Windows Defender Sandbox

Last week Microsoft announced that users can enable a feature that adds Windows Defender to a sandbox, which protects the computer from vulnerabilities found in Defender. A bug was discovered, though, that may cause you to think that this sandbox feature is enabled, when it really isn't.

To enable the sandbox feature a user needs to create a system environment variable named MP_FORCE_USE_SANDBOX and set it to 1. They then need to restart Windows to activate it.

ISC Handler Didier Stevens has discovered a bug in this process that causes the Windows Defender sandbox not to activate if you shut down the computer and power it back on, rather than restarting it.

"I encountered an issue to activate the sandbox: after creating the system environment variable, I shut down my machine and then powered it on," stated Stevens in a handler diary. "This did not enable the sandbox. I had to perform a restart (Start Menu / Power / Restart) for the sandbox to be activated. The same thing happened when I tried to deactivate the sandbox: make sure you perform a restart (literally). This issue was reported to Microsoft, and should be fixed in an upcoming release."

When Didier reported it to Microsoft via Twitter, they responded that the team has fixed the bug and the fix will be released in a future engine update.

In conversations with BleepingComputer, Didier explained that this bug requires a restart every time you make a change to the MP_FORCE_USE_SANDBOX variable and not just when enabling it.

"Correct, but this happens only when variable MP_FORCE_USE_SANDBOX is created, changed or removed. On one of my laptops, whenever I make a setting change via variable MP_FORCE_USE_SANDBOX, I have to make sure to do a restart of the laptop and not a shutdown/power-on. First I did a shutdown and then pressed the power button to start again, and that does not work. The sandbox was not activated. Once the sandbox is activated, it stays activated: I can shut down the computer and power it up again, and it remains activated."

For those who want to make sure the sandbox is running, you can download Process Explorer and look for the MsMpEng.exe process. Under this process there should be a child process called MsMpEngCP.exe, as shown below.

MsMpEngCP.exe Process

If the MsMpEngCP.exe process is present, then Windows Defender is running in sandboxed mode. If not, and the environment variable has been created, restart your computer and it should now be present.
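The same check can be scripted instead of done by hand in Process Explorer. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes only the variable name and the two process names given above, and it reports the "variable set but sandbox not yet active" state that the shutdown bug produces.

```powershell
# Added example: verify whether the Windows Defender sandbox is actually active.
# Run from an ordinary PowerShell prompt on the machine being checked.
$varName = 'MP_FORCE_USE_SANDBOX'

# 1. The variable must exist at the system (Machine) scope and be set to 1.
#    A user-scope variable of the same name does not enable the sandbox.
$machineValue = [Environment]::GetEnvironmentVariable($varName, 'Machine')
$varEnabled   = ($machineValue -eq '1')

# 2. The sandboxed content process (MsMpEngCP.exe) must be running, and its
#    parent must be the Defender engine process (MsMpEng.exe).
$engine  = Get-CimInstance Win32_Process -Filter "Name = 'MsMpEng.exe'"
$content = Get-CimInstance Win32_Process -Filter "Name = 'MsMpEngCP.exe'"
$sandboxActive = $false
foreach ($cp in $content) {
    # @() forces an array so -contains works with zero, one or several engines.
    if (@($engine.ProcessId) -contains $cp.ParentProcessId) { $sandboxActive = $true }
}

# 3. Report the state, distinguishing "enabled on paper" from "running".
if ($sandboxActive) {
    'Defender sandbox is ACTIVE: MsMpEngCP.exe is running as a child of MsMpEng.exe.'
} elseif ($varEnabled) {
    "$varName=1 is set at Machine scope, but MsMpEngCP.exe is not running."
    'Perform a full restart (Start Menu / Power / Restart), not a shutdown and power-on.'
} else {
    "Defender sandbox is NOT enabled: $varName is not set to 1 at Machine scope."
}
```

The second branch is the one the bug produces: the variable is in place, but until a real restart the engine is still running unsandboxed.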
