Sandbox - Settings

Most of the following are visual settings that help distinguish between normal applications and virtualized applications.

• Show borders around the windows: customize a border for virtualized windows, or select a tab (enabled by default) that labels the window with the "Avast Sandbox" heading. This helps you to better differentiate between the virtualized windows and your normal desktop if you have several applications running.
• Show tags in the titles of windows: adds the "@" symbol to the taskbar tabs and window titles of apps running in Sandbox. This helps you to know which applications are running in Sandbox if you have several full-screen applications open. Note: This setting is visible on taskbar tabs only if you have enabled labels on taskbar buttons in Windows preferences.
• Integrate into the right-click context menu: displays the following options in the context menu when you right-click an application icon in Windows:
  • Run in Sandbox: starts the application in Sandbox one time only.
  • Always run in Sandbox: adds the application to a list of Virtualized processes in Sandbox settings. The next time you double-click the application's icon in Windows, the application automatically starts in Sandbox.
  After you configure applications to always run in Sandbox, the following options appear in the context menu when you right-click an application icon in Windows:
  • Run outside of Sandbox: starts the application in its normal state one time only.
  • Always run outside of Sandbox: removes the application from the list of Virtualized processes in Sandbox settings.
  Note: By default, menu integration is enabled for all users and can be restricted to Administrators only using the drop-down menu.

The following settings concern how applications are virtualized in your system and are intended for advanced users.

• Isolate window/class namespace: allows you to run an application window or dialog isolated from the system and from other sandboxes, which enables you to run the same application multiple times.
• Isolate inter-process communication objects: allows background processes used by running applications for data exchange operations, to run isolated from the system and from other sandboxes. This enables the same background processes to run multiple times.
• Override the maximum copy filesize limit: allows you to specify the size of files that applications can duplicate for further modifications while run in Sandbox. If a Sandboxed application rejects a file, enable this setting to change the preset 51 MB limit. You can set the location for modified files in Sandbox storage settings.
• Assign memory/cpu/time restrictions: applies limits to ensure that while using Sandbox your main system resources are available to run other applications.
• Drop administrative rights: removes administrative rights for applications run in Sandbox to prevent applications from accessing restricted system components.

Sandbox storage is a file space completely isolated from the rest of your system and other sandboxes.

When you run an application in Sandbox, all necessary files are always copied to Sandbox storage where they can be modified as needed without affecting the original files. Any new files created during virtualization are also saved to Sandbox storage.

By default, Sandbox storage is created in the same drive as the original file. If there is insufficient space on the pre-selected drive or you encounter disk performance issues, you may need to select a different drive from the dropdown menu or browse for another location.

Note: All modified and newly created files are deleted when you close your Sandboxed application.

Optimize virtualization and storage settings for browsers run in Sandbox.

Save trusted downloaded files: saves files downloaded while browsing the web inside the virtualized window onto your normal PC. This only applies to download processes which are identified as safe. If you untick this box, downloaded files are deleted when you close the Sandboxed browser.

Exclusions: excludes your personalized data in web browsers from being deleted when you close Sandbox. Tick each box according to your preferences, or tick All settings and components to exclude all listed components plus browser extensions and add-ons.

Maintenance: allows you to manage storage settings.

• Tick Cache web browser files to save only virtualized files for web browsers which improves the browser's performance in Sandbox.
• Select delete contents to delete cached contents, or tick Automatically cleanup sandbox storage and specify how often cached contents are deleted.

The Virtualized processes screen is useful when you want to regularly run questionable applications in Sandbox. You can configure Sandbox to always virtualize a specific application or several applications contained within a folder.

To add an application, type the its location manually into the text box or click Browse and select a file (.exe), then click OK. Alternatively, you can right-click the application's icon in Windows and select Always run in Sandbox from the context menu.

To add a folder containing several applications:

1. Click the down arrow next to Virtualized folders to expand the section.
2. Click Browse and tick the box next to the folder you want to virtualize, then click OK.

To add another item to the list, click Add. To remove an item, click the relevant row, then click Delete.

File and folder locations can include wildcard characters ? and *. The asterisk replaces zero or more characters, and the question mark replaces a single character. For example:

• To run all executable files in Sandbox, type *.exe into the text box.
• To run in Sandbox all files in a folders labeled in a certain way on any of your hard drives, include ?:\ in front of the path, for instance ?:\example\* .

Note: If Avast marks a file as suspicious after scanning but you need to regularly use the file, we recommend that you exclude the file from Settings ▸ General ▸ Exclusions, and then add the file to Virtualized processes to be automatically started in Sandbox each time its run.

Harmful applications running in Sandbox can attempt to capture sensitive data copied to the virtualized environment. To prevent malware from accessing this data, a list of common system locations is Blocked by default. Tick Allowed next to any file or program that you want to access during virtualization.

Under the section User-defined locations, you can Add your own locations to set the same Blocked/Allowed parameters. Type the folder location manually into the text box or click Browse, tick the relevant folder, then click OK.

To add another location to the list, click Add. To remove a location, click the relevant row, then click Delete.

All files acquired during a Sandbox session are deleted when you close the sandboxed application. If you want to keep certain files, you can save them to a folder specified on the Exclusions screen. We recommend to use caution when saving files from sandboxed applications to excluded locations. If the application running in Sandbox is malicious, saving a file to a location on your PC could be harmful.

To exclude a folder from sandboxing:

1. Type the folder location manually into the text box or click Browse, tick the relevant folder, then click OK.
2. Start sandboxed applications again for changes to take effect.

The folder which you specify in exclusions can now be used to save files from sandboxed applications permanently on your PC.

To add another folder to the list, click Add. To remove a folder, click the relevant row, then click Delete.

Note: Folder locations can include wildcard characters ? and *. The asterisk replaces zero or more characters, and the question mark replaces a single character. For example:

• To exclude a folder and its sub-folders, add \* to the end of the folder name, for instance C:\example\* .
• To exclude all folders labeled in a certain way on any of your hard drives, include ?:\ in front of the path, for instance ?:\example\* .

Configure which applications are able to access the Internet when run in Sandbox.

• Allow all applications running in Sandbox to access the Internet.
• Block all applications running in Sandbox, including web browsers, from accessing the Internet.
• Allow certain applications running in Sandbox to access the Internet:
  • Tick Web browsers to allow all sandboxed web browsers to access the Internet.
  • To allow an additional application to access the Internet from Sandbox, type its location manually into the text box or click Browse, tick the relevant folder, then click OK. To add another application to the list, click Add. To remove an application, click the relevant row, then click Delete.

Specify whether you want Sandbox to produce reports of the virtualized applications. When troubleshooting issues with Avast Support representatives, you may be requested to provide a report file.

To generate automatic Sandbox reports, follow these steps:

1. Tick Generate report file.
2. Manage the following settings:
   • File type: by default, all reports are generated in XML format.
   • Sort by: select to organize Sandbox activities by timestamp or by each category listed in Reported activities.
   • Delete logs older than: set a number of days after which logs are deleted.
3. Click OK.

All components in Reported activities are selected by default. We do not recommend changing the default settings unless asked to do so by Avast Support representatives.

The report file is saved in one of the following locations:

• Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista - C:\ProgramData\Avast Software\Avast\report
• Windows XP - C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\report