
The first sandboxed antivirus is Windows Defender

Microsoft created the first sandboxed antivirus solution in its latest Insider version of Windows Defender for Windows 10, moving proactively to harden the product against attacks.

Windows Defender has become the first antivirus product designed to run its content parsing inside a sandbox, in the latest Insider version of the software for Windows 10.

Microsoft said sandboxing the antivirus engine was something the community had been asking for, and the company described the feature as the natural next step in hardening Windows Defender against attack.

"From the beginning, we designed and built Windows Defender Antivirus to be resistant to attacks. In order to inspect the whole system for malicious content and artifacts, it runs with high privileges. This makes it a candidate for attacks," Mady Marinescu, software engineer on the Windows Defender Engineering team, wrote in a blog post. "Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus's content parsers that could enable arbitrary code execution. While we haven't seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously."

Marinescu said running Defender in a sandbox should protect the rest of the system in the "unlikely event of a compromise" by confining malicious activity to the sandboxed process. Building the feature was difficult, Marinescu said, because the team had to avoid any major performance impact for users.


"Performance is often the main concern raised around sandboxing, especially given that antimalware products are in many critical paths like synchronously inspecting file operations and processing and aggregating or matching large numbers of runtime events," Marinescu wrote. "To ensure that performance doesn't degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time, only perform these interactions in key moments where their cost would not be significant, for example, when IO is being performed."

Microsoft is also being careful to roll out the sandboxed antivirus environment slowly and refine the product before making it available to everyone. It is currently available to Windows insiders using Windows 10 and it is unclear when it will be more widely available.
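For readers on an Insider build who want to confirm whether Defender's content parsers are in fact running sandboxed, the following PowerShell is an added example and not code from this article or from Microsoft. It assumes the process names Microsoft gave in its announcement post (MsMpEng.exe for the privileged antimalware service, MsMpEngCP.exe for the separate low-privilege content process) and the machine-wide MP_FORCE_USE_SANDBOX environment variable that the post said forces the sandbox on after a reboot; none of those identifiers appear in this article, and they may not apply to other builds.

```powershell
# Added example: checks for, and optionally force-enables, Windows Defender's
# sandboxed content process. Process names and the environment variable are
# assumptions taken from Microsoft's announcement post, not from this article.

function Get-DefenderSandboxStatus {
    [CmdletBinding()]
    param()

    # Privileged antimalware service (always present when Defender is active).
    $service = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    # Sandboxed content process; only present when the sandbox is enabled.
    $sandbox = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue
    # Machine-wide opt-in flag described in the announcement (assumption).
    $forced  = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    [pscustomobject]@{
        ServiceRunning = [bool]$service
        SandboxRunning = [bool]$sandbox
        SandboxPid     = if ($sandbox) { ($sandbox | Select-Object -First 1).Id } else { $null }
        ForcedByEnvVar = ($forced -eq '1')
    }
}

function Enable-DefenderSandbox {
    # Equivalent to 'setx /M MP_FORCE_USE_SANDBOX 1'; needs an elevated session
    # and only takes effect after a restart, on builds that ship the feature.
    [CmdletBinding()]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')
    Write-Warning 'MP_FORCE_USE_SANDBOX set; restart the machine for it to take effect.'
}

# Report current state; SandboxRunning = $true means MsMpEngCP.exe is alive
# alongside the privileged MsMpEng.exe service.
Get-DefenderSandboxStatus
```

If SandboxRunning is false on a build that has the feature, call Enable-DefenderSandbox from an elevated prompt and reboot, then rerun the status check. The check only proves that the second process exists; it does not verify what privileges the content process holds, so treat it as a quick confirmation rather than a security assessment.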

Danny Allan, vice president of product strategy at Veeam, a data management firm based in Baar, Switzerland, praised the ability to run Defender as a sandboxed antivirus solution.

Lamar Bailey, director of security research and development at Tripwire, based in Portland, Ore., said it will be interesting to see the sandboxed antivirus on more machines.

"The ability to sandbox an AV/malware detection system allows for much more aggressive detection processes that are not safe on the base OS. The sandbox provides a safe environment that can easily be wiped clean after use," Bailey wrote via email. "This functionality is usually seen as add-on products targeted towards servers, so seeing it included by Microsoft for consumer and workstation OSes is a good improvement in security for home users."
