
Windows Defender Becomes First Antivirus To Run Inside a Sandbox (zdnet.com) 110

An anonymous reader writes: Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a "sandbox" is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS.

"We're in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation," Microsoft said in a celebratory blog post. Users who can't wait until Microsoft finishes testing the feature can also enable it right now. Support for Windows Defender running inside a sandbox environment has been silently added since Windows 10 version 1703. To enable it right now, Windows 10 users can follow these steps.

  • ... when will this be available in Windows 7 - you know, the version everyone still uses (and likes)?
    • Moved to it about a year ago and hardly miss Win 7. Even come to like it.

      We have come a complete circle, everyone loved Win NT and stuck to it until USB came out and MS did not provide driver support for USB, soon people moved and now like Win 7.

      Sometimes I feel people don't like to embrace change.

      • People don't like to embrace change for the sake of change, because I still don't see any benefit in using Windows 10. What is my advantage? The apps I can't get rid of that clutter the inferior user interface, or the telemetry that still doesn't tell me just what information is sent to its master?

        • Here's the thing, as far as I see it, they just seem like they are adding bloat without really changing the functionality that much. I just put Windows XP on an old machine with an SSD and that operating system just flies. I was just going back because of nostalgia, and don't plan to use it on a day to day basis. However, that computer is quite fast and a more modern operating system really wouldn't give it that much extra functionality. Also, the install footprint is much smaller.

          • by bobby ( 109046 )

            Yup! I've got several machines still running XP. MS keeps releasing lots of updates. My feeling is: hopefully someday all the bugs will be found and patched. I know, dream on! But XP _has_ to be more mature, right?

            XP updating can be tricky. Sometimes it won't update if you wait too long- I suspect the updater / encryption mechanism gets changed at the MS servers. I've had to go to the MS update catalog, search for the updates, download and manually install them, then the automatic updates work again.

          • by nojayuk ( 567177 )

            The Windows XP filesystem doesn't support TRIM for SSDs to allow for wear levelling so it will tend to write specific sectors at fixed addresses repeatedly causing the SSD to wear out prematurely. WinXP has a maximum disc volume of 2TB and 32-bit XP has a maximum RAM utilisation of under 4GB. There are reasons other than problems with security to move away from XP.

            I've put Windows 7 on a couple of netbooks after adding SSDs to them. They have limited RAM (which I also maxed out) and low-power CPUs but they

            • These are things that can be fixed without bloating the entire OS though. They could add TRIM support, allow disks over 2TB, and other features like TLS 1.2 without making the operating system that much bigger. It's a 32 bit OS, so you can't really get over 4GB of ram without some big changes, but there's a lot of machines that don't need more than 4 GB of RAM. They're still selling computers with 4 GB of RAM as of this day.

              • by nojayuk ( 567177 )

                These are things that can be fixed without bloating the entire OS though.

                MS tried that, to make a MkII version of XP to fix a number of problems including user space control, security enhancements, improved networking etc. It was called Vista. What a dog.

                The real replacement for XP was "bloated" Win 7. Funny thing though, when folks tested Win 7 against XP, despite the claims of "bloat" they found that on similar/identical hardware Win 7 ran a little faster or about the same as Win XP, ditto for program

        • Well to call it a niche use case is an understatement; but Windows 10 is the only OS that seems to offer hot plugging e-GPUs over tb3. (Though not sure if macOS allows this yet).

      • Sometimes I feel people don't like to embrace change.

        Why should they? What's in it for them?

      • I'll stick with 7. I can say no to updates that randomly delete my data.

      • If you like the OS rebooting while you're away from the computer, and losing all of your unsaved work, then sure.
  • I always thought that a multi-user, multi-tasking operating system by definition, was expected to isolate users and tasks in a way that they could not interfere with each other. That's what an OS does - provide isolation, virtualization, and security between processes so that the OS is stable, and any one badly behaved task can't interfere with either other tasks or the OS itself (subject to certain permissions).

    While I applaud Microsoft's announcement, it seems to me that the need to do this shows a fundam

    • by Misagon ( 1135 ) on Monday October 29, 2018 @11:59AM (#57555977)

      No, that's a misconception. Only very few operating systems actually isolate all their tasks fully according to the principle of least privilege.

      In most mainstream operating systems, sandboxing is not the default but has to be initiated by the parent process before the process starts, or even voluntarily by the process itself.
      Most sandboxing mechanisms were added as afterthoughts, so they do have some kind of quirk that either makes them hard to use or opens up a hole if you are not careful.

    • by Junta ( 36770 )

      The problem generally is that the granularity of the model is weak and around certain concrete things.

      Can process A access the memory of process B? No. Can user X open a file written privately by user Y? No.

      However, if process A and B both belong to user X, then they may not be able to read each other's memory, but they do have equivalent access to the filesystem, because that wasn't the granularity OSes had in mind.

      So now we have an assortment of various named facilities to go further. Mandatory Access

  • by rsilvergun ( 571051 ) on Monday October 29, 2018 @10:56AM (#57555507)
    since it's going to have to leave its sandbox to scan your file system and it's going to have to have root or near root to do it. That's probably why they're the "first", because it's not a very good idea.
    • by beuges ( 613130 ) on Monday October 29, 2018 @11:10AM (#57555585)

      You clearly don't understand how the sandbox concept works.

      The part outside the sandbox, which does have SYSTEM privileges, no longer examines the contents of the file for malware. It passes it to the part inside the sandbox, which scans the content for malware. If the malware triggers an error in the scanning engine, it cannot be exploited because the scanning engine is in a sandbox and is running with reduced privileges, compared to previously when there was no sandbox and the scanning engine ran as SYSTEM as well.

    • A sandbox in terms of computers just means that there are strict limitations on what it can do. It doesn't define what those restrictions are supposed to be. Making it run in a sandbox actually makes it better because it means that the virus scanner can read all the system files while actually not running as administrator/root and thereby not being able to write to the file or do other things it's not supposed to be doing. Running a virus scanner as root is actually a very bad idea. What you actually want t

    • since it's going to have to leave its sandbox to scan your file system and it's going to have to have root or near root to do it. That's probably why they're the "first", because it's not a very good idea.

      By your logic all sandboxes are not a very good idea. You're missing the key component here, the attack surface of the privileged code becomes smaller when all it does is fetch stuff and hand it off to a sandboxed environment.
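
The split described in the two replies above (a privileged part that only fetches content, and a low-privilege part that parses it) can be sketched as follows. This is an added example, not part of any comment and not Microsoft's code: it uses POSIX fork and rlimits as a stand-in for the Windows sandbox, and `scan`, `toy_parser` and the marker bytes are made up for illustration.

```python
import os
import resource

MARKER = b"TEST-MALWARE-MARKER"  # constructed sample signature, not a real one

def toy_parser(data: bytes) -> bool:
    """Hypothetical stand-in for a complex content parser, with two planted bugs."""
    if data.startswith(b"CRASH"):
        os.abort()                      # simulates a memory-safety crash
    while data.startswith(b"HANG"):
        pass                            # simulates a parser stuck in a loop
    return MARKER in data

def _sandboxed_worker(data: bytes, wfd: int) -> None:
    # Give up abilities *before* touching untrusted bytes.
    resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))  # no new files or sockets
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))    # no core dumps
    resource.setrlimit(resource.RLIMIT_CPU, (1, 1))     # killed after 1s of CPU
    os.write(wfd, b"M" if toy_parser(data) else b"C")   # one-byte verdict only

def scan(data: bytes) -> str:
    """Broker: holds the file access, never parses content itself."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                        # child: the low-privilege scanner
        try:
            os.close(rfd)
            _sandboxed_worker(data, wfd)
            os._exit(0)
        finally:
            os._exit(1)                 # never fall back into broker code
    os.close(wfd)
    verdict = os.read(rfd, 1)           # returns b"" if the worker died
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    # The broker accepts exactly two byte values; everything else fails closed.
    if os.WIFSIGNALED(status) or verdict not in (b"M", b"C"):
        return "engine-failure"
    return "malicious" if verdict == b"M" else "clean"

if __name__ == "__main__":
    for sample in (b"plain text", b"xx" + MARKER, b"CRASH now", b"HANG now"):
        print(sample[:12], "->", scan(sample))
```

The rlimits here only approximate the idea: a production sandbox also restricts reads of existing files, network access and system calls, none of which this sketch attempts.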

  • If I remember well, ThunderBird Anti virus under DOS also used to work in a sandbox...
    And its generic detection was quite good...

    Until some cracks in the sandbox were discovered and virus makers started to use them to infect the computer DURING THE SCAN...

  • It never detects the Windows 10 virus.

  • Just so I understand a process with global read access to every file on a system is now sandboxed because the people who wrote it are incapable of ensuring their AV parsers are not exploitable?

    Now we are to believe the supposed remedy to this is to rely on a sandboxing system orders of magnitude less defensible than the AV software itself?

    In the event of successful exploitation of AV but miraculously sandbox works as intended what prevents anything on your system including any inspected network data from be

  • Sandboxing of Windows Defender was done over a year ago by a security researcher at Trail of Bits: Microsoft didn't sandbox Windows Defender, so I did [trailofbits.com].

    Did Microsoft copy his work?

  • Basically the idea is to do what SELinux does, give a process the least permissions.

    It is useful, the only drawback I can think of is that everything gets so locked down that if anything goes wrong in the "security" mechanism you are basically locked out and cannot retrieve anything.
