[German]Microsoft Defender is in use at many companies. I read the other day that Microsoft Defender can now be used to isolate unmanaged Windows devices that have been hacked. Further, I got a report from a user about issues with Defender cauing issues like Word no longer starts. I summarize the two topics in this collective post.
Advertising
Microsoft Defender device isolation
Once a device is infected, an attacker or malware can spread to other devices over a network. Microsoft has therefore added a new device isolation feature to its Microsoft Defender for Endpoint. I became aware of the issue via the following tweet and this article by colleagues at Bleeping Computer.
Microsoft describes the new feature in thesection Contain devices from the network of this document as follows.
If an unmanaged device that is compromised or potentially compromised is identified, that device can be excluded from the network. If you restrict a device, any device integrated with Microsoft Defender for Endpoint blocks inbound and outbound communication with that device. This action can prevent neighboring devices from being compromised while Security Operations Analyst locates, identifies and remediates the threat on the compromised device.
Blocking inbound and outbound communications with a "trapped" (blocked) device is supported by Microsoft Defender for Endpoint in Windows 10 and Windows Server version 2019 and later. It is managed in the Microsoft 365 Defender portal via the Device Inventory page.
Defender sandbox mode is causing issues
Since fall 2018, Windows Defender, which is included in Windows 10, has supported an additional security feature. The antivirus solution can run in a protected sandbox environment starting with Windows 10 V1703. Now it looks like this sandbox mode may be responsible for issues in Windows 10. I had recently reported here on the blog in various blog posts about issues with Windows 10 caused by Defender for Endpoint (see article links at the end of the post). Among other things, it is about an observation of blog reader Markus K. Markus is an administrator for several thousand Windows clients in a network structure and runs into problems:
Advertising
- MS-Word (2016 or 2019 CTR) does not want to start
- SAP software does not want to start
- Event log not viewable (remote and local)
In his environment, only a few computers are ever affected (~50-100 clients out of over 7000). An update of the Defender signature files brought only short-term relief, as I detailed in the blog post Defender for Endpoint causes issues with Windows 10 20H2 clients (April 26, 2022). Now Markus K. contacted me by mail, because he thinks he found the root cause. He wrote:
It seems that I have finally found the problem bear. It is the Windows Defender Sandbox Mode. How to test and fix it:
If you turn on the Sandbox Mode (at least with W10 Enterprise) then you can observe e.g. in my case very well the following.
Install a fresh system including Office and patch it completely.
After that, e.g. Winword.exe wan't open. Without sandbox everything works without problem.
Call e.g. displayswitch.exe, which takes an infinite time if the sandbox is on. Otherwise the tool opens immediately.
For me it seems again that we are the only ones far and wide using the sandbox, at least there is nobody on the NTSysamin list with feedback that the same is used.
I assume that all our strange effects come from this corner (at least I hope so) and disappear with turning off the sandbox.
Exciting question: is there anyone else among the readership who uses the Defender sandbox mode and notices similar problems or can refute this?
Similar articles:
Defender signatures cause extreme RAM usage (April 2022)
Defender for Endpoint causes issues with Windows 10 20H2 clients (April 26, 2022)
Windows issue: Defender collides with FMAPOService
