Windows Defender Becomes First Antivirus To Run Inside a Sandbox (zdnet.com)
An anonymous reader writes: Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a "sandbox" is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS.
"We're in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation," Microsoft said in a celebratory blog post. Users who can't wait until Microsoft finishes testing the feature can also enable it right now. Support for Windows Defender running inside a sandbox environment has been silently added since Windows 10 version 1703. To enable it right now, Windows 10 users can follow these steps.
Some think it's coming.
https://www.pcrisk.com/interne...
The AV product has to open and test the file. This can be a way for malware to hijack the AV product itself. By running that test in a sandbox, the malware has another hurdle (escaping the sandbox) before it can do anything.
Well it will properly report if the Anti-virus program itself is indeed infected or not.
I guess it may be able to read the other files, but if you were to quarantine a file or fix one, you are leaving your sandbox for a lot of actions.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Then I guess we'll have to continue relying on third party AV software, since WinDef sucks on 7.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I always thought that a multi-user, multi-tasking operating system, by definition, was expected to isolate users and tasks in a way that they could not interfere with each other. That's what an OS does - provide isolation, virtualization, and security between processes so that the OS is stable, and any one badly behaved task can't interfere with either other tasks or the OS itself (subject to certain permissions).
While I applaud Microsoft's announcement, it seems to me that the need to do this shows a fundamental weakness in their OS in the first place. It shouldn't be needed.
People don't like to embrace change for the sake of change, because I still don't see any benefit in using Windows 10. What is my advantage? The apps I can't get rid of that clutter the inferior user interface, or the telemetry that still doesn't tell me just what information is sent to its master?
Today's viruses are a lot like the ones of old.
Newer OSes tend to use the App Store concept for most of your trusted applications, which reduces viruses. However, the realization is that real damage doesn't need to be at the root/system level, but on the user level, because your data is more important than the OS. Sure, you may not be able to open up a low-numbered IP port, but your user account, even on Linux systems, is often good enough to cause a lot of damage.
Linux and Mac systems are protected by the fact that they are not used enough by the average Joe, and most software you get from trusted locations.
since it's going to have to leave its sandbox to scan your file system and it's going to have to have root or near root to do it. That's probably why they're the "first", because it's not a very good idea.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Windows Defender is the political candidate of the anti-virus world. It's the worst, except for all the alternatives.
Although from your comment I think you're implying that there exists an Anti-virus solution which doesn't suck? Normally this kind of thing would be reserved for an April 1st kind of post, but we're actually only a couple of days from being the furthest possible time from April first. Are you aiming for the April Fools equivalent of Christmas in July?
You aren't supposed to use Windows Defender on Windows 7; it even pops up a warning telling you so if you try.
Windows 7 uses Microsoft Security Essentials which is waaaaaaaay better than Windows Defender anyway. Ranked higher also on its ability to thwart viruses and malware.
Anyone trying to use Defender in 7 deserves a virus because it proves they are illiterate and can't read the warning that says do not use Defender in 7.
Sometimes I feel people don't like to embrace change.
Why should they? What's in it for them?
If I remember well, ThunderBird Anti virus under DOS also used to work in a sandbox...
And its generic detection was quite good...
Until some cracks in the sandbox were discovered and virus makers started to use them to infect the computer DURING THE SCAN...
In theory you pass the file into the sandbox and receive a yes/no response from the AV scanner running within it...
This has worked well for many years with AV running on gateway devices - e.g. I have a Linux-based email and web filter which runs inbound files past an AV scanner in this way; the scanner itself is sandboxed and the file is fed over a socket connection.
Of course this only really works for file scanning; if you want to do things like scan memory and hijack existing processes (which most Windows-based AV does) then it still needs to run at least some parts of the process with an extremely high privilege level.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
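The broker/worker split described in the comments above (the AV opens the file and hands it to a confined scanner, which answers yes/no) is easy to prototype. The following is an added example, not code from the thread, from Microsoft or from any gateway product: a privileged broker reads the file and pipes only the bytes to a fresh worker process, which never receives a path or file handle. The detection signature, the "HDR" container format and the worker's deliberately brittle parser are constructed for the demo; a crafted input that crashes the parser takes down only the worker, and the broker reports a scan error instead of being compromised or crashing itself.

```python
import os
import struct
import subprocess
import sys
import tempfile

# Constructed stand-in for a detection signature (not a real malware pattern).
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"


def scan_bytes(data: bytes) -> str:
    """The scanner's parser and matcher. Deliberately brittle: a constructed 'HDR'
    container whose declared body length exceeds the bytes present raises, standing
    in for the kind of parser bug a crafted file can trigger in a real engine."""
    if data.startswith(b"HDR") and len(data) >= 7:
        (declared,) = struct.unpack("<I", data[3:7])
        body = data[7:]
        if declared > len(body):
            raise ValueError("declared length exceeds body")  # the 'parser bug'
        data = body[:declared]
    return "malicious" if SIGNATURE in data else "clean"


def scan_data(data: bytes, timeout: float = 10.0) -> str:
    """Broker side. Hands the bytes to a fresh worker process over stdin and reads
    the verdict from stdout. The worker gets no path and no file handle, so a
    compromised worker has nothing of the broker's to read. A worker that crashes,
    hangs or prints garbage yields 'scan-error' rather than taking the broker down."""
    try:
        proc = subprocess.run(
            [sys.executable, os.path.abspath(__file__), "--worker"],
            input=data, capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "scan-error"
    if proc.returncode != 0:
        return "scan-error"
    verdict = proc.stdout.strip().decode("ascii", "replace")
    return verdict if verdict in ("clean", "malicious") else "scan-error"


def scan_file(path: str) -> str:
    """Only the broker touches the filesystem; the worker sees bytes alone."""
    with open(path, "rb") as f:
        return scan_data(f.read())


def demo() -> dict:
    """Writes three constructed samples to a temp dir and scans each one."""
    samples = {
        "clean.txt": b"just some ordinary text",
        "bad.bin": b"prefix " + SIGNATURE + b" suffix",
        # Header claims a 1,000,000-byte body but only 5 bytes follow.
        "crafted.bin": b"HDR" + struct.pack("<I", 1_000_000) + b"short",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(content)
            results[name] = scan_file(path)
    return results


if __name__ == "__main__":
    if "--worker" in sys.argv:
        # Worker entry point: read bytes from stdin, print the verdict, exit.
        # An unhandled exception here ends only this process with a non-zero code.
        sys.stdout.write(scan_bytes(sys.stdin.buffer.read()))
        sys.exit(0)
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In a real deployment the worker is where the confinement goes (a restricted token or AppContainer on Windows, seccomp or a MAC profile on Linux); the example shows only the privilege split, which is what makes that confinement possible: the worker needs no filesystem, network or process rights to do its job.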
It never detects the Windows 10 virus.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Here's the thing, as far as I see it, they just seem like they are adding bloat without really changing the functionality that much. I just put Windows XP on an old machine with an SSD and that operating system just flies. I was just going back because of nostalgia, and don't plan to use it on a day to day basis. However, that computer is quite fast and a more modern operating system really wouldn't give it that much extra functionality. Also, the install footprint is much smaller.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Just so I understand: a process with global read access to every file on a system is now sandboxed because the people who wrote it are incapable of ensuring their AV parsers are not exploitable?
Now we are to believe the supposed remedy to this is to rely on a sandboxing system orders of magnitude less defensible than the AV software itself?
In the event of successful exploitation of the AV where, miraculously, the sandbox works as intended, what prevents anything on your system, including any inspected network data, from being exfiltrated for exploitation by criminal enterprise?
Microsoft created .NET and Checked C... surely it's not beyond their capabilities to design a parser that can't be exploited in the first place.
Sandboxing of Windows Defender was done over a year ago by a security researcher at Trail of Bits: Microsoft didn't sandbox Windows Defender, so I did.
Did Microsoft copy his work?
"We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
Well, to call it a niche use case is an understatement; but Windows 10 is the only OS that seems to offer hot plugging e-GPUs over TB3. (Though not sure if macOS allows this yet).
I'll stick with 7. I can say no to updates that randomly delete my data.
Only the State obtains its revenue by coercion. - Murray Rothbard
Thanks for that info. This computer, running Windows 7 "ultimate", seems to have Defender installed. I don't remember being given a choice, nor any warnings.
That said, I rarely run mainstream AV software - I can't stand what it does to the machine (bogs to a crawl). I don't visit virulent websites. I remove the HD and run complete scans with McAfee Stinger, Clam AV, and others from time to time and I've never had a virus that I was not aware of. A few false positives, and some AV software doesn't like Nirsoft and a few predictable others.
I DO run McAfee "Real Protect" and it's awesome. It did catch a few potential problems, so I know it works, and I think they have the right philosophy.
Yup! I've got several machines still running XP. MS keeps releasing lots of updates. My feeling is: hopefully someday all the bugs will be found and patched. I know, dream on! But XP _has_ to be more mature, right?
XP updating can be tricky. Sometimes it won't update if you wait too long - I suspect the updater / encryption mechanism gets changed at the MS servers. I've had to go to the MS update catalog, search for the updates, download and manually install them, then the automatic updates work again. Search for "posready".
I used to use "autopatcher.net" for Win98SE. I visited there recently but didn't get a clear idea if they're doing XP.
I'm on 10 a lot and fully grasp it, but it bugs me that they just rearrange things, change the UI, etc, and call it a "new" OS. My only real gripe is that I can not turn off automatic updating. That's a deal-breaker for any long-term computer use for me.
The Windows XP filesystem doesn't support TRIM for SSDs to allow for wear levelling so it will tend to write specific sectors at fixed addresses repeatedly causing the SSD to wear out prematurely. WinXP has a maximum disc volume of 2TB and 32-bit XP has a maximum RAM utilisation of under 4GB. There are reasons other than problems with security to move away from XP.
I've put Windows 7 on a couple of netbooks after adding SSDs to them. They have limited RAM (which I also maxed out) and low-power CPUs but they run quite well, leveraging the SSD's speed even though the HDD controller only supports SATA1. I tried putting Linux on them (Cinnamon and Xubuntu among others) but there was a problem with the GMA945 graphics drivers that meant they ran in emulated VGA mode, not a pretty sight. Win 7 just worked.
Basically the idea is to do what SELinux does: give a process the least permissions.
It is useful, the only drawback I can think of is that everything gets so locked down that if anything goes wrong in the "security" mechanism you are basically locked out and cannot retrieve anything.
The referenced ZDNet article is notably sparse on details. This seems more like Microsoft trying to spin the negative that Windows Defender has had several vulnerabilities that in the grand scheme may have weakened users' security more than enhanced it. Let's strip away some pieces of this, however: 1) a "sandbox" is like saying "firewall" - it's a broad concept. The fact that Microsoft and the press are heralding this "advancement" without any supporting detail is revealing in and of itself as to how quickly we run toward and are duped by jargon. 2) The notion of using a sandbox relates to code execution. So the scary part is that rather than preventing execution of suspect code, this sandboxing may in fact be enabling the execution, but in an isolated part of the system. This is akin to believing you can train velociraptors. 3) Sandboxes require virtualization and that means a drain on resources. Even the idea of using some sort of application container, while more efficient, will be resource intensive. Moreover, without fully mimicking the Windows 10 OS, there is just too much opportunity for malware writers to detect when their code is being run in a sandbox, and as such, have the code lie dormant, escaping detection. Perhaps it will be a step forward, but it would seem a more practical approach that, rather than creating more software to compensate for the 661 currently known vulnerabilities in Windows 10, Microsoft would work on patching the OS.
These are things that can be fixed without bloating the entire OS though. They could add TRIM support, allow disks over 2TB, and other features like TLS 1.2 without making the operating system that much bigger. It's a 32-bit OS, so you can't really get over 4GB of RAM without some big changes, but there are a lot of machines that don't need more than 4 GB of RAM. They're still selling computers with 4 GB of RAM as of this day.
These are things that can be fixed without bloating the entire OS though.
MS tried that, to make a MkII version of XP to fix a number of problems including user space control, security enhancements, improved networking etc. It was called Vista. What a dog.
The real replacement for XP was "bloated" Win 7. Funny thing though, when folks tested Win 7 against XP, despite the claims of "bloat" they found that on similar/identical hardware Win 7 ran a little faster or about the same as Win XP, ditto for programs written for XP run under Win 7 but it had TRIM, it had usable user control and privilege elevation, 64-bit internals, better USB support, better everything really. Time moves on and patching and plastering over the cracks in old beloved code that is no longer fit for use gets to be a waste of time and resources.
You may be the only person on the planet left with a working XP 64-bit system because for sure MS sold damn few of them. As for "software that issues TRIM commands" that sounds awfully like a third-party bodge since TRIM was never part of the XP file system for either 32-bit or 64-bit versions.
8.1 most decidedly does not support hotplugging eGPUs. Unplugging the video card => blue screen crash and a reboot needed.
Which makes me sad; I'd vastly prefer 8.1 over 10 for the reasons you just enumerated.
If you like the OS rebooting while you're away from the computer, and losing all of your unsaved work, then sure.