New Sandbox Mode for Windows 10 Defender Antivirus: Here’s why you should pay attention…

Antivirus (AV) is a commonly relied upon security control. But it’s worth remembering that there’s nothing inherently “hack-proof” about this type of software. After all, no program (AV included) is immune to outside attack!

That said, if you can run your program in an isolated environment (i.e. a sandbox), it means that if the program is compromised, your wider system is protected against harm.

Bearing all this in mind, you start to realise the significance of the recent announcement concerning Windows Defender Antivirus.

Under Microsoft’s new Windows Insider preview, users now have the option of running Defender Antivirus in a sandbox. Getting this off the ground was no mean feat – and it’s not yet enabled by default (this will most likely happen with the arrival of Windows 10 version 1903 early next year). But Windows Defender users can now activate sandboxing for themselves.

Here’s a closer look at why this is potentially useful – and at how to activate it.

Antivirus software: Who’s guarding the guards?

  • By its nature, AV needs to have high level permissions to enable unfettered systems access. To do its job properly, the software must be able to read all files on disk, inspect all streams of data in memory – and to monitor events in real time. All of this demands the highest level of privilege.
  • There’s a flipside to all of this access-all-areas capability. Because AV comprises multiple internal components for examining such a wide range of data and file types, it presents a large attack surface with many potential entry points. If the AV software were compromised and malicious code executed within it, that code would inherit the AV’s privileges and could run with impunity, granting the attacker access right across the system.

How real is the risk?

So far, there have been no reported instances of in-the-wild attackers successfully targeting Windows Defender Antivirus.

But last year, the UK’s National Computer Security Centre (NCSC) flagged up a couple of bugs in the Windows Defender core (bugs that were quickly patched by Microsoft). The NCSC explained how exploitation of these vulnerabilities created the possibility of planting code in the OS and taking control of the system.

This discovery came shortly after UK agencies who handle classified data were warned by NCSC not to use Kaspersky AV – amid fears that Russian threat actors could use it as a means of obtaining back door access.

It’s thought likely that high-level threat actors are taking a close interest in popular commercial AV packages to add to their attack arsenal. For common-or-garden users, it’s fair to say that this particular threat is largely theoretical at this moment in time – or at least, ‘one to watch’. Microsoft’s introduction of a sandboxing mode at this stage can be seen as a way of keeping on top of the threat.

How does sandboxing reduce the risk?

A sandbox is essentially a tightly controlled ‘safe space’ for a program to run in. It allows you, for instance, to run a suspicious program or monitor a file without the risk of malicious code entering into the wider system.

But integrating sandboxing into a complex security package isn’t exactly easy. Once you start tinkering with the ability to inspect file operations at runtime, there’s a very real danger that performance will suffer. Too many protective measures can mean the whole process grinding to a halt. That’s why, up until now, no complete antivirus solution featured a sandboxing capability.

To get around all of this, Microsoft had to implement a number of significant changes, including layering the inspection processes and minimising the number of transitions out of the sandbox, so that inspection stays inside the isolated process as far as possible.

How to enable sandbox mode

This requires you to do the following:

1. Open Start

2. Find Command Prompt and select Run as administrator

3. Type the following command and press Enter: setx /M MP_FORCE_USE_SANDBOX 1

4. Restart the machine

NOTE: To disable sandbox mode, type the following command and press Enter: setx /M MP_FORCE_USE_SANDBOX 0
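After the restart, a practitioner will want to confirm that the setting was persisted and that Defender actually picked it up. The PowerShell below is an added example, not part of the original post: it reads the machine-scope variable that setx /M writes to the registry and checks for the sandboxed content process. The process name MsMpEngCP.exe is not on this page; it is the content-process name from Microsoft’s own announcement of the feature, and is assumed here.

```powershell
# Added example (not from the original post): check whether Defender sandbox
# mode has been requested and whether it is actually active after the reboot.
# Assumption: MsMpEngCP.exe is the sandboxed content process Microsoft described
# when announcing the feature; the post above does not name it.

function Get-DefenderSandboxState {
    # setx /M persists machine-scope variables under this key, so reading it
    # shows the stored value even in a console opened before setx was run.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $requested = (Get-ItemProperty -Path $regPath -Name 'MP_FORCE_USE_SANDBOX' `
                  -ErrorAction SilentlyContinue).MP_FORCE_USE_SANDBOX

    # The engine process always runs; the content process only exists when
    # sandboxing is on, so its presence is the real signal.
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $content = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Requested     = ($requested -eq '1')
        EngineRunning = [bool]$engine
        SandboxActive = [bool]$content
        NeedsReboot   = ($requested -eq '1') -and -not $content
    }
}

function Set-DefenderSandbox {
    param([Parameter(Mandatory)][bool]$Enabled)

    # setx /M needs an elevated console; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) console.'
    }

    $value = if ($Enabled) { '1' } else { '0' }
    # Same command as the post; the value is machine-wide and is only read by
    # Defender after the machine restarts.
    setx /M MP_FORCE_USE_SANDBOX $value | Out-Null
    Write-Host "MP_FORCE_USE_SANDBOX set to $value. Restart the machine for Defender to apply it."
}

# Report the current state; run Set-DefenderSandbox -Enabled $true to turn it on.
Get-DefenderSandboxState | Format-List
```

If Requested is True but SandboxActive is False after a restart, the preview build you are on may not yet support the mode; the check distinguishes that from simply having forgotten to reboot.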

A final word about AV

Always remember that AV gives you a layer of protection – but it’s definitely not a complete security strategy in itself! Sandboxing, with plenty of justification, has been described as a game changer for Microsoft’s flagship AV package. But it doesn’t detract from the need to build in multiple layers of protection from the ground up.

  • Abi says:

    Hi Nathan,

    I’m very much enjoying the courses I purchased from you. Just one question: how can I check if my computer is hacked, and clean it?

    • Nathan House says:

      It is a process to work this out. You will need a course on it. You have my course. Look at volume 4 on detecting malware and hackers.

  • Wayne Hubbard says:

    I am running Win 10.
    Where do I open Start?
    How do I run the command Prompt as admin?
    Thank you

    • Nathan House says:

      If you don’t know how to do that then don’t do this. You don’t know enough yet and this is still in beta.

    • Shamya Majumder says:

      Press Windows key + Q and then search command prompt. Mouse over to Command prompt and right click to Run as administrator. Stick to Nathan Sir’s advice.

  • Hamed says:

    nice subject

  • Arty says:

    Very informative!

    Thanks Nathan!

    PS – your courses are awesome.

  • Jayne Samuel-Walker says:

    A very useful post, Nathan, thank you

  • Bazza says:

    Cheers Nathan! Simplified, valuable and comprehensive content as usual. Thanks a million.

  • Ovi Sazzad says:

    Hi Nathan, I just activated sandbox as you mentioned. But can you please also share how to use it? Or any reference guideline for this sandbox? Thanks

    • Nathan House says:

      The MS AV uses it to help stop people hacking you through a weakness in the AV. There is nothing else for you to do with it.

  • Mike says:

    Hi Nathan,

    How similar is this to applications like Shade sandbox? once I enable sandbox mode, does that mean every application I run will be running in a sandbox by default?

    • Nathan House says:

      This is a sandbox for the MS AV. This stops the AV from being used to attack you. So, for example: I send you an email with an attachment. When the AV scans the attachment, it exploits an MS AV vulnerability to compromise your system. This sandbox provides isolation to help mitigate the attack.

  • Víctor Valentinuzzi says:

    Just like that? Type in cmd: setx /M MP_FORCE_USE_SANDBOX 1 and restart the computer?

  • shyam says:

    Dear Sir,
    Do you have a course on hands-on ethical hacking?

    Kindly advise

  • Alishia says:

    Windows Defender Anti-virus has raised the bar for security by this new development.