really poor as compared to SandboxIE or CIS Sandbox. Practically and theoretically no malicious item can bypass SandboxIE, but if we consider Avast then it can be bypassed. :ninja:
     
  7. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Also there were instances with sandboxed firefox and more than 10 tabs open, where firefox just crashed, when under sandboxie or just plain unsandboxed firefox can handle 20 tabs with ease. Avast sandbox not so stable atm.
     
  8. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Thanks for sharing the information. They need to look into their Sandbox urgently, because I am sure that many of their users are using it and they all are vulnerable.
     
  9. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
  10. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    I heard that they do get angry very easily, if somebody points out their faults...Seriously, I had a bad experience with their team. I am sure somebody from Avast team will surely look into the matter... :p
     
  11. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    You "heard" that they get angry very easily? Like "how dare you report issues in our software"? C'mon...:)

    In any case, if you have a malware sample that you think bypasses the sandbox it would be useful to send it to the lab (or to me directly). BTW let me just say that you are wrong that the other sandboxes are impenetrable...
     
  12. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
    Yeah, given the state of digital security these days, the only impenetrable thing seems to be my angry GF.
     
  13. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hey hey..."How dare you talk like this with me" :D

    VLK, I have tested the latest version of TDL3/Alureon. Needless to say, it was detected by Avast on the first attempt, but I disabled the Real-time shield and ran it inside the Avast Sandbox, and to my surprise it was able to bypass it.

    I have again run the same exe on a clean VM machine under SandboxIE and it was not able to bypass it. :rolleyes:

    I'll surely send you the sample but want to again inform you that it was detected by Avast, but to test the sandbox I have disabled the real-time shield.
     
  14. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Then change your gf, it will surely get penetrable.

    BTW do you know any malware which can penetrate/bypass SandboxIE or VMware Machines...If you have then do let all of us know. :rolleyes:
     
  15. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    BTW I was expecting this kind of comment from you. Can you please lemme know any kind of example bro... :)
     
  16. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Make a claim like this, I hope you can back it up.
     
  17. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    I was doing a slight research of this topic roughly last September, and at that time, it was relatively easy to come up with PoC code that bypassed SbIe. Not sure if these still work but my assumption is that it's still true that if you know what you are doing (i.e. creating these things to target the inherent weaknesses of the sandboxes, instead of executing malware samples as a black box) it is not hard to do it.

    I'm currently out of office but I'll try to find some time and show you something when I come back next week.

    Thanks
    Vlk

    PS Don't get me wrong, I'm not trying to put down SBIE in any way, all I'm saying is that there's no silver bullet, really.
     
  18. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    I'll be waiting for the same...I know that if we target a particular software then it's quite possible that we can exploit its weakness...But it's not the case we are discussing here... I am sure the author of TDSS didn't write up his malware to bypass Avast Sandbox only... :rolleyes:
     
    Last edited: Jun 30, 2010
  19. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    While I don't have Avast's Internet security version, I'm using the free version with, you guessed it, SBIE. They work great together!
    Ice
     
  20. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Forgive my scepticism but I've read so many times about how this or that bypasses SBIE, yet it's extremely rare to find examples that stand up to scrutiny.
     
  21. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    I am also looking for a practical example...Because I haven't seen any kind of malware which can bypass SandboxIE...I am not praising SandboxIE or bashing Avast Sandbox, but what I want to tell you is the truth.

    Anyone here can test their/Avast Sandbox with TDL3/Alureon samples, and you'll see that the samples are able to bypass it...Now, in the last 4 months haven't they noticed it? Or don't they have such kind of information from their users?
     
  22. Matthijs5nl

    Matthijs5nl Guest

    I don't remember where, but I think I have read something about TDL3/TDSS/Alureon and sandboxing and virtual machines. It doesn't even try to infect you when you use SandboxIE, and also it detects whether you are on a virtual machine or not.

    If it sees it can't infect, it just deletes itself and all traces.
     
  23. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Absolutely correct. But it's not the same in the case of Avast Sandbox, where it was not able to detect the Avast Sandbox and bypassed it :p
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    By targeted attacks any software can be penetrated, it needs no proof. But a sandbox being penetrated by common malware samples/ rootkits is pretty bad IMO.
     
  25. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Agree with you...It's not even the case with TDSS only, I have tried to run Trojan SpyEye inside the Avast Sandbox, and seriously it was able to bypass it...Now I have no words to say good about Avast, particularly about its so called "Process Virtualization" aka Sandbox
     