Researchers at the security company Trail of Bits (R&D) managed to sandbox Windows Defender, the default anti-virus solution that ships with recent versions of Windows.
Sandboxing is the technical term for running an application inside a restricted context. That isolation prevents an attacker who exploits the application from reaching the underlying operating system.
Current versions of Windows Defender are not sandboxed
It's unbelievable, but as it turns out, Windows Defender, a critical part of the Windows operating system, does not run in a sandbox by default, even though the product - in various guises and under various names - has been part of the Windows application portfolio for at least 13 years.
The Trail of Bits team created a framework in Rust that runs Windows applications within their own AppContainers. The researchers released this framework on GitHub under the name AppJailLauncher.
"Or it allows you to wrap an application's I/O behind a TCP server, allowing the sandboxed application to run on a completely different machine, with an additional layer of isolation," the Trail of Bits team says of AppJailLauncher.
This version of the sandbox targets 32-bit versions of Windows and the core component of Windows Defender, the Malware Protection Engine (MsMpEng).
In recent months, engineers from Google's Project Zero security team have shown how vulnerable this component is, discovering many bugs that could be exploited to gain full control of affected machines.
Some of these bugs were so dangerous that a simple email or a malicious JavaScript file was enough to compromise a Windows system.
Microsoft, for its part, has focused on improving Windows security in recent years. Compared with previous versions of the operating system, Windows 10 is extremely well protected.
Microsoft engineers have already sandboxed some Windows components. For example, the JIT code compiler in Microsoft Edge runs in a sandbox. Features such as Device Guard detect and prevent the exploitation of common vulnerabilities, keeping Windows systems safe.
As many experts who commented on the Trail of Bits experiment noted [1, 2], one reason Microsoft chose not to sandbox Windows Defender may be the potential performance impact on the application.
The Trail of Bits experiment is only a proof of concept that Windows Defender can be sandboxed; it did not focus on performance-related metrics.
The technical details are described in detail here.