Windows Defender Sandbox

GunJohn said:

So, i guess the general consensus is this is not currently working? There is simply no functional Windows Defender Interface within the Windows Sandbox.

Click to expand...

OAT said:

You are better off using a VM if that is your concern during testing.
For now, it is just not available and you are right, there seems to be no documentation on that.
Sandbox itself, in the end, uses Windows' API on the host, so everything that goes on inside the Sandbox is still protected by the Defender instance running inside the host.

Click to expand...

OAT said:

You are better off using a VM if that is your concern during testing.
For now, it is just not available and you are right, there seems to be no documentation on that.
Sandbox itself, in the end, uses Windows' API on the host, so everything that goes on inside the Sandbox is still protected by the Defender instance running inside the host.

Click to expand...

cereberus said:

Firstly, this thread is using confusing terminology.

Windows Sandbox refers to running a Windows operating system in a virtualised environment where it is isolated from main OS to prevent cross infections.



Windows Defender Sandbox is really a slang term. Thisz is why people may think it no longer exists.

The correct name is Microsoft Defender Application Guard. This works at the application level sandboxing an application inside a virtualised environment.

View attachment 62074

It requires the type 1 hypervisor environment to be switched on.

The app is in effect sort of a (partial) copy running in a container and e.g. if office was being used and a document has malicious macros, the main installation of office os protected.

Microsoft Defender Application Guard

Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.

learn.microsoft.com

However, turning on the hypervisor by default can have performance issues with other 3rd party apps e.g. some android emulators fall over if MDAG is activated.

This feature is really aimed at the corporate enterprise market.

Click to expand...

windoc said:

Windows Defender Sandbox, referred to as WD Sandbox, is a feature Microsoft introduced to improve the security of its Windows Defender (now Microsoft Defender) antivirus service. This feature is designed to isolate antivirus processes from the rest of the system, ensuring that if the antivirus software is attacked or compromised, the rest of the system remains protected.



As for why it is off by default, it primarily relates to system resource usage and compatibility. Running WD Sandbox uses more system resources because it creates a separate, isolated environment for the Defender processes. If your system has limited resources (CPU, RAM), running WD Sandbox could potentially slow it down. Furthermore, the feature could potentially lead to compatibility issues with some systems or software.



Turning on WD Sandbox is generally safe and could provide enhanced security, especially on systems with ample resources. However, it is important to monitor your system performance after enabling it. If you notice your system slowing down or other issues arising, you may want to reconsider its use.



As to why Microsoft has not promoted or discussed the feature as much in recent years, there could be several reasons. It is possible that Microsoft has been focusing more on other features, services, or products. Additionally, since WD Sandbox is an advanced feature that can affect system performance, it may not be suitable for all users, especially those with less powerful systems or less technical knowledge.



As for the command you provided (setx /M MP_FORCE_USE_SANDBOX 1), it is a command-line instruction that you can use to enable WD Sandbox. The /M switch is used to apply the setting for the entire system, not just the current user. However, remember to open the command prompt as an administrator before running this command, or it will not work. Also, you may need to restart your computer for changes to take effect.



Ensure you understand the implications of any changes you make to your system's configuration. In this case, while the Sandbox can provide an extra layer of security, make sure your system has the resources to manage it, and watch for any possible negative impacts on performance or compatibility.

Click to expand...

Fabler2 said:

Turning it on via CMD admin seems to do nothing although shows success. This on the Canary channel, Process Explorer not showing MsMpEngCP.exe. Must be dead in the water?

View attachment 62794

Click to expand...

• There might be a bug or compatibility issue in the Canary build you're using.
• The sandbox feature might be disabled or not fully implemented in that build.
• Microsoft might have made changes to how the sandbox feature works, and the new implementation doesn't use the MsMpEngCP.exe process.

windoc said:

If you're not seeing MsMpEngCP.exe after enabling the sandbox, there could be several reasons:

• There might be a bug or compatibility issue in the Canary build you're using.
• The sandbox feature might be disabled or not fully implemented in that build.
• Microsoft might have made changes to how the sandbox feature works, and the new implementation doesn't use the MsMpEngCP.exe process.

I would recommend reaching out to Microsoft Support or using the Feedback Hub to report the issue and get more up-to-date assistance.

Click to expand...