Windows 10’s built-in antivirus can now run in a sandbox. Even if an attacker compromises the antivirus engine, they wouldn’t have access to the rest of the system. As Google’s Tavis Ormandy puts it, “this is game changing.”

In fact, Windows Defender is the first complete antivirus product that can run in a sandbox. None of the paid (or free) antivirus products you can download boast this feature.

This news comes from the official Microsoft Secure blog. As Microsoft puts it:

Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’s content parsers that could enable arbitrary code execution. While we haven’t seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously…

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.

In other words, the Windows Defender antivirus process that analyzes downloaded files and other content will run with very few permissions. Even if there were a bug in that process and a maliciously crafted file managed to compromise the antivirus itself, the now-compromised process would have no access to the rest of your system, and the attack would fail there.

Sure, an antivirus still needs a lot of access to your system. But the main antivirus process, the one that runs with those high privileges, no longer parses files itself. It hands content off to a low-privilege sandboxed process, which does the risky parsing work inside the isolated environment.
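A PowerShell check, added here and not part of this article or of Microsoft's post, that switches the opt-in sandbox on and then verifies the split between the privileged engine and the low-privilege content process. It assumes the names Microsoft documented for these pieces (the MP_FORCE_USE_SANDBOX machine environment variable, MsMpEng.exe and MsMpEngCP.exe), which the excerpt above does not quote, so confirm them against Microsoft's announcement before relying on the output.

```powershell
# Added example, not from the article or from Microsoft.
# Run from an elevated (Administrator) PowerShell on Windows 10.
# Assumptions: MP_FORCE_USE_SANDBOX is the documented opt-in switch,
# MsMpEng.exe is the privileged engine, MsMpEngCP.exe is the sandboxed
# content process spawned by it.

function Enable-DefenderSandbox {
    # Machine-wide variable; Defender reads it at service start, so reboot after.
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')
    Write-Host 'MP_FORCE_USE_SANDBOX=1 set machine-wide. Reboot to apply.'
}

function Test-DefenderSandbox {
    $flag = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    # Win32_Process exposes ParentProcessId, which Get-Process does not.
    $procs   = Get-CimInstance Win32_Process
    $engine  = $procs | Where-Object { $_.Name -eq 'MsMpEng.exe' }
    $content = $procs | Where-Object { $_.Name -eq 'MsMpEngCP.exe' }

    # The content process should be a child of the privileged engine:
    # that parent/child link is the hand-off the article describes.
    $spawnedByEngine = $false
    if ($engine -and $content) {
        $engineIds = @($engine | ForEach-Object { $_.ProcessId })
        $spawnedByEngine = @($content | Where-Object {
            $engineIds -contains $_.ParentProcessId }).Count -gt 0
    }

    [PSCustomObject]@{
        OptInFlagSet         = ($flag -eq '1')
        EngineRunning        = [bool]$engine
        ContentProcessRunning = [bool]$content
        ContentChildOfEngine = $spawnedByEngine
        # Sandbox is effectively active only when all three process checks hold.
        SandboxActive        = ([bool]$engine -and [bool]$content -and $spawnedByEngine)
    }
}

# Typical use: enable, reboot, then verify.
# Enable-DefenderSandbox
Test-DefenderSandbox | Format-List
```

If ContentProcessRunning is false after a reboot, the build may not yet ship the sandboxed engine, or the flag was set in the user scope rather than the machine scope.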

Microsoft’s blog post goes on to describe how this feature was implemented without any noticeable performance drops:

Performance is often the main concern raised around sandboxing, especially given that antimalware products are in many critical paths like synchronously inspecting file operations and processing and aggregating or matching large numbers of runtime events. To ensure that performance doesn’t degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time, only perform these interactions in key moments where their cost would not be significant, for example, when IO is being performed.
