Microsoft lets Windows Defender run in a sandbox
Posted on Monday, October 29 2018 @ 13:56 CET by Thomas De Maesschalck

Modern antimalware products are required to inspect many inputs, for example, files on disk, streams of data in memory, and behavioral events in real time. Many of these capabilities require full access to the resources in question. The first major sandboxing effort was related to layering Windows Defender Antivirus’s inspection capabilities into the components that absolutely must run with full privileges and the components that can be sandboxed. The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers in order to avoid a substantial performance cost.

The feature will be rolled out gradually for Windows Insiders. Users running Windows 10 version 1703 or later can also force their system to use this sandbox implementation by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. More at the Microsoft Secure blog.
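As an added example (not code from this post or from Microsoft), the PowerShell below applies the machine-wide variable mentioned above and, after the required reboot, checks that the sandboxed content process is actually running. It assumes that Windows 10 version 1703 corresponds to build 15063 and that Microsoft's sandboxed content process is named MsMpEngCP.exe (both taken from Microsoft's announcement, neither stated in this post).

```powershell
# Added example, not from the post or Microsoft's blog. Run from an elevated prompt.
# Assumptions (not on this page): Windows 10 1703 = build 15063; the Defender engine
# process is MsMpEng.exe and the sandboxed content process is MsMpEngCP.exe.

function Enable-DefenderSandbox {
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    if ($build -lt 15063) {
        throw "Windows 10 1703 (build 15063) or later is required; this host is build $build."
    }
    # Machine-wide variable, same effect as: setx /M MP_FORCE_USE_SANDBOX 1
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')
    Write-Host 'MP_FORCE_USE_SANDBOX set machine-wide; restart the machine for it to take effect.'
}

function Test-DefenderSandbox {
    # Read the persisted value from the registry rather than this session's copy,
    # which may predate the change.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $value   = (Get-ItemProperty -Path $regPath -Name 'MP_FORCE_USE_SANDBOX' `
                -ErrorAction SilentlyContinue).MP_FORCE_USE_SANDBOX
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $content = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    # SandboxRunning is the signal that matters: the variable alone proves nothing
    # until the engine has restarted and spawned the low-privilege content process.
    [pscustomobject]@{
        VariableSet    = ($value -eq '1')
        EngineRunning  = [bool]$engine
        SandboxRunning = [bool]$content
        ContentPids    = @($content | ForEach-Object Id)
    }
}

# Typical flow: Enable-DefenderSandbox, reboot, then:
Test-DefenderSandbox | Format-List
```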