Windows Defender to Run Inside a Sandbox Instead of Sandboxing Unknown Apps

Windows Defender is testing a new feature that enables some of its core components to run in a sandbox as a means of self-protection.

If they instead ran all unknown apps (not just Windows 10 apps) in a sandbox, there would realistically be little need to do this in the first place. Doh.

https://www.tomshardware.co.uk/windows-defender-sandbox-disable-pc,news-59377.html

I wouldn’t describe it as self-protection. It’s rather a way to make WDA less exploitable, which helps protect the whole system. AVs must be built in such a way that the software they scan can not easily exploit them. To lower the AV’s privileges is a sensible way to do that.

I wouldn’t be surprised if others follow.

Here is Microsoft’s announcement: https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/

Well in theory I don’t see why containment can’t be used for both.

Though the end goal is still the same either way i.e. to protect the system.

Either you protect the system from a compromised AV, with the potential sacrifice of losing your AV and the repercussions thereafter.

or

you protect your AV with the sacrifice of losing your system. If you had a truly separate AV container, it could theoretically actually be used to repair an infected system.

Either way you look at it, it’s a bit of a mess as you are now on the back foot trying to mitigate damage whilst the security of the compromised system just got degraded.

Yet, if they instead chose to sandbox all unknown applications, instead of just their own security app, that problem of the AV being attacked would have been significantly reduced in the first place.

In my opinion they should be allowing for both AV App and Unknown App sandboxes!

They should have sand coming out their ears, out their ears dang it!

What do you mean by “potential sacrifice of losing your AV”?

I don’t think Microsoft will distinguish between known and unknown software with the purpose to sandbox the latter. Instead, their goal seems to be to sandbox all applications. All applications from Microsoft Store are sandboxed, and Windows 10 S allows only applications from the Store.

Well currently they are not sandboxing all Win32 apps. Sandboxing just UWA is not good enough.

If they manage to Sandbox all Win32 apps though then great.

Although I do not see that happening any time soon.

Regarding losing your AV, I mean it being compromised to the point that it ceases to effectively function.

Restricting legacy applications not from the Store, which were not designed to run restricted, will undoubtedly cause issues. And already running the application’s installer as administrator bypasses nearly all security.

I foresee that these things will change, and that the Store will play a bigger role in the future. The S-mode is one step.

Sandboxing should help mitigate that.

Yup, I think Microsoft will increase its virtualisation efforts too, not just in the Windows App Store.

More sandboxing in Windows 10 Insider Preview Build 18305.

Introducing Windows Sandbox! Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?

At Microsoft, we regularly encounter these situations, so we developed Windows Sandbox: an isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all of its files and state are permanently deleted.

More non-UWP-specific sandboxing, as I expected from Microsoft.

Good to see, thanks for the post JoWa :slight_smile:

P.S. I wonder if they will allow a security policy to run all unknown executable files in the sandbox if they are not listed as safe by SmartScreen?

I am thinking they may well do :stuck_out_tongue:

I don’t think SmartScreen has a list of known (good) executable files.

Smart Screen has a list of files it deems to be “well known” for the purpose of checking unknown files against it.

Smart Screen Overview:

SmartScreen determines whether a downloaded app or app installer is potentially malicious by:
Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.

Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution.

This is why I wonder if they will go further and keep a list of files that are not just well known, but safe.

Even if they just allowed for auto-sandboxing files deemed as not “well known”, I feel that this would be a good step forward.

Either way, I certainly do think that they might do either of these options.
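As an added example (not from this thread or from Microsoft): the SmartScreen checks quoted above are applied to files that carry the Mark of the Web, i.e. the Zone.Identifier alternate data stream that browsers attach to downloads. This PowerShell snippet lists the files in a folder that still carry that mark, so an administrator can audit which downloads would be subject to those checks; the $Folder parameter and the Get-MarkOfTheWeb function name are assumptions.

```powershell
# Added example: enumerate files carrying the Mark of the Web (Zone.Identifier stream).
# Get-MarkOfTheWeb and $Folder are assumed names, not part of any Microsoft tooling.
function Get-MarkOfTheWeb {
    param(
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')
    )

    Get-ChildItem -Path $Folder -File | ForEach-Object {
        $file = $_
        # The stream is absent on files that were never downloaded or were unblocked.
        $zone = Get-Content -Path $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if (-not $zone) { return }

        $zoneId  = $null
        $hostUrl = $null
        foreach ($line in $zone) {
            if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
            elseif ($line -match '^HostUrl=(.+)') { $hostUrl = $Matches[1] }
        }

        # URL security zones: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted.
        $zoneName = switch ($zoneId) {
            0 { 'LocalMachine' } 1 { 'Intranet' } 2 { 'Trusted' }
            3 { 'Internet' }     4 { 'Restricted' } default { 'Unknown' }
        }

        [pscustomobject]@{
            Name    = $file.Name
            ZoneId  = $zoneId
            Zone    = $zoneName
            HostUrl = $hostUrl
        }
    }
}

# Usage: list marked files in the current user's Downloads folder.
Get-MarkOfTheWeb | Format-Table -AutoSize
```

Files reported with ZoneId 3 or 4 are the ones Windows treats as coming from the Internet and therefore routes through the reputation checks described in the overview; a file with no entry has either never been downloaded or has had its mark removed.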