Ability to place Windows Defender in a restrictive environment follows feedback from the security community
Windows Defender has become the first antivirus solution to have the capability to run within a sandbox, Microsoft has announced.
The move will help ensure that, in the event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the user’s system from harm.
In a blog post on Friday, Mady Marinescu of the Windows Defender engineering team outlined the new developments, and explained how the ability to sandbox Windows’ native AV will help raise the bar for user security.
“From the beginning, we designed and built Windows Defender Antivirus to be resistant to attacks,” Marinescu said. “In order to inspect the whole system for malicious content and artifacts, it runs with high privileges. This makes it a candidate for attacks.
“Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’s content parsers that could enable arbitrary code execution.
“While we haven’t seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously. We immediately fixed potential problems and ramped up our own research and testing to uncover and resolve other possible issues.”
The sandbox function has initially been launched as an opt-in feature for Windows 10 users.
Microsoft said it is encouraging researchers and partners to examine the feature and provide feedback before it is made more broadly available.
One security researcher, Google’s Tavis Ormandy, has already chimed in, describing Microsoft’s move as “game changing”.
Others, however, questioned Microsoft’s claims that it was first to market with a sandboxed AV, noting that anti-malware solutions from Qihoo and Crowdstrike already ship with this capability.