On Windows 10 I’m aware of a few options for how to deny an internet connection to a piece of software. My concern is, similar to the one on Android, that the apps communicate with each other and the one particular app I want to block could still spill the tea.
What would you recommend as the safest approach?
Firewalling the outbound traffic may not be future-proof against all changes.
DNS filtering may not catch all the queries.
Dual boot without internet is overkill, and I’m not so sure about a second user’s privileges or how to administer network permissions.
I’m open to all suggestions, thank you in advance.
If a piece of software is that untrusted, you should be using either Windows Sandbox or a full VM without networking if you need to store some data across uses for that software.
The scenario I have in mind is to get it sandboxed and only allow specific traffic outbound: do a whitelist/allow list and block everything else.
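As an added example (not code from anyone in this thread), here is how the two stances above look in Windows Defender Firewall via PowerShell, run from an elevated session. The program path and the remote address are placeholders. The important caveat is that Windows evaluates an explicit Block rule ahead of any Allow rule, so a per-program "block everything" rule cannot be combined with per-program "allow this host" rules; a real allow list has to be built on the profile's default outbound action instead. Both variants are also per-executable: a helper process, updater or browser that the app hands work to is not covered by a rule scoped to the app's own binary, which is exactly the "apps talk to each other" worry raised in the question.

```powershell
# Added example, not from the thread. Placeholder path: adjust to the real binary.
$App = 'C:\Program Files\ExampleApp\app.exe'

function Block-AppOutbound {
    # Deny this executable all outbound traffic. Because Block beats Allow in
    # Windows Defender Firewall, this single rule is sufficient on its own.
    New-NetFirewallRule -DisplayName 'ExampleApp - block all outbound' `
        -Direction Outbound -Program $App -Action Block -Profile Any
}

function Set-AppOutboundAllowList {
    # True allow list: default outbound action becomes Block for every program
    # (so expect to add Allow rules for anything else you still want online),
    # then one explicit Allow rule for this app to a single constructed host.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'ExampleApp - allow update host only' `
        -Direction Outbound -Program $App -Action Allow `
        -RemoteAddress 203.0.113.10 -Protocol TCP -RemotePort 443   # 203.0.113.10 is a placeholder
}

function Show-AppRules {
    # Read back what the engine actually stored, including the address/port scope,
    # so a typo in the path or address is caught before trusting the rule.
    Get-NetFirewallRule -DisplayName 'ExampleApp*' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        $prog = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Action  = $_.Action
            Program = $prog.Program
            Remote  = $addr.RemoteAddress
            Port    = $port.RemotePort
        }
    }
}

# Pick ONE of the two stances; applying both leaves the Block rule in control.
Block-AppOutbound
# Set-AppOutboundAllowList
Show-AppRules
```

`Get-NetFirewallApplicationFilter` is the quickest way to confirm the rule is bound to the path you meant; a rule whose `Program` is `Any` silently applies to everything rather than to the one app.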
Sandbox is disposable, in contrast to a VM that can be loaded again, right? So in my use case, I prefer not to download the software every time I need it. A VM could require specs I don’t have. Dual boot maybe? Although not that practical.
Sandbox isn’t strictly disposable. It’s meant to keep the cat poop (the malware) inside it. You do eventually throw it away when there is malware in it, but the point is that a proper sandbox keeps the bad things inside the sandbox, unless it is malware specifically designed to break out of it.
The only reliable way on Windows right now is to use a VM without network access. Alternatively, use Windows Sandbox (which is a VM under the hood, too) and disallow execution on the host, for example with WDAC.
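An added example (not from any poster) of the Windows Sandbox route, written as a PowerShell script that generates and launches a `.wsb` configuration. It addresses the "I don't want to re-download it every time" objection: the installer lives in a read-only folder on the host that is mapped into the sandbox, so the app is always at hand, while networking and clipboard redirection are disabled and the sandbox's own state is still discarded on close. Folder paths are placeholders; it assumes Windows 10 Pro/Enterprise with the Windows Sandbox feature enabled. The host-side WDAC policy mentioned above is a separate control and is not part of this script.

```powershell
# Added example, not from the thread. Placeholder: put the installer in this folder.
$HostShare = 'C:\SandboxShare'
$WsbPath   = Join-Path $env:USERPROFILE 'Desktop\OfflineApp.wsb'

if (-not (Test-Path $HostShare)) {
    New-Item -ItemType Directory -Path $HostShare | Out-Null
}

# Inside the sandbox, mapped folders appear under the built-in WDAGUtilityAccount
# profile. ReadOnly=true means nothing running in the sandbox can alter the
# installer on the host; Networking=Disable removes the virtual NIC entirely;
# ProtectedClient runs the sandbox's RDP client at a lower trust level.
$Wsb = @"
<Configuration>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostShare</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\share</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\share</Command>
  </LogonCommand>
</Configuration>
"@

Set-Content -Path $WsbPath -Value $Wsb -Encoding UTF8

# Launching the .wsb file starts a fresh sandbox with exactly these settings;
# closing the window throws away everything except the read-only host folder.
Start-Process -FilePath $WsbPath
```

Anything the app writes that you want to keep across sessions has to go into a second, writable mapped folder, which is also the one place where output from the sandbox re-enters the host, so keep that folder narrow and treat its contents as untrusted.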