New Update Windows Defender Application Guard Extension for Google Chrome and Firefox

silversurfer

Windows Defender Application Guard comes to 3rd-party apps

Microsoft has released a new extension for Google Chrome and Mozilla Firefox that’s supposed to protect users when visiting potentially-dangerous websites.

The Windows Defender Application Guard, which is available for download only for insiders before the public launch, has a very simple role: it checks the website you’re trying to load to determine if it’s a trusted link or not.

If it’s not, the extension automatically fires up an instance of Microsoft Edge running in a sandbox, which means that no matter what happens on the page after load, it can’t reach your data.

“The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings,” Microsoft explains.

Extension requirements
Microsoft explains that the extension was designed to provide a seamless experience, so when users point the browser to a trusted website, the sandboxed session is automatically restored to the standard settings.

“In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as trusted by their organization without any risk to the rest of system. With our upcoming dynamic switching capability, if the user tries to go to a trusted site while in an isolated Microsoft Edge session, the user is taken back to the default browser,” Microsoft explains.

After installing the browser extension, you should see a landing page that describes in detail how everything works. The extension automatically checks if all prerequisites are met. For example, the extension scans the device to determine if it’s compatible, the Application Guard companion app is installed, and the feature is turned on for your device.

Needless to say, the extension is only available for Windows 10 devices, and you can download it using the links below for the browser you’re using (the companion app is also required):

Get the Google Chrome extension

Get the Mozilla-Firefox extension

Get the Microsoft Store companion app


 

Windows_Security

Mww :unsure: a few Chrome versions ago, there was a flag (don't recall exactly) that reduced the rights of websites which were on the Chrome Safer browsing blacklist. I always enabled that experimental flag without any problem. It is now gone, so I assume it is enabled by default.

Also Chrome and Edge already have an AppContainer sandbox, so I am kind of lost what the added practical use is of a blacklist based automated increase of protection. The only practical use I can imagine is when a user circumvents the 'danger pop-up' of the URL blacklist based surfing protection of Chrome or Edge.

Thoughts anyone?
 

Ink

> Also Chrome and Edge already have an AppContainer sandbox, so I am kind of lost what the added practical use is of a blacklist based automated increase of protection.

Neither Chrome/Firefox do the following, the Companion App + Extension expands WDAG to other browsers.

"Using a unique hardware-based isolation approach, Application Guard opens untrusted websites inside a lightweight container that is separated from the operating system via Hyper-V virtualization technology."
If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device and your device data protected. This companion to the browser extension ensures that untrusted sites open securely inside Application Guard's isolated environment.

via Get Windows Defender Application Guard Companion - Microsoft Store

Perhaps a build up before the Windows Sandbox.
 

Andy Ful

If it will work properly, then it could be a very good idea for people who do not use 3rd party Virtual Machines. Opening unsafe websites in the separate native built-in virtual environment is far safer than opening them in the same browser as for safe websites. This is the extended idea of Site Isolation in Chrome, but much stronger.
This is simple logic. On Chrome the safe and unsafe websites share the same application, even with Site Isolation. With Application Guard, we have:
  • two different applications,
  • two well isolated and different environments.
 

Windows_Security

> Perhaps a build up before the Windows Sandbox.

I know, that it is a hardware virtualization, but that is not what I am questioning.

The point is that this hardware virtualisation is triggered when a user surfs to a blacklisted URL and anyone can get a warning using the Windows Defender extension to NOT go/continue to that website. Also when I enable Windows Defender Network Protection these blacklisted URLs will be blocked when trying to download something.

So what is the practical added value? To browse to and open untrusted websites which are on a blacklist to protect morons ignoring popups?

So you are probably right, marketing buzz for the Windows Sandbox.
 

Andy Ful

> ...
> The point is that this hardware virtualisation is triggered when a user surfs to a blacklisted URL ...

It seems that it is not related to blacklisted URLs, but rather to whitelisted URLs. So, if the URL is not trusted (not on the white list and not necessarily malicious), then the extension opens Edge via Application Guard.
"There, by using some unique hardware-based isolation approach, it opens untrusted websites inside a lightweight container. If an untrusted website you are trying to visit appears suspicious or turns out to be malicious, it continues to remain under the Application Guard’s secure container and does not enter your system."

It would be interesting to see how often the extension will be triggered. We will see soon how this extension will work in practice.
 

Azure

Let's see if I get this.

Imagine there's a website that you normally go to. One day someone hijacks it to redirect visitors to a malicious site. This add-on would make sure that the redirected site opens contained in Edge.
In this case the user isn't actively going to a malicious site, rather they are sent there unknowingly.
Correct?
 

Andy Ful

> Let's see if I get this.
>
> Imagine there's a website that you normally go to. One day someone hijacks it to redirect visitors to a malicious site. This add-on would make sure that the redirected site opens contained in Edge.
> In this case the user isn't actively going to a malicious site, rather they are sent there unknowingly.
> Correct?

There are two modes:
  1. Standalone mode (Windows 10 Professional and Windows 10 Enterprise ed.).
  2. Enterprise-managed mode (only Windows 10 Enterprise ed.).
The first works as Application Guard for Edge, so the user has to manually choose what website will be opened in the virtual environment.
The second mode works automatically and allows administrators in Enterprises to configure the list of trusted websites by the IP address range.
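
A simplified model of the enterprise-managed mode described above, as an added example that is not part of the thread and not Microsoft's code: destinations on the trusted list open in the normal browser, everything else goes to the isolated session, and each hop of a redirect is evaluated separately. The domain entry, IP range, host names and DNS answers are constructed for illustration; matching by domain as well as by IP range is an assumption of this model.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy values (hypothetical, as an administrator might set them).
TRUSTED_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "build01.corp.test": "10.20.9.1",
    "news.example.org": "203.0.113.10",
    "notexample.com": "203.0.113.5",
}


def host_is_trusted(host, dns=SAMPLE_DNS):
    """Trusted if the name sits under a trusted domain or its address is in a trusted range."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "notexample.com" does not pass as "example.com".
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return True
    try:
        addr = ipaddress.ip_address(host)      # URL used a literal IP address
    except ValueError:
        resolved = dns.get(host)
        if resolved is None:                   # unresolvable name: fail closed
            return False
        addr = ipaddress.ip_address(resolved)
    return any(addr in net for net in TRUSTED_NETWORKS)


def route(url):
    """Return 'host' for a trusted destination and 'isolated' for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "isolated"
    return "host" if host_is_trusted(parts.hostname) else "isolated"


def route_redirect_chain(hops):
    """Decide for every hop on its own, as each navigation would be decided."""
    return [(url, route(url)) for url in hops]


if __name__ == "__main__":
    chain = ["https://portal.example.com/news", "https://news.example.org/r?id=1"]
    for url, decision in route_redirect_chain(chain):
        print(f"{decision:9} {url}")
```

In this model the decision depends only on where the page lives, so a trusted host that starts redirecting elsewhere still opens on the host browser while the redirect target is isolated.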
 
ForgottenSeer 72227

MS just want to make sure you use Edge

One could also argue that Google wants you to use Google products and Apple wants you to use Apple products, etc... In this case I do honestly think they are trying to make things more secure and it's not about promoting their product. That's just my opinion, but I do think MS is trying to do better things from a security stand point. I don't think we always have to try to look for the negatives or speculate that they are trying to do this due to some evil plan, because it's MS.:)(y)

Maybe it's because how Edge integrates into Windows and 3rd parties can't do the same thing, but the fact that they created an extension for both browsers and that it doesn't kick in unless it's a suspicious site, leaves me to believe they are doing this for a good reason to the benefit of everyone, regardless of which browser you are using. :)
 

Windows_Security

> It seems that it is not related to blacklisted URLs, but rather to whitelisted URLs.

Okay whitelisting makes more sense, but . . .

While white listing is a great idea in regard to programs which are hosted and executed on your computer, it has less practical value for websites. For white listed URLs you don't have any control on the software code which is active on that website. So the known good weakens down to the assumed good. There are over 3 billion websites. So how do you keep track whether the presumable good are still trustworthy? See for instance Hacking Alert - Matousec.com - what happened whit the project page?

Other question which rises. With so many websites, many trustworthy websites will probably not be included in the whitelist. Does it have an option to recover downloaded files from the virtual environment?

EDIT
I tried it, only one PC qualified. The browsing on my wife's Yoga 520 slowed down because this new feature was evaluating websites all the time.
Curious to know if any member has used it and if so on what hardware?
 

Andy Ful

> Okay whitelisting makes more sense, but . . .
>
> While white listing is a great idea in regard to programs which are hosted and executed on your computer, it has less practical value for websites. For white listed URLs you don't have any control on the software code which is active on that website. So the known good weakens down to the assumed good. There are over 3 billion websites. So how do you keep track whether the presumable good are still trustworthy? See for instance Hacking Alert - Matousec.com - what happened whit the project page?
>
> Other question which rises. With so many websites, many trustworthy websites will probably not be included in the whitelist. Does it have an option to recover downloaded files from the virtual environment?

In the present form, this feature is available for home users as Standalone mode (no whitelist, no blacklist), just like for Edge. The whitelist and automatic switching to the virtual environment can be applied by administrators only in Windows Enterprise ed., and there it makes sense to trust only some websites.
 

HarborFront

> One could also argue that Google wants you to use Google products and Apple wants you to use Apple products, etc... In this case I do honestly think they are trying to make things more secure and it's not about promoting their product. That's just my opinion, but I do think MS is trying to do better things from a security stand point. I don't think we always have to try to look for the negatives or speculate that they are trying to do this due to some evil plan, because it's MS.:)(y)
>
> Maybe it's because how Edge integrates into Windows and 3rd parties can't do the same thing, but the fact that they created an extension for both browsers and that it doesn't kick in unless it's a suspicious site, leaves me to believe they are doing this for a good reason to the benefit of everyone, regardless of which browser you are using. :)

If your AV has a web filter feature you don't need the MS extension. Having too many software/extension checking the web means slowing down your surfing
 

Andy Ful

> If your AV has a web filter feature you don't need the MS extension. Having too many software/extension checking the web means slowing down your surfing

If I correctly understood, then this extension in the Standalone mode should not check any websites. It simply should allow the user running manually the URL via Edge (in a virtual environment) from Chrome or Firefox. I used Application Control for Edge some time ago, and the Edge was slightly slower.
 
ForgottenSeer 72227

> If your AV has a web filter feature you don't need the MS extension. Having too many software/extension checking the web means slowing down your surfing

That's fair.

My guess (and this is only a guess) is that MS is probably looking at this from the point of someone using WD, even though you can use this extension regardless of which AV you are using. WD doesn't have a web scanner in the traditional sense, so they are adding an extension. Furthermore both Google and Mozilla are very anti-hooking into the browser and would prefer extensions vs hooks. You don't have to look hard to see their stance on the matter and it's one of the reasons why they are very against 3rd party security programs. I could be wrong, but I wouldn't be surprised if this is one of the reasons.
 

Windows_Security

@Andy Ful

Thanks for the answers, this sort of answers my question on the practical value for personal use. At the moment when home users want to go into dodging browsing they can switch to Edge using sand-boxing and virtualization.

The whitelist has value for corporate users, they could automatically switch to virtualization when using their PC to visit not-whitelisted corporate websites. But it is offering 'mustard after the meal' as we say in Dutch, meaning that most large companies already have policies in place to deal with risky PC usage.

At the moment, most large companies in the Netherlands have a clause in their labor agreement in which employees have to promise to use their company PC in a wise and respectful way in compliance with the norms and values of that large company. Many labor agreements of large companies contain the clause that you will be fired when you don't comply with these conditions.

So also for corporate use it has limited value in the Netherlands is my guess (maybe only critical infrastructure companies and governmental bodies).
 