BUFFERZONE® Endpoint Container

The Old Way: A Never-Ending Battle

For years, cybercriminals have been playing a game of cops and robbers, with the criminals usually staying one step ahead. There’s always another type of malware or evasion technique on the horizon. Much of the security industry now realizes that it’s time to move away from security that’s based purely upon discovery and detection.

Changing the Paradigm

BUFFERZONE safe browsing & endpoint isolation keeps access to external, untrusted content such as unknown internet sites, external email messages and removable media in a virtual container, along with anything saved or downloaded. Contained browsing sessions and applications cannot reach the native endpoint or organizational resources such as an intranet; those are accessed only by uncontained browsing sessions and applications, which can’t have accessed untrusted sites.
The advantage of this approach is clear: When malware strikes, no matter how new it is and what evasion techniques it implements – it cannot cause any damage to native endpoint or organizational resources. And, the container is periodically emptied, so even there malware can’t last.

Source-Based Auto-Containment (Enterprise edition)
For each type of source, BUFFERZONE determines whether to consider it untrusted or internal. Untrusted sources, such as general internet sites, removable media, and email message attachments from non-organizational senders are contained; internal resources are isolated from contained processes and data. Containment criteria are configurable. See separate Source-Based Auto-Containment data sheet.

Business Continuity
BUFFERZONE SafeBridge® securely disarms downloads and attachments and/or submits them for analysis & detection. Bridging occurs automatically, or, by policy, users can submit files for bridging. BUFFERZONE can provide integrated disarming and analysis solutions, or you can integrate with your own deployed service. See separate SafeBridge® data sheet.

BUFFERZONE Key features:

Virtual container: Secure environment for accessing risky sources including websites, removable media, and designated untrusted network locations.

BUFFERZONE viewer / editor: Access a wide range of document and media types without removing them from the container.

Office containment (optional): Edit downloads inside the container with full Office functionality.

SafeBridge®: When needed, disarm and extract data from the container. By policy, downloads can be automatically bridged.

DLP: To support Data Leak Prevention, hide valuable files from the container and block uploading from outside it.

High-performance, small footprint: The BUFFERZONE agent is lightweight and is supported on a wide range of endpoint hardware.

How it Works ?

The BUFFERZONE agent creates a virtual container on endpoints, isolated from the endpoint operating system’s native resources. The container isolates the following system resources:

File System


Memory / Processes


Network access isolation (optional) prevents uncontained applications from accessing untrusted destinations such as the internet, and prevents contained applications from accessing trusted IP ranges of organizational network destinations.
BUFFERZONE patented containment technology is transparent to contained applications, providing them with read-only access to native files and registry by using a kernel driver that resides in the operating system kernel. The driver transparently monitors application-level I/O requests, allowing read access to native resources but directing write actions (and subsequent read actions to the new content) to the container in a different disk area.

Seamless User Experience
The BUFFERZONE agent manages switching between contained and uncontained browser instances according to accessed sites. Several management paradigms are available.
The versatile BUFFERZONE Viewer / Editor displays contained files (downloads, attachments), supporting a wide range of document and media file types. From the Viewer / Editor, for uncontained editing or long-term use and distribution, users can intuitively create a PDF or click ‘Save As’ to bridge the original file:

MS Office containment is also available.

Centralized, Policy-Based Management (Enterprise edition)
BUFFERZONE can run independently with default containment policy (Standalone edition – see separate data sheet). For centralized policy management and agent deployment, you can integrate BUFFERZONE with existing endpoint management systems (for example, McAfee ePO); or, for complete management capabilities, use the BUFFERZONE Management Server to manage BUFFERZONE agents across your organizational network, to gain visibility to relevant organizational endpoints, and to assign organizational policy by endpoint and/or user.

Supported Applications

The following applications are supported for containment:

Internet Explorer, Chrome, Firefox, MS Edge: Full containment and zone management

BUFFERZONE Viewer / Editor: Displays a wide range of contained document and media file types

MS Office: Available

Chat & Conferencing (beta): WhatsApp, Zoom, Teams, Line, WeChat