Microsoft partially lets Windows Defender run in sandbox

Microsoft now lets part of Windows Defender run in a sandbox, which should improve the security of the OS. Running Defender in the sandbox by default is first available to Windows Insiders.

According to Microsoft, Windows Defender is the first complete antivirus package that can run in a sandbox, which it says ‘raises the bar’ for security. The company is rolling the change out to Windows Insiders, but anyone running Windows 10 version 1703 or later can also force it by setting the environment variable MP_FORCE_USE_SANDBOX to 1, which can be done machine-wide with setx (‘setx /M MP_FORCE_USE_SANDBOX 1’). On Insider builds of Windows it is turned on by default.
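The following PowerShell is an added example, not from the article or from Microsoft: it sets the variable described above at machine scope and then checks whether the sandboxed content process (MsMpEngCP.exe) is actually running. It assumes an elevated prompt on Windows 10 version 1703 or later and that a restart is required before the antimalware service picks up the setting.

```powershell
# Added example (not the article's or Microsoft's code): enable the Defender
# sandbox via the documented environment variable and verify the result.
# Assumptions: elevated PowerShell on Windows 10 1703+; a reboot is needed
# before the antimalware service reads the new variable.

function Enable-DefenderSandbox {
    # setx /M writes the variable at machine scope (HKLM), which is where
    # services read their environment from; it requires administrator rights.
    setx /M MP_FORCE_USE_SANDBOX 1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "setx failed (exit code $LASTEXITCODE); is the shell elevated?"
    }
    Write-Host "MP_FORCE_USE_SANDBOX=1 set at machine scope; restart required."
}

function Test-DefenderSandbox {
    # Read the persisted machine-scope value, not this shell's copy of it.
    $val = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    # The sandboxed content process only exists once the setting is active,
    # so its presence next to MsMpEng.exe is the practical confirmation.
    $cp  = Get-Process -Name MsMpEngCP -ErrorAction SilentlyContinue
    $svc = Get-Process -Name MsMpEng   -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VariableSet      = ($val -eq '1')
        EngineRunning    = [bool]$svc
        SandboxRunning   = [bool]$cp
        ContentProcessId = @($cp | ForEach-Object Id)
    }
}

# Usage (run elevated):
#   Enable-DefenderSandbox; Restart-Computer
#   Test-DefenderSandbox    # after the reboot, expect SandboxRunning = True
```

If SandboxRunning stays False after a reboot, confirm VariableSet is True and that the build is 1703 or later; on older builds the variable is ignored.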

Microsoft says that placing the security component in a sandbox was difficult, mainly because performance could suffer significantly depending on the implementation. According to the company, user feedback showed there was a need for it. Security packages run with elevated privileges so they can perform deep scans of all components, but that also makes them popular targets for malicious parties. A sandbox must prevent a compromised component from doing damage outside of that application.

Microsoft divided Defender's functionality into features that absolutely require privileges and components that do not, which can therefore run in a sandbox. In addition, the interaction between the two resulting parts had to be minimized, and both parts had to be prevented from consuming too many resources.

Both the privileged part and the sandboxed processes need access to malware signatures and other metadata, but Microsoft wanted to avoid duplicating that data. The company eventually settled on a model in which the data is placed in memory-mapped files that are read-only at runtime. Finally, Microsoft had to prevent a successful attack on the sandbox from letting malware abuse the higher-privileged disinfection procedure.

This implementation is an example of the advantage Microsoft has from integrating its security package into Windows. According to Kaspersky, Microsoft has abused this position in the past by hindering third-party anti-malware packages and favouring its own av suite. Kaspersky withdrew its objections last year after Microsoft made changes.

Windows Defender Sandbox
The sandboxed content process MsMpEngCP.exe runs alongside the antimalware service MsMpEng.exe

