Researchers at the security company Trail of Bits (R&D) have managed to sandbox Windows Defender, the default antivirus solution that ships with recent versions of Windows.
Sandboxing is a technical term for running an application inside a restricted environment; that environment prevents an attacker who exploits the application from reaching the underlying operating system.
Current versions of Windows Defender are not sandboxed
Surprisingly, Windows Defender, a critical part of the Windows operating system, does not run in a sandbox by default, although the product, under various forms and names, has been part of Windows for at least 13 years.
The Trail of Bits team created a Rust framework that runs Windows applications inside their own AppContainers. The researchers released this framework on GitHub under the name AppJailLauncher.
"Or it allows you to wrap an application's I/O behind a TCP server, allowing the sandboxed application to run on a completely different machine, with an additional layer of isolation," the Trail of Bits team said of AppJailLauncher.
This version of the sandbox targets 32-bit versions of Windows and the core component of Windows Defender, the Malware Protection Engine (MsMpEng).
In recent months, engineers from Google's Project Zero security team have shown how vulnerable this component is, discovering many bugs that could be exploited to gain full control of affected machines.
Some of these bugs were so dangerous that a simple email or a malicious JavaScript file was enough to compromise Windows systems.
Microsoft, on the other hand, has focused in recent years on improving Windows security. Compared to previous versions of the operating system, Windows 10 is very well protected.
Microsoft engineers have already sandboxed some Windows components. For example, the JIT code compiler in Microsoft Edge runs in a sandbox. Features such as Device Guard detect and prevent the exploitation of common vulnerabilities, keeping Windows systems safer.
As many experts commenting on the Trail of Bits experiment have noted [1, 2], one reason Microsoft may have chosen not to sandbox Windows Defender is the potential performance impact on the application.
The Trail of Bits experiment is only a proof of concept that Windows Defender can be sandboxed; it did not measure performance-related metrics.
The technical details are described here.