Windows Built-in Antivirus Gets Secure Sandbox Mode – Turn It ON


Microsoft Windows built-in anti-malware tool, Windows Defender, has become the very first antivirus software to have the ability to run inside a sandbox environment.

Sandboxing is a process that runs an application in a safe environment isolated from the rest of the operating system and applications on a computer. So that if a sandboxed application gets compromised, the technique prevents its damage from spreading outside the closed area.

Since antivirus and anti-malware tools run with the highest level of privileges to scan all parts of a computer for malicious code, it has become a desired target for attackers.

The need for sandboxing an antivirus tool has become necessary after multiple critical vulnerabilities were discovered in such powerful applications, including Windows Defender, in past years that could have allowed attackers to gain full control of a targeted system.

That's why Microsoft announced to add a sandbox mode to its Windows Defender. So, even if an attacker or a malicious app exploiting a flaw in Defender compromises the antivirus engine, the damage can't reach out to other parts of the system.

"Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus' content parsers that could enable arbitrary code execution," Microsoft said in a blog post.

Google Project Zero's researcher Tavis Ormandy, who found and disclosed several of these types of flaws in the past year, lauded the Microsoft's effort on Twitter, saying it was "game-changing."

"Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm," Microsoft said.

According to Microsoft, implementing sandboxing in Windows Defender was a challenge for its engineers because the process had the potential to cause performance degradation and required a number of fundamental changes.

However, the research community has taken it as a welcoming step by Microsoft that has raised the bar on security for commercial antivirus and anti-malware solutions out there.

How to Turn On Sandbox Feature in Windows Defender Antivirus


For now, Windows Defender running on Windows 10, version 1703 (also known as the Creators Update) or later, support the sandbox feature, which is not enabled by default, but you can turn the feature on by running following command on your system:
  1. Open Start and Search for "CMD" or "Command Prompt"
  2. Right Click on it and select "Run as administrator."
  3. Type: "setx /M MP_FORCE_USE_SANDBOX 1" and then press ENTER
  4. Then restart your computer, that’s it

Microsoft is gradually rolling out a Windows Insider preview supporting the sandboxing feature in Defender Antivirus, and the feature will soon become widely available, though it is not sure when this will happen.