Microsoft is testing a security improvement to its built-in anti-malware utility for Windows 10, Defender, which will see the program run isolated from the rest of the operating system.
Traditionally, anti-malware programs need to run at high privileges to reach and scan all parts of a computer and its operating system for malicious code.
This full system access position, however, often means anti-malware programs themselves become targets for attack, Mady Marinescu and Erica Avena of the Windows Defender engineering team said.
"Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’s content parsers that could enable arbitrary code execution," the pair said.
Sandboxing is a technique that protects other parts of the computer system in the event of a program being compromised.
While sandboxing has been desirable for high-value targets such as Windows Defender, implementing it was an engineering challenge for Microsoft, as process isolation had the potential to cause performance degradation.
Microsoft says it achieved the sandboxing by layering inspection processes for the antivirus into ones that absolutely have to run with full system privileges and others which can be isolated, with minimal amounts of interaction between these in order
The effort was lauded by Google Project Zero security researcher Tavis Ormandy, who on social media said it was "amazing" and "game changing".
Ormandy has in the past discovered vulnerabilities in Windows Defender, including one bug last year that allowed for remote execution of arbitrary code via the anti-malware program's x86 emulation layer.
Participants in Microsoft's Windows Insider early adopter program will be the first to trial sandboxing for the anti-malware tool.
Users on Windows 10, version 1703 or later can also enable the sandboxing themselves with the command setx /M MP_FORCE_USE_SANDBOX 1, which takes effect after their computers are restarted.
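An added example, not part of the article or Microsoft's own tooling, showing how an administrator would apply that setting from an elevated PowerShell prompt and check that it is in place; the content process name MsMpEngCP is taken from Microsoft's announcement of the feature rather than from this article and may differ between Defender builds:

```powershell
# Enable Defender's sandboxed content process via the documented environment
# variable, then verify the setting and (after a reboot) the sandbox process.
# Run from an elevated PowerShell prompt on Windows 10 version 1703 or later.

$varName = 'MP_FORCE_USE_SANDBOX'
# Name of the isolated content process from Microsoft's announcement of the
# feature; it is not on this page and may change between Defender builds.
$contentProcess = 'MsMpEngCP'

function Enable-DefenderSandbox {
    # setx /M writes the variable to the machine-level environment (HKLM), which
    # is where the Defender service reads it; the change applies after a reboot.
    & setx.exe /M $varName 1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setx failed with exit code $LASTEXITCODE" }
}

function Test-DefenderSandboxSetting {
    # Read the machine-level value from the registry rather than the current
    # session: setx does not update the environment of already-running processes.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $value = (Get-ItemProperty -Path $key -Name $varName -ErrorAction SilentlyContinue).$varName
    return ($value -eq '1')
}

function Test-DefenderSandboxRunning {
    # After the reboot the content process should be running beside MsMpEng.exe.
    return [bool](Get-Process -Name $contentProcess -ErrorAction SilentlyContinue)
}

if (-not (Test-DefenderSandboxSetting)) {
    Enable-DefenderSandbox
    Write-Host "$varName set; reboot to start the sandboxed content process."
} elseif (Test-DefenderSandboxRunning) {
    Write-Host "$contentProcess.exe is running: Defender content parsing is sandboxed."
} else {
    Write-Host "$varName is set but $contentProcess.exe is not running; reboot if you have not yet."
}
```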