
Microsoft Sandboxes Windows Defender - chablent
https://www.bleepingcomputer.com/news/microsoft/microsoft-sandboxes-windows-defender/
======
Someone1234
This is great news. The old implementation was a little scary, they had a full
JavaScript parsing engine (and other similar parsers) running as SYSTEM. You
can get a sense of it via this Project Zero bug report:

[https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1252)

That specific bug and others were of course fixed.

The issue is that such complex code is hard to write well in the language
they're using, and running as SYSTEM is just asking for a zero-day takeover
from simply visiting a site with a malicious file or an unread email.

I hope other AV vendors follow suit on the component sandboxing. They're
scanning untrusted files, which will happily try to crash or take over the AV
process itself.

------
hs86
Microsoft's announcement:
[https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/...](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/)

~~~
ccnafr
Yo mods... can we stop the blog-spam?

~~~
mathnode
Recently I linked to a press release for a software acquisition, but mine was
marked as a dupe, and the blog link promoted.

I am not trying to get them sweet sweet up-votes. Just engage in my community.

~~~
xenophonf
Press releases are glorified advertisements. Please post something more
substantive instead. Even release notes or change logs are better. An actual
review like the really awesome in-depth Mac OS X reviews of yore would be even
better.

~~~
Ajedi32
I'd much rather read a glorified advertisement than a news article
regurgitating various portions of the glorified advertisement, interspersed
with a bunch of filler, ads, and background information I already know.

------
youdontknowtho
I know that sandboxing is desirable here, but it runs as SYSTEM. How do you
sandbox something running as SYSTEM? They must have changed the identity of
Defender. That's all I can come up with. Anyone else know how this works?

~~~
userbinator
I believe it runs with even higher privileges than SYSTEM --- a while ago I
had to deal with an unresponsive and 100%-CPU-consuming scanner process, which
I tried to kill from a command prompt running as SYSTEM, and it still said
"access denied".

I know the reasoning is "if SYSTEM can kill it then so can malware", but still
a bit unsettling that there's processes running on your system that even the
owner doesn't have privilege to control.

~~~
ourmandave
_...but still a bit unsettling that there's processes running on your system
that even the owner doesn't have privilege to control._

Welcome to Windows 10 Home Edition!

~~~
tbronchain
Can you get higher system privileges on other editions?

------
Too
Why not sandbox applications instead and remove any reason for defender to
exist in the first place.

~~~
viraptor
There's a reason for defender even with a sandboxed app. Exploiting the
sandboxed app may not allow the virus to access other parts of the system, but
it still allows messing with the app's memory and spreading online (you likely
got it from an app with network permissions in the first place).

------
excalibur
The diagram at the top of this article is amusing.

~~~
Lukas_Skywalker
Bugs me that the "secure sandbox" arrow isn't pointing from the label
_towards_ the sandbox. Makes it look like a flow diagram.

------
Lapsa
Windows anti-malware-something frequently eats up half of my processor power.
Got a batch file on the desktop to suspend it. Sad.

~~~
uryga
Could you please share the script? I wanted to do that too but never got
around to it.

(it's especially bad when something creates a lot of small files, because
Service Executable starts scanning them, and whitelisting processes doesn't
seem to do much to deter it)

------
ahoka
From the official blog post:

"Users can also force the sandboxing implementation to be enabled by setting a
machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and
restarting the machine. This is currently supported on Windows 10, version
1703 or later."
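
As an added example (not from the thread or from Microsoft's post), the same
override expressed in PowerShell, with a build check and a read-back of the
persisted value. It assumes that Windows 10 version 1703 corresponds to OS
build 15063 and uses the standard registry locations for the build number and
for machine-wide environment variables; the function names are my own. Run it
from an elevated prompt, and note that it only confirms the variable was
written; whether Defender actually picked up the sandbox mode can only be seen
after the restart the post mentions.

```powershell
# Added example: enable the Defender sandbox machine-wide via the documented
# MP_FORCE_USE_SANDBOX variable and verify that the setting persisted.
# Assumption: Windows 10 version 1703 == OS build 15063.

$MinBuild = 15063
$Name     = 'MP_FORCE_USE_SANDBOX'
$EnvKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$VerKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-OsBuild {
    # CurrentBuild is stored as a string, e.g. "15063".
    return [int](Get-ItemProperty -Path $VerKey).CurrentBuild
}

function Test-SandboxSupported {
    # The blog post says the override is supported on Windows 10 1703 or later.
    return (Get-OsBuild) -ge $MinBuild
}

function Enable-DefenderSandbox {
    if (-not (Test-SandboxSupported)) {
        throw "OS build $(Get-OsBuild) is older than 1703 (build $MinBuild); $Name is not supported here."
    }
    # Machine-wide persistence, equivalent to: setx /M MP_FORCE_USE_SANDBOX 1
    # Requires an elevated prompt; a non-admin session throws here.
    [Environment]::SetEnvironmentVariable($Name, '1', [EnvironmentVariableTarget]::Machine)
}

function Test-DefenderSandboxFlag {
    # Read the persisted value straight from the registry. The current
    # process environment does not reflect a machine-wide change until a
    # new session starts, so checking $env:MP_FORCE_USE_SANDBOX would mislead.
    $value = (Get-ItemProperty -Path $EnvKey -Name $Name -ErrorAction SilentlyContinue).$Name
    return $value -eq '1'
}

Enable-DefenderSandbox
if (Test-DefenderSandboxFlag) {
    Write-Host "$Name=1 is persisted machine-wide; restart the machine for Defender to pick it up."
} else {
    Write-Warning "$Name was not written. Is this prompt elevated?"
}
```

The read-back goes to the registry on purpose: `setx /M` and
`SetEnvironmentVariable(..., Machine)` write there, and a script that only
inspected `$env:` in the same session would report the variable as missing
even when the change succeeded.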

------
ericcholis
Slight tangent, strawpoll on what everybody prefers for their Antivirus these
days. Corporate and personal. I've been using ESET for years and anecdotally
never had any issue.

~~~
EliRivers
You know, I've pretty much stopped using them. Haven't had one installed on a
Win machine for a few years.

I take a handful of basic precautions along the lines of closing ports,
installing OS updates, having my eMail text only and passive, disabling a few
things on the web browser and never downloading/running anything suspicious.
It's been good enough that the last time I installed a new Win, a dedicated
antivirus didn't even occur to me.

On occasion I'll run a malware finder when I'm seeing odd behaviour and want
to be sure, but I can't remember the last time there was a genuine positive
find.

~~~
52-6F-62
I’m pretty much in the same boat here for a few years now.

I believe I ran some Symantec search tool once when things seemed off and was
able to install a targeted removal tool by them and remove them afterward.

Same principles with my macs.

Any Linux machine I use tends to be virtual and pretty blackboxed save web,
ssh, and ssl ports. (And maybe a port open connected to a database)

------
RaleyField
Welcome to 2006. Only took them 12 years.

~~~
neolefty
Are there other sandboxed security scanners?

~~~
RaleyField
I hope I'm getting downvoted for my sarky tone.

There have been stories that other vendors are even worse, but it doesn't
matter; they should've updated Defender 12 years ago concurrently with IE as
they were developing the tech for Vista, because Defender has a high false
negative detection ratio and so is a plan B, Hail Mary kind of technology -
you should do everything so that you don't rely on it working, as it works only
passably well for a percentage of stale threats. That's why if it and similar
software is enabled it should affect your security only additively and should
never contribute to attack surface. Instead, in an effort to check if a file
contains any months-old malware, you get pwned by a bug in a decompression
function for a file that you didn't even open, that just passed through your
system, and so you'd survive the attack if it weren't for the system that tries
to help you survive attacks stupidly.

------
vectorEQ
"unless the attacker finds a way to escape the sandbox, which is among the
toughest things to do, the system remains safe."

How was that determined xD.... wtf. There have been trivial sandbox escapes
for most sandboxes in existence...

stopped reading there >.> pure speculation on how effective this thing will
really be in the first paragraph, casts doubt on the accuracy of the rest of
the information.

~~~
shawnz
It was determined by design. If the sandbox were trivial to bypass, why have
it at all? The sandbox has to meet those conditions or it's a non-starter. And
regardless, it would certainly be easier to audit the security of a small
component like a sandbox versus the entirety of the Windows Defender
application.

------
mtgx
I imagine Windows Defender has been and will continue to be (even after this)
nation state intelligence agencies' #1 way to get into users' Windows PCs.

I for one haven't trusted Windows Defender in a while, both because I don't
trust Microsoft not to be malicious with it (at the very least they've
steadily increased the amount and types of telemetry they collect through it)
and also because it's such an easy target for all sorts of attackers.

~~~
cwyers
If Microsoft was going to put in a backdoor into Windows PCs, _why would they
put it in an optional component?_

