malware sandboxed then blocked

Hi all,

I noticed the following behaviour (I’m running 5.8 beta) which appears to me somewhat dangerous:
If I try to run some malware, the file is

  1. sandboxed as an unrecognized file
  2. blocked by the antivirus

The problem is that you might (as I did), at stage 1, click “automatically” (because I often do that for files that I know are safe) on “Don’t isolate again”, which results in making the file trusted!
Then the next time you run the file…
So I was wondering if this could be changed, that is to say we wouldn’t get a sandbox alert when a file is blocked by the antivirus, avoiding the danger of possibly making it trusted.
By the way, maybe it’s a good idea to quarantine automatically threats found by the resident instead of blocking them.
What do you think?

You can change the behavior from Block to Quarantine if you wish. Antivirus → Scanner Settings → Real Time Scanning.

As for the issue of accidentally trusting the wrong file, all I can say is that it would be a good idea to read the alert before clicking on anything. Answering any alert incorrectly could compromise the security of your system.

What I wanted to say is that when the antivirus blocks a file, the sandbox alert is useless, in my opinion…

If a file is sandboxed, then blocked by the AV, how is the sandbox supposed to know it should suppress an alert?

So why wouldn’t the file be blocked before being sandboxed (and thus not be sandboxed at all)?

It is in the timing of things. See Unknown Files: The Sand-boxing and Scanning Processes for reference.

The file was probably caught by the cloud as described in Sandbox and Cloud Scanning Part 2. This takes place after the file got sandboxed.

I always liked the previous autosandbox alert, where it was simple for average users and had an option for experts. The alert used to say “There is nothing you have to do”, which was good for average users, and More Options was there on the alert, wherein “Don’t Isolate” and “Hide This Alert” were there, which was good for expert users.