Advice Request Windows Sandbox vs Edge Application Guard Window (which is safer ?)

Please provide comments and solutions that are helpful to the author of this topic.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
I'm right about all of it.
The answer is as simple as I've been making it out. There's no need to over-complicate this.
...
This conversation can go on for decades but the obsession of Sandboxie being more powerful than Microsoft's sandbox technology when Microsoft use dedicated CPU features designed for isolation is shocking.
There is nothing to discuss on the advantage of Hyper-V container technology over Sandboxie. It is clear for anyone who read something about both solutions.
It is also clear that Hyper-V container allows running much more in the sandbox that it can be run in restricted Sandboxie sandbox.

The rest is speculation which is hard to prove.
I think that bypassing Sandboxie would be in theory much easier than bypassing Hyper-V container. But this is not the same as the probability of bypassing if no one will try to bypass Sandboxie in the wild.
In my opinion, the properly restricted Sandboxie sandbox in the home environment will probably stop a similar amount of malware in the wild (including spying by exploiting the web browser) as the non-restricted Hyper_V container.
Of course, this is my personal opinion and if anyone thinks otherwise, I will not be angry.:giggle:(y)
 
Last edited:
  • Applause
Reactions: Handsome Recluse
Jun 26, 2019
75
The rest are our speculations which are hard to prove.
No, they aren't speculations.

I'm an engineer who has to actually use the CPU virtualization features as part of my job.

Hyper-V doesn't stop malware. Hyper-V is a Virtual Machine software. Hyper-V is used by Windows Sandbox to create a guest environment that the end user can operate. Malware can infect the Hyper-V environment however it cannot escape unless the end user does something silly (e.g. allowing access to an organization network from within Hyper-V) or without a zero-day exploit (which is even less likely than pigs flying to Mars and back at this point).

Sandboxie does not offer a guest environment. Sandboxie has no real isolation that exceeds past the main host environment. Sandboxie is definitely not leveraging CPU features designed for virtualization. Sandboxie is relying on APIs which Microsoft developed and control in order to function properly.

You're free to use whichever software you want to use and you're also free to have your opinion. However, my point stands... Hyper-V is using a design which is safer than Sandboxie. Whether your opinion conflicts with this is irrelevant because it doesn't change anything.

I really hope I don't have to iterate it another time because this is getting a bit ridiculous.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Hi-

Which is the best way of browsing potentially unsafe websites ? Is it by running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window in Edge ?

I assume that browsing a site within the Sandbox guards against canvas fingerprinting as it runs a fresh installation of Windows ?

And while I am at it, is there a way of automtically opening Edge in Application Guard mode ?

Thanks for your comments !
@crezz Did you get helpful answers to your question? The discussion seems to have drifted off into an academic debate over whether pigs can fly to Mars and back.
 
  • Like
Reactions: Zorro and Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
No, they aren't speculations.

I'm an engineer who has to actually use the CPU virtualization features as part of my job.

Hyper-V doesn't stop malware. Hyper-V is a Virtual Machine software. Hyper-V is used by Windows Sandbox to create a guest environment that the end user can operate. Malware can infect the Hyper-V environment however it cannot escape unless the end user does something silly (e.g. allowing access to an organization network from within Hyper-V) or without a zero-day exploit (which is even less likely than pigs flying to Mars and back at this point).

Sandboxie does not offer a guest environment. Sandboxie has no real isolation that exceeds past the main host environment. Sandboxie is definitely not leveraging CPU features designed for virtualization. Sandboxie is relying on APIs which Microsoft developed and control in order to function properly.

You're free to use whichever software you want to use and you're also free to have your opinion. However, my point stands... Hyper-V is using a design which is safer than Sandboxie. Whether your opinion conflicts with this is irrelevant because it doesn't change anything.

I really hope I don't have to iterate it another time because this is getting a bit ridiculous.
As I said we start from the same facts but draw different conclusions. That is nothing wrong with it.
But I would like to point out some speculative thinking in your post:
  1. "Hyper-V doesn't stop malware."
    You ignore the fact, that the user is vulnerable to spying. In restricted Sandboxie sandbox, the malware (If EXE file or Windows script) can be stopped.
  2. "Malware can infect the Hyper-V environment however it cannot escape unless the end user does something silly (e.g. allowing access to an organization network from within Hyper-V) or without a zero-day exploit (which is even less likely than pigs flying to Mars and back at this point)."
    If no one will try to exploit Sandboxie, then the same can be said about Sandboxie.
So, the question is: "Do such events can be sufficiently frequent to overcompensate the technology advantage of Hyper-V over Sandboxie?"
In my opinion, the answer may be positive. But, as I said before, it is a speculation based on my experience.
It is pointless to discuss speculations, so let's agree to disagree on the practical advantage of Hyper-V over Sandboxie.
 
Jun 26, 2019
75
You ignore the fact, that the user is vulnerable to spying. In restricted Sandboxie sandbox, the malware (If EXE file or Windows script) can be stopped.
The end user is vulnerable to spying within the guest environment which can be discarded at the end user's discretion. This is obviously implied. I stated that Hyper-V doesn't stop malware for a reason - I didn't think that I'd have to literally outline every singe thing that malware could to do an end user when it's on a guest environment.

If a browser under Sandboxie does become compromised by an RCE vulnerability (there's been a recent one for Google Chrome that wasn't patched in the release for a few weeks and there was recently a Firefox sandbox escape) then an attacker can deploy a botnet attack without leaving the context of the browser. So, bad things can happen whilst a browser is under Sandboxie as well. I didn't think this needs to be explicitly implied either until now.

If no one will try to exploit Sandboxie, then the same can be said about Sandboxie.
People have tried to exploit Sandboxie during it's prime time to shine and they succeeded. When Sandboxie was of interest in the market (not just within these forums), security researchers took it on and succeeded. You can google for old Sandboxie bypasses between 2010-2014 when it was of interest to people. I'm not doing your homework for you.

For everything that Sandboxie cannot officially and ethically do on the environment from a kernel-level, it moves to using rootkit techniques like from the books of the early 2000s but in user-mode. It takes the easy way out instead of doing things the proper way for isolation... which these days, would be leveraging CPU features explicitly designed for such use cases.

Sandboxie messes with the memory of processes belonging to other people's software which also makes the threat surface raise for the products being put under the sandbox. Furthermore, Sandboxie tarnishes code integrity which is there for a good reason: to help make sure that an attacker hasn't been messing with memory to control things.

You do not need to pretend to understand it because the fact you're still trying to change my opinion and voice the impression that there's little difference between Microsoft's sandbox technology and Sandboxie evidently proves that you do not understand my points. At this point, you may never understand my points. I'm fine with that. I'm content with it.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The end user is vulnerable to spying within the guest environment which can be discarded at the end user's discretion. This is obviously implied. I stated that Hyper-V doesn't stop malware for a reason - I didn't think that I'd have to literally outline every singe thing that malware could to do an end user when it's on a guest environment.

If a browser under Sandboxie does become compromised by an RCE vulnerability (there's been a recent one for Google Chrome that wasn't patched in the release for a few weeks and there was recently a Firefox sandbox escape) then an attacker can deploy a botnet attack without leaving the context of the browser. So, bad things can happen whilst a browser is under Sandboxie as well. I didn't think this needs to be explicitly implied either until now.


People have tried to exploit Sandboxie during it's prime time to shine and they succeeded. When Sandboxie was of interest in the market (not just within these forums), security researchers took it on and succeeded. You can google for old Sandboxie bypasses between 2010-2014 when it was of interest to people. I'm not doing your homework for you.

For everything that Sandboxie cannot officially and ethically do on the environment from a kernel-level, it moves to using rootkit techniques like from the books of the early 2000s but in user-mode. It takes the easy way out instead of doing things the proper way for isolation... which these days, would be leveraging CPU features explicitly designed for such use cases.

Sandboxie messes with the memory of processes belonging to other people's software which also makes the threat surface raise for the products being put under the sandbox. Furthermore, Sandboxie tarnishes code integrity which is there for a good reason: to help make sure that an attacker hasn't been messing with memory to control things.

You do not need to pretend to understand it because the fact you're still trying to change my opinion and voice the impression that there's little difference between Microsoft's sandbox technology and Sandboxie evidently proves that you do not understand my points. At this point, you may never understand my points. I'm fine with that. I'm content with it.
The OP asked which option is better: "Is it by running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window in Edge ?"
I don't see where he mentioned Sandboxie, or why you feel it is necessary to discuss SBIE's specs in such detail and with such vehemence. I would suggest you start a different thread.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
@crezz,
The discussion has been somewhat extended. Please, let us know if you do not want to include Sandboxie here. But generally, comparing Hyper-V containers to Sandboxie (or other sandboxes) can show their weak points for user security.
The Edge Application Guard solution has been prepared for safe browsing and uses a very strong technology of Hyper-V container in addition to Edge AppContainer, so it will be the best choice. Windows Sandbox can be used for other software (also for other web browsers).
 
Jun 26, 2019
75
The OP asked which option is better: "Is it by running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window in Edge ?"
I don't see where he mentioned Sandboxie, or why you feel it is necessary to discuss SBIE's specs in such detail and with such vehemence. I would suggest you start a different thread.
It's evident that you're trolling now.


You read the thread and you acknowledged @SFox's post. We know you acknowledged it because you left a Like on it. Unless you have been aimlessly Liking posts, then you read it.

SFox said and I quote:
If you want to launch the browser in a really safe environment, it is better to use Sandboxie in the free version.

I quoted that and briefly mentioned why he or she was incorrect and shined light on a danger of Sandboxie. You read read that post here: Q&A - Windows Sandbox vs Edge Application Guard Window (which is safer ?)

@SFox continued it because they didn't like it and then your friend @Andy Ful resurrected the thread.

Therefore... don't make out like all of this is my fault.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
It's evident that you're trolling now.
..
Therefore... don't make out like all of this is my fault.
Please calm down. Do not seek trolls.
It is not your fault, we have just discussed slightly off topic. That happens all the time, so no need to be excited. The discussion was interesting to me, and I do not intend to change your opinion. I posted here to keep the balance in opinions. Our posts are also for other readers, not just for you and me. (y)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Please calm down. Do not seek trolls.
It is not your fault, we have just discussed slightly off topic. That happens all the time, so no need to be excited. The discussion was interesting to me, and I do not intend to change your opinion. I posted here to keep the balance in opinions. Our posts are also for other readers, not just for you and me.
+1
It was an interesting discussion.
Like all good things, there is a point where we have had enough. :)
 

jetman

Level 10
Thread author
Verified
Well-known
Jun 6, 2017
477
Hey thanks for asking my original questions were being answered.

I take from the discussion so far that opening Edge in an Application Guard window would offer the same protection as opening Edge within the Windows 10 Sandbox. There is some debate as to whether applications opened in Sandboxie provide the same protection.

There were 2 outstanding questions that I originally asked however....

1. Is it possible to get Edge to open automatically in the Application Guard Window ?

2. Does browsing within the Microsoft Sandbox stop browser fingerprinting ?

Thanks.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
Hey thanks for asking my original questions were being answered.

I take from the discussion so far that opening Edge in an Application Guard window would offer the same protection as opening Edge within the Windows 10 Sandbox. There is some debate as to whether applications opened in Sandboxie provide the same protection.

There were 2 outstanding questions that I originally asked however....

1. Is it possible to get Edge to open automatically in the Application Guard Window ?

2. Does browsing within the Microsoft Sandbox stop browser fingerprinting ?

Thanks.
  1. If I correctly recall you can manually start it via Application Guard companion app.
  2. No, if you mean fingerprinting your sessions in the sandbox. But, when you are in the sandbox, the fingerprinting cannot reach the information about your web browsing sessions outside the sandbox (and vice versa).
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,152
The difference is in the usage of Windows Defender's Application Guard or Windows Sandbox, although both are backed by the same technology, which would be Hyper-V.

From what I gather from the net

Windows Sandbox allows users to launch a VM (virtual machine) with a basic version of Windows 10/11 and run suspicious applications without the danger of affecting the main operating system. This enables the user to run potentially threatening executable files in a container.

For WDAG if one goes to an untrusted site through Microsoft Edge, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
Sandboxie is based on the kernel driver, so its architecture is one level weaker compared to the solutions based on Hyper-V. Anyway, for the home users, Sandboxie (with advanced settings) is probably as safe as other solutions. The problem can be the compatibility with applications and drivers.
 

Mjolnir

Level 2
Verified
Jul 4, 2019
69
Not to complicate things...but it would be interesting to know how strong the security of the Comodo Secure Shopping module is compared to these other two technologies. Secure Shopping does not seem to get much attention...but it appears to offer very strong protection and seems like more than just a "shopping module"- as it loads a process that begins at start-up and never stops running - almost like a type of system monitor??

 
Last edited:
  • Like
Reactions: cryogent

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
How would they know when they do not use and pentest it?

It is easy. One can know that tank is stronger than a jeep without driving any of them. The most important thing here is knowing the advantage of Hyper-V over kernel solutions. :)
Anyway, I used Sandboxie for years (on very advanced settings) and I use/test Hyper-V solutions, so in my opinion, any of them can protect well at home. Sandboxie is probably more usable.(y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
Not to complicate things...but it would be interesting to know how strong the security of the Comodo Secure Shopping module is compared to these other two technologies.

CSS is slightly a different thing because it is focused on safe online shopping:
The Product performs a root certificate check, anti-injection, keyboard and desktop protection, copy/paste protection, remote check, private mode support for web browsing, Internet Explorer single process mode support, and self-protection. Protection against potential phishing is provided, as well as detection for https connections while browsing.

It is obviously safer for shopping, compared to more general sandboxes (without additional security layers). The Sandbox design is less important here, compared to the protection against things that happen in the Sandbox.

If one thinks about the protection of the shopping session on the already infected system (malware running outside the Sandbox), then Sandboxie protection is weaker, compared to CSS and Hyper-V solutions. Sandboxie was created to protect the system against threats from the sandbox. It was not created to protect the sandboxed processes against unsandboxed malware. The impact of unsandboxed malware can be decreased by using Sandboxie on a different account only for shopping.
 
Last edited:

Mjolnir

Level 2
Verified
Jul 4, 2019
69
I should note that CSS only seems to work with Firefox and Chrome as browsers and seems to prefer Firefox. I apologize...I do not mean to hijack this thread.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top