Andy Ful

I'm right about all of it.
The answer is as simple as I've been making it out. There's no need to over-complicate this.
...
This conversation can go on for decades, but the obsession with Sandboxie being more powerful than Microsoft's sandbox technology, when Microsoft uses dedicated CPU features designed for isolation, is shocking.
There is nothing to discuss on the advantage of Hyper-V container technology over Sandboxie. It is clear for anyone who read something about both solutions.
It is also clear that a Hyper-V container allows running much more in the sandbox than can be run in a restricted Sandboxie sandbox.

The rest is speculation which is hard to prove.
I think that bypassing Sandboxie would be in theory much easier than bypassing Hyper-V container. But this is not the same as the probability of bypassing if no one will try to bypass Sandboxie in the wild.
In my opinion, the properly restricted Sandboxie sandbox in the home environment will probably stop a similar amount of malware in the wild (including spying by exploiting the web browser) as the non-restricted Hyper-V container.
Of course, this is my personal opinion and if anyone thinks otherwise, I will not be angry.
 
The rest are our speculations which are hard to prove.
No, they aren't speculations.

I'm an engineer who has to actually use the CPU virtualization features as part of my job.

Hyper-V doesn't stop malware. Hyper-V is virtual machine software. Hyper-V is used by Windows Sandbox to create a guest environment that the end user can operate. Malware can infect the Hyper-V environment; however, it cannot escape unless the end user does something silly (e.g. allowing access to an organization network from within Hyper-V) or without a zero-day exploit (which is even less likely than pigs flying to Mars and back at this point).

Sandboxie does not offer a guest environment. Sandboxie has no real isolation that extends past the main host environment. Sandboxie is definitely not leveraging CPU features designed for virtualization. Sandboxie is relying on APIs which Microsoft developed and control in order to function properly.

You're free to use whichever software you want to use and you're also free to have your opinion. However, my point stands... Hyper-V is using a design which is safer than Sandboxie. Whether your opinion conflicts with this is irrelevant because it doesn't change anything.

I really hope I don't have to reiterate it another time because this is getting a bit ridiculous.
 

shmu26

Hi-

Which is the best way of browsing potentially unsafe websites ? Is it by running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window in Edge ?

I assume that browsing a site within the Sandbox guards against canvas fingerprinting as it runs a fresh installation of Windows ?

And while I am at it, is there a way of automatically opening Edge in Application Guard mode ?

Thanks for your comments !
@crezz Did you get helpful answers to your question? The discussion seems to have drifted off into an academic debate over whether pigs can fly to Mars and back.
 

Andy Ful

No, they aren't speculations.
...
I really hope I don't have to reiterate it another time because this is getting a bit ridiculous.
As I said, we start from the same facts but draw different conclusions. There is nothing wrong with it.
But I would like to point out some speculative thinking in your post:
  1. "Hyper-V doesn't stop malware."
    You ignore the fact that the user is vulnerable to spying. In a restricted Sandboxie sandbox, the malware (if an EXE file or Windows script) can be stopped.
  2. "Malware can infect the Hyper-V environment however it cannot escape unless the end user does something silly (e.g. allowing access to an organization network from within Hyper-V) or without a zero-day exploit (which is even less likely than pigs flying to Mars and back at this point)."
    If no one will try to exploit Sandboxie, then the same can be said about Sandboxie.
So, the question is: "Can such events be sufficiently frequent to outweigh the technology advantage of Hyper-V over Sandboxie?"
In my opinion, the answer may be positive. But, as I said before, it is speculation based on my experience.
It is pointless to discuss speculations, so let's agree to disagree on the practical advantage of Hyper-V over Sandboxie.
 
You ignore the fact, that the user is vulnerable to spying. In restricted Sandboxie sandbox, the malware (If EXE file or Windows script) can be stopped.
The end user is vulnerable to spying within the guest environment, which can be discarded at the end user's discretion. This is obviously implied. I stated that Hyper-V doesn't stop malware for a reason - I didn't think that I'd have to literally outline every single thing that malware could do to an end user when it's on a guest environment.

If a browser under Sandboxie does become compromised by an RCE vulnerability (there's been a recent one for Google Chrome that wasn't patched in the release for a few weeks, and there was recently a Firefox sandbox escape) then an attacker can deploy a botnet attack without leaving the context of the browser. So, bad things can happen whilst a browser is under Sandboxie as well. I didn't think this needed to be explicitly stated either until now.

If no one will try to exploit Sandboxie, then the same can be said about Sandboxie.
People have tried to exploit Sandboxie during its prime time to shine and they succeeded. When Sandboxie was of interest in the market (not just within these forums), security researchers took it on and succeeded. You can google for old Sandboxie bypasses between 2010-2014 when it was of interest to people. I'm not doing your homework for you.

For everything that Sandboxie cannot officially and ethically do on the environment from kernel level, it moves to using rootkit techniques straight from the books of the early 2000s, but in user mode. It takes the easy way out instead of doing things the proper way for isolation... which these days, would be leveraging CPU features explicitly designed for such use cases.

Sandboxie messes with the memory of processes belonging to other people's software, which also raises the threat surface for the products being put under the sandbox. Furthermore, Sandboxie tarnishes code integrity, which is there for a good reason: to help make sure that an attacker hasn't been messing with memory to control things.

You do not need to pretend to understand it because the fact you're still trying to change my opinion and voice the impression that there's little difference between Microsoft's sandbox technology and Sandboxie evidently proves that you do not understand my points. At this point, you may never understand my points. I'm fine with that. I'm content with it.
 

shmu26

The end user is vulnerable to spying within the guest environment, which can be discarded at the end user's discretion.
...
At this point, you may never understand my points. I'm fine with that. I'm content with it.
The OP asked which option is better: "Is it by running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window in Edge ?"
I don't see where he mentioned Sandboxie, or why you feel it is necessary to discuss SBIE's specs in such detail and with such vehemence. I would suggest you start a different thread.
 

Andy Ful

@crezz,
The discussion has been somewhat extended. Please, let us know if you do not want to include Sandboxie here. But generally, comparing Hyper-V containers to Sandboxie (or other sandboxes) can show their weak points for user security.
The Edge Application Guard solution has been prepared for safe browsing and uses the very strong Hyper-V container technology in addition to the Edge AppContainer, so it will be the best choice. Windows Sandbox can be used for other software (also for other web browsers).
 
The OP asked which option is better: "Is it by running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window in Edge ?"
I don't see where he mentioned Sandboxie, or why you feel it is necessary to discuss SBIE's specs in such detail and with such vehemence. I would suggest you start a different thread.
It's evident that you're trolling now.


You read the thread and you acknowledged @SFox's post. We know you acknowledged it because you left a Like on it. Unless you have been aimlessly Liking posts, then you read it.

SFox said and I quote:
If you want to launch the browser in a really safe environment, it is better to use Sandboxie in the free version.
I quoted that and briefly mentioned why he or she was incorrect and shined light on a danger of Sandboxie. You read that post here: Q&A - Windows Sandbox vs Edge Application Guard Window (which is safer ?)

@SFox continued it because they didn't like it and then your friend @Andy Ful resurrected the thread.

Therefore... don't make out like all of this is my fault.
 

Andy Ful

It's evident that you're trolling now.
..
Therefore... don't make out like all of this is my fault.
Please calm down. Do not seek trolls.
It is not your fault, we have just discussed slightly off topic. That happens all the time, so no need to be excited. The discussion was interesting to me, and I do not intend to change your opinion. I posted here to keep the balance in opinions. Our posts are also for other readers, not just for you and me. (y)
 

shmu26

Please calm down. Do not seek trolls.
It is not your fault, we have just discussed slightly off topic. That happens all the time, so no need to be excited. The discussion was interesting to me, and I do not intend to change your opinion. I posted here to keep the balance in opinions. Our posts are also for other readers, not just for you and me.
+1
It was an interesting discussion.
Like all good things, there is a point where we have had enough. :)
 

crezz

Hey, thanks for asking whether my original questions were being answered.

I take from the discussion so far that opening Edge in an Application Guard window would offer the same protection as opening Edge within the Windows 10 Sandbox. There is some debate as to whether applications opened in Sandboxie provide the same protection.

There were 2 outstanding questions that I originally asked however....

1. Is it possible to get Edge to open automatically in the Application Guard Window ?

2. Does browsing within the Microsoft Sandbox stop browser fingerprinting ?

Thanks.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Hey, thanks for asking whether my original questions were being answered.
...
1. Is it possible to get Edge to open automatically in the Application Guard Window ?

2. Does browsing within the Microsoft Sandbox stop browser fingerprinting ?
  1. If I correctly recall, you can manually start it via the Application Guard companion app.
  2. No, if you mean fingerprinting your sessions in the sandbox. But, when you are in the sandbox, the fingerprinting cannot reach the information about your web browsing sessions outside the sandbox (and vice versa).
 
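Added example, not part of the thread: before picking between Windows Sandbox and Application Guard, it is worth confirming that both Hyper-V-backed features are actually present and enabled on the machine, and that virtualization-based security is running, since the isolation the posters above argue about only exists when the hypervisor is active. The optional-feature names (`Containers-DisposableClientVM`, `Windows-Defender-ApplicationGuard`) and the `Win32_DeviceGuard` CIM class are Microsoft's documented names; the script assumes an elevated PowerShell prompt on a Windows 10/11 build that ships these features (Application Guard is not offered on Home editions).

```powershell
# Added example (not from the thread). Checks whether Windows Sandbox and
# Application Guard are installed, and whether virtualization-based security
# (VBS) is actually running. Run from an elevated PowerShell prompt.

$features = [ordered]@{
    'Windows Sandbox'          = 'Containers-DisposableClientVM'
    'Application Guard (WDAG)' = 'Windows-Defender-ApplicationGuard'
}

foreach ($label in $features.Keys) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $features[$label] -ErrorAction SilentlyContinue
    if ($null -eq $f) {
        # Feature not present at all on this SKU/build (e.g. WDAG on Home).
        Write-Host ("{0,-26}: not available on this edition/build" -f $label)
    } else {
        Write-Host ("{0,-26}: {1}" -f $label, $f.State)
    }
}

# VBS status as reported by the DeviceGuard CIM provider:
# 0 = not enabled, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
    2       { 'running' }
    1       { 'enabled but not running (reboot / firmware settings?)' }
    default { 'not enabled' }
}
Write-Host ("{0,-26}: {1}" -f 'Virtualization-based security', $vbs)

# To install a missing feature (a reboot is required afterwards), e.g.:
# Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
# Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -NoRestart
```

If VBS reports "enabled but not running", the usual cause is virtualization (VT-x/AMD-V) or IOMMU support being disabled in firmware; neither Windows Sandbox nor Application Guard will start until that is fixed. Microsoft has since listed Application Guard for Edge as a deprecated feature, so also check that it is still offered on the build in question.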