How to use Bromium Application Isolation to Secure Microsoft Edge Downloads

  • Microsoft Edge browser does not isolate web file downloads
  • Learn how to use Bromium to isolate your Microsoft Edge web file downloads
  • Bromium works with all Microsoft virtualization-based security (VBS) technologies

Microsoft jumps on the application isolation bandwagon.

In December 2017, Bromium welcomed the arrival of the Windows Defender Application Guard (WDAG) for Microsoft Edge, Microsoft’s long-awaited entry into application isolation.

While acknowledging significant benefits for security-conscious Windows 10 Enterprise users, WDAG does not allow any file downloads during untrusted (isolated) browsing. Microsoft’s focus is to secure Edge against browser exploits and file-less malware, thus preventing any files from entering through the browser and coming down to the host PC.

However, most employees need access to web downloads to do their jobs, at least occasionally. And those downloads must be safe, both initially and on each subsequent file access, even when off the network.

Read: Browser Isolation with Microsoft Windows Defender Application Guard (WDAG): What It Does, How It Works and What It Means

Edge does allow file downloads during trusted (non-isolated) host browsing, even though those downloads might be malicious. Microsoft relies on detection for download security—typically a quick scan by Windows Defender on the desktop—before allowing the user to access the file or quarantining it.

We’ve even seen ransomware run to conclusion and encrypt all the victim’s files before Windows Defender “detects” the outbound communication with the remote command and control server and quarantines the file. Yes, the malware was detected—eventually—but the PC still got owned.

How to secure Microsoft Edge downloads with Bromium.

Bromium’s approach is fundamentally different, relying on application isolation instead of detection:

  • Designate Microsoft Edge as an “ingress application.”
  • Every file download originating through the Edge browser during trusted browsing will be marked as “untrusted” when it is saved onto the host.
  • Every time the user opens any of these file downloads, it opens inside an isolated, disposable micro-VMs run by Bromium Secure Files.
  • This protection also extends to files that are emailed between Bromium users.
Designate Microsoft Edge as Ingress Application for Bromium
Designating Microsoft Edge as a Bromium “Ingress Application” marks all files downloaded through the Edge browser as untrusted so they will open in isolated micro-VMs


Video: Easily Isolate Downloads and Executables So Threats Can’t Escape

Bromium hardware-isolates each supported file from the host operating system and from all other user tasks while it runs in its designated application—Word, Excel, PowerPoint, Adobe Reader, Media Player, Notepad, etc.

With a wide-ranging native support for the most common application attack vectors—plus legacy and custom application support through Bromium Secure App Extensions—Bromium isolation picks up directly where Edge browser isolation leaves off.

So, go ahead and let your users safely download, save, and use original files using Edge. Bromium’s got you covered, even if Microsoft doesn’t.



The post How to use Bromium Application Isolation to Secure Microsoft Edge Downloads appeared first on Bromium.

*** This is a Security Bloggers Network syndicated blog from Bromium authored by Michael Rosen. Read the original post at: