RE: HeffeD's Setup
From the help file (The Sandboxing and Scanning Process) it appears that this is what happens:
Code:
file.exe --> antivirus and heuristics --+--> auto-sandbox --> user clicks "do not sandbox again" --> Trusted files --> user opens the file again
                                        |
                                        +--> unrecognized files --> cloud (whitelist/blacklist + CIMA; might take some time to get results back)
What happens next? I know this is a theoretical question since real malware might trigger HIPS pop-ups, even if sandboxed, asking for admin privileges, for example. The user might reconsider and Block it.
Also the help file states:
Automatically sandboxed applications cannot be viewed or modified in the interface. Applications that were automatically sandboxed can only be removed if they become recognized as 'safe' by CIS
But I see files automatically jumping to trusted after clicking "do not sandbox again". I doubt that a hash exists since I created the file, and I doubt that CIMA has time to analyze it since the process idles for 5 min. Anyway, even with the cloud feature turned off or without Internet access the file gets into the trusted list.
Again, this is not a typical behavior of real malware. But since I've now enabled the sandbox (mainly used Defense+ before) I started noticing its behavior and I am also looking for a setup.
The easy recommended (at least in my opinion) solution: Close the auto-sandboxed program and upload it to VirusTotal.com
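As an added illustration (not code from the original post, and not CIS's own logic), the script below models the decision flow sketched in the post's diagram: look the file's hash up in a local trusted list, then in a cloud whitelist/blacklist, and otherwise treat it as unrecognized (auto-sandbox). It also shows why a freshly built binary gets "trusted" after "do not sandbox again" even with the cloud off: that click just adds the hash to the local trusted list, which is consulted first. The trusted, whitelist and blacklist sets are constructed sample data and the `classify`/`mark_do_not_sandbox` names are my own; the VirusTotal helper only builds a request against the public API v3 hash endpoint and performs no network call.

```python
import hashlib
import urllib.request

# Constructed sample data standing in for CIS's lists (hypothetical, not real hashes
# from any vendor database). The trusted list starts empty, like a fresh install.
CLOUD_WHITELIST = {hashlib.sha256(b"known good vendor binary").hexdigest()}
CLOUD_BLACKLIST = {hashlib.sha256(b"known bad sample").hexdigest()}


def sha256_hex(data: bytes) -> str:
    """Hash used as the file identity for all list lookups."""
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes, trusted: set, cloud_available: bool = True) -> str:
    """Model of the post's flow: local trusted list -> cloud lookup -> unrecognized.

    Returns one of "trusted", "malicious" or "unrecognized" (the last means
    the file would be auto-sandboxed). With the cloud off or offline, only the
    local trusted list can vouch for a file, so everything else is unrecognized.
    """
    h = sha256_hex(data)
    if h in trusted:
        return "trusted"
    if cloud_available:
        if h in CLOUD_BLACKLIST:
            return "malicious"
        if h in CLOUD_WHITELIST:
            return "trusted"
    return "unrecognized"


def mark_do_not_sandbox(data: bytes, trusted: set) -> str:
    """Mirror of clicking 'do not sandbox again': the hash goes straight into the
    local trusted list, no cloud verdict required. Returns the hash added."""
    h = sha256_hex(data)
    trusted.add(h)
    return h


def virustotal_report_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build (but do not send) a VirusTotal API v3 lookup for an existing report
    on this hash. Checking the hash first avoids uploading the file at all when
    someone has already submitted it."""
    url = f"https://www.virustotal.com/api/v3/files/{sha256}"
    return urllib.request.Request(url, headers={"x-apikey": api_key})


if __name__ == "__main__":
    trusted = set()
    my_tool = b"binary I compiled myself"        # constructed sample
    print(classify(my_tool, trusted))           # unrecognized -> would be sandboxed
    mark_do_not_sandbox(my_tool, trusted)
    print(classify(my_tool, trusted, False))    # trusted, even offline
    req = virustotal_report_request(sha256_hex(my_tool), "YOUR_API_KEY")
    print(req.full_url)
```

The important edge case is the last call: once the hash sits in the local trusted list, the cloud is never consulted again for that file, which matches the observation in the post that the file lands in the trusted list with the cloud feature off.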