Windows Defender can now run in sandboxed mode

Carfax83

Diamond Member
Nov 1, 2010
I must say I am very impressed by what Microsoft is accomplishing with Windows Defender. Since the Fall 2017 update, they've managed to dramatically improve their detection rate (thanks to machine learning, A.I. and cloud computing) to the point where Windows Defender is actually quite comparable with top third-party antimalware programs while still being free!

Now Microsoft is one-upping the competition, because they've announced that Windows Defender can now be completely sandboxed.

Apparently this is a first not only for Microsoft, but for any distributor of antimalware software. Windows Defender sandbox mode is not currently enabled in the latest official release of Windows 10. I believe it's enabled in the Skip Ahead version.

But you can force it (provided you're running Windows 10 version 1703 or later) if you want by using an elevated Command Prompt or Windows PowerShell command and then RESTARTING your PC (shutdown will not enable it, due to a bug).

The command is:

setx /M MP_FORCE_USE_SANDBOX 1
To turn it off, just put a 0 on the end and restart.

So far, though, I haven't noticed any performance degradation or weirdness at all, so I'm keeping it enabled :cool:

Once the sandboxing is enabled, customers will see a content process, MsMpEngCP.exe, running alongside the antimalware service, MsMpEng.exe.

administrator-process-explorer.png
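The procedure in the post above (set the machine-wide MP_FORCE_USE_SANDBOX variable, restart, then look for MsMpEngCP.exe next to MsMpEng.exe), wrapped in PowerShell with the checks an administrator would want before and after the reboot. This is an added example, not code from the post or from Microsoft: the variable name, the 1703 minimum and the two process names come from the post; the function names, the build-number check (1703 corresponds to build 15063) and the use of the .NET Environment class in place of setx /M are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example: PowerShell equivalent of "setx /M MP_FORCE_USE_SANDBOX 1"
# plus a post-reboot check for the sandboxed content process.
# Function names and the build-number threshold are assumptions, not from the post.

function Assert-Elevated {
    # setx /M and Machine-scope variables both write HKLM, so the session must be elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
}

function Set-DefenderSandbox {
    param([Parameter(Mandatory)][bool]$Enabled)

    Assert-Elevated

    # The post says 1703 or later; 1703 is build 15063 (assumed threshold).
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    if ($build -lt 15063) {
        throw "Build $build is older than Windows 10 version 1703; the sandbox switch needs 1703+."
    }

    # 1 forces sandboxing on, 0 turns it back off, exactly as the setx command in the post.
    $value = if ($Enabled) { '1' } else { '0' }

    # Machine scope writes HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment,
    # the same location setx /M writes to.
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', $value, 'Machine')

    Write-Host "MP_FORCE_USE_SANDBOX=$value written at machine scope."
    Write-Host 'Restart the PC (a shutdown is not enough, per the post) for Defender to pick it up.'
}

function Test-DefenderSandbox {
    # Read the persisted machine-scope value, not the current session's copy,
    # so the check is valid even before the reboot has happened.
    $setting = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    $engine  = Get-Process -Name MsMpEng   -ErrorAction SilentlyContinue
    $content = Get-Process -Name MsMpEngCP -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ForceSandboxSetting   = $setting            # '1', '0' or $null if never set
        EngineRunning         = [bool]$engine       # MsMpEng.exe, the antimalware service
        ContentProcessRunning = [bool]$content      # MsMpEngCP.exe only appears when sandboxing is active
        ContentProcessIds     = @($content | ForEach-Object Id)
    }
}

# Usage (run as administrator):
#   Set-DefenderSandbox -Enabled $true
#   Restart-Computer
#   ...after the reboot...
#   Test-DefenderSandbox
#   Set-DefenderSandbox -Enabled $false   # revert, then restart again
```

Test-DefenderSandbox deliberately reports the persisted setting and the running processes separately: a value of 1 with no MsMpEngCP.exe means the machine has not been restarted yet (or the build does not support the switch), while a content process with no setting means the sandbox was enabled some other way.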
 

VirtualLarry

No Lifer
Aug 25, 2001
I've heard of sandboxing a browser, but not an anti-virus / anti-malware program. I thought, by their nature, they need to read all of the files in the system, so why sandbox them? In case they themselves get exploited (like Norton can or could)?
 

Carfax83

Diamond Member
Nov 1, 2010
I've heard of sandboxing a browser, but not an anti-virus / anti-malware program. I thought, by their nature, they need to read all of the files in the system, so why sandbox them? In case they themselves get exploited (like Norton can or could)?

That's exactly why they are sandboxing Defender: to protect it from exploitation via escalation of privileges. What Microsoft has done is use lower-privilege sandboxed processes which are segmented from the main process. The low-privilege processes do the heavy lifting when it comes to reading, inspecting and monitoring, and then somehow that information is likely sent back to the main process for verification. I'm not a programmer, so I'm likely wrong on what I just said, but it seems like they managed to pull off something spectacular indeed.