Network-assessment

Windows Defender has been around in some form or another since January 2005. In 2004, Microsoft bought GIANT AntiSpyware, an application which prevents spyware infections. Spyware is a type of malware which spies on you and allows cyber attackers to see what you’re doing on your computer and to view all the files on your hard drive.

In 2005, the application was called Microsoft AntiSpyware. By February 2006, Microsoft renamed it Windows Defender and gave it a new look. They also made it free for people with properly licensed versions of Windows 2000, Windows XP, and Windows Server 2003. The first version that was called Windows Defender was a beta version, which means it was an experimental version for testing how well it worked and seeing how it could be improved for a completed “stable” version. The first “stable” version of the renamed Windows Defender was released in October 2006.

By the time Microsoft released Windows Vista and Windows 7, Windows Defender came pre-installed. But if users downloaded and installed Microsoft Security Essentials, Microsoft's full antivirus product, it would replace Windows Defender. Back then, Windows Defender only prevented spyware, whereas Microsoft Security Essentials was designed to prevent all types of malware, spyware included.

Microsoft Security Essentials was not offered for Windows 8. The version of Windows Defender that came with Windows 8 was designed to stop all types of malware, making Microsoft Security Essentials redundant. But if a user installs their own third-party antivirus software, Windows Defender will turn itself off. Running two active antivirus shields at the same time won't work because they will probably conflict, each treating the other's activity as suspicious.

When Windows Defender was included in Windows 10, it became two different applications—Windows Defender Antivirus and Windows Defender Security Center. Windows Defender Security Center monitors your antivirus software, whether it’s Windows Defender Antivirus or a third-party alternative. Hopefully, you have a legitimate antivirus application of some sort. If not, Windows Defender Security Center will warn you to install one.

Windows Defender Security Center also contains Windows Firewall, which monitors your network ports and flags open ones that serve no purpose. Cyber attackers can attack your Windows machine through an open, unmonitored port. Windows Defender Security Center also monitors Windows Update, the application Microsoft uses to update your Windows operating system, since it needs to guarantee that updates are coming from Microsoft and not from a hacker!

What is sandboxing?

Windows Defender Antivirus in Windows 10 now has sandboxing, which contains malware so it can’t infect the rest of your computer. Picture how a real-life sandbox keeps the sand inside so it doesn’t leak onto the lawn. A real-life sandbox contains sand most of the time, just as long as the children aren’t purposefully flinging it in all directions. Similarly, an antivirus sandbox will prevent malware from infecting the rest of your Windows PC unless the cyber attacker who designed the malware is extra clever and finds another way in.
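The Security Center and sandbox descriptions above can be checked from the machine itself. The following is an added example, not code from the original article or from Microsoft; it assumes Windows 10 with the Defender PowerShell module and an elevated prompt, and it relies on two identifiers from Microsoft's sandbox announcement rather than from this page: the machine-wide opt-in variable MP_FORCE_USE_SANDBOX and the sandboxed content-process name MsMpEngCP.exe.

```powershell
# Added example (not from the original article): read-only report of the
# Defender state the article describes. Assumes Windows 10 1809 or later,
# the Defender PowerShell module, and an elevated prompt.
# MP_FORCE_USE_SANDBOX and MsMpEngCP.exe come from Microsoft's announcement
# of the sandbox feature, not from this page.

function Get-DefenderSandboxReport {
    $status = Get-MpComputerStatus

    # Is Defender AV the active real-time engine, or has a third-party
    # product taken over (in which case Defender turns itself off)?
    $avActive = $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled

    # Machine-wide opt-in switch for the sandbox ('1' = enabled).
    $optIn = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    # With the sandbox active, the content parsers run in MsMpEngCP.exe
    # next to the main engine process MsMpEng.exe.
    $sandboxProc = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    # Firewall profiles, as surfaced in Windows Defender Security Center.
    $firewall = Get-NetFirewallProfile | Select-Object Name, Enabled

    [PSCustomObject]@{
        DefenderActive          = [bool]$avActive
        EngineVersion           = $status.AMEngineVersion
        SandboxOptIn            = ($optIn -eq '1')
        SandboxProcessRunning   = [bool]$sandboxProc
        FirewallProfilesEnabled = ($firewall | Where-Object Enabled).Name -join ', '
    }
}

Get-DefenderSandboxReport | Format-List
```

SandboxOptIn true with SandboxProcessRunning false usually means the variable was set but the machine has not been restarted since, so the engine has not yet been relaunched in sandboxed form.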

What does Microsoft say?

Here’s what Microsoft wrote about Windows Defender Antivirus’ new sandboxing feature:

“Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’s content parsers that could enable arbitrary code execution. While we haven’t seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously. We immediately fixed potential problems and ramped up our own research and testing to uncover and resolve other possible issues.”

They went on to say, “At the same time, we continued hardening Windows 10 in general against attacks. Hardware-based isolation, network protection, controlled folder access, exploit protection, and other technologies reduce the attack surface and increase attacker costs. Notably, escalation of privilege from a sandbox is so much more difficult on the latest versions of Windows 10. Furthermore, the integration of Windows Defender Antivirus and other Windows security technologies into Windows Defender ATP’s unified endpoint security platform allows signal-sharing and orchestration of threat detection and remediation across components.”

In conclusion, they stated, “Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of Microsoft’s continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection. It’s more important than ever to elevate security across the board, so this new enhancement in Windows Defender Antivirus couldn’t come at a better time.”

What does that mean?

Let’s break that down in plain English.

Arbitrary code execution in Windows Defender Antivirus means that a cyber attacker can run their own harmful code on your computer by exploiting flaws in Windows Defender Antivirus itself. All applications have bugs, and a bug that a hacker can exploit is called a security vulnerability. Software developers try to make their applications as bug-free as possible, and bugs are often fixed with software updates.

Hardware-based isolation is another way to keep malware from infecting your PC, but it's a bit different from sandboxing. In short, it uses features of your CPU, memory, and possibly other hardware components to isolate malware from the rest of your operating system. Your attack surface is everything in your computer's hardware, software, and network that cyber attackers can reach in order to harm you.

Escalation of privilege (or privilege escalation) lets an application or a user account do more to your computer than was originally intended. For example, your account or your application needs to be an administrator in order to uninstall applications. In privilege escalation, an application or an account is not allowed to perform administrative actions at first, but then finds a way to make itself an administrator. If the application is malware, cyber attackers will try to escalate their privileges so they can do more harm to your computer.

Microsoft is suggesting Windows Defender Antivirus can handle all of that—and sandboxing too. No antivirus software is perfect! But sandboxing should make Windows Defender Antivirus more effective at limiting the damage from cyber attacks. And that's great news for everyone.


Network-assessment

Worked in a variety of IT roles until cybersecurity captured her intrigue after resolving a multitude of different malware problems for clients. Concurrently with computer technology, she enjoys creative writing and even won a few writing contests as a child. Over the years, these interests have segued into a successful blogging career. She enjoys reading novels and biographies, console gaming, lurking in web forums, alternative fashion and listening to jazz, funk, and goth music.
