The Windows 10 built-in antivirus program can now run in a sandbox. Even if an attacker compromises the antivirus engine, they have no access to the rest of the system. As Google's Tavis Ormandy puts it, "this is game-changing."
In fact, Windows Defender is the first complete antivirus product that can run in a sandbox. None of the paid (or free) antivirus products you can download has this feature.
This news comes from the official Microsoft Secure blog. As Microsoft puts it:
Security researchers inside and outside Microsoft have previously identified ways in which an attacker could exploit vulnerabilities in Windows Defender Antivirus content parsers that could allow arbitrary code execution. While we have not seen any active attacks on Windows Defender Antivirus, we take these reports seriously …
Running Windows Defender Antivirus in a sandbox ensures that, in the unlikely case of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.
In other words, the Windows Defender antivirus process that analyzes downloaded files and other content runs with very few privileges. Even if there is a bug in that process and a maliciously crafted file exploits it to take over the antivirus program itself, the compromised antivirus process would not provide access to the rest of your system. The attack would fail.
Sure, an antivirus program still needs a lot of access to your system. However, the main antivirus process, which runs with many privileges, does not parse files itself. Content is handed to a low-privilege sandboxed process that does the dirty and dangerous work in an isolated area.
The blog post from Microsoft describes how this feature was implemented without noticeable performance degradation:
Performance: The main concern raised with sandboxing is that antimalware products are on many critical paths, for example synchronously inspecting file operations and processing and aggregating or matching a large number of runtime events. To ensure that performance is not compromised, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time perform these interactions only at key moments where their cost is not significant, such as when IO is being performed.
There are many more details than that in Microsoft's blog post, so check it out if you're interested.
When will you get it?
While this feature is exciting, it's not yet enabled by default on Windows 10.
Warning: Microsoft is not yet confident enough in this feature to enable it by default for all users, so errors may occur after you enable it. We activated it on our system and everything seemed to work well.
To enable this feature today, start a command prompt or PowerShell window as an administrator, run the following command, and then restart your PC:
setx /M MP_FORCE_USE_SANDBOX 1
This command works on Windows 10 version 1703, also known as the Creators Update, and newer versions of Windows 10. This version of Windows 10 was released in April 2017, so your PC almost certainly has this version or newer.
To undo this change, run the same command with the "1" replaced by a "0" and restart your PC. If for any reason you have problems starting the computer, boot into Safe Mode and run the command there.
After enabling sandboxing, a special content process called MsMpEngCP.exe appears with fewer permissions, alongside the default MsMpEng.exe antimalware process.
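To confirm that the change took effect after the reboot, here is an added PowerShell check (example code written for this page, not part of the original article or of Microsoft's tooling). It assumes that Windows 10 version 1703 corresponds to OS build 15063 and that the two process names above are the ones to look for.

```powershell
# Added example: report whether Windows Defender Antivirus content sandboxing has been
# requested via the environment variable and whether the sandboxed process is running.
# Run from an elevated PowerShell prompt after completing the steps above.
function Get-DefenderSandboxState {
    # The "setx /M" command above writes a machine-wide environment variable.
    $requested = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    $variableValue = if ($null -eq $requested) { '<not set>' } else { $requested }

    # Assumption: Windows 10 version 1703 (Creators Update) is build 15063;
    # older builds ignore the variable entirely.
    $build     = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $supported = $build -ge 15063

    # After a reboot the low-privilege content process MsMpEngCP.exe should be
    # running next to the main MsMpEng.exe antimalware service process.
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $content = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OSBuild            = $build
        BuildSupported     = $supported
        VariableValue      = $variableValue
        SandboxRequested   = ($requested -eq '1')
        EngineRunning      = [bool]$engine
        SandboxActive      = [bool]$content
        ContentProcessPIDs = @($content | Select-Object -ExpandProperty Id)
    }
}

$state = Get-DefenderSandboxState
$state | Format-List

# Requested but not active usually means the reboot has not happened yet,
# or the build is too old to honour the variable.
if ($state.SandboxRequested -and -not $state.SandboxActive) {
    Write-Warning 'MP_FORCE_USE_SANDBOX is set but MsMpEngCP.exe is not running; reboot first or check the OS build.'
}
```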
Once upon a time, we were pretty critical of Microsoft's antivirus program, but we think the latest versions are pretty good. We recommend that you use Windows Defender to protect your PC without the upsell and errors introduced by third-party antivirus software. And it comes standard with Windows 10, so all Windows users finally have a solid antivirus program.
We only wish Microsoft's antivirus program were more aggressive about blocking crapware.
RELATED: What's the Best Antivirus for Windows 10? (Is Windows Defender good enough?)