Windows Defender Application Guard to Use Virtualized Environment

FrgMstr

There are a lot of HardOCP readers who know the value of a virtual machine running on your desktop when it comes to security, and now Microsoft seems to be following suit. In an upcoming version of Windows we will be seeing Microsoft isolate its Edge browser in a Hyper-V container. This is essentially Microsoft running a virtualized operating environment outside of its own operating system. Since most attacks we see are browser-based nowadays on an individual level, this seems like a very smart thing to incorporate into its security goals. Certainly this is nothing that most enthusiasts cannot do on their own, but this delivers a fairly high level of security to the masses.

Check out the video.

We take a look at Windows Defender Application Guard, a new capability coming to Windows 10 Creators Update this fall to prevent browser-based attacks. You'll see the user experience in Microsoft Edge when navigating to untrusted and trusted sites, how Windows Defender Application Guard leverages virtualization and Hyper-V to isolate the running processes from Windows, and how you can deploy and configure Application Guard in your organization.
 

daglesj

At least the fall update will have some interesting stuff in it.
 

Sp33dFr33k

Or you could use something like Sandboxie which can isolate pretty much any application in a "virtual" environment.
 

Spidey329

> Or you could use something like Sandboxie which can isolate pretty much any application in a "virtual" environment.

This isn't for power users. This is a way to get the virtualization/sandbox ease for every user (using that particular app).
 

nutzo

If they are using Hyper-V to isolate the process, does that mean it will conflict with VMWare and automatically uninstall my VMWare workstation when I upgrade to this version? :eek::mad::depressed:
 

Brian_B

At least I know I'll be protected for that one time I use Edge to download another browser
 

dragonstongue

you mean the same Windows Defender that keeps failing on update KB915597

Until they can fix crap updates, forced data snooping etc, am using my current Win 7 till am not able to anymore, I have no faith in MSFT since Win7 which has been awesome for me, beyond, have all been terribad in many ways, that is IMO for ME
 

Makaveli@BETA

> you mean the same Windows Defender that keeps failing on update KB915597
>
> Until they can fix crap updates, forced data snooping etc, am using my current Win 7 till am not able to anymore, I have no faith in MSFT since Win7 which has been awesome for me, beyond, have all been terribad in many ways, that is IMO for ME

Keep fighting the good fight!
 

Bigshrimp

An isolated web browser sounds ingenious to me. I wonder if any of the virtualization causes a slowdown of any sort?
 

MrGuvernment

> you mean the same Windows Defender that keeps failing on update KB915597
>
> Until they can fix crap updates, forced data snooping etc, am using my current Win 7 till am not able to anymore, I have no faith in MSFT since Win7 which has been awesome for me, beyond, have all been terribad in many ways, that is IMO for ME

I presume then you did not install a handful of updates that added all that snooping to Windows 7....

Also, can't say I have seen any Defender updates fail, across hundreds of computers across several clients, literally.
 

focbde

> An isolated web browser sounds ingenious to me. I wonder if any of the virtualization causes a slowdown of any sort?

There's always some overhead, but in reality these days it's incredibly minor.
 

Burticus

Interesting thought. If we could make browsing in a VM seamless, where I'm not actually using a VM in a window...

I vaguely recall a presentation about virtualizing ALL elevated applications so if they blew up or became insecure, it wouldn't affect the host. That was like 10 years ago, not seeing any progress made. I do use VMs to test things that might be sketchy, but it's far from ideal since I have to console or RDP into them. Not exactly the same thing as launching chrome / pick a browser.

Oh, additional thought, since the browser and most apps require network/internet access they would still be able to spread/compromise others. If you locked the VM down without network, it wouldn't be very useful for general tasks.

> There's always some overhead, but in reality these days it's incredibly minor.

Actually it's very resource intensive. We just don't notice because the usage has stayed fairly static, but our everyday usage specs/requirements have increased a metric shit ton, so we don't "feel" the hit so much. Food for thought.... do you think a web browser runs better/faster today than it did 10 years ago? The answer is no. But you can't/wouldn't want to use a 10 year old system, it would be so slow. Did it get slower? No, it's resource bloat. Think about the computer you used 10 years ago, it was fine. And it probably had 2 gigs of ram and if you were lucky a dual core CPU. What changed? Everything else.

10-15 years ago when the company I worked for started going full tilt into VMs, we were using AMD Opteron servers with 4 CPUs (single core CPUs, I want to say HP Proliant DL585's) with 16gb of ram. These were $10k BEASTS back then, and we could get max 10 VM's per host depending on load. Today, those systems are basically garbage. A $99 FX-8350 desktop with 32GB ram could probably run the same VM load for like $500. And this is what we consider to be a marginal performing desktop system now. The hardware didn't degrade, the software keeps getting more and more bloated and we just accept it.
 

focbde

> Interesting thought. If we could make browsing in a VM seamless, where I'm not actually using a VM in a window...
>
> I vaguely recall a presentation about virtualizing ALL elevated applications so if they blew up or became insecure, it wouldn't affect the host. That was like 10 years ago, not seeing any progress made. I do use VMs to test things that might be sketchy, but it's far from ideal since I have to console or RDP into them. Not exactly the same thing as launching chrome / pick a browser.
>
> Oh, additional thought, since the browser and most apps require network/internet access they would still be able to spread/compromise others. If you locked the VM down without network, it wouldn't be very useful for general tasks.
>
> Actually it's very resource intensive. We just don't notice because the usage has stayed fairly static, but our everyday usage specs/requirements have increased a metric shit ton, so we don't "feel" the hit so much. Food for thought.... do you think a web browser runs better/faster today than it did 10 years ago? The answer is no. But you can't/wouldn't want to use a 10 year old system, it would be so slow. Did it get slower? No, it's resource bloat. Think about the computer you used 10 years ago, it was fine. And it probably had 2 gigs of ram and if you were lucky a dual core CPU. What changed? Everything else.
>
> 10-15 years ago when the company I worked for started going full tilt into VMs, we were using AMD Opteron servers with 4 CPUs (single core CPUs, I want to say HP Proliant DL585's) with 16gb of ram. These were $10k BEASTS back then, and we could get max 10 VM's per host depending on load. Today, those systems are basically garbage. A $99 FX-8350 desktop with 32GB ram could probably run the same VM load for like $500. And this is what we consider to be a marginal performing desktop system now. The hardware didn't degrade, the software keeps getting more and more bloated and we just accept it.

Overhead in general for a Hyper-V VM is in the order of about 10% average across compute and storage I/O. Network overhead is usually quite a bit higher though, in the order of around 25-30%. This is still reasonably minor unless you are somewhat network I/O-bound so I'm afraid I don't agree with you. The question also wasn't about how bloated software has become which you seem to be focusing on, rather what the performance impact would be if running the same software in a Hyper-V VM versus native and, there, the answer is 'minor'. You were giving a (very correct) answer to the wrong question.
 