The Windows Defender Antivirus Sandbox in Windows 10

Martin Brinkmann
Oct 29, 2018
Windows, Windows 10

Microsoft implemented new functionality in Windows Defender Antivirus for Windows 10 recently that makes the antivirus solution run in a sandbox on the system.

The feature, which is available in Windows 10 version 1703 and newer, needs to be enabled for the time being as it is not active by default currently.

Microsoft hopes that Windows Defender Antivirus' new restrictive process execution environment helps protect the application against attacks that are targeted directly at it. Antivirus solutions often need to run with high privileges to protect the entire system against malicious attacks; the need to run with high privileges make antivirus programs high profile targets, especially if they are used widely.

Microsoft stated that it is unaware of  targeted attacks "in-the-wild" against Windows Defender Antivirus but that security researchers identified ways to attack Windows Defender Antivirus successfully in the past.

A sandboxed environment adds another layer of protection to the antivirus solution. Malware that aims to exploit Windows Defender Antivirus successfully would have to exploit a vulnerability in the application itself and find a way to break out of the sandboxed environment that Microsoft created for the security software.

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.

Enable Windows Defender Antivirus sandboxing

windows defender antivirus sandbox

Sandboxing is not enabled by default at the time of writing. It is available, however, on all devices running Windows 10 version 1703 or higher.

Tip: if you are unsure about the Windows version run winver.exe on Start to display it.

Here is what you need to do to enable Windows Defender Antivirus sandboxing right now:

  1. Open the Start menu.
  2. Type powershell.exe to display PowerShell as one of the results.
  3. Right-click on the result and select "run as administrator" or hold down the Shift-key and the Ctrl-key before you select the result. Both options execute PowerShell with elevated rights.
  4. Confirm the UAC prompt that may be displayed.
  5. Run setx /M MP_FORCE_USE_SANDBOX 1.
  6. Restart Windows.

The command sets a new system variable that tells Windows to run Windows Defender Antivirus with sandbox functionality.

Verifying that the sandbox is running is simple: open the Windows Task Manager with a tap on Ctrl-Shift-Esc and make sure you display all details (click on more details if not), and look on the Details tab of the program.

Locate MsMpEngCP.exe there. If you see it, the sandbox is up and running. The process runs with low privileges and uses "all available mitigation policies" according to Microsoft.

You can use third-party programs like Process Explorer as well if you prefer those to verify that the sandbox is enabled.

Check out Microsoft's blog post on the Microsoft Secure blog for implementation details and challenges that Microsoft faced during research and development.

Now You: Which antivirus solution do you run?

The Windows Defender Antivirus Sandbox in Windows 10
Article Name
The Windows Defender Antivirus Sandbox in Windows 10
Microsoft implemented new functionality in Windows Defender Antivirus for Windows 10 recently that makes the antivirus solution run in a sandbox on the system.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. chesscanoe said on January 30, 2019 at 4:46 pm

    I like Windows Defender (Windows Security) a lot and have been using it for over 3 years except for a few tests of alternatives. Finally likes it as well.

  2. MR2 said on November 2, 2018 at 8:39 pm

    The nice Kaspersky Free.

  3. stefann said on October 30, 2018 at 1:02 am

    Microsoft and security should never be used in the same sentence…..

    1. Anonee said on October 30, 2018 at 10:30 am

      Yet you’ll still use MS products…

  4. John G. said on October 29, 2018 at 5:18 pm

    I think I’ve found it with regedit, however please confirm before post if possible:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]

  5. John G. said on October 29, 2018 at 5:10 pm

    By the way, any idea about how to enable this feature with regedit?
    Please MS let us to enable sandbox with more easy way! :(

  6. John G. said on October 29, 2018 at 5:04 pm

    I like Windows Defender. I have been using it since W10-1511 with no problem at all.

  7. Paulus said on October 29, 2018 at 5:03 pm

    Martin, I use Eset internet security version 12.
    Windows defender has always run happily together with before Eset antivirus and now Eset internet security version 12. But last week everything changed completely.

    I had to turn off the Windows Defender program (remove it from the startup list) last week this because there was given me a warning (Windows notification area / the Defender icon) that Windows defender was not working properly anymore, more specific the antivirus part.
    I could not find any solution provided on any website after trying a wide range of search hooks on all kind of different search engines like,,,,, etc etc.?
    Now I am thinking could this be because Microsoft added the sandbox that main number one security program does not want to work together with the Windows defender sandbox?
    Do you know or think (Martin or anybody else) that when I use the sandbox activation method from here above, the problems will go away or could it be something else?

    1. cas said on October 29, 2018 at 6:41 pm

      when you say running happily do you mean you have 2 real time security monitors working at the same time? thought that’s not supposed to happen. you can have wd running real time and nothing else doing the same, or something else running real time with wd doing background scans from time to time (but not running in real time)

      which brings up the sandbox thing. is it in use when wd is doing real time protection or can it be used when it does background scans only?

      1. Paul(us) said on October 29, 2018 at 10:19 pm

        Eset en Wd on real-time but no scans from Wd.
        About the Sandbox thing, when I read Martin his article the sandbox is standard not working and I have to put it to work. And I did not configure it to work yet.
        But I am confused because I can’t figure out or now even when the sandbox is supposed to be not working there is a possibility that the new sandbox function, is the reason that in the Windows notification area, without really mentioning of what is really wrong, there is giving an error sign that main windows defender is not configured correctly?
        Any thoughts about that?

      2. cas said on October 30, 2018 at 10:39 pm

        well, if you have eset on real time, then stop wd from doing realtime. only surprising thing is that that it didn’t disable wd’s realtime scan when you installed it, as that’s what should happen, or at least for most 3rd party av solutions. multiple realtime monitors working at the same time is a bad thing.

        as for the sandbox bit.. that wasn’t a question for how it’s working on your box, but rather a general question of how it’s meant to work… on any machine.

      3. Pau(us) said on October 31, 2018 at 1:00 pm

        Cas, Sandbox is the real thing for computers. It’s a security space which is totally separated from the rest of the computer (Let say the world).
        Hopefully, all computer operating systems will be standard equipped with it in the ferry near future.
        What your doing is making with the virtual machine program a fully working copy of your operating system and all your installed programs. Then you’re from then on working with this copy in a completely virtual world with is running in your P.C. his memory and thru/by your P.C. his processor. Nothing is written on your SDD/ Winchester/USB, etc.. Only when you want you can save lets say your data on your SSD/ Winchester/USB,etc..
        I really like VMware, some like Sandboxie. But there are more choices.

  8. Anders said on October 29, 2018 at 12:57 pm

    Avast or Comodo, trusting Microsoft with security or system stability has become a burden. AV solutions from MS have always been a system hog, especialy on Windows 10 where the notorious Windows Defender cannot even set exculsions and remember them. Malicious software removal tool by MS is also a 10/10 fail.

    Yeah, I would like to switch to Linux but those noobs don’t even have a decent AMD graphics support, SSD support etc.

    1. Kwasiarz said on October 30, 2018 at 10:56 am

      Anything but Avast.

    2. rickmv said on October 29, 2018 at 10:26 pm

      WOW! Linux Devs. noobs! And the hardware support ones, maybe even kernel Devs… Poor M$ Pro who knows how to install Windows… if only ever to see a single line from Linux hardware support drivers… not that he should even can read the comment lines…

    3. XCV said on October 29, 2018 at 2:13 pm

      WD does save the exceptions you make, I have like 5 of them for ages.

      The community of Linux apreciates that you don’t go there, nobody want’s a poor and un-thankful person there. The linux systems are made by the community and non-profit organizations, that charge you 0$ for using what they create and the little money they get is petitions or ads. you are lucky just for having linux systems. You called them Noobs, that means you are a pro, why don’t you create the drivers and solve the bugs then?

      a person who is migrating to linux does his homework by firstly searching about what hardware is compatible with linux before they buy it and assemble their own desktop computer. they have no fault that you are running hardware created for windows.

      don’t show up on linux world, we don’t want people like you, go chrome OS or something, we don’t want retarded people here.

      1. Anders said on October 29, 2018 at 6:15 pm

        XCV, ROFL, I’ve shown up in the Linux world many times before, on many distribs and comunity forums. No probs there. All have the same flaws, don’t get excited. Mint x64 Cinnamon, Manjaro KDE, Ubuntu burn my GPU on 70°C while on Windows it’s on 36°, idle. With or without propertiary drivers. Be aware that those distribs DO have their own drivers specific to my hardware. SSD TRIM function is supported but you have to manually set a task to even start it. I know how to do it and I’ve done it but majority of users do not even know what Terminal is or how to open it.

        I may not be a pro for your stable genius standards and I sincerely doubt you’re using Linux on a daily basis.

        This, ROFL: “They have no fault that you are running hardware created for Windows.”
        Which hardware was created for Linux? Do tell me, noob.

        Unfortunatelly for Linux community people like you exist and most would agree that your comment “don’t show up on linux world…we don’t want retarded people here.” was also for you. Hehe.

        P.S. Martin usually censors comments heavily, you must be a good friend since he approved it. Linux fanboys keeping together is so cute.

      2. stefann said on October 30, 2018 at 1:06 am

        I agree with You on this, Anders ! Spot on !

        I have tried tons of distributions of Linux and each works differently dependent on Your hardware. Sometimes good other times just lousy.

        The problem with the Linux community is that if You ask anything on their forums either You get a very good explanation of whatever You want to know, or they are just rude as …. !

      3. Terrasim said on October 29, 2018 at 3:19 pm

        Why do you have to attack someone and slander a person just because this person has a differnet opinion than you do ? Who gives you the right to speak for the entire Linux world ?

        If you fly of the handle because someone says “noobs” than this is simply your problem. I am sure the big majority of Linux can’t get excited about this and doesn’t give a sh……

      4. XCV said on October 29, 2018 at 7:40 pm

        Terrasim, he doesn’t has any different opinion, he just generalized the support on linux as not decent when people there just work and force themselves into talking and doing agreements so that companies at least provide some sort of support.

        Anders, there is indeed hardware that is more compatible or hardware designed to work in a specific way, because every system is different, drivers and other software may provide a “workaround” but the hardware will never run on perfect conditions. cases like those are for example gaming hardware… do you really think that GTX 1080TI will work at 100% on a linux system? it won’t.

        I remember there was a website a few years ago that would keep a list on the most compatible hardware with linux systems, basically pre-builds of computers.
        I am no longer using linux for the last 3 months, got a new desktop computer and it’s still on warranty, can’t touch it. but I was using a computer with a Radeon R7 and an i3 with no problems. Jumped around from Debian, Ubuntu, Solus, Mint, and other distros I can no longer remember. I was a full time user for 1 year of Solus OS, before that 3 years of Fedora, but I also had my mini pc with windows for when I needed MS office.

        it’s not that I am a linux fanboy, I just don’t stand people talking without knowing. also, “Ubuntu burn my GPU on 70°C while on Windows it’s on 36°, idle.” just proves how your GPU is tweaked to work on windows. Do you really think companies just make the GPU’s and CPU’s like just add more power and ram and it’s done? the hardware itself is tweaked to work on a specific “environment”, on a specific way, it’s like having a car, you can have 2 same models, one may be weaker than the other, but just because you swap the engines doesn’t mean the weaker model will run as fast as the other from where the engine came from.
        they are all engines right? they are all made the same way right, like all have pistons, all have 2 fuel admission valves and 1 exhaust valve, etc… than what changes is the details… one may have more pistons, one may have more compression, one may have bigger exhaust valve, etc… same works for electrical hardware.

        So just get a compatible hardware, search the internet I bet there are many websites with that information.
        here, made you breakfast:
        now go find yourself lunch and dinner.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.