In 2017, Google Project Zero vulnerability researcher Tavis Ormandy and colleagues Natalie Silvanovich and Mateusz Jurczyk have flagged many critical RCE vulnerabilities in the Microsoft Malware Protection Engine, which powers a number of Microsoft antimalware software, including Windows Defender. Like any other software, AV software can have vulnerabilities that can be found and exploited by attackers.
“More mitigation policies will be introduced in the future, alongside other techniques that aim to reduce even further the risk of compromise, such as multiple sandbox processes with random assignment, more aggressive recycling of sandbox processes without a predictable schedule, runtime analysis of the sandbox behavior, and others,” he concluded. The content processes take advantage of modern exploit mitigation techniques (DEP, ASLR, CFG), disable Win32K system calls and all extensibility points, and make sure that only signed and trusted code can be loaded.
Lastly, they made sure that disinfection happens with high privileges so that sandbox compromise doesn’t lead to malicious modifications of targeted binaries. To avoid problems of inter-process communication, they opted for low-privilege AppContainers, which allow fine-grained control on specifying what the sandbox process can do. They minimized the number of interactions between the sandbox and the privileged process, made it so that these interactions are only performed in moments where their cost would not be significant, and made the two processes able pass data/content between themselves safely by hosting them in memory-mapped files that are read-only at runtime. At the same time, we had to minimize the number of interactions between the two layers in order to avoid a substantial performance cost,” he noted. “The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. The developers had to layer the AV’s inspection capabilities into components that absolutely must run with full privileges and components that can be sandboxed. The feature is available to members of the Windows Insiders program and currently works only on Windows 10 version 1703 or later.Īdrian “Mady” Marinescu from the Windows Defender Engineering team explained that implementing the sandbox was a complex undertaking as a fine balance had to be struck between security, performance and functionality. Microsoft has made it possible for Windows Defender Antivirus to be run within a sandbox, a restrictive environment that separates the AV’s processes from those of the underlying Windows OS, thus limiting the actions of malware that can exploit the software’s flaws.
0 kommentar(er)
