
New Sandbox Mode for Windows 10 Defender Antivirus: Here’s why you should pay attention…

Antivirus (AV) is a commonly relied upon security control. But it’s worth remembering that there’s nothing inherently “hack-proof” about this type of software. After all, no program (AV included) is immune to outside attack!

That said, if you can run your program in an isolated environment (i.e. a sandbox), it means that if the program is compromised, your wider system is protected against harm.

Bearing all this in mind, you start to realise the significance of the recent announcement concerning Windows Defender Antivirus.

Under Microsoft’s new Windows Insider preview, users now have the option of running Defender Antivirus in a sandbox. Getting this off the ground was no mean feat – and it’s not yet enabled by default (this will most likely happen with the arrival of Windows 10 version 1903 early next year). But Windows Defender users can now activate sandboxing for themselves.

Here’s a closer look at why this is potentially useful, and at how to activate it.

Antivirus software: Who’s guarding the guards?

  • By its nature, AV needs to have high level permissions to enable unfettered systems access. To do its job properly, the software must be able to read all files on disk, inspect all streams of data in memory – and to monitor events in real time. All of this demands the highest level of privilege.
  • There’s a flipside to this access-all-areas capability. Because AV subsystems comprise multiple internal components for examining such a wide range of data and file types, they present a large attack surface with many potential entry points. If the AV software were compromised and malware activated through it, that malware could run with the AV’s own privileges, granting the attacker access right across the system.

How real is the risk?

So far, there have been no reported instances of in-the-wild attackers successfully targeting Windows Defender Antivirus.

But last year, the UK’s National Computer Security Centre (NCSC) flagged up a couple of bugs in the Windows Defender core (bugs that were quickly patched by Microsoft). The NCSC explained how exploitation of these vulnerabilities created the possibility of planting code in the OS and taking control of the system.

This discovery came shortly after UK agencies who handle classified data were warned by NCSC not to use Kaspersky AV – amid fears that Russian threat actors could use it as a means of obtaining back door access.

It’s thought likely that high-level threat actors are taking a close interest in popular commercial AV packages to add to their attack arsenal. For common-or-garden users, it’s fair to say that this particular threat is largely theoretical at this moment in time – or at least, ‘one to watch’. Microsoft’s introduction of a sandboxing mode at this stage can be seen as a way of keeping on top of the threat.

How does sandboxing reduce the risk?

A sandbox is essentially a tightly controlled ‘safe space’ for a program to run in. It allows you, for instance, to run a suspicious program or monitor a file without the risk of malicious code entering into the wider system.

But integrating sandboxing into a complex security package isn’t exactly easy. Once you start tinkering with the ability to inspect file operations at runtime, there’s a very real danger that performance will suffer. Too many protective measures can mean the whole process grinding to a halt. That’s why, up until now, no complete antivirus solution featured a sandboxing capability.

To get around this, Microsoft had to implement a number of significant changes, including layering the inspection processes and minimising the interactions that cross the sandbox boundary, so that as much of the work as possible stays inside the sandbox.

Enabling the sandbox on a Windows Insider build requires you to do the following:

1. Open Start

2. Find Command Prompt and select Run as administrator

3. Type the following command and press Enter: setx /M MP_FORCE_USE_SANDBOX 1

4. Restart the machine

NOTE: To disable sandboxing, type the following command and press Enter: setx /M MP_FORCE_USE_SANDBOX 0
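The steps above set a machine-wide environment variable and then rely on a restart to take effect, which leaves you without an obvious way to confirm that the change actually did anything. The following PowerShell script is an added example and is not code from the original post or from Microsoft: it reads the machine-scope MP_FORCE_USE_SANDBOX value (the same scope that setx /M writes to), offers an equivalent way to set it, and checks whether a sandboxed content process is present. The process name MsMpEngCP is an assumption taken from Microsoft’s announcement of the feature rather than from this post; adjust it if your build differs.

```powershell
# Added example, not from the original post: confirm the MP_FORCE_USE_SANDBOX
# setting and check whether Defender's sandboxed content process is running.
# Run from an elevated PowerShell window.

function Get-DefenderSandboxSetting {
    # setx /M writes to the machine-wide environment, which is what the
    # 'Machine' scope reads; Defender picks the value up at service start,
    # hence the restart in the steps above.
    $value = [System.Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    if ([string]::IsNullOrEmpty($value)) { return 'not set' }
    return $value
}

function Test-DefenderSandboxRunning {
    # Assumption: the sandboxed content process is named MsMpEngCP.exe
    # (the name used in Microsoft's announcement); the privileged engine
    # process remains MsMpEng.exe.
    $cp = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue
    return ($null -ne $cp)
}

function Set-DefenderSandbox {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('0', '1')]
        [string]$Value
    )
    # Same effect as: setx /M MP_FORCE_USE_SANDBOX <Value>
    # Needs an elevated prompt; takes effect after a restart.
    [System.Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', $Value, 'Machine')
}

$setting = Get-DefenderSandboxSetting
$running = Test-DefenderSandboxRunning

Write-Output "MP_FORCE_USE_SANDBOX (machine scope): $setting"
Write-Output "Sandboxed content process (MsMpEngCP) running: $running"

if ($setting -eq '1' -and -not $running) {
    Write-Output 'Setting is 1 but no content process was found: a restart may still be pending, or this build does not support sandboxing.'
}
elseif ($setting -ne '1' -and $running) {
    Write-Output 'Content process is running although the variable is not 1: sandboxing may be enabled by default on this build.'
}
```

Run the script once before making any change to record the baseline, call Set-DefenderSandbox -Value 1 and restart, then run it again: the setting should read 1 and the content process should be present. The two mismatch branches at the end cover the cases a practitioner actually meets, a pending restart and a build where Microsoft has already turned the feature on by default.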

A final word about AV

Always remember that AV gives you a layer of protection – but it’s definitely not a complete security strategy in itself! Sandboxing, with plenty of justification, has been described as a game changer for Microsoft’s flagship AV package. But it doesn’t detract from the need to build in multiple layers of protection from the ground up.