With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.
Enable sandboxing for Windows Defender
Running Windows Defender in a sandbox is supported on Windows 10, v1703 or later. You can enable the sandboxing implementation by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the computer. Execute the following command in an elevated command prompt: Having done this, restart your computer.
Why Sandboxing is important from a security viewpoint
The anti-virus was primarily designed with the objective of providing all-round security by inspecting the whole system for malicious content and artifacts and counter threats in real-time. So, it was essential to run the program with high privileges. This made it a potential candidate for attacks (especially the vulnerabilities existing in Windows Defender Antivirus’s content parsers that could trigger arbitrary code execution). Running Windows Defender within a sandbox makes escalation of privilege much more difficult and raises the cost for attackers. Also, running Windows Defender Antivirus in such a safe, isolated environment restricts entry of the malicious code, should there be any event of misfortune or system compromise. However, all these actions have a direct bearing on the performance. So, to ensure that performance doesn’t degrade, Microsoft adopted a novel approach. It aims to minimize the number of interactions between the sandbox and the privileged process. The company has also developed a model that hosts the most protection data in memory-mapped files that are read-only at runtime. The action ensures that there’s no overhead. Plus, the protection data is hosted into multiple processes. It proves beneficial during instances where both the privileged process and the sandbox process are required to get access to signatures and other detection and remediation metadata. Lastly, it is essential to note that the sandbox process shouldn’t trigger inspection operations by itself. Also, every inspection should not trigger additional scans. The compliance with this rule requires having complete control over the capabilities of the sandbox strategy. Low-privilege escalation in Windows Defender Antivirus sandboxing strategy offers the perfect way to implement strong guarantees and allow fine-grained control. The new development intends to spark a change in the world of technology and make innovation a part of Microsoft’s DNA.