Windows Defender can now run in a sandbox providing you with better security and reliability. In fact, Windows Defender is the first antivirus to run in a sandboxed environment. Now, you might be thinking what's so special about Windows Defender running in a sandbox and how it helps you. That is a valid question.
Windows Defender Can Now Run In a Sandbox, But Why?
Being an antivirus, Windows Defender needs to run with the highest privileges to scan, detect, and remove any and all infections. Windows Defender has its own user account in Windows 10. A clever attacker could craft malware that compromises Windows Defender itself and uses it to infect the system. Because Windows Defender runs with the highest privileges, a successful compromise hands those privileges to the malware, so the attack surface is bigger and the consequences worse.
By running Windows Defender in a sandbox, even if Windows Defender itself is compromised or has an exploitable bug, the malware can't affect the rest of the system. It stays within the sandbox. The best part is that, according to Microsoft, the Windows Defender secure sandbox feature is implemented without any performance drop or loss.
As of writing this, this feature is still in its early stage and may contain bugs. You need to manually enable it to run Windows Defender in a sandbox. That being said, this feature will be automatically enabled with the future versions of Windows. You can enable Windows Defender sandbox mode from the command prompt. It is as easy as executing a single command. Make sure that you are running Windows 10 version 1703 (Creators Update) or higher for this to work.
Enable Windows Defender Sandbox Mode
1. Search for Command Prompt in the start menu and click on the option "Run as Administrator." You can also right-click on the Command Prompt result and select "Run as Administrator" option.
2. In the command prompt window, execute the below command. You will see a response "SUCCESS: Specified value was saved."
setx /M MP_FORCE_USE_SANDBOX 1
3. Restart Windows system to make the changes take effect.
That is all, you've successfully enabled Windows Defender sandbox in Windows 10.
Verify Windows Defender Sandbox Status
As the command prompt doesn't give any sensible message to let you know whether Windows Defender is running in a sandbox, we are going to use Process Explorer, a portable application from Microsoft. You can think of Process Explorer as Task Manager on steroids. You can also use the Task Manager.
Download Process Explorer and open it. Take a look at the process list: you should see MsMpEngCP.exe running alongside the MsMpEng.exe antimalware service process.
As I said before, the Windows Defender secure sandbox is a new feature that is still in testing. So, if your system is behaving oddly after enabling the secure sandbox, then you should probably disable it for the time being. To disable the Windows Defender sandbox, all you have to do is execute the below command and restart your system. As you can see, we just replaced the 1 in the above command with 0.
setx /M MP_FORCE_USE_SANDBOX 0
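The enable, verify and disable steps above as one PowerShell script, added here as an example and not taken from the original article. It assumes only the variable name and the process names given above, that setx /M stores its value under the machine-wide Environment registry key, and that Windows 10 version 1703 corresponds to build 15063; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): report, enable or disable the
# Windows Defender sandbox. Run elevated, e.g.:  .\DefenderSandbox.ps1 -Action Enable
param(
    [ValidateSet('Status', 'Enable', 'Disable')]
    [string]$Action = 'Status'
)

# "setx /M" writes machine-wide variables to this key (assumption stated in lead-in).
$EnvKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$VarName = 'MP_FORCE_USE_SANDBOX'
$MinBuild = 15063   # Windows 10 version 1703 (Creators Update), per the article's requirement

function Get-DefenderSandboxState {
    # Value as persisted by "setx /M" ($null if the variable was never set).
    $configured = (Get-ItemProperty -Path $EnvKey -Name $VarName -ErrorAction SilentlyContinue).$VarName
    # MsMpEngCP.exe is the sandboxed content process; it exists only while the feature is active.
    $cpRunning  = [bool](Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue)
    $engRunning = [bool](Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        OsBuild          = [Environment]::OSVersion.Version.Build
        BuildSupported   = [Environment]::OSVersion.Version.Build -ge $MinBuild
        ConfiguredValue  = $configured
        EngineRunning    = $engRunning
        SandboxProcess   = $cpRunning
        # Configured "1" but no MsMpEngCP.exe (or "0" with it still running) means a restart is still needed.
        RestartPending   = (($configured -eq '1') -ne $cpRunning)
    }
}

switch ($Action) {
    'Enable'  { [Environment]::SetEnvironmentVariable($VarName, '1', 'Machine'); Write-Host "Set $VarName=1; restart to apply." }
    'Disable' { [Environment]::SetEnvironmentVariable($VarName, '0', 'Machine'); Write-Host "Set $VarName=0; restart to apply." }
}

# Always finish with the current state so the change (or its absence) is visible.
Get-DefenderSandboxState | Format-List
```

SandboxProcess turning True after the restart is the same signal the article has you look for in Process Explorer.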
I've been running Windows Defender in a sandbox for a couple of days. My system is working fine.