Slashdot Mirror


Windows Defender Becomes First Antivirus To Run Inside a Sandbox (zdnet.com)

An anonymous reader writes: Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a "sandbox" is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS.

"We're in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation," Microsoft said in a celebratory blog post. Users who can't wait until Microsoft finishes testing the feature can also enable it right now. Support for Windows Defender running inside a sandbox environment has been silently added since Windows 10 version 1703. To enable it right now, Windows 10 users can follow these steps.

110 comments

  1. Okay, but ... by fahrbot-bot · · Score: 0

    ... when will this be available in Windows 7 - you know, the version everyone still uses (and likes)?

    --
    It must have been something you assimilated. . . .
    1. Re:Okay, but ... by Opportunist · · Score: 1

      Then I guess we'll have to continue relying on third party AV software, since WinDef sucks on 7.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Okay, but ... by Anonymous Coward · · Score: 0

      Win10 is now 50%. W7 is less, around 37%. So the answer is never.

    3. Re:Okay, but ... by Anonymous Coward · · Score: 0

      Use commercial products that have been offering privilege separation or a sandbox for quite some time already. This Defender sandbox is probably using all the latest Windows 10 mitigations, though.

    4. Re:Okay, but ... by Anonymous Coward · · Score: 0

      Microsoft Security Essentials works just fine on 7.

    5. Re:Okay, but ... by thegarbz · · Score: 1

      Windows Defender is the political candidate of the anti-virus world. It's the worst, except for all the alternatives.

      Although from your comment I think you're implying that there exists an Anti-virus solution which doesn't suck? Normally this kind of thing would be reserved for an April 1st kind of post, but we're actually only a couple of days from being the furthest possible time from April first. Are you aiming for the April Fools equivalent of Christmas in July?

    6. Re:Okay, but ... by Cito · · Score: 1

      You aren't supposed to use Windows Defender on Windows 7; it even pops up a warning telling you so if you try.

      Windows 7 uses Microsoft Security Essentials which is waaaaaaaay better than Windows Defender anyway. Ranked higher also on its ability to thwart viruses and malware.

      Anyone trying to use defender in 7 deserves a virus cause it proves they are illiterate and can't read the warning that says do not use defender in 7.

    7. Re:Okay, but ... by bobby · · Score: 1

      Thanks for that info. This computer, running Windows 7 "ultimate", seems to have Defender installed. I don't remember being given a choice, nor any warnings.

      That said, I rarely run mainstream AV software; I can't stand what it does to the machine (bogs to a crawl). I don't visit virulent websites. I remove the HD and run complete scans with McAfee Stinger, Clam AV, and others from time to time and I've never had a virus that I was not aware of. A few false positives, and some AV software doesn't like Nirsoft and a few predictable others.

      I DO run McAfee "Real Protect" and it's awesome. It did catch a few potential problems, so I know it works, and I think they have the right philosophy.

    8. Re:Okay, but ... by Anonymous Coward · · Score: 0

      No, it's not garbage and it's not hard to manage unless you are a moron.

    9. Re:Okay, but ... by Anonymous Coward · · Score: 0

      LAWL how long has 10 been out? This argument is dead in the water. There's no going back. DEAL WITH IT.

    10. Re:Okay, but ... by Anonymous Coward · · Score: 0

      What exactly makes it a piece of shit to manage in the Enterprise[sic]? Do you even have a job working in an enterprise environment or doing network administration? Or are you just tossing around words you heard the adults say?

    11. Re:Okay, but ... by Anonymous Coward · · Score: 0

      avast! is by far the best AV for Windows. Of course the best thing is to be smart about what you allow to execute on your computer. I run with nothing other than a periodic manual scan with ClamAV. It's so much nicer to not have an active AV that is constantly doing shit in the background.

  2. I must be missing something by Anonymous Coward · · Score: 0

    I always assumed it was ideal to have all apps sandboxed but not those who need access to everything. Surely an antivirus needs complete access otherwise it wouldn't be as efficient? Or is it the case an AV is actually a vector for attacks?

    1. Re: I must be missing something by reanjr · · Score: 1

      Some think it's coming.

      https://www.pcrisk.com/interne...

    2. Re:I must be missing something by E-Rock · · Score: 4, Interesting

      The AV product has to open and test the file. This can be a way for malware to hijack the AV product itself. By running that test in a sandbox, the malware has another hurdle (escaping the sandbox) before it can do anything.

    3. Re:I must be missing something by jellomizer · · Score: 1

      Well it will properly report if the Anti-virus program itself is indeed infected or not.

      I guess it may be able to read the other files, but if you were to quarantine a file or fix one, you are leaving your sandbox for a lot of actions.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:I must be missing something by Bert64 · · Score: 1

      In theory you pass the file into the sandbox and receive a yes/no response from the AV scanner running within it...
      This has worked well for many years with AV running on gateway devices, e.g. I have a Linux-based email and web filter which runs inbound files past an AV scanner in this way; the scanner itself is sandboxed and the file is fed over a socket connection.
      Of course this only really works for file scanning; if you want to do things like scan memory and hijack existing processes (which most Windows-based AV does) then it still needs to run at least some parts of the process with an extremely high privilege level.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re: I must be missing something by Anonymous Coward · · Score: 0

      Ahh so the AV brings the file it's scanning into the sandbox?

      Certainly makes more sense now thank you.

    6. Re: I must be missing something by Anonymous Coward · · Score: 0

      Of course it DOESN'T, Bert doesn't know how it actually works but it certainly does NOT move the file into the sandbox.

    7. Re:I must be missing something by JoePete · · Score: 1

      The referenced ZDNet article is notably sparse on details. This seems more like Microsoft trying to spin the negative that Windows Defender has had several vulnerabilities that in the grand scheme may have more weakened users' security than enhanced it. Let's strip away some pieces of this, however: 1) a "sandbox" is like saying "firewall" - it's a broad concept. The fact that Microsoft and the press are heralding this "advancement" without any supporting detail is revealing in and of itself as to how quickly we run toward and are duped by jargon. 2) The notion of using a sandbox relates to code execution. So the scary part is rather than preventing execution of suspect code, this sandboxing may in fact be enabling the execution but in an isolated part of the system. This is akin to believing you can train velociraptors. 3) Sandboxes require virtualization and that means a drain on resources. Even the idea of using some sort of application container, while more efficient, will be resource intensive. Moreover, however, without fully mimicking the Windows 10 OS, there is just too much opportunity for malware writers to detect when their code is being run in a sandbox, and as such, have the code lie dormant, escaping detection. Perhaps it will be a step forward, but it would seem a more practical approach that rather than creating more software to compensate for the 661 currently known vulnerabilities in Windows 10, Microsoft would work on patching the OS.

  3. That's cool and all by Anonymous Coward · · Score: 0

    But if your OS didn't require an antivirus in the first place you wouldn't have to spend that much time on pointless stuff like that.

    1. Re:That's cool and all by jellomizer · · Score: 4, Insightful

      Today's viruses are a lot like the ones of old.
      Newer OSes tend to use the App Store concept for most of your trusted applications; that reduces viruses. However, the realization is that real damage doesn't need to be at the root/system level, but on the user level, because your data is more important than the OS. Sure you may not be able to open up a low-numbered IP port, but your user account, even on Linux systems, is often good enough to cause a lot of damage.
      Linux and Mac systems are protected by the fact that they are not used enough by average joe, and most software you get from trusted locations.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:That's cool and all by Anonymous Coward · · Score: 0

      But if your OS didn't require an antivirus in the first place you wouldn't have to spend that much time on pointless stuff like that.

      The only OS that doesn't require an antivirus is an OS that nobody uses.

    3. Re: That's cool and all by Anonymous Coward · · Score: 0

      I've been using Linux and Apple products for 20 years with no anti virus.

      0 infections.

    4. Re: That's cool and all by Anonymous Coward · · Score: 0

      That's like saying you've been wanking for 20 years and picked up no STDs

  4. Probably not by Anonymous Coward · · Score: 0

    I'm guessing they're leveraging Hyper-V based app sandboxing that was never available in Windows 7. The app sandboxing itself was only added to Windows 10 a few builds ago.

    Honestly I'd just run VMWare Player with Qubes or something on top to do your shady web browsing on.

  5. Windows 10 is not bad by mrops · · Score: 0

    Moved to it about a year ago and hardly miss Win 7. Even come to like it.

    We have come a complete circle, everyone loved Win NT and stuck to it until USB came out and MS did not provide driver support for USB, soon people moved and now like Win 7.

    Sometime I feel people don't like to embrace change.

    1. Re:Windows 10 is not bad by Opportunist · · Score: 1

      People don't like to embrace change for the sake of change, because I still don't see any benefit in using Windows 10. What is my advantage? The apps I can't get rid of that clutter the inferior user interface, or the telemetry that still doesn't tell me just what information is sent to its master?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      While there are all the disadvantages in telemetry etc, there have been improvements in memory use and the scheduler in Windows.

    3. Re:Windows 10 is not bad by WaffleMonster · · Score: 1

      Sometime I feel people don't like to embrace change.

      Why should they? What's in it for them?

    4. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      Moved to it about a year ago and hardly miss Win 7. Even come to like it.

      Really? Because I think it looks like ass and has devolved into a bunch of desktop apps who think they all want to run full screen and look like a web page written by idiots. They've literally turned useful things into clunky apps which have given up the notion they're on a fucking windowing system and want to run full screen and can't be resized.

      Sometime I feel people don't like to embrace change.

      Again, really? Telemetry, Microsoft deciding they'll update your OS any time they like (can't tell you how often I hear people who in the middle of presenting their screen suddenly get updates and a restart), ads and other shit ... Windows 10 basically says "it's our computer, you're only borrowing it".

      I refuse to use Windows 10 on any machine I own not because I dislike change, but because for a consumer desktop, it's absolutely a shit OS unless you're willing to accept Microsoft doing whatever they want to it whenever they want.

    5. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      Hardly. Windows 10 crashes just as often or more. And then there's all the ridiculous combined patches that are failing and deleting files... ENJOY, MORONS!

    6. Re:Windows 10 is not bad by CastrTroy · · Score: 1

      Here's the thing, as far as I see it, they just seem like they are adding bloat without really changing the functionality that much. I just put Windows XP on an old machine with an SSD and that operating system just flies. I was just going back because of nostalgia, and don't plan to use it on a day to day basis. However, that computer is quite fast and a more modern operating system really wouldn't give it that much extra functionality. Also, the install footprint is much smaller.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    7. Re:Windows 10 is not bad by rogoshen1 · · Score: 1

      Well to call it a niche use case is an understatement; but windows 10 is the only OS that seems to offer hot plugging e-GPU's over tb3. (Though not sure if macOS allows this yet).

    8. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      "clutter the interface"? I've never seen the preinstalled apps because I don't go looking for them.

      The desktop has no fixed elements (the recycling bin icon can be disabled), so the clutter isn't there.

      Are you referring to the start menu? I scroll through the list once every 4 months at best. I just press the windows key and start typing. It finds the app that I'm looking for.

      Or are you referring to apps like Control Center?

      And if you're worried about telemetry, you really need to stop using any electronic device. i devices automatically send crash reports. Browsers automatically send typed URLs back to headquarters by default, software keyboards routinely analyze and send back new words etc. etc.

    9. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      First of all, you're thinking about Windows 8 or tablet mode, I've been running Windows 10 on practically all my machines and never use any Metro style apps... because I simply choose not to. Nobody is making you use Metro apps. Metro apps are designed to be simpler and less cluttered for the noobs. This is precisely why the Control Panel has two different styles now -- one for the average joe, and one for people like us.

      As for the Updates, your friends or their IT department are stupid. The last time I had a computer reboot in the middle of something I was doing was .... never. Worst case, there was a notification that I could dismiss. Also, take a look at the Windows Update setting and it literally asks you when you'd like to install updates. Plus, they've taken complaints like yours into consideration and now the update notification gives three options (update now, dismiss to handle later, and reschedule.) If your friend clicks "update now" while in the middle of the presentation, then yes, your friend can complain that an update occurred in the middle of a presentation... But then they're also fucking retarded.

      I also have the Pro version (i.e. for people like us) that allows you to disable Automatic updates. And many people already use the "Metered Connection" trick for the non-pro version to prevent most updates.

      You can absolutely refuse to use Windows 10 because of non-existent issues for most. That's your choice.

      But then don't have double standards, especially about the telemetry issue:
      - You can't even begin to disable automatic crash report telemetry on idevices that they never tell the average person is happening, so any iOS device is out. Android devices ask to send crash reports.
      - Most browsers (though you can disable this) autosend things you type in the URL bar to provide suggestions -- but they now know what you're typing and is most certainly considered telemetry.
      - Software keyboards also have the same telemetry as browsers -- they'll submit typed words to analyze common mistakes and such. Disable-able but not by default.

    10. Re:Windows 10 is not bad by bobby · · Score: 1

      Yup! I've got several machines still running XP. MS keeps releasing lots of updates. My feeling is: hopefully someday all the bugs will be found and patched. I know, dream on! But XP _has_ to be more mature, right?

      XP updating can be tricky. Sometimes it won't update if you wait too long; I suspect the updater / encryption mechanism gets changed at the MS servers. I've had to go to the MS update catalog, search for the updates, download and manually install them, then the automatic updates work again. Search for "posready".

      I used to use "autopatcher.net" for Win98SE. I visited there recently but didn't get a clear idea if they're doing XP.

      I'm on 10 a lot and fully grasp it, but it bugs me that they just rearrange things, change the UI, etc, and call it a "new" OS. My only real gripe is that I can not turn off automatic updating. That's a deal-breaker for any long-term computer use for me.

    11. Re:Windows 10 is not bad by nojayuk · · Score: 1

      The Windows XP filesystem doesn't support TRIM for SSDs to allow for wear levelling so it will tend to write specific sectors at fixed addresses repeatedly causing the SSD to wear out prematurely. WinXP has a maximum disc volume of 2TB and 32-bit XP has a maximum RAM utilisation of under 4GB. There are reasons other than problems with security to move away from XP.

      I've put Windows 7 on a couple of netbooks after adding SSDs to them. They have limited RAM (which I also maxed out) and low-power CPUs but they run quite well, leveraging the SSD's speed even though the HDD controller only supports SATA1. I tried putting Linux on them (Cinnamon and Xubuntu among others) but there was a problem with the GMA945 graphics drivers that meant they ran in emulated VGA mode, not a pretty sight. Win 7 just worked.

    12. Re:Windows 10 is not bad by CastrTroy · · Score: 1

      These are things that can be fixed without bloating the entire OS though. They could add TRIM support, allow disks over 2TB, and other features like TLS 1.2 without making the operating system that much bigger. It's a 32 bit OS, so you can't really get over 4GB of RAM without some big changes, but there's a lot of machines that don't need more than 4 GB of RAM. They're still selling computers with 4 GB of RAM as of this day.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    13. Re:Windows 10 is not bad by nojayuk · · Score: 1

      These are things that can be fixed without bloating the entire OS though.

      MS tried that, to make a MkII version of XP to fix a number of problems including user space control, security enhancements, improved networking etc. It was called Vista. What a dog.

      The real replacement for XP was "bloated" Win 7. Funny thing though, when folks tested Win 7 against XP, despite the claims of "bloat" they found that on similar/identical hardware Win 7 ran a little faster or about the same as Win XP, ditto for programs written for XP run under Win 7 but it had TRIM, it had usable user control and privilege elevation, 64-bit internals, better USB support, better everything really. Time moves on and patching and plastering over the cracks in old beloved code that is no longer fit for use gets to be a waste of time and resources.

    14. Re: Windows 10 is not bad by Anonymous Coward · · Score: 0

      It does.

    15. Re: Windows 10 is not bad by Anonymous Coward · · Score: 0

      Clueless windows user tries to give advice. News at 11.

    16. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      There is absolutely nothing that Windows 10 does or could ever do which would justify it being spyware, crippleware and adware.

    17. Re: Windows 10 is not bad by Anonymous Coward · · Score: 0

      The fact that you have to GO out of your way to make it a decent experience means it's trash to me.

      Also your list doesn't apply to Apple system. All of that can be turned off. I send no data to Apple.

    18. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      I have a Windows XP x64 system with 8GB of fully addressable RAM and software that issues TRIM commands, so there is no problem.

    19. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      Wrong. Windows 8.1 supports it just fine and it does it without spyware, crippleware limitations, advertisements and forced, poorly-coded, pre-alpha-test quality "updates" that break everything but allow you to help make Microsoft more money without being compensated like Windows 10.

    20. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      And if you're worried about telemetry, you really need to stop using any electronic device.

      Anybody who says something like that is a clueless newbie. You might try going to school or opening a book and learning about general computer operations, networking and security. Users can control their computers if they have the knowledge to do so. That's the whole point, moron.

      And yes, Windows 10 is a massive pile of shit that only a clueless, tech-noob would use.

    21. Re:Windows 10 is not bad by nojayuk · · Score: 1

      You may be the only person on the planet left with a working XP 64-bit system because for sure MS sold damn few of them. As for "software that issues TRIM commands" that sounds awfully like a third-party bodge since TRIM was never part of the XP file system for either 32-bit or 64-bit versions.

    22. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      Incorrect. Windows Vista and Windows 7 are MUCH more closely related than XP and Vista. Windows 7 IS Windows Vista SP3. Microsoft only changed the name to "7" to distance it from the botched Vista launch. Once Vista hit SP1, it was a really good (relative to Microsoft standards) OS.

    23. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      You may be the only person on the planet left with a working XP 64-bit system because for sure MS sold damn few of them.

      Doubtful and there is no way you can possibly know how many copies of Windows XP x64 were used, especially considering most were bulk licensed. Regardless, it has worked well for many years and has upgraded into at least four wholly different PCs in that time.

      As for "software that issues TRIM commands" that sounds awfully like a third-party bodge since TRIM was never part of the XP file system for either 32-bit or 64-bit versions.

      If you can't trust software from the very makers of the SSD, then I certainly wouldn't trust Microsoft.

    24. Re:Windows 10 is not bad by rogoshen1 · · Score: 1

      8.1 most decidedly does not support hotplugging egpu's. unplugging the video card => blue screen crash and a reboot needed.

      Which makes me sad, i'd vastly prefer 8.1 over 10 for the reasons you just enumerated.

    25. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      64-bit uses twice the RAM of 32-bit, so XP's 4GB limit is more like 8GB on everything else.

      2TB is a limit, yes. But other than techies, who needs even half this much? Techies find workarounds for such things, so who cares?

      The TLS 1.2 thing is pure arrogance by MS. No excuses, no defense. FUMS.

      One plus of running XP is it forces me to find better browsers than Chrome. Vivaldi and Pale Moon FTW.

      Finally, I recently had to work on a Win7 system that was chronically trying to update to Win10, even when I ran Never10. Following online threads I ran across some of the angriest techies I have ever seen -- people super pissed off because of...Microsoft. Very very glad the majority of my systems are not on 7 (and of course not on 8 or 10).

      Yes, my mileage is varying.

    26. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      And yet I do it every single day without issue. Either your computer is crap or you don't know what you are doing.

    27. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      Only an idiot blindly embraces change.

      I only embrace change when it's an improvement. Windows 10 is worse than all of its predecessors, so obviously I'll never accept it.

    28. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      Also, take a look at the Windows Update setting and it literally asks you when you'd like to install updates.

      Maybe you can help me to locate the "manual" or "never" setting because I couldn't find it. Also, where is the setting to disable and completely remove all traces of the bundled spyware?

      Oh and none of my Android devices or apps (including the software keyboard) send data unless I specifically command them to, but thanks for the irrelevant whataboutism.

    29. Re:Windows 10 is not bad by ayesnymous · · Score: 1

      If you like the OS rebooting while you're away from the computer, and losing all of your unsaved work, then sure.

    30. Re:Windows 10 is not bad by Anonymous Coward · · Score: 0

      A few hours after I made this post, I was asked to care for two children. It was an hour before bedtime, they had done all their homework, showered, etc. and it was fun time watching kids' shows on Netflix.

      Except we couldn't...because Windows 10 had decided to do an update...without anything showing on screen until I did a hard reboot. Then 15 minutes went by while the kids suffered in silence.

      Then came login, and of course I did not have the admin account/pw, so logged in as guest...that was not logged in to Netflix.

      A crap show, thanks to Microsoft's deliberate ugliness.

  6. And It Will Delete Files Willy-Nilly? by Anonymous Coward · · Score: 0

    SNAFU.

    Yours,
    Tim Cook

  7. It's funny, but... by surfdaddy · · Score: 1

    I always thought that a multi-user, multi-tasking operating system, by definition, was expected to isolate users and tasks in a way that they could not interfere with each other. That's what an OS does - provide isolation, virtualization, and security between processes so that the OS is stable, and any one badly behaved task can't interfere with either other tasks or the OS itself (subject to certain permissions).

    While I applaud Microsoft's announcement, it seems to me that the need to do this shows a fundamental weakness in their OS in the first place. It shouldn't be needed.

    1. Re:It's funny, but... by Anonymous Coward · · Score: 0

      You clearly are from some alternate dimension where such OSes/computers exist.

    2. Re:It's funny, but... by Misagon · · Score: 3, Insightful

      No, that's a misconception. Only very few operating systems actually isolate all their tasks fully according to the principle of least privilege.

      In most mainstream operating systems, sandboxing is not the default but has to be initiated by the parent process before the process starts, or even voluntarily by the process itself.
      Most sandboxing mechanisms were added as afterthoughts, so they do have some kind of quirk that either makes it hard to use or opens up a hole if you are not careful.

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    3. Re:It's funny, but... by Junta · · Score: 1

      The problem generally is that the granularity of the model is weak and around certain concrete things.

      Can process A access the memory of process B? No. Can user X open a file written privately by user Y? No.

      However, if process A and B both belong to user X, then they may not be able to read each other's memory, but they do have equivalent access to the filesystem, because that wasn't the granularity OSes had in mind.

      So now we have an assortment of various named facilities to go further. Mandatory Access Control, 'sandboxing', and others are important for establishing finer grained controls.

      For example, my photo viewer has no particular reason to open up my private gpg key, but the traditional user/process model is not adequate to model that.

      The problem is that the granularity gets tricky and convoluted, requiring a great deal of verbose pre-canned policy (selinux, apparmor) or a more manageable but less flexible set of permissions (typical of mobile app OS and web browsers). Getting both a flexible desktop *and* one adequately held to respectable security design has been a challenge.

      So Microsoft doing things along these lines is commendable and not so far out of line with modern desktop OS security.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  8. Best NATIVE AV: No slowdown & security issues by Anonymous Coward · · Score: 0

    See subject: Via APK Hosts File Engine 2.0++ 64-bit for Linux/BSD http://apk.it-mate.co.uk/APKHostsFileEngineForLinux.zip

    Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation.

    * ONLY 1 of its kind in GUI 4 Linux/BSD!

    (Better vs. Windows model in speed/efficiency/merge)

    APK

    P.S.=> Protects vs. script trackers/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware downloads/malcript/email malicious payloads... apk

  9. Security pros etc. QUOTED on hosts by Anonymous Coward · · Score: 0

    "classic Windows hosts trick to block the Coinhive or Crypto-Loot domains" - https://www.bleepingcomputer.com/news/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/ - BLEEPING COMPUTER

    ZD NET http://www.zdnet.com/article/how-to-use-a-hosts-file-to-improve-your-internet-experience/ "Hosts files really shine by letting you block ads, spyware sites, malware sites, & tracking sites"

    SANS ("A related approach to the DNS issue is to create a hosts file on each system that sends requests for spyware to some place else" hosts by myself & RAMU right @ START of "malware explosion" mid 2005 on) https://isc.sans.edu/forums/di...

    Aryeh Goretsky/ESET/NOD32: hosts = good security https://it.slashdot.org/comments.pl?sid=7442373&cid=49747129/

    Oliver Day (SYMANTEC/SECURITYFOCUS) http://www.securityfocus.com/columnists/491/

    Spybot S&D uses hosts.

    APK

    P.S.=> Malwarebytes' hpHosts hosts & RECOMMENDS my program forum.hosts-file.net/viewtopic.php?f=5&t=4290

  10. It's not really a Sandbox by rsilvergun · · Score: 2

    since it's going to have to leave its sandbox to scan your file system and it's going to have to have root or near root to do it. That's probably why they're the "first", because it's not a very good idea.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:It's not really a Sandbox by Anonymous Coward · · Score: 0

      Or... files can be fed through the sandbox instead of opening the sandbox to external access.

    2. Re:It's not really a Sandbox by beuges · · Score: 5, Informative

      You clearly don't understand how the sandbox concept works.

      The part outside the sandbox, which does have SYSTEM privileges, no longer examines the contents of the file for malware. It passes it to the part inside the sandbox, which scans the content for malware. If the malware triggers an error in the scanning engine, it cannot be exploited because the scanning engine is in a sandbox and is running with reduced privileges, compared to previously when there was no sandbox and the scanning engine ran as SYSTEM as well.

    3. Re:It's not really a Sandbox by Anonymous Coward · · Score: 0

      You clearly don't understand how the sandbox concept works.

      The part outside the sandbox, which does have SYSTEM privileges, no longer examines the contents of the file for malware. It passes it to the part inside the sandbox, which scans the content for malware. If the malware triggers an error in the scanning engine, it cannot be exploited because the scanning engine is in a sandbox and is running with reduced privileges, compared to previously when there was no sandbox and the scanning engine ran as SYSTEM as well.

      So, Microsoft finally discovered the principle of least privilege? Hey it only took them a few decades or so...

    4. Re:It's not really a Sandbox by CastrTroy · · Score: 1

      A sandbox in terms of computers just means that there are strict limitations on what it can do. It doesn't define what those restrictions are supposed to be. Making it run in a sandbox actually makes it better because it means that the virus scanner can read all the system files while actually not running as administrator/root and thereby not being able to write to the file or do other things it's not supposed to be doing. Running a virus scanner as root is actually a very bad idea. What you actually want to do is give it only very specific access to the things you need it to do.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:It's not really a Sandbox by thegarbz · · Score: 1

      since it's going to have to leave its sandbox to scan your file system and it's going to have to have root or near root to do it. That's probably why they're the "first", because it's not a very good idea.

      By your logic all sandboxes are not a very good idea. You're missing the key component here: the attack surface of the privileged code becomes smaller when all it does is fetch stuff and hand it off to a sandboxed environment.

    6. Re:It's not really a Sandbox by Anonymous Coward · · Score: 0

      So what happens when malware hijacks the sandboxed AV to start marking various system files as infected? Right, the outside SYSTEM privileges service will start "quarantining" the files. Yes, you've limited the damage from hijacking the whole system and encrypting it for ransomware, but you're still left with a DoS attack so long as system files can be marked as infected and the outside goes along with it. Of course this could be fixed with a sanity check where the digital signature was checked on a file and made by Microsoft, but clearly MS is too stupid for this because in the past people have had issues with Windows Defender failing just that.

      So, congratulations on them having yet another Windows Defender exploit that presumably finally convinces them to sandbox their shitty written AV software.

    7. Re:It's not really a Sandbox by Anonymous Coward · · Score: 0

      How do you trigger an error in the scanning engine? How bad of an engine would it have to be to fail at the simple act of reading a string of bytes?

    8. Re:It's not really a Sandbox by Anonymous Coward · · Score: 0

      Welcome to Slashdot, where even the trolls are dumb.

      For the malware to hijack the sandboxed malware it would need to have a sandbox escape which would then have it running as system and there is no need to do your stupid idea as you're system and can do far more interesting and useful things.

    9. Re:It's not really a Sandbox by Anonymous Coward · · Score: 0

      And yet somehow nobody else in the industry has at all. Since this is the first one.

    10. Re:It's not really a Sandbox by Anonymous Coward · · Score: 0

      Are you kidding? Reading a string of bytes is literally -- literally -- the only way anything gets automatically exploited (as opposed to socially engineered). It's the most dangerous possible operation.

    11. Re:It's not really a Sandbox by beuges · · Score: 2

      If your engine is only reading a string of bytes, it's not much of an engine. You're probably dealing with something naive that merely looks for known strings or byte sequences out of a dictionary.

      A modern anti-malware engine on the other hand, must do a lot more. Once it reads the string of bytes, it needs to examine it to determine what type of data this string of bytes represents. Then, once it knows what type of data it is dealing with, it needs to pass that string of bytes through some sort of parser or analyser to determine if the string of bytes represents a threat _for that data type_.

      There have been file format parser exploits in all sorts of applications on all sorts of platforms, so it's not unreasonable to expect that there may be bugs or exploits in the scanning engine itself.

      Isolating the engine to run in a sandbox ensures that if any such bug becomes exploitable in the engine, its ability to cause damage is contained to within the sandbox.
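An added example, written for this page rather than taken from Microsoft or from any poster, of the split beuges and thegarbz describe above, together with the broker-side check the DoS objection earlier in this thread asks for. The privileged broker is the only part that touches files; it hands bytes to an engine in a separate process and treats the engine's verdict as untrusted input. The paths, file contents, the `EICAR-TEST` signature and the known-good digest set are constructed stand-ins (the digest check stands in for verifying the vendor's Authenticode signature), and actual privilege dropping for the worker (AppContainer on Windows, namespaces or seccomp on Linux) is assumed rather than implemented.

```python
"""Broker/engine split for a file scanner (illustration, not Microsoft's code).

Only the broker, which keeps its privileges, touches the file system. It reads
file bytes and hands them over a pipe to an engine in a separate worker process.
The engine sees bytes only, never a path or a handle, so a parser bug in it
cannot be turned into file-system access, and a crash there kills the worker,
not the broker. The verdict coming back is untrusted: the broker will not
quarantine content matching a known-good digest (stand-in for a signature check).
"""
import hashlib
import multiprocessing as mp


def make_pe(body: bytes) -> bytes:
    """Constructed test data shaped like MZ header + e_lfanew + 'PE\\0\\0' + body."""
    return b"MZ\x90\x00" + b"\x00" * 56 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + body


# Constructed "file system" (path -> bytes). A real broker opens these itself.
FILES = {
    r"C:\Windows\System32\ntoskrnl.exe": make_pe(b"A" * 32),
    r"C:\Users\alice\Downloads\invoice.exe": make_pe(b"\x90" * 8 + b"EICAR-TEST"),
    # header whose e_lfanew points far outside the buffer
    r"C:\Users\alice\Downloads\weird.bin": b"MZ" + b"\x00" * 58 + b"\xff\xff\xff\xff",
}
# Digests of known-good system files; stands in for an Authenticode check.
KNOWN_GOOD_SHA256 = {hashlib.sha256(FILES[r"C:\Windows\System32\ntoskrnl.exe"]).hexdigest()}
SIGNATURES = [b"EICAR-TEST"]   # toy detection signature


def engine_scan(data: bytes) -> str:
    """Engine side: detect the type, then run the type-specific parser.
    The PE branch raises on a malformed header, standing in for the parser
    bugs discussed above (in a native engine this would be an out-of-bounds read)."""
    if data[:2] != b"MZ":
        return "clean"                          # nothing to parse for unknown types
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE header")       # simulated engine crash
    body = data[e_lfanew + 4:]
    return "infected" if any(sig in body for sig in SIGNATURES) else "clean"


def compromised_engine(data: bytes) -> str:
    """A hijacked engine that flags everything, to exercise the broker's policy."""
    return "infected"


def _worker(conn, engine) -> None:
    """Runs in the low-privilege process: receives bytes, sends back a verdict.
    An uncaught exception here ends this process only."""
    data = conn.recv_bytes()
    conn.send(engine(data))
    conn.close()


def broker_scan(data: bytes, engine=engine_scan, timeout: float = 5.0) -> str:
    """Privileged side: start a fresh engine process, feed it bytes, collect a verdict.
    Returns 'engine_failed' if the worker crashes or hangs; the broker keeps running."""
    parent, child = mp.Pipe()
    proc = mp.Process(target=_worker, args=(child, engine))
    proc.start()
    child.close()                               # only the worker holds this end now
    try:
        parent.send_bytes(data)
        verdict = parent.recv() if parent.poll(timeout) else "engine_failed"
    except (EOFError, BrokenPipeError):         # worker died before answering
        verdict = "engine_failed"
    finally:
        proc.join(timeout)
        if proc.is_alive():                     # hung engine: kill it, do not wait on it
            proc.kill()
            verdict = "engine_failed"
        parent.close()
    return verdict


def decide(data: bytes, verdict: str) -> str:
    """Broker policy on an untrusted verdict. A known-good file reported as
    infected is alerted on, never quarantined (the DoS raised above); an engine
    failure is flagged for review rather than silently treated as clean."""
    if verdict == "infected":
        return "alert_only" if hashlib.sha256(data).hexdigest() in KNOWN_GOOD_SHA256 else "quarantine"
    if verdict == "engine_failed":
        return "needs_review"
    return "allow"


if __name__ == "__main__":
    for path, blob in FILES.items():
        v = broker_scan(blob)
        print(f"{path}: verdict={v} action={decide(blob, v)}")
    sysfile = FILES[r"C:\Windows\System32\ntoskrnl.exe"]
    v = broker_scan(sysfile, engine=compromised_engine)
    print(f"compromised engine on system file: verdict={v} action={decide(sysfile, v)}")
```

Run as a script it scans the three constructed files and then shows a hijacked engine failing to get the "system file" quarantined. The point of the `decide` step is that containment alone does not settle the DoS objection: the broker has to apply its own policy to what the sandboxed side tells it.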

  11. Hosts efficacy recently vs. threats by Anonymous Coward · · Score: 0

    "It's working: Neville... it's working!" See subject & results from the past month https://it.slashdot.org/commen... https://it.slashdot.org/commen... & https://it.slashdot.org/commen... + https://it.slashdot.org/commen... + https://it.slashdot.org/commen... https://it.slashdot.org/commen... & https://search.slashdot.org/co... https://search.slashdot.org/co... that's only recently while I've been on Linux (few months now only) & 100's of times vs. MANY other botnets/malwares etc. in the past circa 2006-early 2018 while I was on Windows: CONCRETE VISIBLE UNDENIABLE REALITY (see those links as proof).

    P.S.=> ... & that's ONLY what /. reported on (there are FAR more)... apk

  12. but I thought.. by Anonymous Coward · · Score: 0

    I thought Avast had this for years... though that might have been marketing nonsense... I dunno...

    https://blog.avast.com/2012/11/16/what-is-the-avast-autosandbox-and-how-does-it-work/

  13. Even CHINA copied me (vs. DNS down/redirected) by Anonymous Coward · · Score: 0

    Who did it 1st: China or me? I did - dates are my proof https://theregister.co.uk/2017... w/ the FACT China rampantly STEALS U.S. Intellectual properties & military secrets https://it.slashdot.org/story/...

    * IMITATION truly IS the SINCEREST FORM of FLATTERY!!!

    (... & proves hosts work vs. DNS faults in tracking you via dns request logs (since you avoid it & resolve FASTER locally using hosts) + DNS being downed OR Kaminsky REDIRECT security flaw misdirected poisoned (or vs. DNSChanger))

    APK

    P.S.=> Let me tell you ALL 1 thing: It's NOT EASY being "World-Class" like me (lol - 100,000++ users prove it for me) - enjoy the fruits of my labors for FREE + going FASTER/SAFER/MORE RELIABLY online (w/ a bit more anonymity too via my program)... apk

  14. Now do this... by Anonymous Coward · · Score: 0

    With everything else. When everything is sandboxed, there's no need to fear anything.

    1. Re:Now do this... by Anonymous Coward · · Score: 0

      With everything else. When everything is sandboxed, there's no need to fear anything.

      That depends on what you allow the sandboxed code to do.
      If it's part of a botnet and it's able to connect to other machines or send spam, then it will happily perform its designed malicious intent from within that sandbox.

      Unless you're foolish enough to think that Microsoft wouldn't make those kinds of mistakes.

  15. Registered /.ers reviews #1/5 by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * For the Win32/64 model...

    APK

    P.S.=> Linux model's faster/more efficient/better MERGE feature too - More coming... apk

    1. Re:Registered /.ers reviews #1/5 by Anonymous Coward · · Score: 0

      Your software is just crap - written in crayon, fictional... I'm going to continue using the Host File Engine as a punchline to a joke by mmell February 17, 2017

      Your premise that hostfiles are a good way to deal with advertising and malvertising is fucking insane - by JazzLad April 20, 2016

      his hosts "program" is actually a broken batch file by xenotransplant August 10 2015

      his hosts tool is actually useful for those cases in which one does indeed want to be a laughingstock while consuming excessive amounts of alcohol by alexgieg September 25 2015

      I do use APK's host file in all my memes at home by OrangeTide December 01 2017

      I've never tried to belittle (APK's work), I've flat out said it's crap - by BronsCon (927697)

      I like your tinfoil hat by Karmashock September 09 2015

      that APK nut, I can't get him to stop talking about his piece of shit file by rogoshen1 Tuesday March 03, 2015

      I personally never would use a HOSTS file blocker produced from a retard called APK by 110010001000 October 27 2017

      APK

      P.S.=> When YOU do better than THAT by our /. registered peers, then talk (from behind your FAKE NAME for your FAKE LIE of a "so-called" WASTED life) - ok? apk

  16. Re:Best NATIVE AV: No slowdown & security issu by Anonymous Coward · · Score: 0

    The advice of skilled competent security pros everywhere is that security should be done in layers. You continuously reject that advice and advocate that all trust should be placed in a single blacklist (with all the disadvantages that come from their very nature). Then you act offended when you're not taken seriously. Let's just gloss over the constant spamming, shall we?

    An objective look at your behavior suggests that you could be mentally ill (out of contact with reality for reasons other than lack of access to facts). I recommend you visit a qualified therapist and ask for an evaluation. If this conflicts with your pride remember you can do this without telling the rest of us.

    If you need to accuse me of being someone I'm not, declare your "victory", pretend to be a victim of persecution, whatever you need to do, just get on with it. Believe me, I'll understand. And so will everyone else.

  17. Registered /.ers reviews #2/5 by Anonymous Coward · · Score: 0

    Apk has the answer for that - really... kill automatic updates by adding a hosts file entry setting updates.steam.com or whatever to 127.0.0.1. You have to find the right hostname for each software you want to block updates on by raymorris (2726007) on Friday July 06, 2018

    APK your posts on this and the hosts file posts, and more, have never been in error and/or bad advice by BlueStrat (756137) on Wednesday June 21, 2017

    I support APK's stand on the hosts file and can't see why it's not used more than it is. My hosts file is 144247 lines long (4,332 Kb) it & a firewall serves me very well - by Trax3001BBS (2368736)

    ABP is insufficient as a solid hosts file does everything APK reminds us about fast turtle September 17 2013

    You need APK's hosts file - by Teun (17872) on Wednesday August 06, 2014

    * For the Win32/64 model...

    APK

    P.S.=> Linux model's faster/more efficient + BETTER merge feature - More coming... apk

  18. I've always advocated layered security by Anonymous Coward · · Score: 0

    See subject: It even got me PAID for a security guide for Windows (not expected & nice) 1,000's used worldwide https://duckduckgo.com/?q="HOW+TO+SECURE+Windows+2000%2FXP"&t=vivaldi&ia=web

    * So your statement IS based on YOUR IGNORANCE there...

    APK

    P.S.=> I've also MANY times stated hosts files do not "cure all" (nothing does) - only that hosts do MORE for LESS vs. other "solutions" loaded w/ security issues (DNS/AV) & they speed you up (where those SLOW YOU DOWN) - natively in kernelmode as a filter for the IP stack itself (no filtering driver overhead needed as in AV/Firewalls & hosts work on hostnames (used most in malwares/botnets BY FAR) - many firewalls don't (like Windows native one)) - all for more SECURITY/SPEED/RELIABILITY (vs. DNS down or redirect poisoned OR TRACKING YOU) & even Anonymity (dns request log)... apk

  19. Registered /.ers reviews #3/5 by Anonymous Coward · · Score: 0

    Actually, APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience in this context. Of course, your phone has to be rooted, which isn't the case with Firefox + adblock." - by chihowa on Saturday May 16, 2015

    APK solution STILL relevant Thud457 June 11 2015

    In a footnote, I would like to note that I find your hosts file admirable - by vel-ex-tech (4337079) on Tuesday November 24, 2015

    APK's monolithic hosts file is looking pretty good at the moment - by Culture20 on Thursday November 17

    you're right about hosts files - by drinkypoo (153816) on Thursday May 26

    APK, I know people give you a lot of shit regarding hosts, but please don't ever stop - by nasredin (958927) on Friday June 12, 2015 @03:34PM

    * For the Win32/64 model...

    APK

    P.S.=> Linux model's faster/more efficient + BETTER merge feature - More coming... apk

  20. Registered /.ers reviews #4/5 by Anonymous Coward · · Score: 0

    APK is kinda right... I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works. - by bmo (77928) on Thursday October 15, 2015

    get around to 'installing' a hosts file list, not sure which one, likely the one from someonewhocares.org. If it works as well as what I used for a while about ten years ago, I'll be happy. And grateful to APK for the lesson and the reminder. - by kermidge (2221646) on Wednesday March 27

    I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster. - by gl4ss (559668) on Thursday November 17

    dammit MS, you proved APK right about something by lgw

    * For the Win32/64 model...

    APK

    P.S.=> Linux model's faster/more efficient + BETTER merge feature - More coming... apk

  21. Registered /.ers reviews #5/5 by Anonymous Coward · · Score: 0

    (APK) is still right a hosts file really does work. It even blocked a some of the video ads that were inserted into a stream OrangeTide February 10 2016

    the Host File Engine performs exactly as promised - by mmell (832646) on Thursday February 16, 2017

    I do use APK's host file on all my systems at home by OrangeTide December 01 2017

    I've never tried to belittle (APK's work), I've flat out said it's good - by BronsCon (927697) on Thursday February 11, 2016 @06:48PM (#51491263)

    (Toss on 100,000++ users worldwide too!)

    * For the Win32/64 model...

    APK

    P.S.=> Linux model's faster/more efficient + BETTER merge feature... apk

  22. Sorry - bad link (correcting now)... apk by Anonymous Coward · · Score: 0

    Search "HOW TO SECURE Windows 2000/XP" on search engine 4 security guides I did PCPitstop http://www.pcpitstop.com/news/... (January 2008) paid up quite unexpectedly for a contest they had which I did NOT even KNOW about).

    * That LAYERED SECURITY GUIDE (based on CIS Tool Guidance WHO even took FIXES from me for their product in security which is HIGHLY ESTEEMED no less) IS based purely on "layered/security"/"defense in depth"...

    APK

    P.S.=> Sorry about the bum link in the post I replied to now folks - it happens... apk

  23. TBAV under DOS anyone ? by Vapula · · Score: 1

    If I remember well, ThunderBird Anti virus under DOS also used to work in a sandbox...
    And its generic detection was quite good...

    Until some cracks in the sandbox were discovered and virus makers started to use them to infect the computer DURING THE SCAN...

    1. Re:TBAV under DOS anyone ? by Anonymous Coward · · Score: 0

      That's true, and it was a long time ago, in the 1990s. It was actually called Thunderbyte Antivirus. See https://en.wikipedia.org/wiki/ThunderByte_Antivirus

  24. It can't be that good by smooth+wombat · · Score: 1, Troll

    It never detects the Windows 10 virus.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  25. Re:creimer's asshole is my sandbox! Woooooooo!! by Anonymous Coward · · Score: 0

    I'm pounding the sand in creimer's ass!! Woooooooo!

    Fuck that cuck!!

    So you like a fat guy's nasty ass hole?

    I can't tell if that insults you or him. Both, maybe?

  26. Why not be the first to be secure instead? by WaffleMonster · · Score: 1, Insightful

    Just so I understand a process with global read access to every file on a system is now sandboxed because the people who wrote it are incapable of ensuring their AV parsers are not exploitable?

    Now we are to believe the supposed remedy to this is to rely on a sandboxing system orders of magnitude less defensible than the AV software itself?

    In the event of successful exploitation of AV but miraculously sandbox works as intended what prevents anything on your system including any inspected network data from being exfiltrated for exploitation by criminal enterprise?

    Microsoft created .NET and Checked C... surely it's not beyond their capabilities to design a parser that can't be exploited in the first place.

    1. Re: Why not be the first to be secure instead? by Anonymous Coward · · Score: 0

      Just so I understand a process with global read access to every file on a system is now sandboxed because the people who wrote it are incapable of ensuring their AV parsers are not exploitable?

      For reference, sudo, a root setuid binary on Linux, has a very complicated configuration syntax and a history of parser related vulnerabilities in both the configuration and user passed arguments.

    2. Re: Why not be the first to be secure instead? by Anonymous Coward · · Score: 0

      What?

  27. Done a year ago... not by Microsoft by Misagon · · Score: 1

    Sandboxing of Windows Defender was done over a year ago by a security researcher at Trail of Bits: Microsoft didn't sandbox Windows Defender, so I did.

    Did Microsoft copy his work?

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    1. Re:Done a year ago... not by Microsoft by Anonymous Coward · · Score: 0

      Not to mention that ClamAV has supported sandboxing on Linux for what, two decades now, and gets stronger with every release. This is more a story of how Windows has caught up to process separation in Linux to the point where their virus scanner is where process isolation was in Linux a few years ago.

  28. Probably a useful step to sandbox by Anonymous Coward · · Score: 0

    I have always used Defender back when it was Security Essentials. The sandboxing probably will take up more memory (RAM) but probably not much with today's RAM capacity. From what I read this will not be available in the Windows 7 version, because that is a more simplistic version which is also not being improved and a legacy application. Makes sense since Windows 7 for most is no more in about a year. Personally I think Windows 10 is very good for a Windows version and security has improved a lot. Yeah, it's not Windows 7, but then again you're living in the past with an OS not being improved and barely holding on to life. Time to move on and stop making excuses.

  29. For you by ArchieBunker · · Score: 1

    I'll stick with 7. I can say no to updates that randomly delete my data.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  30. It is SELinux for Windows 10 by what+about · · Score: 1, Interesting

    Basically the idea is to do what SELinux does: give a process the least permissions.

    It is useful, the only drawback I can think of is that everything gets so locked down that if anything goes wrong in the "security" mechanism you are basically locked out and cannot retrieve anything.

    1. Re:It is SELinux for Windows 10 by geek · · Score: 1

      SELinux is not a sandbox. How the hell did this get upvoted?

    2. Re:It is SELinux for Windows 10 by Anonymous Coward · · Score: 0

      SELinux is not a sandbox. How the hell did this get upvoted?

      Oh gosh, I don't know! Why are the increasingly conservative Slashdot audience also increasingly ignorant about the finer points of Mandatory Access Control technologies?

      It's a fucking mystery for the ages!

  31. c6gunner + other impersonators, please... apk by Anonymous Coward · · Score: 0

    c6gunner's name on this post as submitter yet signed "APK" https://linux.slashdot.org/com... & he ran from a fair challenge I put to him https://linux.slashdot.org/com... after insulting me.

    * QUESTION: Why are you harassing me & IMPERSONATING me TWISTING /.ers words when I'm on topic, YOU'RE NOT & this helps vs. this threat?

    (See subject: GROW UP!)

    APK

    P.S.=> I'd like an answer to that QUESTION above... apk

  32. Re:creimer's asshole is my sandbox! Woooooooo!! by Anonymous Coward · · Score: 0

    It's no insult. I'm a gay, a fatty chaser and love dirty buttholes. Wooooooo!

    Bend over and let me fuck your butt!!!

  33. Absolute bullshit! by Anonymous Coward · · Score: 0

    What a load of crap. I've been running antivirus products inside sandboxes for over 20 years. Nothing new at all. Typical of Microsoft to claim credit for something that's anything but new.