Windows Defender Application Guard to Use Virtualized Environment

FrgMstr

Just Plain Mean
Staff member
Joined
May 18, 1997
Messages
55,634
There are a lot of HardOCP readers that know the value of a virtual machine running on your desktop when it comes to security, and now Microsoft seems to be following suit. In an upcoming version of Windows we will be seeing Microsoft isolate its Edge browser in a Hyper-V container. This is essentially Microsoft running a virtualized operating environment outside of its own operating system. Since most attacks we see nowadays at an individual level are browser-based, this seems like a very smart thing to incorporate into its security goals. Certainly this is nothing that most enthusiasts cannot do on their own, but this delivers a fairly high level of security to the masses.

Check out the video.

We take a look at Windows Defender Application Guard, a new capability coming to the Windows 10 Creators Update this fall to prevent browser-based attacks. You'll see the user experience in Microsoft Edge when navigating to untrusted and trusted sites, how Windows Defender Application Guard leverages virtualization and Hyper-V to isolate the running processes from Windows, and how you can deploy and configure Application Guard in your organization.
 
At least the fall update will have some interesting stuff in it.
 
Or you could use something like Sandboxie which can isolate pretty much any application in a "virtual" environment.
 
> Or you could use something like Sandboxie which can isolate pretty much any application in a "virtual" environment.

This isn't for power users. This is a way to get the virtualization/sandbox ease for every user (using that particular app).
 
If they are using Hyper-V to isolate the process, does that mean it will conflict with VMWare and automatically uninstall my VMWare workstation when I upgrade to this version? :eek::mad::depressed:
 
At least I know I'll be protected for that one time I use Edge to download another browser
 
You mean the same Windows Defender that keeps failing on update KB915597?

Until they can fix crap updates, forced data snooping etc., I'm using my current Win 7 till I'm not able to anymore. I have no faith in MSFT since Win7, which has been awesome for me; everything beyond it has been terribad in many ways. That is IMO, for ME.
 
> You mean the same Windows Defender that keeps failing on update KB915597?
>
> Until they can fix crap updates, forced data snooping etc., I'm using my current Win 7 till I'm not able to anymore. I have no faith in MSFT since Win7, which has been awesome for me; everything beyond it has been terribad in many ways. That is IMO, for ME.

Keep fighting the good fight!
 
An isolated web browser sounds ingenious to me. I wonder if any of the virtualization causes a slowdown of any sort?
 
> You mean the same Windows Defender that keeps failing on update KB915597?
>
> Until they can fix crap updates, forced data snooping etc., I'm using my current Win 7 till I'm not able to anymore. I have no faith in MSFT since Win7, which has been awesome for me; everything beyond it has been terribad in many ways. That is IMO, for ME.

I presume then you did not install the handful of updates that added all that snooping to Windows 7...

Also, can't say I have seen any Defender updates fail, across hundreds of computers across several clients, literally.
 
> An isolated web browser sounds ingenious to me. I wonder if any of the virtualization causes a slowdown of any sort?

There's always some overhead, but in reality these days it's incredibly minor.
 
Interesting thought. If we could make browsing in a VM seamless, where I'm not actually using a VM in a window...

I vaguely recall a presentation about virtualizing ALL elevated applications so if they blew up or became insecure, it wouldn't affect the host. That was like 10 years ago; not seeing any progress made. I do use VMs to test things that might be sketchy, but it's far from ideal since I have to console or RDP into them. Not exactly the same thing as launching Chrome / pick a browser.

Oh, additional thought, since the browser and most apps require network/internet access they would still be able to spread/compromise others. If you locked the VM down without network, it wouldn't be very useful for general tasks.

> There's always some overhead, but in reality these days it's incredibly minor.

Actually it's very resource intensive. We just don't notice because the usage has stayed fairly static, but our everyday usage specs/requirements have increased a metric shit ton, so we don't "feel" the hit so much. Food for thought.... do you think a web browser runs better/faster today than it did 10 years ago? The answer is no. But you can't/wouldn't want to use a 10 year old system, it would be so slow. Did it get slower? No, it's resource bloat. Think about the computer you used 10 years ago, it was fine. And it probably had 2 gigs of ram and if you were lucky a dual core CPU. What changed? Everything else.

10-15 years ago, when the company I worked for started going full tilt into VMs, we were using AMD Opteron servers with 4 CPUs (single-core CPUs, I want to say HP ProLiant DL585s) with 16GB of RAM. These were $10k BEASTS back then, and we could get max 10 VMs per host depending on load. Today, those systems are basically garbage. A $99 FX-8350 desktop with 32GB RAM could probably run the same VM load for like $500. And this is what we consider to be a marginal performing desktop system now. The hardware didn't degrade; the software keeps getting more and more bloated and we just accept it.
 
> Interesting thought. If we could make browsing in a VM seamless, where I'm not actually using a VM in a window...
>
> I vaguely recall a presentation about virtualizing ALL elevated applications so if they blew up or became insecure, it wouldn't affect the host. That was like 10 years ago; not seeing any progress made. I do use VMs to test things that might be sketchy, but it's far from ideal since I have to console or RDP into them. Not exactly the same thing as launching Chrome / pick a browser.
>
> Oh, additional thought, since the browser and most apps require network/internet access they would still be able to spread/compromise others. If you locked the VM down without network, it wouldn't be very useful for general tasks.

> Actually it's very resource intensive. We just don't notice because the usage has stayed fairly static, but our everyday usage specs/requirements have increased a metric shit ton, so we don't "feel" the hit so much. Food for thought.... do you think a web browser runs better/faster today than it did 10 years ago? The answer is no. But you can't/wouldn't want to use a 10 year old system, it would be so slow. Did it get slower? No, it's resource bloat. Think about the computer you used 10 years ago, it was fine. And it probably had 2 gigs of ram and if you were lucky a dual core CPU. What changed? Everything else.
>
> 10-15 years ago, when the company I worked for started going full tilt into VMs, we were using AMD Opteron servers with 4 CPUs (single-core CPUs, I want to say HP ProLiant DL585s) with 16GB of RAM. These were $10k BEASTS back then, and we could get max 10 VMs per host depending on load. Today, those systems are basically garbage. A $99 FX-8350 desktop with 32GB RAM could probably run the same VM load for like $500. And this is what we consider to be a marginal performing desktop system now. The hardware didn't degrade; the software keeps getting more and more bloated and we just accept it.

Overhead in general for a Hyper-V VM is in the order of about 10% average across compute and storage I/O. Network overhead is usually quite a bit higher though, in the order of around 25-30%. This is still reasonably minor unless you are somewhat network I/O-bound so I'm afraid I don't agree with you. The question also wasn't about how bloated software has become which you seem to be focusing on, rather what the performance impact would be if running the same software in a Hyper-V VM versus native and, there, the answer is 'minor'. You were giving a (very correct) answer to the wrong question.
 