Microsoft began the process of moving Windows Defender to a sandbox after much input from the security community. Researchers inside and outside the company had detected ways an attacker could abuse flaws in the tool’s content parsers and enable arbitrary code execution.
But the project was a “complex undertaking,” said Mady Marinescu, of the Windows Defender Engineering team, and Eric Avenca, of Microsoft Content Experience, in a blog post announcing the change. The team had to study the implications for performance and functionality, and identify high-risk areas to make sure sandboxing didn’t undermine any existing security measures.
Windows Defender runs with high privileges to scan systems for malicious content; because of this, it’s already a prime target for cyberattacks. If someone successfully exploits a bug in Windows Defender, an entire system can be taken over. Microsoft reports it hasn’t seen attacks targeting its antivirus tool in the wild, but it has been hardening Windows 10 over time with hardware-based isolation, network protection, controlled folder access, and other tech.
With Windows Defender running in a restrictive process execution environment, attackers who break in are stuck inside the isolated environment and can’t affect the rest of the system.
The feature is now available to Windows Insiders to test in upcoming versions of Windows 10. If you are not in the program and can’t wait for Microsoft to release it in full, you can force-enable Windows Defender to run in a sandbox on Windows 10 version 1703 and later.
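For administrators who want to try the sandbox ahead of a full release, the following PowerShell is an added example (not code from the article or from Microsoft) that sets the machine-wide switch and then checks whether the isolated content process is running. It assumes an elevated session, that the variable MP_FORCE_USE_SANDBOX=1 enables the sandbox (this name comes from Microsoft's announcement of the feature, not from this article), and that the sandboxed content process is named MsMpEngCP.exe; a reboot is needed before the check will succeed.

```powershell
# Added example: force-enable the Windows Defender Antivirus sandbox on
# Windows 10 1703+ and verify afterwards. Assumes an elevated session,
# the MP_FORCE_USE_SANDBOX variable from Microsoft's announcement, and the
# MsMpEngCP.exe content-process name. Reboot after enabling.

function Enable-DefenderSandbox {
    # Machine scope matters: the Defender service runs as SYSTEM and reads
    # the machine-wide environment at start-up, not a user's profile.
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')
    Write-Host 'MP_FORCE_USE_SANDBOX=1 set machine-wide; reboot to apply.'
}

function Get-DefenderSandboxSetting {
    # Read back the current machine-wide value so the change can be audited.
    [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
}

function Test-DefenderSandbox {
    # With the sandbox active, the engine process MsMpEng.exe is joined by a
    # low-privilege content process MsMpEngCP.exe that does the parsing.
    $cp = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue
    if ($cp) {
        Write-Host "Sandbox active: MsMpEngCP.exe running (PID $($cp.Id))"
        return $true
    }
    Write-Host 'Content process not found: reboot pending, or build lacks the feature.'
    return $false
}

Enable-DefenderSandbox
Get-DefenderSandboxSetting
Test-DefenderSandbox
```

To revert, remove the variable (set it to `$null` with the same Machine scope) and reboot; the presence or absence of MsMpEngCP.exe after restart is the quickest confirmation of which mode the engine is in.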
Microsoft is looking ahead and now working on anti-tampering defenses for Windows Defender Antivirus, it reports.