Last week Microsoft announced that users can enable a feature that adds Windows Defender to a sandbox, which protects the computer from vulnerabilities found in Defender. A bug was discovered, though, that may cause you to think that this sandbox feature is enabled, when it really isn't.
To enable the sandbox feature a user needs to create a system environment variable named MP_FORCE_USE_SANDBOX and set it to 1. They then need to restart Windows to activate it.
ISC Handler Didier Stevens has discovered a bug in this process that causes the Windows Defender sandbox to not activate if you shutdown the computer, rather than restarting it.
"I encountered an issue to activate the sandbox: after creating the system environment variable, I shutdown my machine and then powered it on," stated Stevens in a handler diary. "This did not enable the sandbox. I had to perform a restart (Start Menu / Power / Restart) for the sandbox to be activated. The same thing happened when I tried to deactivate the sandbox: make sure you perform a restart (literally). This issue was reported to Microsoft, and should be fixed in an upcoming release."
When Didier reported it to Microsoft via Twitter, they responded that the team has fixed the bug and the fix will be released in a future engine update.
Thanks for flagging this. I spoke with the team and they have fixed this for a future engine update.— Matt Miller (@epakskape) October 31, 2018
In conversations with BleepingComputer, Didier explained that this bug requires a restart every time you make a change to the MP_FORCE_USE_SANDBOX variable and not just when enabling it.
"Correct, but this happens only when variable MP_FORCE_USE_SANDBOX is created, changed or removed. On one of my laptops, whenever I make a setting change via variable MP_FORCE_USE_SANDBOX, I have to make sure to do a restart of the laptop and not a shutdown/power-on. First I did a shutdown and then press the power button to start again, and that does not work. The sandbox was not activated. Once the sandbox is activated, it stays activated: I can shutdown the computer and power it up again, and it remains activated."
For those who want to make sure the sandbox is running, you can download Process Explorer and look for the MsMpEng.exe process. Under this process, should be a subprocess called MsMpEngCP.exe as shown below.
If the MsMpEngCP.exe process is present, then Windows Defender is running in sandboxed mode. If not, and the environment variable has been created, restart your computer and it should now be present.