Microsoft test sandbox for Windows Defender

Microsoft adds an important update to Windows Defender in the form of a sandbox mode. This is currently being tested in certain Insider-builds.

The sandbox mode significantly increases the security of Windows Defender. Microsoft decided to implement the feature after security researchers found vulnerabilities in the content parsers of Windows Defender. This makes it possible to execute (malicious) code.

Although we haven’t seen any attacks in the wild, we take these reports seriously. We immediately solved potential problems and increased our own research and testing, writes Mady Marinescu of the Windows Defender Engineering team in a blog post. At the same time, we have continued to harden Windows 10 against attacks in general.

Sandbox

By using Windows Defender in a sandbox, vulnerabilities can no longer be exploited to damage the system. The antivirus functions completely shut down in a separate, isolated environment. According to Microsoft, it is the first complete antivirus solution that can run completely in a sandbox.

The sandbox support was, according to the company itself, a difficult undertaking for the Redmond-based giant. We had to study the performance and functionality implications carefully, says Marinescu. More importantly, we had to identify high-risk areas and ensure that sandboxing did not adversely affect the security level.

Self-activation

Because of this challenge, Microsoft is gradually rolling out the functionality to Insiders, in order to first collect as much feedback as possible. However, it is also possible to activate the sandbox manually.

Users can activate the sandbox with the command setx /M MP_FORCE_USE_SANDBOX 1. After a restart, the function is active, provided you use Windows 10 version 1703 or newer.

Once the sandboxing is enabled, a new process MsMpEngCP.exe appears next to the antimalware service MsMpEng.exe.