Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Windows Defender's Sandbox - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Windows Defender's Sandbox

Microsoft's Windows Defender on Windows 10 supports sandboxing now.

The Windows Defender engine runs with high privileges, and contains a lot of code (for example to parse many different file formats, e.g. parsing untrusted input). A lot of code means many potential bugs. Exploitable bugs in a process running with high privileges is a high risk.

To mitigate this risk, Microsoft implemented a sandbox: parts of Windows defender can now run inside a process with restricted privileges. If a vulnerability in Windows Defender is exploited inside the sandbox, the exploit code is contained inside the sandbox and can not access the operating system's resources (unless, of course, a distinct sandbox escape vulnerability is discovered and used).

If you use Windows 10 1703 or later you can enable Windows Defender's sandbox by setting system environment variable MP_FORCE_USE_SANDBOX to 1 (and to 0 to disable it again).

An OS restart is required to have Windows Defender take into account the setting. The activation of the sandbox can be asserted, with Process Explorer for example, by checking that process MsMpEng.exe has a child process named MsMpEngCP.exe (i.e. the sandbox).

I encountered an issue to activate the sandbox: after creating the system environment variable, I shutdown my machine and then powered it on. This did not enable the sandbox. I had to perform a restart (Start Menu / Power / Restart) for the sandbox to be activated. The same thing happened when I tried to deactivate the sandbox: make sure you perform a restart (literally). This issue was reported to Microsoft, and should be fixed in an upcoming release.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

 DidierStevens

373 Posts
ISC Handler
Subscribe Nov 1st 2018
8 months ago
Thank you Didier Stevens
 Netmanzim

38 Posts
Quote Nov 1st 2018
8 months ago
Is this due to Fast Startup?
 Anonymous
Quote Nov 1st 2018
8 months ago
Indeed, this happens when Fast Startup is enabled on my Windows 10 machine (default).
It doesn't happen when I disable Fast Startup and then shutdown.
 DidierStevens

373 Posts
ISC Handler
Quote Nov 1st 2018
8 months ago
read https://www.howtogeek.com/349114/shutting-down-doesnt-fully-shut-down-windows-10-but-restarting-it-does/ that explains why
 DVK01

21 Posts
Quote Nov 3rd 2018
8 months ago

Sign Up for Free or Log In to start participating in the conversation!