
Thread: Where is the sandbox for Avast?

  1. #1
    Join Date
    Mar 2010
    Posts
    2,442


    Finally found the answer:

    What exactly is isolated?

    All file-system changes done by a sandboxed application are virtualized (these modified files are stored in the hidden folder in root: "\## aswSnx private storage"). The folder can be made visible if you set HideTarget=0 in the "%avast data folder%\snx_lconfig.xml" file. File changes are cached in memory, so any unapproved file modifications in this hidden folder may lead to an "undefined" state. I think these attempts are also blocked by our driver (not sure right now). All registry changes are also virtualized (see the "HKEY_CURRENT_USERS\__aswSnx private storage" hive), all named objects (events, sections, ...) are virtualized (download winobj.zip to see Windows Object Manager namespaces), in-process communication (LPC/ALPC) is virtualized. Process/Thread/... modifications are blocked or limited. Windows names/classes/SCM/WinHooks will be virtualized in the next version.

    Avast sandbox uses pre-defined exceptions for most browsers (see snx_gconfig.xml), i.e. bookmarks/cookies/history are excluded automatically from the virtualization, and everything you download (in the standard way, e.g. by using SaveAs dialogs, ...) is also excluded. However, every file which would be saved by malware is virtualized. We plan to add more options into expert settings in upcoming versions.
    Quoted from

    Tried to edit snx_lconfig.xml, but no luck.

  2. #2
    Join Date
    Sep 2011
    Location
    FRANCE
    Posts
    1
    First, I am sorry to re-up this topic today.
    The thing is that I only found here what I wanted to know about the Avast sandbox.
    Concerning the editing of the snx_lconfig.xml file, I modified & saved it in safe mode. Then when it restarts normally you can see the '\## aswSnx private storage' folder!
    Your post is the hopeful result of very long research on the Internet. So, BIG, BIG, BIG thanks.
