Advice Request Windows Sandbox vs Edge Application Guard Window (which is safer ?)

Please provide comments and solutions that are helpful to the author of this topic.

jetman

Level 10
Thread author
Verified
Well-known
Jun 6, 2017
477
Hi-

Which is the best way of browsing potentially unsafe websites ? Is it by running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window in Edge ?

I assume that browsing a site within the Sandbox guards against canvas fingerprinting as it runs a fresh installation of Windows ?

And while I am at it, is there a way of automtically opening Edge in Application Guard mode ?

Thanks for your comments !
 
Jun 26, 2019
75
You can use Windows Defender's Application Guard or Windows Sandbox - it's a matter of preference because they are both backed by the same technology, which would be Hyper-V.

If you want to launch the browser in a really safe environment, it is better to use Sandboxie in the free version.
Sandboxie is dangerous compared to Windows Defender's Application Guard or Windows Sandbox because it uses undocumented techniques to achieve a fair portion of its features. In comparison to what Microsoft has to offer, Sandboxie cannot even begin to compete, because it's still hiding behind the sandbox designs of 2006-2010 times unlike Microsoft who've been adopting hardware isolation technology for years now.
 

Zorro

Level 9
Verified
Well-known
Jun 11, 2019
408
Sandboxie is dangerous compared to Windows Defender's Application Guard or Windows Sandbox because it uses undocumented techniques to achieve a fair portion of its features. In comparison to what Microsoft has to offer, Sandboxie cannot even begin to compete, because it's still hiding behind the sandbox designs of 2006-2010 times unlike Microsoft who've been adopting hardware isolation technology for years now.
Even if we assume that Sandboxie relies on the technology of 2010, this technology is still quite viable and I have not found a single detailed case when a malicious program could bypass this sandbox. Only target viruses created to infect a particular computer on which this sandbox program is installed can do this. But it is doubtful that with ordinary surfing a simple user would face such a threat. And the author wants just the usual safe surfing.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It is not necessary for home users to add an extra sandbox on top of the native sandboxing of Chrome and Edge Chromium in Windows 10. Even regular Edge at default settings runs in appcontainer. Home users are not at risk of malware attacks escaping this layer of protection. If the OP is worried about fingerprinting, there are browser add-ons for that.
 

Zorro

Level 9
Verified
Well-known
Jun 11, 2019
408
It is not necessary for home users to add an extra sandbox on top of the native sandboxing of Chrome and Edge Chromium in Windows 10. Even regular Edge at default settings runs in appcontainer. Home users are not at risk of malware attacks escaping this layer of protection. If the OP is worried about fingerprinting, there are browser add-ons for that.
That's right. The only thing that we never know what other vulnerabilities are in the browser, the same Google Chrome or Edge, and how high the probability that the threats of zero day are already used by attackers right now. A third-party sandbox still provides certain protection and against zero-day threats that could potentially be used by intruders.
 
Jun 26, 2019
75
Even if we assume that Sandboxie relies on the technology of 2010, this technology is still quite viable and I have not found a single detailed case when a malicious program could bypass this sandbox.
If you know how Sandboxie works then you'll be able to find online content describing how the technology can be beaten - I'm referring to the techniques behind Sandboxie for clarification. None of them are written specifically for Sandboxie, but then again, not many people outside these forums could care less about Sandboxie nowadays. In fact, a good portion of the experts in the Information & Security industry take a disliking to all security software that doesn't originate from Microsoft.

It's not about whether Sandboxie can be defeated by malicious software or not though. It doesn't matter what you use... anything is going to be defeated eventually. It's inevitable. I'm not saying that Microsoft's technology is invincible whereas Sandboxie is not. What I'm saying is that due to how they all work, Microsoft's is better in general from a security perspective.

Only target viruses created to infect a particular computer on which this sandbox program is installed can do this.
Sorry, but that's simply not true. It's not a James Bond movie. There are ways to evade certain features of Sandboxie which will work just as successfully when there's nothing like Sandboxie to be defeated.

And the author wants just the usual safe surfing.
You said and I quote, "If you want to launch the browser in a really safe environment, it is better to use Sandboxie", except that's simply false. It's fine if it's your opinion, but you've voiced it like a fact. If you had actually investigated the differences of Microsoft's sandbox technology and Sandboxie, you'd have already known in advance and wouldn't have spread false information.

I'm merely correcting your false information. The topic was about Windows Defender's Application Guard and Windows Sandbox. See the thread title.
 
Jun 26, 2019
75
A third-party sandbox still provides certain protection and against zero-day threats that could potentially be used by intruders.
Sandboxie would actually raise the threat surface in a negative way for someone of interest to resourceful threat actors. The reasoning behind this is down to the fact that Sandboxie messes with the memory of processes it doesn't own, which also causes a slew of compatibility issues when things get updated, potentially making the dangerous impact from Sandboxie elevated.
 
Jun 26, 2019
75
Can someone please link me to a single case in recent years where a home user's computer got infected from visiting random websites?
It's not feasible because home users don't often know how they got infected when they believe in the "magic" having happened to them. Someone might believe they were "magically" infected by visiting a random website when in actual fact it was a download they foolishly ran several days ago. As a result of this, you'll find many search results from people complaining about AVs failing to protect them from magical threats which actually entered the environment differently to how the end user believes they did.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It's not feasible because home users don't often know how they got infected when they believe in the "magic" having happened to them. Someone might believe they were "magically" infected by visiting a random website when in actual fact it was a download they foolishly ran several days ago. As a result of this, you'll find many search results from people complaining about AVs failing to protect them from magical threats which actually entered the environment differently to how the end user believes they did.
AFAIK there are no documented cases. I don't believe in magic. If you have an updated, modern OS, and an updated, modern browser, that's more than enough.
 

Zorro

Level 9
Verified
Well-known
Jun 11, 2019
408
If you know how Sandboxie works then you'll be able to find online content describing how the technology can be beaten - I'm referring to the techniques behind Sandboxie for clarification. None of them are written specifically for Sandboxie, but then again, not many people outside these forums could care less about Sandboxie nowadays. In fact, a good portion of the experts in the Information & Security industry take a disliking to all security software that doesn't originate from Microsoft.
Naturally, since Sandboxie is a sandbox that uses isolation technology based on partial file system and registry virtualization, there are probably ways to bypass its protection. There is no perfect program. I said that it’s my subjective opinion. I do not impose it on anyone, everyone chooses by himself what to use, I just say, based on my personal experience and feedback on the program from those users who use it. And the fact that I and many others, using this program for safe surfing, did not encounter system infection through visiting various sites (let's leave the question of how realistic it is to get infected in this way, but for the sake of interest I even went with this program and with the antivirus turned off according to known malicious sites), says that the program really makes Internet surfing safe. I can not say that the sandbox from Microsoft will not be able to protect, I did not use it. But I read a lot of reviews from ordinary users, from which I can judge that this sandbox causes no less problems than Sandboxie, but it’s definitely impossible to say anything specific about the quality of protection. As already said, there is no ideal program, there are more convenient and less convenient, more difficult to break and less difficult to break. And time will tell what is more convenient and less penetrable - Sandboxie or Microsoft's sandbox.
"A good portion of the experts in the Information & Security industry take a disliking to all security software that doesn't originate from Microsoft". Where are the expert polls? Statistics? Where are the interviews in which cybersecurity officials say they prefer the security offered by Microsoft? In tests of experts of antivirus laboratories on a pedestal, we see invariably products of Kaspersky Lab, Bitdefender, Symantek, Avast... These antiviruses receive from the experts the honorary titles of "outstanding products" and "products of the year" (Summary Report 2018 | AV-Comparatives). In the results table, the protective product from Microsoft is far from the top, although it cannot be said that it is completely bad. This is the opinion of experts and testers in the field of computer security.
 
  • Like
Reactions: Dave Russo
Jun 26, 2019
75
Naturally, since Sandboxie is a sandbox that uses isolation technology based on partial file system and registry virtualization, there are probably ways to bypass its protection. There is no perfect program. I said that it’s my subjective opinion. I do not impose it on anyone, everyone chooses by himself what to use, I just say, based on my personal experience and feedback on the program from those users who use it. And the fact that I and many others, using this program for safe surfing, did not encounter system infection through visiting various sites (let's leave the question of how realistic it is to get infected in this way, but for the sake of interest I even went with this program and with the antivirus turned off according to known malicious sites), says that the program really makes Internet surfing safe. I can not say that the sandbox from Microsoft will not be able to protect, I did not use it. But I read a lot of reviews from ordinary users, from which I can judge that this sandbox causes no less problems than Sandboxie, but it’s definitely impossible to say anything specific about the quality of protection. As already said, there is no ideal program, there are more convenient and less convenient, more difficult to break and less difficult to break. And time will tell what is more convenient and less penetrable - Sandboxie or Microsoft's sandbox.
Microsoft develop the Windows APIs and they have access to all of the material which for everyone else would be undocumented and unsafe to use. Microsoft own Windows which permits them that privilege. Due to this, not only do they already have the advantage of hardware isolation which Sandboxie lacks, but they have the advantage of maintaining compatibility with other people's software and even controlling influence among developers on how they develop their software.

These are the facts:
1. Sandboxie heavily relies on undocumented techniques.
2. Sandboxie messes with the memory of processes belonging to other people's software.
3. Sandboxie's design is still incredibly influenced by rootkit techniques from rootkit books written in the late 1990s and early 2000s.

This isn't about what your favorite sandbox is or whether it has worked great for you and other people on this forum. I do not need to send you technical write-up papers of how Sandboxie works or the same for Microsoft's technology. I have nothing to prove to you. You are more than capable of doing your own homework by researching all of this.

The time it took you to write that big wall of text would have been sufficient timing for you to have educated yourself on how Microsoft's sandbox technology works and work out the differences compared to Sandboxie. Get out your notepad and pen and start taking notes, because I'm not going to do your work for you.

Where are the expert polls? Statistics? Where are the interviews in which cybersecurity officials say they prefer the security offered by Microsoft?
It's mainly due to compatibility and the fact that Microsoft do not have to be as dirty as most other AVs since they own Windows and thus can make changes at their own discretion whilst doing things which would be unsafe for others to do. Microsoft also own the special anti-virus APIs which other vendors want their hands on to cut down on the unstable things they might be doing, making things even more advantageous for Microsoft.

Read some tweets by people from the Mozilla Firefox team, Google Project Zero team, etc. and you'll start to see a consistent pattern of Windows Defender being favored compared to third-party vendors.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
When using Edge extra protect it with WD Exploit protection (App & Browser control) together with AppContainer it should be faster and stronger than messing with pre-windows 8 technology of Sandboxie.

215622
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
Unsafe as in 'Site contains Adware'' or contains ITW Exploits?

Is it by running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window in Edge ?
I assume that browsing a site within the Sandbox guards against canvas fingerprinting as it runs a fresh installation of Windows ?
And while I am at it, is there a way of automtically opening Edge in Application Guard mode ?
For a short time on v1809 (Pro), I tested out WDAG for Edge, but it was not practical enough to keep it due to it's severe limitations. On v1903 (Pro) neither had access the Internet and I looked online to no avail.

If your hardware supports it and don't mind setting up Windows, try using Hyper-V Manager. In the classic Windows Features, I enabled Hyper-V, Virtual Machine Platform and Windows Hypervisor Platform. Host OS must be running Windows 10 Pro or above.

The 'Quick Create' helps you get started, or you can use your own OS ISO.
1561586057912.png 1561585896789.png

If not, try VirtualBox with seamless headless mode activated for a more seamless experience.

Edited
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Although Veloce is right about Sandboxie's technology and compatibility issues, the answer is not as simple as it seems.
Sandboxie relies not only on sandboxing, but can also restrict the sandbox with anti-exe features, blocking read/write access to disks or folders, etc. Furthermore, no one bothers bypassing Sandboxie because it is rarely used in Enterprises.
So, the attack surface in the Sandboxie sandbox can be much smaller than in sandboxes based on Hyper-V technology.
In the Home environment, the properly restricted Sandboxie sandbox will be probably as safe as Windows Sandbox or Application Guard for Edge. But anyway, the compatibility issues on Windows 10 can put Sandboxie at disadvantage.

Edit.
Windows Sandbox allows installing drivers (if the reboot is not required). Sandboxie denies installing drivers by default (but there is a way to allow driver installation).
 
Last edited:
Jun 26, 2019
75
Although @Veloce is right about Sandboxie's technology and compatibility issues, the answer is not as simple as it seems.
I'm right about all of it.

The answer is as simple as I've been making it out. There's no need to over-complicate this.

Microsoft's sandbox technology is using a privilege level that's reserved by the firmware for Type 2 hyper-visors (ring -1) which behaves identically to ring 0 in the eyes of the code running under it, but is controlled by the host environment. The host environment's kernel is running with a Current Privilege Level (CPL) 0 and the guest environment's kernel is running with a CPL of -1. Whenever the guest environment's kernel executes a privileged instruction, the host environment is allowed to control what happens, and many instructions from the x86/AMD64 instruction set which are not privileged instructions can also be controlled.

Sandboxie is entirely dependent on the host environment. There is no real isolation between the program being put in the sandbox and the rest of the host environment, it's merely an illusion.

Windows Sandbox allows installing drivers (if the reboot is not required). Sandboxie denies installing drivers by default (but there is a way to allow driver installation).
This isn't an issue and it is no different to if you had done this on a VM using VMware.

Sandboxie might deny the installation of drivers, but what about vulnerable drivers that might already be on the machine?

Windows Sandbox is literally the same as a VM except it's been designed to be more convenient; there's no need to install OS media because it takes the system files from your host environment.

This conversation can go on for decades but the obsession of Sandboxie being more powerful than Microsoft's sandbox technology when Microsoft use dedicated CPU features designed for isolation is shocking.
 
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
For a short time on v1809 (Pro), I tested out WDAG for Edge, but it was not practical enough to keep it due to it's severe limitations. On v1903 (Pro) neither had access the Internet and I looked online to no avail.
Had same experience, also because I have only 6GB RAM it loaded slow. . I also was disconnected from the internet when it had loaded and could not i find a solution for it on the web either..
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top