I’ve heard one reason Macs are so secure against viruses and system crashes is that the kernel address space is virtualized, and apps can’t access it directly, so programs essentially operate in separate containers.
Is there any framework to harden Windows in a similar manner?
(I know Windows has VBS and HVCI, but that can cause significant performance decreases. Windows KDP partially virtualizes the kernel, but evidently isn’t designed particularly to resist malware. And while there’s something called Wubes to replicate Qubes using Windows Sandbox, it seems more like a proof-of-concept than a robust framework suitable for a daily driver.)
Is there anything effective to protect and virtualize Windows apps that I haven’t found yet?
For context on my specific use case, I had to reset my PC recently so before installing a bunch of apps again, I’d like to know if there’s a more secure way to go about this. And please don’t recommend Linux; I have a separate Linux device and it’s wonderful but I need to have Windows on this particular PC, so I’m specifically looking to harden Windows 11.
Author of the PR here. There is an option to virtualize the kernel as you asked.
Search for Exploit Protection in Windows search. It will lead you to Windows Defender settings. In that, flip the switches for Force randomization for images (Mandatory ASLR) and Randomize memory allocations (Bottom-Up ASLR) to On by default.
For containerized apps, I would suggest you wait, though, because Microsoft is bringing an API for traditional Win32 programs so they run sandboxed similar to the UWP (MS Store) apps, or go for Sandboxie.
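The same two Exploit Protection switches can be set from an elevated PowerShell prompt, which is handy when rebuilding a PC. This is an added example, not part of the answer above; it uses the built-in Get-ProcessMitigation / Set-ProcessMitigation cmdlets, and the backup path and the example app name are assumptions.

```powershell
# Added example (not from the thread). Run as Administrator on Windows 10/11.
# Assumed paths/names: the backup file location and "legacyapp.exe".

# 1. Export the current system-wide Exploit Protection settings so the
#    change can be reverted with: Set-ProcessMitigation -PolicyFilePath <file>
$backup = "$env:USERPROFILE\exploit-protection-backup.xml"
Get-ProcessMitigation -RegistryConfigFilePath $backup

# 2. Turn on Mandatory ASLR (ForceRelocateImages) and Bottom-Up ASLR (BottomUp)
#    as the system default, i.e. the "On by default" setting in the GUI.
Set-ProcessMitigation -System -Enable ForceRelocateImages, BottomUp

# 3. Verify the effective system policy rather than trusting the GUI.
$aslr = (Get-ProcessMitigation -System).ASLR
"ForceRelocateImages: $($aslr.ForceRelocateImages)"
"BottomUp:            $($aslr.BottomUp)"

# 4. Mandatory ASLR forces relocation of images built without relocation data,
#    which can crash some older third-party binaries. If one breaks, exempt
#    just that executable instead of switching the system default back off.
# Set-ProcessMitigation -Name legacyapp.exe -Disable ForceRelocateImages
```

Check the Event Viewer log under Applications and Services Logs > Microsoft > Windows > Security-Mitigations after enabling; it records which process was blocked by which mitigation, so a crash can be attributed to ASLR before you exempt anything.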
See https://hotcakex.github.io/ for a possible hardening option. Also think about using WDAC, or at least AppLocker if you don’t want to deal with WDAC.