silversurfer

Level 52
Verified
Trusted
Content Creator
Malware Hunter
Windows Defender Application Guard comes to 3rd-party apps

Microsoft has released a new extension for Google Chrome and Mozilla Firefox that’s supposed to protect users when visiting potentially-dangerous websites.

The Windows Defender Application Guard, which is available for download only for insiders before the public launch, has a very simple role: it checks the website you’re trying to load to determine if it’s a trusted link or not.

If it’s not, the extension automatically fires up an instance of Microsoft Edge running in a sandbox, which means that no matter what happens on the page after load, it can’t reach your data.

“The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings,” Microsoft explains.

Extension requirements
Microsoft explains that the extension was designed to provide a seamless experience, so when users point the browser to a trusted website, the sandboxed session is automatically restored to the standard settings.

“In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as trusted by their organization without any risk to the rest of system. With our upcoming dynamic switching capability, if the user tries to go to a trusted site while in an isolated Microsoft Edge session, the user is taken back to the default browser,” Microsoft explains.

After installing the browser extension, you should see a landing page that describes in detail how everything works. The extension automatically checks if all prerequisites are met. For example, the extension scans the device to determine if it’s compatible, the Application Guard companion app is installed, and the feature is turned on for your device.

Needless to say, the extension is only available for Windows 10 devices, and you can download it using the links below for the browser you’re using (the companion app is also required):

Get the Google Chrome extension

Get the Mozilla-Firefox extension

Get the Microsoft Store companion app


 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mww :unsure: a few Chrome versions ago, there was a flag (don't recall exactly) that reduced the rights of websites which were on the Chrome Safer browsing blacklist. I always enabled that experimental flag without any problem. It is now gone, so I assume it is enabled by default.

Also Chrome and Edge already have an AppContainer sandbox, so I am kind of lost what the added practical use is of a blacklist based automated increase of protection. The only practical use I can imagine is when a user circumvents the 'danger pop-up' of the URL blacklist based surfing protection of Chrome or Edge.

Thoughts anyone?
 

Spawn

Administrator
Verified
Staff member
Also Chrome and Edge already have an AppContainer sandbox, so I am kind of lost what the added practical use is of a blacklist based automated increase of protection.
Neither Chrome nor Firefox does the following; the Companion App + Extension expands WDAG to other browsers.

"Using a unique hardware-based isolation approach, Application Guard opens untrusted websites inside a lightweight container that is separated from the operating system via Hyper-V virtualization technology."
If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device and your device data protected. This companion to the browser extension ensures that untrusted sites open securely inside Application Guard's isolated environment.
via Get Windows Defender Application Guard Companion - Microsoft Store

Perhaps a build up before the Windows Sandbox.
 

mickel1

Level 2
Added it to Google Chrome. It opens a separate window in Microsoft Edge but I cannot open any website in that window. So, I already removed it. And yes, I enabled Windows Defender Application Guard in Windows Features and also installed the Windows Defender Application Guard app from the Microsoft Store. But I still cannot open any website in it.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
If it will work properly, then it could be a very good idea for people who do not use 3rd party Virtual Machines. Opening unsafe websites in the separate native built-in virtual environment is far safer than opening them in the same browser as for safe websites. This is the extended idea of Site Isolation in Chrome, but much stronger.
This is simple logic. On Chrome the safe and unsafe websites share the same application, even with Site Isolation. With Application Guard, we have:
  • two different applications,
  • two well isolated and different environments.
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Perhaps a build up before the Windows Sandbox.
I know that it is hardware virtualization, but that is not what I am questioning.

The point is that this hardware virtualisation is triggered when a user surfs to a blacklisted URL and anyone can get a warning using the Windows Defender extension to NOT go/continue to that website. Also when I enable Windows Defender Network Protection these blacklisted URLs will be blocked when trying to download something.

So what is the practical added value? To browse to and open untrusted websites which are on a blacklist to protect morons ignoring popups?

So you are probably right, marketing buzz for the Windows Sandbox.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
...
The point is that this hardware virtualisation is triggered when a user surfs to a blacklisted URL ...
It seems that it is not related to blacklisted URLs, but rather to whitelisted URLs. So, if the URL is not trusted (not on the white list and not necessarily malicious), then the extension opens Edge via Application Guard.
"There, by using some unique hardware-based isolation approach, it opens untrusted websites inside a lightweight container. If an untrusted website you are trying to visit appears suspicious or turns out to be malicious, it continues to remain under the Application Guard’s secure container and does not enter your system."

It would be interesting to see how often the extension will be triggered. We will see soon how this extension will work in practice.
 

Azure

Level 24
Verified
Content Creator
Let's see if I get this.

Imagine there's a website that you normally go to. One day someone hijacks it to redirect visitors to a malicious site. This add-on would make sure that the redirected site opens contained in Edge.
In this case the user isn't actively going to a malicious site; rather, they are sent there unknowingly.
Correct?
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Let's see if I get this.

Imagine there's a website that you normally go to. One day someone hijacks it to redirect visitors to a malicious site. This add-on would make sure that the redirected site opens contained in Edge.
In this case the user isn't actively going to a malicious site; rather, they are sent there unknowingly.
Correct?
There are two modes:
  1. Standalone mode (Windows 10 Professional and Windows 10 Enterprise ed.).
  2. Enterprise-managed mode (only Windows 10 Enterprise ed.).
The first works as Application Guard for Edge, so the user has to manually choose what website will be opened in the virtual environment.
The second mode works automatically and allows administrators in Enterprises to configure the list of trusted websites by the IP address range.
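The routing decision behind the Enterprise-managed mode described above, as an added example that is not part of the original posts and is not Microsoft's implementation. The domain names, the 10.0.0.0/8 range, the function names and the subdomain-matching rule are all constructed assumptions; the example also goes slightly beyond the post by allowlisting domain names as well as IP ranges.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for illustration; in a managed deployment the trusted
# sites come from policy set by the administrator, not from code.
TRUSTED_DOMAINS = {"intranet.example.com", "example.org"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(url, domains=TRUSTED_DOMAINS, networks=TRUSTED_NETWORKS):
    """Return True only if the URL's host is explicitly on the allowlist."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return False  # no usable host: default deny
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, treat as a domain name
    if addr is not None:
        return any(addr in net for net in networks)
    # Match the domain itself or a true subdomain (assumed rule), never a bare
    # string suffix: "evilexample.org" must not match "example.org".
    return any(host == d or host.endswith("." + d) for d in domains)


def route(url):
    """Unlisted does not mean malicious; it only means 'not explicitly trusted'."""
    return "host-browser" if is_trusted(url) else "isolated-edge"


def route_chain(urls):
    """Evaluate every hop of a redirect chain on its own, so a trusted first
    hop cannot carry an untrusted destination into the host browser."""
    return [(u, route(u)) for u in urls]
```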
 

Raiden

Level 13
Verified
Content Creator
MS just want to make sure you use Edge
One could also argue that Google wants you to use Google products and Apple wants you to use Apple products, etc... In this case I do honestly think they are trying to make things more secure and it's not about promoting their product. That's just my opinion, but I do think MS is trying to do better things from a security standpoint. I don't think we always have to try to look for the negatives or speculate that they are trying to do this due to some evil plan, because it's MS. :) (y)

Maybe it's because of how Edge integrates into Windows and 3rd parties can't do the same thing, but the fact that they created an extension for both browsers and that it doesn't kick in unless it's a suspicious site, leads me to believe they are doing this for a good reason to the benefit of everyone, regardless of which browser you are using. :)
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
It seems that it is not related to blacklisted URLs, but rather to whitelisted URLs.
Okay, whitelisting makes more sense, but . . .

While whitelisting is a great idea in regard to programs which are hosted and executed on your computer, it has less practical value for websites. For whitelisted URLs you don't have any control over the software code which is active on that website. So the known good weakens down to the assumed good. There are over 3 billion websites. So how do you keep track of whether the presumably good are still trustworthy? See for instance Hacking Alert - Matousec.com - what happened with the project page?

Another question arises. With so many websites, many trustworthy websites will probably not be included in the whitelist. Does it have an option to recover downloaded files from the virtual environment?

EDIT
I tried it, only one PC qualified. The browsing on my wife's Yoga 520 slowed down because this new feature was evaluating websites all the time.
Curious to know whether any member has used it and if so on what hardware?
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Okay, whitelisting makes more sense, but . . .

While whitelisting is a great idea in regard to programs which are hosted and executed on your computer, it has less practical value for websites. For whitelisted URLs you don't have any control over the software code which is active on that website. So the known good weakens down to the assumed good. There are over 3 billion websites. So how do you keep track of whether the presumably good are still trustworthy? See for instance Hacking Alert - Matousec.com - what happened with the project page?

Another question arises. With so many websites, many trustworthy websites will probably not be included in the whitelist. Does it have an option to recover downloaded files from the virtual environment?
In the present form, this feature is available for home users as Standalone mode (no whitelist, no blacklist), just like for Edge. The whitelist and automatic switching to the virtual environment can be applied by administrators only in Windows Enterprise ed., and there it makes sense to trust only some websites.
 

HarborFront

Level 46
Verified
Content Creator
One could also argue that Google wants you to use Google products and Apple wants you to use Apple products, etc... In this case I do honestly think they are trying to make things more secure and it's not about promoting their product. That's just my opinion, but I do think MS is trying to do better things from a security standpoint. I don't think we always have to try to look for the negatives or speculate that they are trying to do this due to some evil plan, because it's MS. :) (y)

Maybe it's because of how Edge integrates into Windows and 3rd parties can't do the same thing, but the fact that they created an extension for both browsers and that it doesn't kick in unless it's a suspicious site, leads me to believe they are doing this for a good reason to the benefit of everyone, regardless of which browser you are using. :)
If your AV has a web filter feature you don't need the MS extension. Having too many software/extensions checking the web means slowing down your surfing.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
If your AV has a web filter feature you don't need the MS extension. Having too many software/extensions checking the web means slowing down your surfing.
If I understood correctly, then this extension in the Standalone mode should not check any websites. It simply should allow the user to manually run the URL via Edge (in a virtual environment) from Chrome or Firefox. I used Application Control for Edge some time ago, and Edge was slightly slower.
 

Raiden

Level 13
Verified
Content Creator
If your AV has a web filter feature you don't need the MS extension. Having too many software/extensions checking the web means slowing down your surfing.
That's fair.

My guess (and this is only a guess) is that MS is probably looking at this from the point of someone using WD, even though you can use this extension regardless of which AV you are using. WD doesn't have a web scanner in the traditional sense, so they are adding an extension. Furthermore both Google and Mozilla are very anti-hooking into the browser and would prefer extensions vs hooks. You don't have to look hard to see their stance on the matter and it's one of the reasons why they are very against 3rd party security programs. I could be wrong, but I wouldn't be surprised if this is one of the reasons.