I’ve heard one reason Macs are so secure against viruses and system crashes is that the kernel address space is virtualized, and apps can’t access it directly, like programs essentially operate in separate containers.
Is there any framework to harden Windows in a similar manner?
(I know Windows has VBS and HVCI, but that can cause significant performance decreases. Windows KDP partially virtualizes the kernel, but evidently it’s not designed particularly to resist malware. And while there’s something called Wubes to replicate Qubes using Windows Sandbox, it seems more like a proof of concept than a robust framework suitable for a daily driver.)
Is there anything effective to protect and virtualize Windows apps that I haven’t found yet?
For context on my specific use case, I had to reset my PC recently so before installing a bunch of apps again, I’d like to know if there’s a more secure way to go about this. And please don’t recommend Linux; I have a separate Linux device and it’s wonderful but I need to have Windows on this particular PC, so I’m specifically looking to harden Windows 11.
Update: I did just find this Privacy Guides PR for hardening Windows, which is somewhat informative.
So, is Sandboxie the thing I’ve been searching for, then?
Author of the PR here. There is an option to virtualize the kernel, as you asked.
Search for Exploit Protection in Windows search. It will lead you to Windows Defender settings. In that, flip the switches for Force randomization for images (Mandatory ASLR) and Randomize memory allocations (Bottom-Up ASLR) to On by default.
For containerized apps, I would suggest you wait, though, because Microsoft is bringing an API for traditional Win32 programs so they run sandboxed similar to UWP (MS Store) apps, or go for Sandboxie.
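The same two Exploit Protection switches, set from an elevated PowerShell instead of the Defender UI, with the before/after checks and the per-app exemption you will want when Mandatory ASLR breaks an old binary. This is an added example, not code from the PR author or the thread; `legacyapp.exe` and the export path are placeholders I chose.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on Windows 11.
# 'legacyapp.exe' is a placeholder for any program that misbehaves under Mandatory
# ASLR (typically old binaries not linked with /DYNAMICBASE).

# 1. Record the current system-wide ASLR defaults so the change can be reverted
$before = (Get-ProcessMitigation -System).ASLR
$before | Format-List ForceRelocateImages, BottomUp, HighEntropy

# 2. Turn on Mandatory ASLR (ForceRelocateImages) and Bottom-Up ASLR (BottomUp)
#    for every process that does not carry its own per-process override
Set-ProcessMitigation -System -Enable ForceRelocateImages, BottomUp

# 3. Read the effective setting back; both should now report ON
(Get-ProcessMitigation -System).ASLR | Format-List ForceRelocateImages, BottomUp

# 4. If one program breaks, exempt just that executable rather than turning the
#    mitigation off globally (per-process settings take precedence over the default)
Set-ProcessMitigation -Name 'legacyapp.exe' -Disable ForceRelocateImages
(Get-ProcessMitigation -Name 'legacyapp.exe').ASLR | Format-List ForceRelocateImages, BottomUp

# 5. Export the whole Exploit Protection configuration so it survives the next
#    reset; re-import it later with Set-ProcessMitigation -PolicyFilePath <file>
Get-ProcessMitigation -RegistryConfigFilePath "$env:USERPROFILE\exploit-protection.xml"
```

Mandatory ASLR only forces relocation of images that opted out of ASLR at link time, so it is most useful against older third-party software and is also the setting most likely to crash such software; the per-process exemption in step 4 is the fix for that, not disabling it system-wide.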
This guide could also be useful. It’s in French, but you could probably translate it easily.
See https://hotcakex.github.io/ for a possible hardening option. Also think about using WDAC, or at least AppLocker if you don’t want to deal with WDAC.
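A safe way to start with AppLocker on a freshly reset machine is to generate rules from what is already installed, run them in audit-only mode, and read the audit log before enforcing anything. This is an added example, not code from the poster or from the hotcakex project; the directory list and `$policyPath` are my own choices, and your Windows edition must support AppLocker for the policy to be evaluated.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell.
# Assumptions: software lives under the directories listed below; $policyPath is
# an arbitrary location; only EXE rules are generated (DLL rules are far larger
# and cost more at runtime).

$policyPath = "$env:USERPROFILE\applocker-audit.xml"
$dirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'

# 1. Inventory executables in the standard install locations
$files = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
}

# 2. Prefer publisher rules for signed files, fall back to hash rules for the rest
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Set every rule collection to AuditOnly so nothing is blocked yet
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 4. Check a few critical binaries against the policy before applying it; anything
#    that is not reported as Allowed here would break the machine once enforced
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path `
    'C:\Windows\explorer.exe',
    'C:\Windows\System32\cmd.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# 5. Apply locally (add -Merge to combine with an existing policy) and make sure the
#    Application Identity service is running, otherwise AppLocker evaluates nothing
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc

# 6. After normal use, review audit events: ID 8003 = "would have been blocked"
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message -First 20
```

Leave it in AuditOnly until the 8003 events stop showing things you actually use, then change `EnforcementMode` to `Enabled` on the collections you are confident in and re-apply. Note that `Set-AppLockerPolicy` without `-Merge` replaces the existing local policy.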
What are the pros and cons of WDAC and AppLocker, in your view? I’m not familiar with either.