Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Windows Defender's Sandbox - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Windows Defender's Sandbox

Microsoft's Windows Defender on Windows 10 supports sandboxing now.

The Windows Defender engine runs with high privileges, and contains a lot of code (for example to parse many different file formats, e.g. parsing untrusted input). A lot of code means many potential bugs. Exploitable bugs in a process running with high privileges is a high risk.

To mitigate this risk, Microsoft implemented a sandbox: parts of Windows defender can now run inside a process with restricted privileges. If a vulnerability in Windows Defender is exploited inside the sandbox, the exploit code is contained inside the sandbox and can not access the operating system's resources (unless, of course, a distinct sandbox escape vulnerability is discovered and used).

If you use Windows 10 1703 or later you can enable Windows Defender's sandbox by setting system environment variable MP_FORCE_USE_SANDBOX to 1 (and to 0 to disable it again).

An OS restart is required to have Windows Defender take into account the setting. The activation of the sandbox can be asserted, with Process Explorer for example, by checking that process MsMpEng.exe has a child process named MsMpEngCP.exe (i.e. the sandbox).

I encountered an issue to activate the sandbox: after creating the system environment variable, I shutdown my machine and then powered it on. This did not enable the sandbox. I had to perform a restart (Start Menu / Power / Restart) for the sandbox to be activated. The same thing happened when I tried to deactivate the sandbox: make sure you perform a restart (literally). This issue was reported to Microsoft, and should be fixed in an upcoming release.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

 DidierStevens

638 Posts
ISC Handler
Nov 1st 2018
Thread locked Subscribe Nov 1st 2018
3 years ago
Thank you Didier Stevens
 Netmanzim

69 Posts
Quote Nov 1st 2018
3 years ago
Is this due to Fast Startup?
 Anonymous
Quote Nov 1st 2018
3 years ago
Indeed, this happens when Fast Startup is enabled on my Windows 10 machine (default).
It doesn't happen when I disable Fast Startup and then shutdown.
 DidierStevens

638 Posts
ISC Handler
Quote Nov 1st 2018
3 years ago
read https://www.howtogeek.com/349114/shutting-down-doesnt-fully-shut-down-windows-10-but-restarting-it-does/ that explains why
 DVK01

21 Posts
Quote Nov 3rd 2018
3 years ago

Sign Up for Free or Log In to start participating in the conversation!