How a Windows antimalware tool helps endpoint security

Benefits of sandboxes

Sandboxes have many benefits, and Microsoft outlined the significant benefits of running Windows Defender in a sandbox, along with the difficulties it faced while developing the functionality in a blog post. Leading web browsers and Adobe Reader have already implemented sandboxes within their core software, and other endpoint security tools have also implemented sandboxing.

For example, virtualization or containers are isolation methods organizations can use to create sandboxes. The use of a sandbox can also help create boundaries between trusted and untrusted code, so untrusted code can be executed in the sandbox to prevent the potentially malicious code from executing on the system.

The boundaries created by a sandbox may be difficult to define and control depending on the application or usage, such as if the application needs to access the network, disk or system memory.

Implementing a sandbox will not completely secure an endpoint, and if malware bypasses the antimalware tool and executes its malicious code on the endpoint, the malware could still disable the Windows Defender Antivirus program and infect the system. The Windows Defender Antivirus program necessarily runs with elevated privileges, so a vulnerability in it could be used to gain complete control of an endpoint. However, by implementing a sandbox, a significant additional barrier is created.

The boundaries created by a sandbox may be difficult to define and control depending on the application or usage, such as if the application needs to access the network, disk or system memory. Given that Windows Defender is intended to handle malicious code in many different forms, it was designed with layers of protection, which also affects how the sandbox is implemented.

Microsoft explicitly mentions performance issues caused by sandboxes as being a significant concern and mentions the ecosystem challenge when deploying this new feature. Enterprises will be part of this ecosystem, but they may have their own challenges when deploying this new functionality.

One of the difficulties with sandbox deployments is the additional complexity introduced by a sandbox. An additional difficulty Microsoft mentions is how to handle files it determines are not malicious and restore them to the proper location on the endpoint outside the sandbox.

Where can sandboxes be deployed in enterprises

Sandboxes are available in many different security tools ranging from software that runs on endpoints to network security tools that use sandboxes to detonate executables to determine if the files are malicious.

Deploying tools with sandbox functionality is different than deploying a security tool designed to sandbox applications on an endpoint. Adding an additional endpoint security tool requires additional ongoing management; however, incorporating the sandbox into an existing application could reduce that management.

The Windows Defender sandboxing functionality has been implemented for Windows Insiders in Windows 10 version 1703 or later. This will benefit enterprise endpoints running the most current version of the software. Microsoft states the sandbox functionality can be turned on at runtime to give an enterprise flexibility with how it's deployed.

Not all enterprises deploy the most current version of Windows, so it may take a while for this functionality to be broadly deployed. You may want to investigate if the endpoint antimalware tool in use at your enterprise has implemented sandboxing or if it has it on their roadmap -- if not, ask why or when so it can be implemented on your systems.

While sandboxing an enterprise's individual applications is a difficult task, upgrading applications to include sandbox functionality can improve endpoint security. Overall, the introduction of sandboxing to Windows Defender is a significant improvement.