Windows Defender Now Plays In Sandbox

Category: Anti-Virus

Windows Defender is now the world’s most secure antivirus software. Even if malware compromises Defender’s virus detection module, the malware cannot go on to take over control of the host device. Defender’s impenetrable shield is a “sandbox” - a virtual machine that exists in RAM, isolated from other components. Does that make it the best at malware detection? Read on for the scoop...

Should Your Antivirus Run in a Sandbox?

Viruses often target antivirus software because the latter has elevated privileges on the host machine that a virus can use to evil effect. Microsoft security researchers came up with a clever way to isolate the vulnerable part of Defender in a sandbox.

Defender consists of several security apps, including “content parsers” that analyze unknown files. Running these apps in a sandbox gives them very few privileges on the host machine. Even if a Defender parser is compromised by malware, it cannot be used to do harm on the host machine. When the parser is no longer needed, it and the sandbox simply dissolve back into free RAM, along with any virus infection.

Is this level of security necessary? Microsoft seems to take the “abundance of caution” position in its announcement of Defender’s new sandbox feature: “Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’s content parsers that could enable arbitrary code execution. While we haven’t seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously…”

Windows Defender runs in Sandbox environment

And, “Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.”

The main Defender app still needs high-level privileges and access to many areas of the host machine. But it passes the low-level, dangerous job of analyzing unknown files to its sandboxed parsers, so there is no direct contact between the highly-privileged Defender and suspicious software. This strategy effectively makes Defender immune to virus infections.

For now, though, Microsoft is cautiously rolling out this new sandboxing feature. Its announcement says Microsoft is "in the process of gradually enabling this capability for Windows Insiders and continuously analyzing feedback to refine the implementation." The article also mentions a way to manually turn on Defender's sandboxing, if you are running Windows 10 version 1703 (released March 2017) or later.
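An added check, not from this article or from Microsoft's post, for whether the sandbox is actually in effect on a Windows 10 1703-or-later machine. It reads the machine-level MP_FORCE_USE_SANDBOX environment variable that Microsoft's announcement documents as the manual switch, and looks for the low-privilege content process MsMpEngCP.exe running alongside the privileged engine MsMpEng.exe; the function and variable names below are this example's own.

```powershell
# Added example: report whether Windows Defender Antivirus is running its
# content parsers in the sandboxed process. Assumes Windows 10 1703 or later.
# MP_FORCE_USE_SANDBOX is the machine-level variable Microsoft documents for
# forcing the sandbox on during the gradual rollout; MsMpEngCP.exe is the
# low-privilege content process, MsMpEng.exe the privileged engine service.

function Get-DefenderSandboxStatus {
    $flag    = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $content = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ForceSandboxFlag = if ($flag) { $flag } else { '(not set)' }
        EngineRunning    = [bool]$engine
        SandboxRunning   = [bool]$content
        # The sandbox is in effect only when the content process is alive
        # next to the engine; the flag alone proves nothing until a reboot.
        SandboxActive    = ([bool]$engine -and [bool]$content)
    }
}

function Enable-DefenderSandbox {
    # Needs an elevated prompt; the change takes effect after a reboot.
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')
    Write-Host 'MP_FORCE_USE_SANDBOX=1 set at machine scope; reboot to start the sandboxed content process.'
}

$status = Get-DefenderSandboxStatus
$status | Format-List
if (-not $status.SandboxActive) {
    Write-Host 'Sandbox not active. Run Enable-DefenderSandbox from an elevated PowerShell, then reboot.'
}
```

Run the status function again after the reboot; SandboxActive should then report True and MsMpEngCP.exe should be visible in Task Manager.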

Thinking Inside the Box

Security researchers outside of Microsoft are impressed. Even the notorious security gadfly, Google’s Tavis Ormandy, calls sandboxed Defender “game-changing.” Ormandy was one of the researchers who identified bugs in Defender that might enable an attacker to take over the host machine, including one he openly denounced as “crazy bad.”

No other antimalware suite offers sandbox protection right now, but I expect a rush to implement it across the antimalware industry. Sandboxing is an elegant, tried-and-true way to protect a favorite target of malware – the antimalware software that opposes it. Defender is hardly the first antivirus program found to contain bugs that could be exploited by malware. Some examples from the past couple of years include “Multiple Vulnerabilities in Avast Antivirus” (April 2017), “Security vulnerabilities in Symantec and Norton 'as bad as it gets' warns researcher” (June 2016), and “Google Security Researcher Finds Serious Vulnerability In Kaspersky's TLS Interception Tool” (January 2017).

Time to Switch?

So am I recommending that everyone dump their existing third-party security tools? No, and here's why. I started this article by saying that "Windows Defender is now the world’s most secure antivirus software." But I didn't say it was the best. The fact that Defender's parsing module is secure is cool, but that doesn't make it the best at detection and protection. In fact, Microsoft has never intended Defender to be the best anti-malware solution. By their own admission, Defender is supposed to establish a baseline for anti-malware tools, a set of minimum features that every third-party security suite is expected to match or exceed.

That said, Defender has come a long way since the early days when it consistently ranked dead last in independent malware detection tests. In the latest test results from AV-Comparatives, Defender scored very well on detection, but led the league in false positives.

The free versions of AVG, Avast, and Bitdefender all got top marks from AV-Comparatives, but it's important to note that these lab tests really don't represent what I see as real-world usage. According to their factsheet, they ran their tests under Microsoft Windows 10 Pro "with up-to-date third-party software (such as Adobe Flash, Adobe Acrobat Reader, Java, etc.). Due to this, finding in-the-field working exploits and running malware is much more challenging than e.g. under a non-up-to-date system with unpatched/vulnerable third-party applications."

So what is the practical upshot of this news? Third-party developers do not want to be known as “not even as good as Windows Defender.” Therefore, I predict that sandboxing will be the next “big thing” in security suites. Kudos to Microsoft for setting that high bar. Kudos, too, to Tavis Ormandy and other security researchers who expose vulnerabilities in complacent companies’ products and goad them into developing solutions.

Are you confident that Windows Defender will provide adequate protection, or do you use a third-party security tool? Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted by on 30 Oct 2018

For Fun: Buy Bob a Snickers.

Prev Article:
[WARNING] Don't Click This Button!

The Top Twenty
Next Article:
[SNAP] Awesome Apps for Photographers

Most recent comments on "Windows Defender Now Plays In Sandbox"

Posted by:

30 Oct 2018

the less i have to do with microsoft, google and facebook, the better i feel...never cared for big brother!!!

Posted by:

Ihor Prociuk
30 Oct 2018

Hi Bob: Will "sandboxing" prevent other malware from getting in like ransomware, rootkits, keyloggers, etc? Will any security software tell if your computer is part of a "botnet" (and then remove the malware)?

Posted by:

Kenneth Heikkila
30 Oct 2018

Kaspersky works for me, but I am glad to see MS raising the bar.

Posted by:

Bob Dennett
30 Oct 2018

Bob: Some time ago you recommended using PrivaZer as a virus controller and I started it then and there. Since then the only items (2 folders) found were both downloaded from MS without my permission and both immediately deleted, so no need to say how happy I am about that, and thanks for the advice........

Posted by:

30 Oct 2018

Sandboxing only preserves the integrity of Defender. If the antivirus software is compromised, the malware can do anything it wants.

The sandboxing does nothing by itself to protect you but it lets the antivirus software work better to protect you.

If you do a quick internet search on each of the items you ask about, you will get your answers on them.

Posted by:

Louis Toscano
30 Oct 2018

Microsoft security products take too long to run.

Posted by:

Ken B
30 Oct 2018

Does this information apply only to Windows 10, or does it also apply to W7 and W8?

Posted by:

Hardie Johnson
30 Oct 2018

Doesn't Avast have sandbox already? Seems to have it for years?

Posted by:

David Evjen
30 Oct 2018

In previous remarks, even recently, you have talked positively about PC Matic. I have had horrible experiences with other products. but PC-Matic has been stable and I have not had any other hacking problems.

I was wondering what your thoughts about the relative comparison of PC-Matic and these other AV products you discussed.

EDITOR'S NOTE: I was going to mention the benefits of the whitelisting approach used by PC Matic, but didn't want to make this article too long. Here's my review of PC Matic:

I'm still using the copy I purchased about 2 months ago, and very happy with it.

Posted by:

30 Oct 2018

It's PC-Matic for me. Have used it for years, and I've never had any problem with it or any virus or other problems. I won't be changing to Defender only.

Posted by:

31 Oct 2018

I have been using PC Matic for about three years and have watched the improvements over time, quite happy. I have tried Avast, Win-zip products, and have kept only Defender and C Cleaner. Win-Zip used to delete Super Shield all the time and really didn't seem relevant other than that. I find that back-ups are a little odd because PC Matic works in the cloud but always gets skipped when running a standard machine weekly back-up.
As always Thanks for some more interesting information.

Posted by:

Brian B
31 Oct 2018

PC Matic's white list, and a Macrium Reflect weekly backup is all you could ever need. A white list is never fooled by an attack attempt. You have complete control on what is, and by extension, what isn't allowed through the door. A full, up to date disk image is a life saver in any situation where ransomware is attempted, or indeed any other complete loss of data and software.

Posted by:

31 Oct 2018

Can you run Kaspersky Internet Security Suite 2018 with PC Matic?

Posted by:

John G
31 Oct 2018

Have been using Windows Defender exclusively on 4 PCs for about 4 years. Never a problem. Got rid of Norton, Kaspersky, Symantec, etc. that came with PCs/internet subscription/corporate dictate. Have thought about PCMatic but don't seem to need it. Use free versions of CCleaner, iObit Uninstaller, Advanced System Care. No issues, ever.

Posted by:

31 Oct 2018

At Bob's advice a while ago, I just use Defender and Malwarebytes. Hope it all continues to work ok for me.

Posted by:

Wild Bill
06 Nov 2018

A note in passing: I have been using Avast Free for several years now, satisfactorily, supplemented with Malwarebytes scans and ADWCleaner scans. However, I suspect that my current good fortune is also due to a low value target posture as well as the use of common sense in clicking (or not clicking) on questionable items. Low profile posture supported by good sense may be the first line of defense.

Posted by:

06 Nov 2018

I have been running Malwarebytes Premium alongside Windows Defender about 9 months now on my Windows 10 Home desktop. I have a lot of faith in Malwarebytes. I was deciding about installing Bitdefender Free to run with Malwarebytes and then I read this article about the sandboxing. I used Sandboxie with Windows XP years ago and was well pleased with it.

Copyright © 2005 - Bob Rankin - All Rights Reserved