Windows Defender Becomes First Antivirus To Run Inside a Sandbox (zdnet.com)
An anonymous reader writes: Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a "sandbox" is a security mechanism that isolates a process in a tightly controlled area of the operating system, giving that process access to only limited disk, memory and other resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS.
"We're in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation," Microsoft said in a celebratory blog post. Users who can't wait until Microsoft finishes testing the feature can also enable it right now. Support for Windows Defender running inside a sandbox environment has been silently added since Windows 10 version 1703. To enable it right now, Windows 10 users can follow these steps.
Okay, but ... (Score:1)
Windows 10 is not bad (Score:1)
Moved to it about a year ago and hardly miss Win 7. Even come to like it.
We have come full circle: everyone loved Win NT and stuck to it until USB came out and MS did not provide driver support for USB; soon people moved on, and now they like Win 7.
Sometimes I feel people don't like to embrace change.
Re: (Score:2)
People don't like to embrace change for the sake of change, because I still don't see any benefit in using Windows 10. What is my advantage? The apps I can't get rid of that clutter the inferior user interface, or the telemetry that still doesn't tell me just what information is sent to its master?
Re: (Score:2)
Here's the thing, as far as I see it, they just seem like they are adding bloat without really changing the functionality that much. I just put Windows XP on an old machine with an SSD and that operating system just flies. I was just going back because of nostalgia, and don't plan to use it on a day to day basis. However, that computer is quite fast and a more modern operating system really wouldn't give it that much extra functionality. Also, the install footprint is much smaller.
Re: (Score:1)
Yup! I've got several machines still running XP. MS keeps releasing lots of updates. My feeling is: hopefully someday all the bugs will be found and patched. I know, dream on! But XP _has_ to be more mature, right?
XP updating can be tricky. Sometimes it won't update if you wait too long; I suspect the updater / encryption mechanism gets changed at the MS servers. I've had to go to the MS update catalog, search for the updates, download and manually install them, and then the automatic updates work again.
Re: (Score:2)
The Windows XP filesystem doesn't support TRIM for SSDs to allow for wear levelling so it will tend to write specific sectors at fixed addresses repeatedly causing the SSD to wear out prematurely. WinXP has a maximum disc volume of 2TB and 32-bit XP has a maximum RAM utilisation of under 4GB. There are reasons other than problems with security to move away from XP.
I've put Windows 7 on a couple of netbooks after adding SSDs to them. They have limited RAM (which I also maxed out) and low-power CPUs but they
Re: (Score:2)
These are things that can be fixed without bloating the entire OS though. They could add TRIM support, allow disks over 2TB, and other features like TLS 1.2 without making the operating system that much bigger. It's a 32-bit OS, so you can't really get over 4GB of RAM without some big changes, but there are a lot of machines that don't need more than 4 GB of RAM. They're still selling computers with 4 GB of RAM as of this day.
Re: (Score:2)
These are things that can be fixed without bloating the entire OS though.
MS tried that, to make a MkII version of XP to fix a number of problems including user space control, security enhancements, improved networking etc. It was called Vista. What a dog.
The real replacement for XP was "bloated" Win 7. Funny thing though, when folks tested Win 7 against XP, despite the claims of "bloat" they found that on similar/identical hardware Win 7 ran a little faster or about the same as Win XP, ditto for program
Re: (Score:2)
You may be the only person on the planet left with a working XP 64-bit system because for sure MS sold damn few of them. As for "software that issues TRIM commands" that sounds awfully like a third-party bodge since TRIM was never part of the XP file system for either 32-bit or 64-bit versions.
Re: (Score:2)
Well, to call it a niche use case is an understatement; but Windows 10 is the only OS that seems to offer hot plugging eGPUs over TB3. (Though not sure if macOS allows this yet.)
Re: (Score:2)
8.1 most decidedly does not support hotplugging eGPUs. Unplugging the video card => blue screen crash and a reboot needed.
Which makes me sad; I'd vastly prefer 8.1 over 10 for the reasons you just enumerated.
Re: (Score:2)
Sometimes I feel people don't like to embrace change.
Why should they? What's in it for them?
For you (Score:2)
I'll stick with 7. I can say no to updates that randomly delete my data.
Re: (Score:2)
Re: (Score:2)
Then I guess we'll have to continue relying on third party AV software, since WinDef sucks on 7.
Re: (Score:2)
Windows Defender is the political candidate of the anti-virus world. It's the worst, except for all the alternatives.
Although from your comment I think you're implying that there exists an Anti-virus solution which doesn't suck? Normally this kind of thing would be reserved for an April 1st kind of post, but we're actually only a couple of days from being the furthest possible time from April first. Are you aiming for the April Fools equivalent of Christmas in July?
Re: (Score:2)
You aren't supposed to use Windows Defender on Windows 7; it even pops up a warning telling you so if you try.
Windows 7 uses Microsoft Security Essentials, which is waaaaaaaay better than Windows Defender anyway. Ranked higher also on its ability to thwart viruses and malware.
Anyone trying to use Defender in 7 deserves a virus, because it proves they are illiterate and can't read the warning that says do not use Defender in 7.
Re: (Score:1)
Thanks for that info. This computer, running Windows 7 "ultimate", seems to have Defender installed. I don't remember being given a choice, nor any warnings.
That said, I rarely run mainstream AV software; I can't stand what it does to the machine (bogs it down to a crawl). I don't visit virulent websites. I remove the HD and run complete scans with McAfee Stinger, Clam AV, and others from time to time, and I've never had a virus that I was not aware of. A few false positives, and some AV software doesn't like
Re: I must be missing something (Score:2)
Some think it's coming.
https://www.pcrisk.com/interne... [pcrisk.com]
Re:I must be missing something (Score:5, Interesting)
The AV product has to open and test the file. This can be a way for malware to hijack the AV product itself. By running that test in a sandbox, the malware has another hurdle (escaping the sandbox) before it can do anything.
Re: (Score:1)
Re: (Score:2)
Well, it will properly report whether the anti-virus program itself is indeed infected or not.
I guess it may be able to read the other files, but if you were to quarantine a file or fix one, you are leaving your sandbox for a lot of actions.
Re: (Score:2)
In theory you pass the file into the sandbox and receive a yes/no response from the AV scanner running within it...
This has worked well for many years with AV running on gateway devices. E.g. I have a Linux-based email and web filter which runs inbound files past an AV scanner in this way; the scanner itself is sandboxed and the file is fed over a socket connection.
Of course this only really works for file scanning; if you want to do things like scan memory and hijack existing processes (which most Windows ba
Re:That's cool and all (Score:5, Insightful)
Today's viruses are a lot like the ones of old.
Newer OSs tend to use the App Store concept for most of your trusted applications, and that reduces viruses. However, the realization is that real damage doesn't need to be at the root/system level, but on the user level, because your data is more important than the OS. Sure, you may not be able to open up a low-numbered IP port, but your user account, even on Linux systems, is often good enough to cause a lot of damage.
Linux and Mac systems are protected by the fact that they are not used enough by average joe, and most software you get from trusted locations.
It's funny, but... (Score:2)
I always thought that a multi-user, multi-tasking operating system by definition, was expected to isolate users and tasks in a way that they could not interfere with each other. That's what an OS does - provide isolation, virtualization, and security between processes so that the OS is stable, and any one badly behaved task can't interfere with either other tasks or the OS itself (subject to certain permissions).
While I applaud Microsoft's announcement, it seems to me that the need to do this shows a fundam
Re:It's funny, but... (Score:4, Insightful)
No, that's a misconception. Only very few operating systems actually isolate all their tasks fully according to the principle of least privilege.
In most mainstream operating systems, sandboxing is not the default but has to be initiated by the parent process before the process starts, or even voluntarily by the process itself.
Most sandboxing mechanisms were added as afterthoughts, so they do have some kind of quirk that either makes it hard to use or opens up a hole if you are not careful.
Re: (Score:2)
The problem generally is that the granularity of the model is weak and around certain concrete things.
Can process A access the memory of process B? No. Can user X open a file written privately by user Y? No.
However, if process A and B both belong to user X, then they may not be able to read each other's memory, but they do have equivalent access to the filesystem, because that wasn't the granularity OSes had in mind.
So now we have an assortment of various named facilities to go further. Mandatory Access
It's not really a Sandbox (Score:3)
Re:It's not really a Sandbox (Score:5, Informative)
You clearly don't understand how the sandbox concept works.
The part outside the sandbox, which does have SYSTEM privileges, no longer examines the contents of the file for malware. It passes it to the part inside the sandbox, which scans the content for malware. If the malware triggers an error in the scanning engine, it cannot be exploited because the scanning engine is in a sandbox and is running with reduced privileges, compared to previously when there was no sandbox and the scanning engine ran as SYSTEM as well.
Re: (Score:3)
If your engine is only reading a string of bytes, it's not much of an engine. You're probably dealing with something naive that merely looks for known strings or byte sequences out of a dictionary.
A modern anti-malware engine on the other hand, must do a lot more. Once it reads the string of bytes, it needs to examine it to determine what type of data this string of bytes represents. Then, once it knows what type of data it is dealing with, it needs to pass that string of bytes through some sort of parser o
Re: (Score:2)
A sandbox in terms of computers just means that there are strict limitations on what it can do. It doesn't define what those restrictions are supposed to be. Making it run in a sandbox actually makes it better because it means that the virus scanner can read all the system files while actually not running as administrator/root and thereby not being able to write to the file or do other things it's not supposed to be doing. Running a virus scanner as root is actually a very bad idea. What you actually want t
Re: (Score:2)
since it's going to have to leave its sandbox to scan your file system and it's going to have to have root or near root to do it. That's probably why they're the "first", because it's not a very good idea.
By your logic all sandboxes are not a very good idea. You're missing the key component here: the attack surface of the privileged code becomes smaller when all it does is fetch stuff and hand it off to a sandboxed environment.
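The broker/engine split that this reply and the "It's not really a Sandbox" reply above describe, written out as an added example (it is not code from the thread, from Microsoft, or from Windows Defender): the privileged broker is the only part that opens files, it hands the raw bytes to a forked child that has first confined itself, and the child does all the parsing. POSIX rlimits stand in for Defender's low-privilege container (assumption: Linux or macOS), the EICAR substring is the whole "signature database", and the CRASHME and PROBE-ESCAPE markers are constructed stand-ins for a parser memory-safety bug and for an attempted sandbox escape.

```python
import json
import os
import resource
import signal

# Constructed detection table: one substring of the EICAR test string.
# A real engine parses dozens of file formats; that parsing is exactly
# what an attacker targets and exactly what belongs inside the sandbox.
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File"}


def scan_engine(blob: bytes) -> dict:
    """The untrusted half: parses attacker-controlled bytes.

    Two hypothetical markers (assumptions for this example) stand in for
    engine bugs and for an escape attempt:
      CRASHME      -> hard crash (SIGABRT), like a memory-safety bug in a parser
      PROBE-ESCAPE -> tries to open a file and reports whether the sandbox allowed it
    """
    if blob.startswith(b"CRASHME"):
        os.abort()
    if blob.startswith(b"PROBE-ESCAPE"):
        try:
            with open(os.devnull, "wb"):
                pass
            return {"verdict": "escaped", "name": None, "signal": None}
        except OSError:
            return {"verdict": "contained", "name": None, "signal": None}
    for sig, name in SIGNATURES.items():
        if sig in blob:
            return {"verdict": "malicious", "name": name, "signal": None}
    return {"verdict": "clean", "name": None, "signal": None}


def _enter_sandbox() -> None:
    """Reduce what the engine can do before it sees a single untrusted byte.

    Assumption: POSIX rlimits as a minimal stand-in for a low-privilege
    container. They apply to this child only; the broker keeps its limits.
    """
    resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))  # no new fds: cannot open files or sockets
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))   # cannot grow any regular file it still holds
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))    # a crash leaves no core file behind
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))     # a runaway parser is killed with SIGXCPU
    if os.geteuid() == 0:                               # if the broker is root, the engine is not
        os.setgid(65534)
        os.setuid(65534)


def scan_bytes(blob: bytes) -> dict:
    """The privileged half: forks a sandboxed engine, hands it the bytes over a
    pipe and turns whatever happens to the engine into a verdict. It never
    parses the content itself, so a parser bug cannot run with its privileges."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child: becomes the engine
        os.close(r)
        try:
            _enter_sandbox()
            result = scan_engine(blob)
        except Exception as exc:                   # engine raised: report it, do not propagate it
            result = {"verdict": "engine-error", "name": None,
                      "signal": None, "detail": type(exc).__name__}
        os.write(w, json.dumps(result).encode())
        os._exit(0)
    os.close(w)                                    # parent: the broker
    chunks = []
    while True:
        chunk = os.read(r, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):                     # engine crashed; the broker is still here to say so
        return {"verdict": "engine-error", "name": None,
                "signal": signal.Signals(os.WTERMSIG(status)).name}
    if not chunks:
        return {"verdict": "engine-error", "name": None, "signal": None}
    return json.loads(b"".join(chunks))


def scan_file(path: str) -> dict:
    """Only the broker touches the filesystem; the engine only ever sees bytes."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:   # constructed sample file
        f.write(b"harmless text around the EICAR-STANDARD-ANTIVIRUS-TEST-FILE marker")
    print(scan_file(f.name))
    os.unlink(f.name)
    for sample in (b"plain text", b"CRASHME", b"PROBE-ESCAPE"):
        print(sample.decode(), "->", scan_bytes(sample))
```

The point the example makes is the one in the reply above: the broker's code path is open, read, write-to-pipe, wait, and nothing else, so an engine crash on CRASHME comes back as an "engine-error" verdict (with the signal name) instead of code execution in the privileged process, and the PROBE-ESCAPE probe, which succeeds when scan_engine is called directly, fails once the same function runs behind _enter_sandbox. Quarantine and remediation, which need the privileges, stay on the broker side, as another comment in this thread notes.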
TBAV under DOS anyone ? (Score:2)
If I remember correctly, ThunderBird Anti virus under DOS also used to work in a sandbox...
And its generic detection was quite good...
Until some cracks in the sandbox were discovered and virus makers started to use them to infect the computer DURING THE SCAN...
It can't be that good (Score:2, Troll)
It never detects the Windows 10 virus.
Why not be the first to be secure instead? (Score:2, Insightful)
Just so I understand a process with global read access to every file on a system is now sandboxed because the people who wrote it are incapable of ensuring their AV parsers are not exploitable?
Now we are to believe the supposed remedy to this is to rely on a sandboxing system orders of magnitude less defensible than the AV software itself?
In the event of successful exploitation of AV but miraculously sandbox works as intended what prevents anything on your system including any inspected network data from be
Done a year ago... not by Microsoft (Score:2)
Sandboxing of Windows Defender was done over a year ago by a security researcher at Trail of Bits: Microsoft didn't sandbox Windows Defender, so I did [trailofbits.com].
Did Microsoft copy his work?
It is SELinux for Windows 10 (Score:2, Interesting)
Basically the idea is to do what SELinux does: give a process the least permissions.
It is useful, the only drawback I can think of is that everything gets so locked down that if anything goes wrong in the "security" mechanism you are basically locked out and cannot retrieve anything.
Re: (Score:2)
SELinux is not a sandbox. How the hell did this get upvoted?