The sandbox can be forced enabled by all Windows users

Oct 26, 2018 20:05 GMT  ·  By

Windows Defender Antivirus can now run inside a sandbox on Windows 10, version 1703 or later, making it the first anti-malware solution for Windows capable of such a feat. 

By placing Windows Defender Antivirus inside a sandbox, Microsoft has made it very hard for malware developers to obtain access to critical system modules seeing that while being sandboxed programs are entirely isolated from the rest of the system, having extremely limited access to both memory and disk resources.

Enabling a restricted process execution environment for running Windows Defender Antivirus is a decision taken by Microsoft after receiving a lot of feedback from security researchers who marked the high privileged antivirus solution as a high-risk attack vector.

Windows Defender Antivirus uses high privileges to be able to continuously monitor and defeat malicious attacks, which makes it the perfect target for attackers who want a simple way to trigger a privilege escalation condition.

By implementing support for running in a sandbox in Windows' default antivirus solution, Microsoft wants to make sure that any bad actors who manage to exploit Windows Defender Antivirus vulnerabilities to set off arbitrary code execution conditions will not be able to execute malicious tools using high privileges.

"Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm," said Microsoft.

Windows Defender Antivirus' sandbox will prevent attackers from using exploits to compromise the OS

Moreover, "This is part of Microsoft’s continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection."

Even though Microsoft is only rolling out the Windows Defender Antivirus sandbox feature for Windows insiders, all other Windows 10 users can enable it on their computers as long as they're willing to start up the Command Prompt using Administrator privileges and to type the following command:


setx /M MP_FORCE_USE_SANDBOX 1
Besides the new sandbox feature, Microsoft also implemented a host of other measures to make sure that Windows users are protected from potential security attacks, ranging from network and exploit protection to hardware-based isolation and controlled folder access.