Invincea brings you the Windows Browser Deflector Shield, for Real.

Summary: Invincea's Browser Protection uses virtualization technology to provide a secure and isolated Internet Explorer instance for enterprises.



A few weeks ago I wrote a speculative article on the Browser Deflector Shield, a proposed systems architecture for Windows that would allow any web browser to become fully isolated from the main operating system userspace and thus would be able to prevent malware infections and other web-based compromises.

Shortly after I wrote that piece, I was contacted by Dr. Anup Ghosh, the CEO of Invincea, a start-up which has done exactly what I had proposed -- create a virtualized environment for Windows XP and Windows Vista (and soon, Windows 7) which completely isolates an instance of Internet Explorer from the OS.

Fairfax, VA-based Invincea, which was originally Secure Command, began its life at George Mason University's Center for Secure Information Systems and was funded by the United States' Defense Advanced Research Projects Agency (DARPA), the same folks that brought you the early version of the Internet, ARPANET, back in the early 1970s.

Invincea has done some very interesting things with their product. They've licensed the run-time version of Oracle's VM VirtualBox software (which I reviewed recently) and have created a stripped-down executable Windows XP environment in a Virtual Machine complete with Internet Explorer 7 and Adobe Acrobat Reader.

To the end user, this VM looks just like a browser launch icon. And when the software is running, it looks just like Internet Explorer 7 and Adobe Acrobat Reader, with only one minor difference -- the apps have red borders in the windows. No virtual environment training is needed whatsoever.

The Invincea VM environment, which uses up approximately 600MB of hard drive space (a 3GB or 4GB dual-core desktop is recommended), is completely isolated from the host's OS, including network and file system.

Should the environment become infected, Invincea is able to proactively detect it using patented technology the company has developed which is able to sense abnormal system behavior based upon the condition and activity of system processes.

Invincea's "behavioral" approach differs from that of other virus/malware scanners, which require signature updates in order to detect an infected file or scripting attack.

Once abnormalities are detected, Invincea actually destroys the VM environment and restores a pristine copy, as if nothing had happened. I recently observed a demonstration by Invincea in which we purposely infected the browser with a malware attack originating from a Russian web site, and the software reacted instantaneously, flushing the environment completely and setting it back to a clean state.

The Invincea software runs completely on the desktop PC, so there's no other enterprise infrastructure to deploy, other than package management in the event specific plug-ins are needed for the browser.

In addition to the VM that Invincea provides for Internet Explorer and Acrobat Reader (which can be extended to other applications, if required), Invincea ships a comprehensive forensics utility with the software that logs all the abnormal activity that occurs and allows IT administrators to react proactively to Internet-based malware attacks.

Invincea has not yet provided me with pricing for the software, but has told me that the product is competitive on a per-seat basis with other enterprise desktop security products and volume pricing is negotiable at purchase.

Right now, the software is only available to enterprises and runs only on Windows XP and Windows Vista desktops -- but a Windows 7 version as well as Firefox support is due to ship shortly, and the company is potentially looking to market it directly to end users as well.

Does Invincea's "Browser Deflector Shield" interest you? Talk Back and Let Me Know.

Topics: Malware, Browser, Emerging Tech, Microsoft, Operating Systems, Security, Software, Windows


Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

  • Locally hosted, Centrally hosted?

    What advantage does this have over XP Mode/Virtual Application Publish (a la App-V or something comparable)?
  • RE: Invincea brings you the Windows Browser Deflector Shield, for Real.

    It's locally hosted, although potentially it could be hosted in some sort of VDI architecture.

    The main advantage is the real-time process and behavioral analysis and the forensics, and the ability to "flush" itself automatically when a compromise is detected.
  • RE: Invincea brings you the Windows Browser Deflector Shield, for Real.

    No need for this application, we can just dump Microsoft Windows even though we have no proof that is the culprit of web based issues, remember? Just using your logic here.
    Loverock Davidson
  • RE: Invincea brings you the Windows Browser Deflector Shield, for Real.

    That's rich. We've got no need for this app, but apparently, the DoD and DARPA do?
  • How can you be price competitive with free?

    Isn't Microsoft's own XP Mode for Windows 7 basically the same thing, other than it uses Virtual PC instead of VirtualBox?
    • RE: Invincea brings you the Windows Browser Deflector Shield, for Real.

      @cornpie It isn't the VM that is the value add. It's the real time behavior analysis and auto-flushing and the forensics.
  • Sounds like Palladium (NT)

    • RE: Invincea brings you the Windows Browser Deflector Shield, for Real.

      @PB_z The rare earth Platinum-family element?
      • Er.. Failed Chemistry, I assume...

        PB is Lead... PT is Platinum.
    • RE: Invincea brings you the Windows Browser Deflector Shield, for Real.

      @Wolfie Palladium is in the platinum FAMILY of elements. It has similar properties to platinum. Primarily used in catalytic converters.
  • Plugins, Toolbars, Favorites

    Does it support Flash/Shockwave/Quicktime/Windows Media/etc. plugins? What about toolbars like Google? How do you install them to the virtual environment? If you flush the VE, does it retain Favorites?
    • RE: Invincea brings you the Windows Browser Deflector Shield, for Real.

      @Phostenix Yes. You deploy plugins and anything else you need using your existing package deployment tools.
    • Great practical questions! I'm also interested in the reply.

  • Clay tablet and stick

    It's the only thing that's going to protect you Jason - just don't go running around or you might poke your eye out.

    I presume you have barbed wire, laser turrets and mine fields around your house as well?

    I prefer just to get useful work done using modern software on the global OS and if I start feeling too paranoid, then there's medication ;-)

    The point I'm trying to make is that you can worry so much about very low frequency events that it prevents you from doing any work - just like you did when you gave up Windows.

    Life is risk, but we can manage it without going over the top.
  • Timely Solution

    The migration towards cloud-based apps is going to mean that browser-based attacks will yield potentially more data to cyber-criminals. That means the number of attacks will increase, and protecting the browser will be more important than ever. This just seems like the right technology for the times.
    The neat trick here is the virtualization component: The problem with doing behavior-based detection on the core OS is that there are just too many different apps running that might trigger an alert and cripple the box. So the behaviors monitored have to be left a little bit loose or the core OS won't run. Anyone who has tried to ratchet down the settings on an IPS/IDS system knows what I am talking about. But this Invincea solution addresses that by running only the browser in the VM. There's nothing else doing anything, so if you see something trying to make registry changes, you KNOW it's coming via the browser and can shut it down. And, in the event of a shutdown, only the browser session is impacted, not the host OS. Very good stuff!
  • RE: Invincea brings you the Windows Browser Deflector Shield, for Real.

    I'm really glad that at least someone has looked through MS weaknesses! But this isn't enough! Look at Qubes OS! A similar approach for Windows, either built in or installed afterwards, should be applied! No secure userspace virtual environment for the end user in Windows! Sandboxing an app isn't enough! The whole god damn Windows should be sandboxed/isolated from the inside out so damage to the OS is no longer possible the usual way! I do not want to have a virtual OS in an OS but something similar to iCore Virtual Accounts/secure isolated virtual desktops, more than one (not a virtualized OS in an OS), just an ordinary desktop but securely virtualized and sandboxed, more of them at once if I need! Just like Sandboxie but on the OS level!!! That security solution I miss in Windows! It would be even better if in virtualized user accounts/desktops the underlying network were also virtualized, which means that every user account/desktop created will have its own virtual IP/MAC address tunneled and bound/mapped to the physical Ethernet NIC! Got the idea? When you switch from one account to another it's like you operate in/on another PC, and the underlying network should operate just like in ordinary Windows with DHCP/manual IP assignment in the subnet, of course! That I'm trying to achieve in iCore Virtual Accounts! It's like having multiple disposable virtual PCs on one PC operating like virtual accounts/desktops as a layer 2 hypervisor/OS-level virtualization solution! And only one license for Windows! I have googled a lot and not found a similar solution! Either it is oversized, hardware demanding, no use for the end user, with additional licenses, or not supported by the OS! They all forget the end user! It's time for a solution that is hardware independent, runs on every PC with enough CPU/memory power and on all Windows! Something similar already exists on Linux, but on Linux there is another problem! No easy install of binaries/dependencies, you are limited to the distro repository and there is no sort of standardized installer like in Windows, and another problem is drivers for the GPU! Full hardware acceleration for the graphics card is a pain in the a... and you must have a master's degree in Linux to achieve 32-bit color in the user's distro of choice! That is the only barrier that limits all Windows users from using Linux, although some distributions are easy to install and use! And no one is optimizing code any more, thus we have such oversized software packages demanding more and more space/hardware and offering big space for exploiting, thus so many holes! Look at SliTaz/KolibriOS/ReactOS and others, how small, fast and reliable an OS can be, and not oversized like MS (in Linux you have some oversized distros too). Windows should be written in assembler/optimized to the maximum possible! What does MS do with so much IQ power (how to squeeze the last dollar from the user?) They sure are not securing their product enough! Thus the need for a secure user environment in Windows, an end-user solution!!! Maybe someone would grab the idea!