Vincent Steckler

2 October 2009

And what about Microsoft Security Essentials—MSE?

As many of you many know, Microsoft released their free security product earlier this week. Called MSE (Microsoft Security Essentials), it is a replacement for their One Care Product. It has been interesting reading the press coverage and the reaction from competitors. Some declare it will transform the security business and solve all security problems. Some equate it to a bad movie sequel. And some think it is Shakespearean—"Much Ado about Nothing".

Ourselves, we are pretty ambivalent about Microsoft entering the free security space. We have long believed that security protection should be freely available. And there are already several top-notch free security products available (including avast of course). But, we don't think that MSE is in the "top notch" category. In the last AV-Comparatives (I wrote about it in a previous blog entry), Microsoft's One Care did not do very well. While it tied with us for 2nd in false positives; out of 16, it was 14th in detection and 13th in speed. And of course, MSE's performance is the same as One Care's. So while MSE is better than nothing, and even Microsoft describes it as basic protection, it is not yet up to the standards of the paid products. And, it is even further behind the performance of the top free products (including avast) that handily outscored the paid products.

Microsoft also seems to think that 60% of users have no security protection. I do not know where this number comes from as they do not cite any sources. But, it does not make much sense. There are about 500 million consumer computers in the world (Gartner and IDC data). From published numbers, Avast, Avira, and AVG protect about 250 million; maybe closer to 300 million now. Also from published numbers, Symantec, McAfee, Trend, and Kaspersky, and a few others protect just under 100 million. This leaves 150 million but I would guess that a good 50 million of those are protected by local products (K7/SourceNext in India and Japan, Rising and Kingsoft in China, Ahn in Korea, etc.). So it seems there should only be about 20% (100 million) unprotected. Now of course, that is still too many to be without protection, especially when good security is free. But it sounds like a case of Microsoft offering a solution in search of a problem.

It was also interesting to read how most journalists just recited the Microsoft story. I saw very few mentions of the large free providers. One even dismissively referred to the current free vendors as "no-name" vendors. How can three companies with 250 million users be called "no-name" companies? I have to chalk it up to ignorance and great PR from Microsoft and the traditional security vendors.

A legitimate concern I saw expressed from Symantec and McAfee was something about a "level playing field". That sounds like whining but it refers to how the product is distributed. Symantec, McAfee, and the traditional vendors distribute through retail, OEMs, etc. The free vendors (such as us) distribute through download servers. Microsoft tried the traditional distribution route with One Care—and failed. They are trying the download server route with MSE. But, they have an ace up their sleeves if they distributed MSE as part of Windows—or if they try to force OEMs to install MSE on new computers as a condition of getting Windows 7. It is monopolistic distribution like this that caused the large anti-trust suits of past years with Netscape and others.

Security is a highly competitive business—it probably has more competing titles than any computing segment other than games. That competition is invaluable. Without it, none of us improves. Having many healthy large companies drives the security industry forward and provides better protection for users. We all learn for each other—and even copy (legally) each other at times. I could name many examples of where a given product has influenced other products. We even share malware samples with each other. Having just a couple of dominant players (such as the recent past with Symantec and McAfee) can lead to stagnation and lower protection for users.

Also, security these days goes far beyond a layer of protection for the operating system (Windows). Many threats have nothing to do with the underlying operating system. They are in Firefox, Mozilla, browser plug-ins, infected web sites, social engineering, other applications (such as Adobe), etc.

So it is healthiest for the security providers, and the users, if Microsoft is on the same playing field—distributing through similar channels and not taking advantage of their almost monopolistic domination of operating system distribution.

MSE is not the silver bullet but it is also not the bad sequel to One Care that some claim—it is just another average security product. It has probably been hyped much more than deserved and thus the Shakespeare comparison may be the best. A recent review by Neil Rubenking of PCMag (http://www.pcmag.com/article2/0,2817,2353699,00.asp) probably says it best:

So should you rely on Microsoft Security Essentials for free protection? I'd say no, unless you strongly value the Microsoft name. My own testing suggests that you'll do better with one of the other free anti-malware solutions such as AVG Anti-Virus Free or avast! antivirus Home Edition.

Ultimately security is about trust. The user has to trust that the product (and the company behind the product) will protect them, their computer, and their data. We are glad we have earned the trust of over 90 million users. We aim to keep and enlarge that trust.

Who do you trust?

Tips, Corporate News, Security News