Spawn

Administrator
Verified
Staff member
Windows Defender Application Guard for Microsoft Edge


Microsoft Edge with Windows Defender Application Guard mode enabled on the Edge browser will protect enterprises from advanced attacks that can infiltrate your network and devices via the Internet, creating a safer, worry-free browsing experience for customers.

ARSTECHNICA - Application Guard extends Virtualization Based Security to protect against browser flaws.


Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging.

[...]

Microsoft recognizes that this feature would be desirable on consumer machines, too, and not just for Edge.

This may be acceptable for a locked-down enterprise environment, but it isn't a good fit for consumers. Virtualization also likely comes at some performance cost, although Microsoft is not saying just what that performance cost is right now.

Nonetheless, this use of virtualization to harden a system is an exciting move.

Application Guard will become available later this year in Insider builds of Windows, hitting a stable version some time in 2017.

Continue Reading - http://arstechnica.com/information-technology/2016/09/windows-10-will-soon-run-edge-in-a-virtual-machine-to-keep-you-safe/

Share your thoughts and opinions below.
 

SHvFl

Level 35
Verified
Trusted
Content Creator
In theory it sounds good but let's wait to actually see the feature. Makes no sense to make appcontainer and then decide to do a Vm so soon and why would they put it only on Edge? Micro vm usually involves higher resource usage but who knows MS has the money to maybe figure it out. It will be good for the industry.
 
  • Like
Reactions: XhenEd

Av Gurus

Level 29
Verified
Trusted
Malware Hunter
Windows Defender Application Guard is a new security feature of the Windows 10 operating system that Microsoft revealed back in 2016.

The company revealed back then that it would integrate the feature in a future Windows Insider build before shipping it with the new feature update of Windows, the Windows 10 Creators Update.

It appears that the time has come, as information about the feature is now included in Microsoft Edge already.

When you load about:applicationguard right now in the latest Microsoft Edge Insider Build version, you are taken to a welcome screen that highlights the feature to you.

Windows Defender Application Guard


The Welcome Screen reads: Welcome to Windows Defender Application Guard. Windows Defender Application Guard is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating system, apps, and data.

Below that are the three core features of Windows Defender Application Guard:

  • Isolated Browsing -- Windows Defender Application Guard uses the latest virtualization technology to help protect your operating system by creating an isolated environment for your Microsoft Edge session.
  • Help Safeguard your PC -- Windows Defender Application Guard starts up every time you visit a non-work-related site to help keep potentially malicious attacks away from your PC.
  • Malware Removal -- Any websites you visit, files you download, or settings you change while in this isolated environment are deleted when you sign out of Windows, wiping out any potential malware.
Microsoft's introduction of the feature back in 2016 reveals the underlying technology used to power the feature. According to the article -- linked in the first paragraph -- it uses Microsoft's Hyper-V virtualization technology to create a new layer of defense around Microsoft Edge.

This is a sandbox more or less that Edge processes run in if they are not in the list of trusted sites. Trusted sites work exactly like they do right now in the current stable version of Edge. Sites and services have access to local storage, may read and write cookies, and do all the other things they have permission for either automatically or on user request.

The following happens if a site or service is not in the trusted sites list.

Application Guard’s enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker

Microsoft notes that this sandboxed copy has no access to credentials, including domain credentials. Strict no access to anything rules would break sites or services that rely on these features. Application Guard does provide access to "essential features", and some can be configured via the Grop Policy or other management tools.



If you open the Group Policy editor in the latest Insider Build for instance, you find four application guard specific entries under Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard:

  1. Turn On/Off Windows Defender Application Guard.
  2. Block Enterprise websites to load non-Enterprise content in IE and Edge.
  3. Configure Windows Defender Application Guard clipboard settings.
  4. Configure Windows Defender Application Guard print settings.
Closing Words
Since Microsoft mentions Internet Explorer in the Group Policy, it seems that at least some of the security feature's functionality is protecting Internet Explorer users as well.

It remains to be seen how effective Windows Defender Application Guard is in protecting user systems, and how restrictive it is for users to work with.

Microsoft has not revealed yet if Application Guard will be made available to all editions of Windows 10. Also, it is unclear whether the company plans to expand the use of the feature to other applications on the system.
 

Handsome Recluse

Level 20
Verified
I mentioned it before, now we have more details on how they make Edge far safer than any browsers on the market. It seems made for Windows 10 Ent.
The browser usage and the fact that Google is just as big, competent and ubiquitous means it's probably not gonna take off in the home especially because exploits aren't common enough for the user to immediately discern the difference between the two.
 

Rolo

Level 18
Verified
If ever it will be available for home users, I think it will only be implemented to the Pro version, given the required Group Policy Editor, Hyper-V and other things. So, no, I don't think that it will be available to all Windows 10 users. :(
Maybe. Or they could change that or include a purpose-specific version of it.


Since it uses Hyper-V, I'd assume that it wouldn't be compatible with other virtualization software, like VirtualBox, that already has conflicts with Hyper-V...?
 
A

antreas

Help Safeguard your PC -- Windows Defender Application Guard starts up every time you visit a non-work-related site to help keep potentially malicious attacks away from your PC.

That mean the browser check every website i visit to see if it work relate? That mean microsoft can spy on me.
 
  • Like
Reactions: Deleted member 2913
D

Deleted member 178

Help Safeguard your PC -- Windows Defender Application Guard starts up every time you visit a non-work-related site to help keep potentially malicious attacks away from your PC.

That mean the browser check every website i visit to see if it work relate? That mean microsoft can spy on me.
I have a revelation for you...your browser spy on you, it knows what site you are visiting !!!!
 
5

509322

Help Safeguard your PC -- Windows Defender Application Guard starts up every time you visit a non-work-related site to help keep potentially malicious attacks away from your PC.

That mean the browser check every website i visit to see if it work relate? That mean microsoft can spy on me.
With the keywords "non-work related site" that tells me this feature will be for Enterprise\Education.
 
5

509322

That mean the browser check every website i visit to see if it work relate? That mean microsoft can spy on me.
Microsoft always has collected your browsing data. All the browser publishers harvest your browsing data. On top of it, visited URLs are saved to your system in various Windows logs. So if someone gained direct access to your system then they can see what you've been up to online.

There are countermeasures, like not saving browsing history, browser-opt-out settings, ad\tracking blockers, privacy utilities like Privazer, CCleaner, etc.

Research it. It's an extensive subject that can't be covered in a few lines on a security forum.
 

Rolo

Level 18
Verified
Help Safeguard your PC -- Windows Defender Application Guard starts up every time you visit a non-work-related site to help keep potentially malicious attacks away from your PC.

That mean the browser check every website i visit to see if it work relate? That mean microsoft can spy on me.
Good grief, no. It means it's not going to mess with work-related (as configured by the deployment) sites. It's an elaborate way to say "trusted sites".

If you don't trust Microsoft, then why are you running their OS?
 
A

antreas

Good grief, no. It means it's not going to mess with work-related (as configured by the deployment) sites. It's an elaborate way to say "trusted sites".

If you don't trust Microsoft, then why are you running their OS?
Because most steam games works on windows. If i was able i would infidelity buy a mac than use windows.