Windows Defender is testing a new feature that enables some of its core components to run in a sandbox as a means of self-protection.
If they instead ran all unknown apps (not just Windows 10 apps) in a sandbox, there would realistically be little need to do this in the first place. Doh.
I wouldn’t describe it as self-protection. It’s rather a way to make WDA less exploitable, which helps protect the whole system. AVs must be built in such a way that the software they scan cannot easily exploit them. Lowering the AV’s privileges is a sensible way to do that.
Well in theory I don’t see why containment can’t be used for both.
Though the end goal is still the same either way i.e. to protect the system.
Either you protect the system from a compromised AV, with the potential sacrifice of losing your AV and the repercussions thereafter.
or
You protect your AV with the sacrifice of losing your system. If you had a truly separate AV container it could theoretically actually be used to repair an infected system.
Either way you look at it, it’s a bit of a mess as you are now on the back foot trying to mitigate damage whilst the security of the compromised system just got degraded.
Yet, if they instead chose to sandbox all unknown applications, instead of just their own security app, that problem of the AV being attacked would have been significantly reduced in the first place.
In my opinion they should be allowing for both AV App and Unknown App sandboxes!
They should have sand coming out their ears, out their ears dang it!
What do you mean by “potential sacrifice of losing your AV”?
I don’t think Microsoft will distinguish between known and unknown software with the purpose to sandbox the latter. Instead, their goal seems to be to sandbox all applications. All applications from Microsoft Store are sandboxed, and Windows 10 S allows only applications from the Store.
Restricting legacy applications not from the Store, which were not designed to run restricted, will undoubtedly cause issues. And running the application’s installer as administrator already bypasses nearly all security.
I foresee that these things will change, and that the Store will play a bigger role in the future. The S-mode is one step.
Introducing Windows Sandbox!
Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.
How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?
At Microsoft, we regularly encounter these situations, so we developed Windows Sandbox: an isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all of its files and state are permanently deleted.
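The announcement above describes the feature in prose only. As an added illustration (not part of the original post or of Microsoft’s documentation), the following PowerShell enables the optional feature and then builds a locked-down Windows Sandbox configuration for exactly the “downloaded an executable but afraid to run it” case: networking off, no virtual GPU, and the download folder exposed read-only so the sample cannot write back to the host. The download path, the file name and the drive letters are assumptions; the `.wsb` element names are the ones documented for Windows Sandbox on Windows 10 Pro/Enterprise, and the script must be run from an elevated prompt.

```powershell
# Added example, not from the thread. Assumes Windows 10 Pro/Enterprise with
# virtualization enabled in firmware and an elevated PowerShell session.

# 1. Make sure the Windows Sandbox optional feature is present.
$featureName = 'Containers-DisposableClientVM'
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName $featureName -All -NoRestart | Out-Null
    Write-Warning 'Windows Sandbox was just enabled; reboot before running the .wsb file.'
}

# 2. Folder on the host holding the untrusted download (assumed path).
#    Mapped read-only, so nothing the sample does inside the sandbox can alter it.
$hostFolder = 'C:\Users\me\Downloads\untrusted'
if (-not (Test-Path $hostFolder)) { New-Item -ItemType Directory -Path $hostFolder | Out-Null }

# 3. Sandbox configuration: no network, no vGPU, read-only mapped folder.
#    A mapped folder appears on the sandbox user's desktop under the host folder's name,
#    i.e. C:\Users\WDAGUtilityAccount\Desktop\untrusted here.
$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\untrusted</Command>
  </LogonCommand>
</Configuration>
"@

$wsbPath = Join-Path $env:TEMP 'untrusted.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8

# 4. Opening the .wsb launches Windows Sandbox with that configuration. Anything the
#    sample installs or drops inside is discarded when the sandbox window is closed.
Start-Process -FilePath $wsbPath
```

Two practitioner caveats: the sandbox account is a local administrator inside the guest, so a read-only mapping is the only thing standing between the sample and your download folder (a writable mapping would let it tamper with files you later trust), and disabling networking also removes the sample’s ability to fetch a second stage, which is usually what you want when the goal is simply to see whether an installer behaves.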
Smart Screen has a list of files it deems to be “well known” for the purpose of checking unknown files against it.
Smart Screen Overview:
SmartScreen determines whether a downloaded app or app installer is potentially malicious by:
Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution.
This is why I wonder if they will go further and keep a list of files that are not just well known, but safe.
Even if they just allowed for auto-sandboxing files deemed as not “well known”, I feel that this would be a good step forward.
Either way, I certainly do think that they might do either of these options.