
Windows Defender, the Microsoft antivirus solution, is the first antivirus product that can run in a sandbox environment.

This development lets the application execute in a safe environment that is isolated from the operating system and from other applications, so that if the antivirus itself is compromised, the rest of the system is not affected.

Because antivirus and anti-malware tools run with the highest level of privileges in order to scan every part of a computer for malicious code, they have become a prized target for attackers.

For example, many vulnerabilities have been discovered in the past in popular antivirus products (e.g. ESET, Symantec, AVG, McAfee, Kaspersky, Malwarebytes) that could have been exploited to compromise the host.

For this reason, Microsoft decided to add a further security measure by introducing a sandbox mode for Windows Defender.

According to experts, implementing sandboxing in Windows Defender was not simple, because of the possible impact on system performance.

“Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’ content parsers that could enable arbitrary code execution,” Microsoft said in a blog post.

“Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.”


Tavis Ormandy, the well-known Google Project Zero white-hat hacker, praised Microsoft’s choice to adopt a secure sandbox mode.


Windows Defender running on Windows 10, version 1703 or later, supports the sandbox mechanism, but users have to explicitly enable it.

“The ability to gradually deploy this feature was another important design goal. Because we would be enabling this on a wide range of hardware and software configurations, we aimed to have the ability at runtime to decide if and when the sandboxing is enabled. This means that the entire content scanning logic can work both in-proc and out-of-proc, and it can’t make any assumptions about running with high privileges,” Microsoft continues.

“Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.”


To enable the feature, follow this procedure:

  1. Run “CMD” as administrator.
  2. Type “setx /M MP_FORCE_USE_SANDBOX 1” and press ENTER.
  3. Restart the computer; that’s it.
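The same procedure as an administrator would script it in PowerShell, with the checks the three steps above leave out: a build check, a read-back of the stored value, and a post-reboot check that the sandboxed engine process is actually running. This is an added example, not code from the article or from Microsoft. Two details are assumptions not stated on the page: that the machine-wide variable is persisted under the `Session Manager\Environment` registry key, and that the sandboxed content process is named `MsMpEngCP.exe` (running beside the main `MsMpEng.exe` engine process).

```powershell
# Added example (not from the article or from Microsoft): enables the
# Windows Defender Antivirus sandbox as the article describes
# (machine-wide MP_FORCE_USE_SANDBOX=1, then reboot) and adds the checks
# an administrator would want before and after the reboot.
# Assumptions not stated on the page: the machine-wide variable is stored
# under HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment,
# and the sandboxed content process is named MsMpEngCP.exe.

#Requires -RunAsAdministrator

$VarName = 'MP_FORCE_USE_SANDBOX'
$EnvKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Test-SupportedBuild {
    # The article states the switch is supported on Windows 10, version 1703
    # or later; 1703 corresponds to build 15063.
    $build = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
    return $build -ge 15063
}

function Enable-DefenderSandbox {
    if (-not (Test-SupportedBuild)) {
        throw 'Windows 10 version 1703 (build 15063) or later is required.'
    }
    # Equivalent to "setx /M MP_FORCE_USE_SANDBOX 1" from the article,
    # without shelling out to cmd.exe.
    [Environment]::SetEnvironmentVariable($VarName, '1', 'Machine')

    # Read the value back from the registry rather than from this process's
    # environment, which does not see a machine-wide value set after launch.
    $stored = (Get-ItemProperty -Path $EnvKey -Name $VarName -ErrorAction Stop).$VarName
    if ($stored -ne '1') {
        throw "Failed to persist $VarName (read back '$stored')."
    }
    Write-Host "$VarName=1 stored machine-wide. Restart the computer to apply it."
}

function Test-DefenderSandboxActive {
    # Run this after the reboot. Assumes (not from the page) that the sandboxed
    # content process is MsMpEngCP.exe, running beside MsMpEng.exe.
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $sandbox = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EngineRunning  = [bool]$engine
        SandboxRunning = [bool]$sandbox
        SandboxPids    = @($sandbox | ForEach-Object Id)
    }
}

function Disable-DefenderSandbox {
    # Reverses the setting; the change takes effect after the next restart.
    [Environment]::SetEnvironmentVariable($VarName, $null, 'Machine')
    Write-Host "$VarName removed. Restart the computer to apply the change."
}

# Usage:
#   Enable-DefenderSandbox        # then Restart-Computer
#   Test-DefenderSandboxActive    # after the reboot
```

The value is read back from the registry on purpose: `$env:MP_FORCE_USE_SANDBOX` in the same session would still be empty, because a machine-wide variable only reaches new processes, which is also why the article's reboot step is required before the engine picks it up.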