Will you install the Application Guard Extension on your browser?

  • Yes (Votes: 7, 50.0%)
  • No (Votes: 7, 50.0%)

MalwareTips Bot

Content Creator
The hardware-based isolation technology on Windows 10 that allows Microsoft Edge to isolate browser-based attacks is now available as a browser extension for Google Chrome and Mozilla Firefox.

We introduced the container technology in 2017. Since then, we have been evolving the technology and engaging with customers to understand how hardware-based isolation can best help solve their security concerns. We know that many of our customers depend on multi-browser environments to allow enterprise apps to meet various compatibility requirements and enable productivity. And while modern browsers are continuously working to mitigate vulnerabilities, there are still exposures across these complex engines that can lead to irreversible and costly damages.

To provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions, now generally available, to allow customers to integrate hardware-based isolation with Google Chrome and Mozilla Firefox.

How it works

The extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings.

When users navigate to a site, the extension checks the URL against a list of enterprise sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as enterprise-trusted by their organization without any risk to the rest of the system. With our upcoming dynamic switching capability, if the user tries to go to an enterprise site while in an isolated Microsoft Edge session, the user is taken back to the default browser.

To configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:

  1. Ensure devices meet requirements.
  2. Turn on Windows Defender Application Guard.
  3. Define the network isolation settings to ensure a set of enterprise sites is in place.
  4. Install the new Windows Defender Application Guard companion application from the Microsoft Store.
  5. Install the extension for Google Chrome or Mozilla Firefox browsers provided by Microsoft.
  6. Restart the device.

Intuitive user experience

We designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.

  1. When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page.
  2. If there are any problems with the configuration, users will get instructions for resolving any configuration errors.
  3. Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.

Commitment to keep enterprise users and data safe

Hardware-based isolation is one of the innovations that enhance platform security on Windows 10. It is a critical component of the attack surface reduction capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) and the broader unified security in Microsoft Threat Protection. With the new Application Guard extension for Google Chrome and Mozilla Firefox, customers can extend the security benefits of isolation in their environments and further reduce attack surface. Customers can confidently navigate the expansive internet with protection for enterprise and personal data.

The Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox are now available for Windows 10 Professional, Enterprise, and Education SKUs, version 1803 and later with latest updates.

Rona Song
Windows platform security team

The post New browser extensions for integrating Microsoft’s hardware-based isolation appeared first on Microsoft Security.
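
The URL check and two-way routing described under "How it works", as an added example that is not part of the original post and is not Microsoft's extension code. The list format (a leading "." meaning "this domain and its subdomains"), the sample hosts and the context and decision labels are assumptions made for the illustration.

```javascript
// Added illustration; not Microsoft's extension code. The list format and
// matching rules below are assumptions made for this example.

// Constructed sample of an administrator-defined enterprise site list.
// Assumed convention: a leading "." trusts the domain and all its subdomains;
// any other entry trusts that exact host only.
const ENTERPRISE_SITES = [".contoso.example", "portal.fabrikam.example"];

// Normalise a host for comparison: lower-case, drop a trailing root dot.
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True only when the parsed URL's host matches an entry on a label boundary.
function isEnterpriseSite(rawUrl, sites = ENTERPRISE_SITES) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable input is never trusted
  }
  // This example treats anything other than http(s) as untrusted.
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // Use the parsed hostname, never a substring of the raw URL, so that
  // "https://contoso.example@other.test/" is judged by "other.test".
  const host = normaliseHost(url.hostname);
  return sites.some((entry) => {
    const e = normaliseHost(entry);
    if (e.startsWith(".")) {
      // Matches "contoso.example" and "x.contoso.example",
      // but not "evilcontoso.example" or "contoso.example.other.test".
      return host === e.slice(1) || host.endsWith(e);
    }
    return host === e;
  });
}

// Routing decision for both directions described in the post.
// context: "default-browser" or "isolated-edge" (labels invented here).
function routeNavigation(rawUrl, context) {
  const trusted = isEnterpriseSite(rawUrl);
  if (context === "default-browser") {
    return trusted ? "stay" : "redirect-to-isolated-edge";
  }
  // Inside the isolated session, enterprise sites go back to the host browser.
  return trusted ? "return-to-default-browser" : "stay";
}
```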
First, Edge now uses the same engine as Chrome, so the concepts of security and sandboxing are similar. What's the added benefit of Application Guard in this instance?
The official stable release of Microsoft Edge which comes pre-installed on Windows 10 systems does not use the Chromium engine yet - it still uses EdgeHTML. The Chromium version of Microsoft Edge is still in beta testing and it will likely stay this way for several more months.

It's irrelevant as to whether Microsoft Edge uses the old Internet Explorer engine, EdgeHTML, Chromium or Gecko as far as Application Guard's effectiveness is concerned. It doesn't change the benefits of using Application Guard, but those benefits do not outweigh the cons for everyone.

How does Application Guard fit alongside Exploit Mitigation? I mean, I have mitigations enabled for various programs, but NOT for Edge, because I don't use it. Does this mean my exploit-hardened Firefox has better security than the non-hardened Edge, regardless of the actual browser baseline security?
Yes and no.

The normal exploit mitigations are there to... help prevent successful exploit attacks. Existing exploits may fail if they were not designed to bypass certain exploit mitigations being enabled and new exploits may be harder to develop (even when a valid vulnerability has been identified) unless the mitigations can be circumvented to make the vulnerability "reachable" for exploitation.

Application Guard isn't there to stop exploitation. It's there to isolate exploitation. The attack chain will be isolated within the Hyper-V environment which Application Guard is reliant on, which means the exploitation phase itself does not touch the host environment and anything attempted post-exploitation does not touch the host environment either.

Firefox can still be exploited with every exploit mitigation known to man being enabled and the same is true of Microsoft Edge. With Application Guard (assuming it is working for you - there are many complaints about it), the attack is contained under an isolated environment.

Speaking of Firefox, if you use Adblock and/or Noscript, there's a good chance you're filtering out a lot of noise and garbage, which also coincidentally happens to be associated with security risks. What additional benefits does Application Guard introduce that aren't covered by the above?
I've already answered this question, read above.

Home edition users don't get this nice thing. But then, if it's really good - based on what I was able to read, no actual testing just yet, then it begs the following question:

If Application Guard is so important and effective, why are Home edition users being left unprotected? And if Home edition users have adequate security already, then is there real practical value to Application Guard?
Home users do not need Application Guard - it would be overkill for them to need it. The normal exploit mitigations are more than fine for home users. Application Guard was clearly not designed for home users and as such, it is weird that Microsoft have published an extension for it - I agree with the author on this being badly designed.

Home users are not normally targeted with zero-day exploits anymore. More often than not, vulnerabilities are patched in security updates before they can be deployed by attackers on a campaign which affects many home users. Attackers who are capable of exploiting zero-day vulnerabilities almost always save them for enterprise targets in which they know they can make more money with one target than many home user targets combined.

Application Guard can be effective without it needing to be tailored for home consumers.

It looks like an attempt to make people use Edge, one way or another, after roughly fifteen years of steady market share decline in Microsoft browsers.
There is bound to be truth in this, but it isn't just about that. It's also about compatibility. Microsoft control the development of their own browser and thus can ensure their Application Guard feature works properly for their own product.

Everything becomes more troublesome when you try and support something for somebody else's product, because you do not control the development of it. There's also the case of both Firefox and Google being unpredictable when it comes to working as a team, because Firefox are ignorant when it comes to helping others implement security-related features - for example, they dropped support for IOfficeAntivirus APIs - and Google are known to stir trouble - for example, warning about code injection from AV/AE software and falsely reporting that crashes were due to the injection on customers' machines when they didn't have evidence that literally proved the accused was responsible for those specific recent crashes.

If Application Guard is anywhere as robust and flexible as EMET and friends, then it might be a worthy tool, browser engine notwithstanding.
EMET had many issues due to how it functioned.

1. EMET relied on code injection and API hooking. This can easily cause compatibility problems and introduce additional exploitable vulnerabilities into other people's software without them being aware. It isn't the job of software developers to clean up Microsoft's mess and it is unfair to expect them to do so.

2. Due to how EMET worked, there were many ways to bypass it. This isn't really the case with Application Guard due to how it works.

3. There were many public bypasses for EMET.

4. The technology behind EMET is old and was rootkit-like.

5. EMET had to be updated to approach new attack methods. Application Guard doesn't have to be updated so much because the attacks are isolated. Microsoft do not have to literally virtually patch attack methods anymore with Application Guard... they mainly need to just update for compatibility, performance and general improvements.


The author of the post does make some valid points though. Microsoft are misleading people with the browser extension. If it isn't going to support Google Chrome then Microsoft shouldn't be posting it on the Google Chrome Web Store either, in my opinion.

Andy Ful

Level 52
Content Creator
Application Guard isn't there to stop exploitation. It's there to isolate exploitation. The attack chain will be isolated within the Hyper-V environment which Application Guard is reliant on, which means the exploitation phase itself does not touch the host environment and anything attempted post-exploitation does not touch the host environment either.
I would like to comment only on this fragment, which can be misinterpreted by readers. The Application Guard isolation works in both directions:
Sandbox <------> Host
So, even when the malware is already running in the system, it is usually isolated from the browsing session due to memory isolation. This feature can be important for safe banking.
For example, Sandboxie Sandbox can only isolate in one direction:
Sandbox ------> Host