Windows Defender Now Plays In Sandbox
Windows Defender is now the world’s most secure antivirus software. Even if malware compromises Defender’s virus detection module, the malware cannot go on to take over control of the host device. Defender’s impenetrable shield is a “sandbox” - a virtual machine that exists in RAM, isolated from other components. Does that make it the best at malware detection? Read on for the scoop...
Should Your Antivirus Run in a Sandbox?
Viruses often target antivirus software because the latter has elevated privileges on the host machine that a virus can use to evil effect. Microsoft security researchers came up with a clever way to isolate the vulnerable part of Defender in a sandbox.
Defender consists of several security apps, including “content parsers” that analyze unknown files. Running these apps in a sandbox gives them very few privileges on the host machine. Even if a Defender parser is compromised by malware, it cannot be used to do harm on the host machine. When the parser is no longer needed, it and the sandbox simply dissolve back into free RAM, along with any virus infection.
Is this level of security necessary? Microsoft seems to take the “abundance of caution” position in its announcement of Defender’s new sandbox feature: “Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’s content parsers that could enable arbitrary code execution. While we haven’t seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously…”
And, “Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.”
The main Defender app still needs high-level privileges, access to many areas of the host machine. But it passes the low-level, dangerous job of analyzing unknown files to its sandboxed parsers, so there is no direct contact between the highly-privileged Defender and suspicious software. This strategy effectively makes Defender immune to virus infections.
For now, though, Microsoft is cautiously rolling out this new sandboxing feature. The announcement says they are "in the process of gradually enabling this capability for Windows Insiders and continuously analyzing feedback to refine the implementation." The article also mentions a way to manually turn on Defender's sandboxing, if you are running Windows 10 version 1703 (released March 2017) or later.
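For readers who want to try the manual switch, here is an added example (not from the article, and not Microsoft's own script) that enables sandboxing and then checks whether the sandboxed parser process is running. It assumes, from Microsoft's announcement rather than from this page, that the machine-wide environment variable MP_FORCE_USE_SANDBOX set to 1 is the switch and that the sandboxed content parser appears as the process MsMpEngCP.exe beside the main engine MsMpEng.exe; check both names against the announcement before relying on them.

```powershell
# Added example, not from the article or from Microsoft's documentation.
# Assumptions (from Microsoft's announcement, not this page):
#   - MP_FORCE_USE_SANDBOX=1 (machine scope) turns sandboxing on; 0 turns it off.
#   - The sandboxed content parser runs as MsMpEngCP.exe; the engine is MsMpEng.exe.
# Requires Windows 10 1703 or later and an elevated (Administrator) PowerShell.

#Requires -RunAsAdministrator

function Enable-DefenderSandbox {
    # setx /M writes the variable to the machine (HKLM) environment so the
    # Defender service sees it after a reboot; the current session does not.
    setx /M MP_FORCE_USE_SANDBOX 1 | Out-Null
    # Return the stored value so the caller can confirm the write succeeded.
    [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
}

function Disable-DefenderSandbox {
    # Same mechanism in reverse; a reboot is needed for it to take effect.
    setx /M MP_FORCE_USE_SANDBOX 0 | Out-Null
    [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
}

function Test-DefenderSandbox {
    # After the reboot, the low-privilege parser should show up as its own
    # process next to the privileged engine. Missing engine usually means a
    # third-party antivirus has taken over and Defender is passive.
    $engine  = Get-Process -Name MsMpEng   -ErrorAction SilentlyContinue
    $sandbox = Get-Process -Name MsMpEngCP -ErrorAction SilentlyContinue

    if ($sandbox) {
        $status = 'Sandboxed content parser (MsMpEngCP.exe) is running'
    } elseif ($engine) {
        $status = 'Engine running but no sandbox process; reboot after enabling'
    } else {
        $status = 'Defender engine not running (third-party antivirus active?)'
    }

    [pscustomobject]@{
        EngineRunning  = [bool]$engine
        SandboxRunning = [bool]$sandbox
        Status         = $status
    }
}

# Usage: enable, reboot, then run Test-DefenderSandbox again to confirm.
Enable-DefenderSandbox
Test-DefenderSandbox
```

The check is deliberately a process-name test rather than a registry read: the environment variable only records the request, while the presence of the separate parser process shows that the engine actually honoured it after the restart.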
Thinking Inside the Box
Security researchers outside of Microsoft are impressed. Even the notorious security gadfly, Google’s Tavis Ormandy, calls sandboxed Defender “game-changing.” Ormandy was one of the researchers who identified bugs in Defender that might enable an attacker to take over the host machine, including one he openly denounced as “crazy bad.”
No other antimalware suite offers sandbox protection right now, but I expect a rush to implement it across the antimalware industry. Sandboxing is an elegant, tried-and-true way to protect a favorite target of malware – the antimalware software that opposes it. Defender is hardly the first antivirus program found to contain bugs that could be exploited by malware. Some examples from the past couple of years include “Multiple Vulnerabilities in Avast Antivirus” (April 2017), “Security vulnerabilities in Symantec and Norton 'as bad as it gets' warns researcher” (June 2016), and “Google Security Researcher Finds Serious Vulnerability In Kaspersky's TLS Interception Tool” (January 2017).
Time to Switch?
So am I recommending that everyone dump their existing third-party security tools? No, and here's why. I started this article by saying that "Windows Defender is now the world’s most secure antivirus software." But I didn't say it was the best. The fact that Defender's parsing module is secure is cool, but that doesn't make it the best at detection and protection. In fact, Microsoft has never intended Defender to be the best anti-malware solution. By their own admission, Defender is supposed to establish a baseline for anti-malware tools, a set of minimum features that every third-party security suite is expected to match or exceed.
That said, Defender has come a long way since the early days when it consistently ranked dead last in independent malware detection tests. In the latest test results from AV-Comparatives, Defender scored very well on detection, but led the league in false positives.
The free versions of AVG, Avast, and Bitdefender all got top marks from AV-Comparatives, but it's important to note that these lab tests really don't represent what I see as real-world usage. According to their factsheet, they ran their tests under Microsoft Windows 10 Pro "with up-to-date third-party software (such as Adobe Flash, Adobe Acrobat Reader, Java, etc.). Due to this, finding in-the-field working exploits and running malware is much more challenging than e.g. under a non-up-to-date system with unpatched/vulnerable third-party applications."
So what is the practical upshot of this news? Third-party developers do not want to be known as “not even as good as Windows Defender.” Therefore, I predict that sandboxing will be the next “big thing” in security suites. Kudos to Microsoft for setting that high bar. Kudos, too, to Tavis Ormandy and other security researchers who expose vulnerabilities in complacent companies’ products and goad them into developing solutions.
Are you confident that Windows Defender will provide adequate protection, or do you use a third-party security tool? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 30 Oct 2018
Copyright © 2005 - Bob Rankin - All Rights Reserved