Windows Defender becomes first antivirus to run inside a sandbox

Windows Defender with sandbox support rolled out to Windows insiders, but some Windows 10 users can enable it right now.
Written by Catalin Cimpanu, Contributor

Microsoft announced today that Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment.

In software design, a "sandbox" is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources.

The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS.

A sandbox escape is one of the most complex pieces of exploitation malware, or a hacker can perform, and running programs inside sandboxed environments is considered an optimal security measure and good software architecture.

"We're in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation," Microsoft said today in a celebratory blog post.

Users who can't wait until Microsoft finishes testing the feature can also enable it right now. Support for Windows Defender running inside a sandbox environment has been silently added since Windows 10 version 1703. To enable it right now, Windows 10 users can follow these steps:

  • Open the Start Menu and type "cmd.exe".
  • Right-click the cmd.exe (Command Prompt app) and click on the "Run as Administrator" option.
  • Type setx /M MP_FORCE_USE_SANDBOX 1
  • Press enter and wait for the validation.
  • Restart the PC.

Microsoft says it started working on porting Windows Defender to a sandbox environment after "security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus's content parsers that could enable arbitrary code execution."

The most infamous of these researchers is Google's Tavis Ormandy, who identified several of these types of vulnerabilities, including one that he labeled "crazy bad."

During many of his bug reports, Ormandy had privately and publicly recommended that Microsoft move Windows Defender to a sandbox and prevent attackers from using it as a way to take over Windows PCs.

This type of attack is possible because Windows Defender --but also all antivirus programs-- automatically scan all incoming files and data streams, such as emails, IM messages, or newly downloaded files. Windows Defender scans these files for viruses, but if the file contains malformed code, this automatic scan also ensures malicious code is executed as soon as it reaches a user's computer, with SYSTEM-level privileges.

If Windows Defender or any other antivirus is vulnerable, the attack can be devastating, allowing hackers to take full control over targeted PCs.

Microsoft said it did not see any such attacks against Windows Defender in the wild, but the company opted to sandbox Windows Defender and not take any risks with users' safety.

Windows 10 October 2018 Update: The new features that matter most

More Microsoft Coverage:

Editorial standards