Windows Defender is the first antivirus solution that can run in a sandbox

Pierluigi Paganini October 30, 2018

Windows Defender, the Windows built-in anti-malware tool, implemented the ability to run in a secure sandbox mode.

The mechanism allows an application to be detonated in a safe environment that is isolated from the operating system and from other applications. This means that even if the application is compromised, the rest of the system is not affected unless the attacker also has a way to escape the sandbox.

Since antivirus and anti-malware tools run with the highest level of privileges in order to scan every part of a computer for malicious code, they have become a desirable target for attackers.

This is probably the first case of a sandbox mechanism implemented in an antivirus solution, with the aim of protecting the Windows system even if the antivirus itself is compromised.

In the past, several vulnerabilities were discovered in popular antivirus solutions (i.e. ESET, Symantec, AVG, McAfee, Kaspersky, MalwareBytes) that could have been exploited to compromise the host.

Microsoft has decided to implement additional security measures by introducing the sandbox mode in Windows Defender.

Experts pointed out that implementing sandboxing in Windows Defender was not simple, because of the possible impact on system performance.

“Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’ content parsers that could enable arbitrary code execution,” Microsoft said in a blog post.

“Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.”

Popular Google Project Zero white hat hacker Tavis Ormandy praised Microsoft’s choice to add a secure sandbox mode.

Currently, Windows Defender running on Windows 10, version 1703 or later, supports the sandbox mechanism, but users have to enable it explicitly.

“The ability to gradually deploy this feature was another important design goal. Because we would be enabling this on a wide range of hardware and software configurations, we aimed to have the ability at runtime to decide if and when the sandboxing is enabled. This means that the entire content scanning logic can work both in-proc and out-of-proc, and it can’t make any assumptions about running with high privileges,” continues Microsoft.

“Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.”

To enable the feature, use the following procedure:

  1. Run "CMD" as administrator.
  2. Type "setx /M MP_FORCE_USE_SANDBOX 1" and then press ENTER.
  3. Then restart your computer, that's it.
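The same procedure as a PowerShell script, added here as an example rather than taken from the article or from Microsoft: it checks that the Windows build is at least version 1703 (build 15063) before setting the machine-wide variable, reads the value back to confirm it was persisted, and, after the reboot, looks for the out-of-process scanning process. The name of that content process, MsMpEngCP.exe, comes from Microsoft's announcement rather than from this article and is treated here as an assumption.

```powershell
# Added example (not from the article or from Microsoft): enable Windows Defender
# Antivirus sandboxing machine-wide and verify the setting. Run from an elevated
# PowerShell session; the change takes effect only after a restart.
#Requires -RunAsAdministrator

$Name  = 'MP_FORCE_USE_SANDBOX'
$Value = '1'
# Windows 10 version 1703 corresponds to build 15063; earlier builds lack the feature.
$MinBuild = 15063

function Test-SandboxSupported {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int](Get-ItemPropertyValue -Path $key -Name CurrentBuildNumber)
    return ($build -ge $MinBuild)
}

function Get-SandboxSetting {
    # Machine-wide variables are stored in the registry; "setx /M" writes the same place.
    return [Environment]::GetEnvironmentVariable($Name, 'Machine')
}

function Enable-DefenderSandbox {
    if (-not (Test-SandboxSupported)) {
        throw "Requires Windows 10 version 1703 (build $MinBuild) or later."
    }
    # Equivalent to: setx /M MP_FORCE_USE_SANDBOX 1
    [Environment]::SetEnvironmentVariable($Name, $Value, 'Machine')
    if ((Get-SandboxSetting) -ne $Value) {
        throw "Failed to persist $Name machine-wide."
    }
    Write-Host "$Name=$Value set machine-wide; restart the computer to apply it."
}

function Test-SandboxActive {
    # After the reboot the content scanning logic runs out-of-proc. Assumption (from
    # Microsoft's announcement, not this article): that process is MsMpEngCP.exe.
    $cp = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue
    if ($cp) {
        Write-Host "Sandboxed content process running (PID $($cp.Id -join ', '))."
        return $true
    }
    Write-Host 'No sandboxed content process found; the setting may not be applied yet.'
    return $false
}

Enable-DefenderSandbox
Test-SandboxActive | Out-Null
```

Run the script once before the restart to set the variable, then run Test-SandboxActive again afterwards to confirm the separate content process has started.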

Pierluigi Paganini

(Security Affairs – Windows Defender, sandbox)
