Windows Defender Antivirus can now run in a sandbox

Nightwalker

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox. With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.
Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community. It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.
While it was a tall order, we knew it was the right investment and the next step in our innovation journey. It is available to Windows Insiders today. We encourage researchers and partners to try and examine this feature and give us feedback, so we can fine-tune performance, functionality, and security before we make it broadly available.

More info:
Windows Defender Antivirus can now run in a sandbox - Microsoft Secure

That's impressive, really, kudos to Microsoft.



509322

That's impressive, really, kudos to Microsoft.

Microsoft didn't come up with this... it was negligent in the design of Windows Defender in the first place. Security researchers attacked Windows Defender, compromised it, pwned the system, and reported the exploit to Microsoft. Most notably Tavis Ormandy from Google's Project Zero. And Tavis told them they need to sandbox MsMpEng.exe. Researchers working for Microsoft verified and found additional ways.

"Microsoft says it started working on porting Windows Defender to a sandbox environment after "security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus's content parsers that could enable arbitrary code execution."

The most infamous of these researchers is Google's Tavis Ormandy, who identified several of these types of vulnerabilities, including one that he labeled "crazy bad.""
 

509322

You gotta love this last sentence:

"Rather than taking Project Zero’s approach to the problem by continually pointing out the symptoms of this inherent flaw, let’s bring Windows Defender back to the future."

Wut?

Google Project Zero takes a pro-user stance. Please explain how pointing stuff out and throwing it in Microsoft's face - there's something wrong with that? Oh, wait... I see. Let's do the work for Microsoft.

Wut?

OK... Tavis and his crew can code it for Microsoft and then submit a bill. If I were Tavis, I'd make sure it was a really fat and greasy bill.

Oh, gee,... too late. Someone did it for free.
 

shmu26

This is the same thing Comodo has been doing for years, right?
Comodo puts into a sandboxed environment the unrecognized files that you run. The new WD feature does not do that. It runs WD itself in a sandboxed environment, making it harder for malware to neutralize WD, or worse, to hijack WD and thus gain system level privileges.
 

Eddie Morra

Comodo's sandbox is based on hardware-assisted technology which is integrated into the CPU (e.g. both Intel and AMD have their own versions). This allows Comodo to provide a hypervisor implementation. Comodo's sandbox is based on virtualisation technology.

The recently implemented sandbox for Windows Defender is not leveraging hardware-assisted technology for virtualisation. It's a normal, software-level sandbox container implementation. This means that the sandboxed process is not truly "isolated" from the host environment - the sandbox container simply limits privileges and prevents various things from being allowed (e.g. prevention of anything which violates the enabled exploit mitigations or exhibits behaviour which is being intentionally blocked through other means), essentially.

The original article provides a simple description of how the sandbox container for Windows Defender works.

The content processes, which run with low privileges, also aggressively leverage all available mitigation policies to reduce the attack surface. They enable and prevent runtime changes for modern exploit mitigation techniques such as Data Execution Prevention (DEP), Address space layout randomization (ASLR), and Control Flow Guard (CFG). They also disable Win32K system calls and all extensibility points, as well as enforce that only signed and trusted code is loaded. More mitigation policies will be introduced in the future, alongside other techniques that aim to reduce even further the risk of compromise, such as multiple sandbox processes with random assignment, more aggressive recycling of sandbox processes without a predictable schedule, runtime analysis of the sandbox behavior, and others.


Due to this, you will not need to have certain hardware which supports virtualization (and if you do have sufficient hardware, the virtualization features will not need to be enabled via the BIOS) to use the Windows Defender sandboxing feature.
 

oldschool

Comodo's sandbox is based on hardware-assisted technology which is integrated into the CPU (e.g. both Intel and AMD have their own versions). This allows Comodo to provide a hypervisor implementation. Comodo's sandbox is based on virtualisation technology.

Right. I believe the article also says that this was done to make the feature available to older machines, like my Lenovo i3, which has no virtualization capability.
 

Nightwalker

In layman's terms, this WD sandbox isn't to protect the system against malware by isolating it (like Comodo), nor to create a virtual machine to analyze its behavior (like ESET); it is to protect Windows Defender itself against exploitation.

This technology is all about limiting the risk surface, so in case of a vulnerability, the attacker shouldn't be able to wreak havoc with all system privileges.

A sandboxed antivirus is a really big deal and has huge security benefits. I am anxious to see how Windows Defender will evolve next year ...
 

DeepWeb

I have tried this again and it's still not working on my device, checked the environmental variable, disabled all group policy configs for Windows Defender. Process Explorer does not show the process in AppContainer, rather System and another child process does not reveal how it's running lol. Have they integrated the sandbox into Windows 10 yet?
 

oldschool

I have tried this again and it's still not working on my device, checked the environmental variable, disabled all group policy configs for Windows Defender. Process Explorer does not show the process in AppContainer, rather System and another child process does not reveal how it's running lol. Have they integrated the sandbox into Windows 10 yet?

You don't see MsMpEngCP in PE? Like this?

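For anyone wanting to check, from a shell rather than from the Process Explorer screenshot, the two things discussed above (Eddie Morra's point that the content process is an ordinary low-privilege process carrying a set of exploit-mitigation policies, and DeepWeb's question of whether the sandbox is actually active on a given machine), here is an added PowerShell script. It is not from the thread, from any of the posters, or from Microsoft. It assumes an elevated PowerShell session on a Windows 10 Insider build with Defender AV running, and it assumes the machine-wide opt-in variable documented in the Microsoft post linked in the first post, `setx /M MP_FORCE_USE_SANDBOX 1` followed by a reboot. The process name `MsMpEngCP.exe` is the one oldschool refers to; the mitigation names are the ones in the quoted Microsoft paragraph, read back from the live process instead of taken on trust.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm the Windows Defender AV content process is running
# sandboxed and list the mitigation policies it actually carries.
# Assumption: MP_FORCE_USE_SANDBOX=1 was set machine-wide (setx /M) and the
# box was rebooted, as described in the Microsoft post linked in the thread.

# 1. Is the opt-in variable set system-wide? setx /M writes it here; a
#    per-user variable or one set only in the current shell never reaches
#    the service, which is a common reason "it's still not working".
$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$optIn  = (Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue).MP_FORCE_USE_SANDBOX
"MP_FORCE_USE_SANDBOX (machine-wide): $(if ($optIn) { $optIn } else { '<not set>' })"

# 2. Is there a content process, and is it a child of the engine service?
$engine = Get-CimInstance Win32_Process -Filter "Name = 'MsMpEng.exe'"
$cp     = Get-CimInstance Win32_Process -Filter "Name = 'MsMpEngCP.exe'"
if (-not $cp) {
    Write-Warning 'No MsMpEngCP.exe running: sandbox not active (variable missing, no reboot yet, or build too old).'
    return
}
foreach ($p in $cp) {
    $parentIsEngine = $engine.ProcessId -contains $p.ParentProcessId
    "MsMpEngCP.exe PID $($p.ProcessId): parent PID $($p.ParentProcessId), parent is MsMpEng.exe = $parentIsEngine"
}

# 3. Which account does each process run as? The engine is a SYSTEM service;
#    the whole point of the sandbox is that the parser child is not.
Get-Process -Name MsMpEng, MsMpEngCP -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object Name, Id, UserName | Format-Table -AutoSize

# 4. Read the exploit-mitigation policies back from the live content process.
#    The Microsoft post names DEP, ASLR, CFG, Win32k syscall disable and
#    signed-only image loading; these are the corresponding fields that
#    Get-ProcessMitigation exposes for a running process by PID.
$cpPid = $cp[0].ProcessId
try {
    $mit = Get-ProcessMitigation -Id $cpPid
    [pscustomobject]@{
        DEP                   = $mit.DEP.Enable
        ASLR_ForceRelocate    = $mit.ASLR.ForceRelocateImages
        ASLR_BottomUp         = $mit.ASLR.BottomUp
        ASLR_HighEntropy      = $mit.ASLR.HighEntropy
        CFG                   = $mit.CFG.Enable
        CFG_Strict            = $mit.CFG.StrictCFG
        Win32kSyscallsDisabled= $mit.SystemCall.DisableWin32kSystemCalls
        ExtensionPointsOff    = $mit.ExtensionPoint.DisableExtensionPoints
        MicrosoftSignedOnly   = $mit.BinarySignature.MicrosoftSignedOnly
        DynamicCodeBlocked    = $mit.DynamicCode.BlockDynamicCode
        ChildProcessesBlocked = $mit.ChildProcess.DisallowChildProcessCreation
    } | Format-List
}
catch {
    # Defender's engine runs as a protected process (PPL); if the content
    # process is protected too, the handle open fails even from an admin shell.
    Write-Warning "Could not read mitigations for PID ${cpPid}: $($_.Exception.Message)"
}
```

Step 2 is the scripted version of what oldschool is looking for in Process Explorer (a MsMpEngCP.exe child under MsMpEng.exe); step 4 is the part that matters for the security argument, since a policy that is only described in a blog post is not the same as one that shows up as enabled on the running parser process. If step 1 reports the variable and step 2 still finds no child, the machine has most likely not been rebooted since the variable was set, or the installed build predates the feature.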
