Windows Defender Sandbox


So, I guess the general consensus is this is not currently working? There is simply no functional Windows Defender Interface within the Windows Sandbox.
 

So, I guess the general consensus is this is not currently working? There is simply no functional Windows Defender Interface within the Windows Sandbox.
Gee. I wish MS would say something about this. It's sooo important.
 

Nobody here in the forum seems to know either.
 

You are better off using a VM if that is your concern during testing.
For now, it is just not available and you are right, there seems to be no documentation on that.
Sandbox itself, in the end, uses Windows' API on the host, so everything that goes on inside the Sandbox is still protected by the Defender instance running inside the host.
 

You are better off using a VM if that is your concern during testing.
For now, it is just not available and you are right, there seems to be no documentation on that.
Sandbox itself, in the end, uses Windows' API on the host, so everything that goes on inside the Sandbox is still protected by the Defender instance running inside the host.
Thanks a lot.
 

You are better off using a VM if that is your concern during testing.
For now, it is just not available and you are right, there seems to be no documentation on that.
Sandbox itself, in the end, uses Windows' API on the host, so everything that goes on inside the Sandbox is still protected by the Defender instance running inside the host.
These days running sandbox I can't see what this brings to the table any more -- most modern computers -- even a few years old would be far better off running a full blown VM.

If you want to run Linux or Android without using a VM the WSL for Linux or Android on Windows in any case is a far better option than running a sandbox -- note that a lot of Linux programs that run with a Linux GUI will run on WSL without installing the "Native distro" too. The WSL has improved by loads recently too.

Cheers
jimbo
 

Firstly, this thread is using confusing terminology.

Windows Sandbox refers to running a Windows operating system in a virtualised environment where it is isolated from main OS to prevent cross infections.



Windows Defender Sandbox is really a slang term. This is why people may think it no longer exists.

The correct name is Microsoft Defender Application Guard. This works at the application level sandboxing an application inside a virtualised environment.


It requires the type 1 hypervisor environment to be switched on.

The app is in effect sort of a (partial) copy running in a container and e.g. if Office was being used and a document has malicious macros, the main installation of Office is protected.


However, turning on the hypervisor by default can have performance issues with other 3rd party apps e.g. some android emulators fall over if MDAG is activated.

This feature is really aimed at the corporate enterprise market.
 
Firstly, this thread is using confusing terminology.

Windows Sandbox refers to running a Windows operating system in a virtualised environment where it is isolated from main OS to prevent cross infections.



Windows Defender Sandbox is really a slang term. This is why people may think it no longer exists.

The correct name is Microsoft Defender Application Guard. This works at the application level sandboxing an application inside a virtualised environment.


It requires the type 1 hypervisor environment to be switched on.

The app is in effect sort of a (partial) copy running in a container and e.g. if Office was being used and a document has malicious macros, the main installation of Office is protected.


However, turning on the hypervisor by default can have performance issues with other 3rd party apps e.g. some android emulators fall over if MDAG is activated.

This feature is really aimed at the corporate enterprise market.
Good explanation. Thanks for the info.
 

Windows Defender Sandbox, referred to as WD Sandbox, is a feature Microsoft introduced to improve the security of its Windows Defender (now Microsoft Defender) antivirus service. This feature is designed to isolate antivirus processes from the rest of the system, ensuring that if the antivirus software is attacked or compromised, the rest of the system remains protected.



As for why it is off by default, it primarily relates to system resource usage and compatibility. Running WD Sandbox uses more system resources because it creates a separate, isolated environment for the Defender processes. If your system has limited resources (CPU, RAM), running WD Sandbox could potentially slow it down. Furthermore, the feature could potentially lead to compatibility issues with some systems or software.



Turning on WD Sandbox is generally safe and could provide enhanced security, especially on systems with ample resources. However, it is important to monitor your system performance after enabling it. If you notice your system slowing down or other issues arising, you may want to reconsider its use.



As to why Microsoft has not promoted or discussed the feature as much in recent years, there could be several reasons. It is possible that Microsoft has been focusing more on other features, services, or products. Additionally, since WD Sandbox is an advanced feature that can affect system performance, it may not be suitable for all users, especially those with less powerful systems or less technical knowledge.



As for the command you provided (setx /M MP_FORCE_USE_SANDBOX 1), it is a command-line instruction that you can use to enable WD Sandbox. The /M switch is used to apply the setting for the entire system, not just the current user. However, remember to open the command prompt as an administrator before running this command, or it will not work. Also, you may need to restart your computer for changes to take effect.



Ensure you understand the implications of any changes you make to your system's configuration. In this case, while the Sandbox can provide an extra layer of security, make sure your system has the resources to manage it, and watch for any possible negative impacts on performance or compatibility.
 

Windows Defender Sandbox, referred to as WD Sandbox, is a feature Microsoft introduced to improve the security of its Windows Defender (now Microsoft Defender) antivirus service. This feature is designed to isolate antivirus processes from the rest of the system, ensuring that if the antivirus software is attacked or compromised, the rest of the system remains protected.



As for why it is off by default, it primarily relates to system resource usage and compatibility. Running WD Sandbox uses more system resources because it creates a separate, isolated environment for the Defender processes. If your system has limited resources (CPU, RAM), running WD Sandbox could potentially slow it down. Furthermore, the feature could potentially lead to compatibility issues with some systems or software.



Turning on WD Sandbox is generally safe and could provide enhanced security, especially on systems with ample resources. However, it is important to monitor your system performance after enabling it. If you notice your system slowing down or other issues arising, you may want to reconsider its use.



As to why Microsoft has not promoted or discussed the feature as much in recent years, there could be several reasons. It is possible that Microsoft has been focusing more on other features, services, or products. Additionally, since WD Sandbox is an advanced feature that can affect system performance, it may not be suitable for all users, especially those with less powerful systems or less technical knowledge.



As for the command you provided (setx /M MP_FORCE_USE_SANDBOX 1), it is a command-line instruction that you can use to enable WD Sandbox. The /M switch is used to apply the setting for the entire system, not just the current user. However, remember to open the command prompt as an administrator before running this command, or it will not work. Also, you may need to restart your computer for changes to take effect.



Ensure you understand the implications of any changes you make to your system's configuration. In this case, while the Sandbox can provide an extra layer of security, make sure your system has the resources to manage it, and watch for any possible negative impacts on performance or compatibility.
Turning it on via CMD admin seems to do nothing although shows success. This on the Canary channel, Process Explorer not showing MsMpEngCP.exe. Must be dead in the water?

 

Turning it on via CMD admin seems to do nothing although shows success. This on the Canary channel, Process Explorer not showing MsMpEngCP.exe. Must be dead in the water?


If you're not seeing MsMpEngCP.exe after enabling the sandbox, there could be several reasons:

  • There might be a bug or compatibility issue in the Canary build you're using.
  • The sandbox feature might be disabled or not fully implemented in that build.
  • Microsoft might have made changes to how the sandbox feature works, and the new implementation doesn't use the MsMpEngCP.exe process.
I would recommend reaching out to Microsoft Support or using the Feedback Hub to report the issue and get more up-to-date assistance.
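
One way to check the state discussed in the posts above (the `setx /M MP_FORCE_USE_SANDBOX 1` setting and whether `MsMpEngCP.exe` is running) without Process Explorer. This is an added example, not code from any poster or from Microsoft; `Get-DefenderSandboxState` is a hypothetical helper name, and `WinDefend` / `MsMpEng` are the Defender antivirus service and engine process names.

```powershell
# Added example: reports whether the sandbox was requested and whether the
# content process named in the thread is actually running.
function Get-DefenderSandboxState {
    [CmdletBinding()]
    param(
        # Variable name as quoted in the thread's setx command.
        [string]$VariableName = 'MP_FORCE_USE_SANDBOX'
    )

    # setx /M writes to the machine scope, so read that scope explicitly.
    # The process scope only holds what this shell inherited when it started.
    $machineValue = [Environment]::GetEnvironmentVariable($VariableName, 'Machine')
    $processValue = [Environment]::GetEnvironmentVariable($VariableName, 'Process')

    # Defender antivirus service and its engine process.
    $service = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $engine  = @(Get-Process -Name 'MsMpEng' -ErrorAction SilentlyContinue)
    # Content process the thread looks for in Process Explorer.
    $content = @(Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue)

    $serviceRunning = ($null -ne $service) -and ($service.Status -eq 'Running')

    $assessment = if ($content.Count -gt 0) {
        'MsMpEngCP.exe is running.'
    }
    elseif (-not $serviceRunning) {
        'Defender service is not running, so no content process is expected.'
    }
    elseif ($machineValue -ne '1') {
        "$VariableName is not set to 1 at machine scope."
    }
    else {
        # Matches the situation reported in the thread: setx succeeded,
        # but no MsMpEngCP.exe is visible.
        'Variable is set but MsMpEngCP.exe is absent: restart pending, or this build does not start it.'
    }

    [pscustomobject]@{
        Variable              = $VariableName
        MachineValue          = $machineValue
        ValueInThisShell      = $processValue
        DefenderService       = if ($service) { $service.Status } else { 'NotFound' }
        EngineProcessIds      = $engine.Id
        ContentProcessIds     = $content.Id
        ContentProcessRunning = ($content.Count -gt 0)
        Assessment            = $assessment
    }
}

Get-DefenderSandboxState | Format-List
```

A `MachineValue` of `1` alongside an empty `ValueInThisShell` only means the shell was opened before `setx` ran; it does not by itself show that the machine was restarted.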
 

If you're not seeing MsMpEngCP.exe after enabling the sandbox, there could be several reasons:

  • There might be a bug or compatibility issue in the Canary build you're using.
  • The sandbox feature might be disabled or not fully implemented in that build.
  • Microsoft might have made changes to how the sandbox feature works, and the new implementation doesn't use the MsMpEngCP.exe process.
I would recommend reaching out to Microsoft Support or using the Feedback Hub to report the issue and get more up-to-date assistance.
Thanks for the recommendation but nah thanks. Just playing around with it. I don't use Application Guard either.
 

I'm back! I have decided to leave it off because MS must have their reasons and I won't contradict that. Besides, using Insider builds as I do, may affect it in some way so I'll just leave it alone. MS will turn it back on when it's necessary.
 

But MS doesn't say that. Are you sure? I'm not.
 

I tried to use it as I don't need a sandbox or machine very often. And it DOES NOT WORK WITH DEFENDER. Try using it and upload a virus. It doesn't pick it up. Simple. I'm forced to use Hyper-V instead.
 

Alright. Then I'll leave it off. Or keep it on? Off or on? Off/on? I started this thread way back when and it seems no one can say anything for sure because no one knows for sure. Not even MS. I'm so sorry I brought it up. Looking for answers that are not there.
 

I officially 🔐 this thread. That's it
 

I am opening this thread back up due to the fact that I have been using this feature and have not found any impact on my system whatsoever.
Would like to know anyway if someone from this forum has found or knows anything else on this topic.
 

Hi,
Well good, why don't you tell all how exactly you used it and what apps you used it with?

Personally I've not and never will use it because it's unnecessary.
I turn off most of the Defender stuff and use just the firewalls.
 
