Microsoft lets Windows Defender run partly in sandbox
Microsoft now allows part of Windows Defender to run in a sandbox, which should improve the security of the OS. Running Defender in the sandbox by default will reach Windows Insiders first.
According to Microsoft, Windows Defender is the first complete antivirus package that can run in a sandbox, and the company says it “raises the bar” for security. Microsoft is bringing the change to Windows Insiders first, but anyone running Windows 10 version 1703 or later can also force it on by setting the machine-wide environment variable MP_FORCE_USE_SANDBOX to 1, for example with ‘setx /M MP_FORCE_USE_SANDBOX 1’ from an elevated prompt, followed by a restart. On Insider builds of Windows it is enabled by default.
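As an added example (not from the article or from Microsoft), the following PowerShell script turns the opt-in on the way the article describes and then verifies it: it checks that the OS is at least version 1703 (build 15063, an assumption stated in the code), sets the machine-wide variable with setx, and after a reboot confirms that the sandboxed content process MsMpEngCP.exe is running next to the antimalware service MsMpEng.exe. The build-number check, the helper names and the reboot prompt are this example's own additions.

```powershell
# Added example: force the Windows Defender sandbox on a supported Windows 10 build
# and verify the result. Run from an elevated (Administrator) PowerShell session.

function Test-DefenderSandboxSupported {
    # Assumption: Windows 10 version 1703 corresponds to build 15063.
    $build = [System.Environment]::OSVersion.Version.Build
    return ($build -ge 15063)
}

function Enable-DefenderSandbox {
    if (-not (Test-DefenderSandboxSupported)) {
        throw "Windows 10 version 1703 or later is required for MP_FORCE_USE_SANDBOX."
    }
    # /M writes to the machine (HKLM) environment, so the antimalware service sees it.
    # setx is a separate executable; the call fails without administrator rights.
    & setx.exe /M MP_FORCE_USE_SANDBOX 1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "setx failed (exit code $LASTEXITCODE); is the session elevated?"
    }
    # Read the value back from the Machine scope, not from this process's copy.
    $value = [System.Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    if ($value -ne '1') {
        throw "MP_FORCE_USE_SANDBOX was not persisted (read back: '$value')."
    }
    Write-Host "MP_FORCE_USE_SANDBOX=1 set machine-wide. Restart Windows to apply it."
}

function Test-DefenderSandboxActive {
    # The sandboxed content process only appears once the engine is actually
    # running in sandboxed mode, so this is the post-reboot check.
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $content = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        AntimalwareServiceRunning = [bool]$engine
        SandboxedContentRunning   = [bool]$content
        SandboxActive             = ([bool]$engine -and [bool]$content)
    }
}

# Usage:
#   Enable-DefenderSandbox        # then reboot
#   Test-DefenderSandboxActive    # expect SandboxActive = True after the reboot
```

Reverting is the same operation with the value 0; because the variable lives in the machine scope, a plain `Remove-Item Env:MP_FORCE_USE_SANDBOX` only affects the current shell and does not undo it.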
Microsoft says that sandboxing the security component was difficult, mainly because performance can suffer significantly depending on how it is implemented. According to the company, customer feedback showed that there was demand for it. Antivirus products run with elevated privileges so they can perform deep scans of every part of the system, but that also makes them favored targets of attackers. A sandbox should keep a successful attack on the scanner from causing damage beyond that one process.
To this end, Microsoft has split the functionality of Defender into components that require full privileges and parts that do not and can therefore be sandboxed. The interaction between the two resulting parts also had to be minimized, and both parts had to be kept from consuming too many resources.
Both the privileged part and the sandboxed processes need access to malware signatures and other metadata, but Microsoft wanted to avoid keeping two copies of that data. Ultimately, the company opted for a model in which the data is placed in memory-mapped files that are read-only at runtime. Finally, Microsoft had to ensure that a successful attack on the sandbox could not let malware abuse a disinfection routine that runs with higher privileges.
This rollout is an example of the advantage Microsoft has from integrating its security suite into Windows. According to Kaspersky, Microsoft has abused that position in the past by hampering competing anti-malware packages and favoring its own antivirus suite. Kaspersky withdrew its complaints last year after Microsoft made changes.
The sandboxed content process MsMpEngCP.exe runs alongside antimalware service MsMpEng.exe