Q&A Edge App Guard should be used for banking/shopping?

Tiamati

Level 11
Verified
Nov 8, 2016
513
As most of you already know, some AVs offer a safe browser for online banking/e-shopping. Some examples are Safe Money from KIS, Safepay from Bitdefender, etc.

I'm currently testing Windows Defender with @Andy Ful H_C/Configure Defender (set to MAX). I think that App Guard could be used as a free safe browser for online banking as it has an isolated environment. However, App Guard is more oriented to protect the Host from the Virtual Machine, so I'm not sure if this is really a promising idea and if it could act just like the paid AV options (or if it could be even better). What do you think? Could App Guard protect the transaction from key loggers, screen savers and other techniques?

In time, is there any free solution for that?

Ty!
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,122
Because the Edge renderer/GPU processes have code integrity guard enabled by default, you don't have to worry about code injection (making Edge the safest general purpose Chromium-based browser for banking). With MD Exploit Protection it is even possible to enable code integrity for the Edge broker process also.

When you like to think out-of-the-box you could use kioskmode for banking. Microsoft will add in future versions extra protections (automatic delete of download files and blocking to start other programs). In Edge 90/91 these extra protections will arrive in stable version. I will provide reg-files and links. I am going to use -kioskmode for safe banking, because it loads without extensions and is hardened against user changes in kioskmode.

I use Edge Application Guard for general browsing (have a look at the group policy settings to make the changes persistent so your settings are kept)
 

Tiamati

With MD Exploit Protection it is even possible to enable code integrity for the Edge broker process also
I never heard about it... how could this help?

When you like to think out-of-the-box you could use kioskmode for banking. Microsoft will add in future versions extra protections (automatic delete of download files and blocking to start other programs). In Edge 90/91 these extra protections will arrive in stable version. I will provide reg-files and links. I am going to use -kioskmode for safe banking, because it loads without extensions and is hardened against user changes in kioskmode.
It could work. However, I'm not sure if it could be practical for daily use. I never used kiosk mode, but from what I know, you would have to change account every time you wanted to use it, isn't it?

I use Edge Application Guard for general browsing (have a look at the group policy settings to make the changes persistent so your settings are kept)
I'm trying it for now. I think the virtual machine is a little slow for all-day use. My current PC is equipped with a Ryzen 5 1400, 8 GB RAM and a Samsung SSD. However, I believe it could be used for specific websites.

BTW, I've already changed Local Group Policies to allow App Guard persistence and allow me to save files to the host. It worked fine, but I wasn't able to configure the copy-paste function, nor the print option. I enabled the copy from host to virtual machine for text only. But Windows keeps telling me that my ADM won't allow me to copy and paste into App Guard. I had to enable the copy-paste function in Windows Security Center, but it allows copy-paste from host to virtual and vice versa for all kinds of archives (texts and images). Any idea why?

@Lenny_Fox I want to make sure that I configured App Guard correctly too. Does your App Guard also say it is administered by "your organization", and restrict some policies (like the ability to enable sync in App Guard)?

I personally use banking and shopping in just another Edge profile, see Updates - Chromium-Edge "3-Browser-Profiles" Solution
I'll take a look! Good idea, but this option could not protect the browser from an infected system, I guess.
 

SecurityNightmares

Level 40
Verified
Jan 9, 2020
2,955
I never heard about it... how could this help?
see Q&A - Maximum Anti-Exploit protection settings for your program

BTW, I've already changed Local Group Policies to allow App Guard persistence and allow me to save files to the host.
This is a huge attack surface and removes an important feature of Application Guard: clean everything after session is closed.

I'll take a look! Good idea, but this option could not protect the browser from an infected system, I guess.
For that, the Application Guard (on default mode, without persistent storage) is useful.
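
An added example, not part of any post in this thread: a PowerShell check of the two Application Guard policies discussed above (persistence and saving files to the host), plus a read-out of the clipboard policy. The registry key, the value names and the meaning of the clipboard values are assumptions about where the Application Guard group policies are stored; the function name is hypothetical.

```powershell
# Added example, not from the thread. Reads the machine-wide Application Guard
# policy values and flags the two that the posters advise against.
# Assumption: the policies live under this key with the value names used below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'

# Settings called out in the thread: enabling either weakens the throw-away container.
$Flagged = [ordered]@{
    AllowPersistence = 'container data is kept instead of discarded when the session closes'
    SaveFilesToHost  = 'downloads can leave the container and land on the host'
}
# Reported for information only (assumed meanings of the clipboard policy values).
$ClipboardDirection = @{ 0 = 'off'; 1 = 'container -> host'; 2 = 'host -> container'; 3 = 'both directions' }
$ClipboardContent   = @{ 1 = 'text'; 2 = 'images'; 3 = 'text and images' }

function Get-AppGuardPolicyReport {
    param([string]$Path = $PolicyKey)
    # $props is $null when the key is absent, i.e. no Application Guard policy is set.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $Flagged.Keys) {
        $raw     = $props.$name
        $enabled = ($null -ne $raw) -and ([int]$raw -ne 0)
        [pscustomobject]@{
            Setting = $name
            Value   = $(if ($null -eq $raw) { '(not set)' } else { $raw })
            Status  = $(if ($enabled) { 'REVIEW' } else { 'OK' })
            Note    = $(if ($enabled) { $Flagged[$name] } else { '' })
        }
    }

    # Clipboard: direction and allowed content are two separate policy values.
    $dir  = $props.AppHVSIClipboardSettings
    $type = $props.AppHVSIClipboardFileType
    [pscustomobject]@{
        Setting = 'Clipboard'
        Value   = $(if ($null -eq $dir) { '(not set)' } else { $dir })
        Status  = 'INFO'
        Note    = 'direction: {0}; content: {1}' -f $ClipboardDirection[[int]$dir], $ClipboardContent[[int]$type]
    }
}

Get-AppGuardPolicyReport | Format-Table -AutoSize
```

The script only reads policy values; toggles set through the Windows Security app are not covered by it.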
 

Tiamati

I personally use banking and shopping in just another Edge profile, see Updates - Chromium-Edge "3-Browser-Profiles" Solution
I checked your post and I decided to apply the same idea but with 2 profiles: 1 for browsing and 1 for banking. However, the banking profile will be inside App Guard, so I'll have all the advantages of your idea + the protection from AppGuard.

I wasn't able to find all the configs you made in Edge:
# no website navigation error help in Edge settings
Which option is that?
# block plug-ins outside of sandbox in Edge settings
I wasn't able to find this option in Edge 89
# block payment provider in Edge settings
Do you mean to block saving credit cards?

3. When using Edge Application Guard I would not opt for saving files on the real system (increase of attack surface).
This is a huge attack surface and removes an important feature of Application Guard: clean everything after session is closed.
Ty for the advice @SecurityNightmares and @Lenny_Fox. I've already disabled saving files on the real system.

It seems that I would have to micromanage a lot to make this work flawlessly.

Screensavers and other techniques such as?
Good question :ROFLMAO:

2. Kioskmode would be done only for banking, not daily surf
It's an interesting option, but for now I'll stay with @SecurityNightmares profile idea + AppGuard. Ty