Antivirus Game Changer – Sandbox Mode for Windows 10 Defender
Windows 10 Defender Antivirus is now the most commonly deployed AV on Windows 10 PCs.After all, it comes with the OS and is an excellent product. It is, however, worth remembering that it is just software like any other and, as such, potentially vulnerable to attack.
Anti-virus, by its very nature, needs to have high level permissions. To function properly, the software must be able to read all files, see all data in memory and to monitor all system events as they happen. This demands the highest level of privilege.
There’s a potential downside to this access-all-areas capability. If the AV software is compromised and malware activated, said malware could potentially run with impunity, giving the attacker access right across the system. Also, because AV has to check such a wide range of data, file types and processes, it presents a large attack surface in its own right. This can be a bad combination.
That said, if you can run your program in an isolated environment (i.e. a sandbox), it means that if your AV is compromised, your wider system is protected from harm.
Enter Sandbox
Bearing all this in mind, you start to realise the significance of the recent announcement concerning Windows Defender Antivirus.
Users now have the option of running Defender Antivirus in a sandbox. It’s not yet enabled by default, this will most likely happen with the arrival of Windows 10 version 1903 early 2019, but Windows Defender users can now activate sandboxing for themselves (see below for how to activate it).
What Are the Risks?
At time of writing, there have been no reported instances of attacks in-the-wild successfully targeting Windows Defender Antivirus. However, last year, the UK’s National Computer Security Centre (NCSC) identified some bugs in the Windows Defender core. The bugs were quickly patched by Microsoft. The NCSC showed how exploitation of these vulnerabilities created the possibility of planting code in the OS and taking control of the system.
This discovery came shortly after UK agencies who handle classified data were warned by NCSC not to use Kaspersky AV due to fears that Russian hackers could use it as a means of obtaining back door access.
It’s thought likely that high-level threat actors are taking an interest in popular commercial AV software as an addition to their attack arsenal. Microsoft’s introduction of a sandboxing mode at this stage can be seen as a way of keeping on top of the threat.
Why does Sandboxing Reduce the Risk?
A sandbox is essentially a tightly controlled ‘safe space’ for a program to run in. It allows you, for example, to run a suspicious program or monitor a file without the risk of malicious code accessing the wider system.
However, integrating sandboxing into a complex security package is not exactly easy. Once you start interfering with the ability to inspect file operations in runtime, there’s serious risk that performance will suffer. This is a major reason why, up until now, no complete antivirus solution featured a sandboxing capability.
To avoid this problem, Microsoft had to implement a number of significant changes, including the layering of inspection processes and minimising transfers to avoid leaving the sandbox as far as possible.
How to Turn on Sandbox Mode
To Enable:
Open Start
On the Command Prompt, select Run as administrator
Type the following command and press Enter:
setx /M MP_FORCE_USE_SANDBOX 1
Restart the machine
To Disable:
Type the following command and press Enter:
setx /M MP_FORCE_USE_SANDBOX 0
Remember
Always remember that AV gives you a layer of protection but it’s definitely not a complete security strategy in itself. Sandboxing, with some justification, has been described as a game changer for Microsoft’s in-house AV package. But this doesn’t detract from the need to implement a layered security approach.