Researchers at the security company Trail of Bits (R&D) have managed to sandbox Windows Defender, the default antivirus solution that ships with the latest versions of Windows.
Sandboxing is a technical term for running an application inside a restricted environment. That environment prevents an attacker who exploits the application from reaching the underlying operating system.
Current versions of Windows Defender are not sandboxed
It is hard to believe, but as it turns out, Windows Defender, a critical part of the Windows operating system, does not run in a sandbox by default, even though the product, under various guises and names, has been part of the Windows application portfolio for at least 13 years.
The Trail of Bits team has created a framework in Rust that runs Windows applications inside their own AppContainers. The researchers released this framework on GitHub under the name AppJailLauncher.
"Or it allows you to wrap an application's I/O behind a TCP server, allowing the sandboxed application to run on a completely different machine, with an additional layer of isolation," the Trail of Bits team said of AppJailLauncher.
This version of the sandbox targets 32-bit versions of Windows and the core component of Windows Defender, the Malware Protection Engine (MsMpEng).
In recent months, engineers from Google's Project Zero security team have shown how vulnerable this component is, discovering many bugs that could be exploited to gain full control of vulnerable machines.
Some of these bugs were so dangerous that a simple email message or a malicious JavaScript file was enough to compromise Windows systems.
Microsoft, on the other hand, has been focusing on improving Windows security in recent years. Compared with previous versions of the operating system, Windows 10 is extremely well protected.
Microsoft engineers have already sandboxed some Windows components. For example, the JIT code compiler in Microsoft Edge runs in a sandbox. Mechanisms such as Device Guard detect and prevent the exploitation of common vulnerabilities, keeping Windows systems safe.
As several experts who commented on the Trail of Bits experiment have noted [1, 2], one reason Microsoft may have chosen not to sandbox Windows Defender is the potential impact on the application's performance.
The Trail of Bits experiment is only a proof of concept that Windows Defender can be sandboxed; it did not focus on performance-related metrics.
The technical details are described here.