Alex makes a couple of interesting points in his comment on Randy’s blog yesterday about Microsoft’s "Security Essentials" antivirus (as does Randy, of course, but there’s no surprise there.) Alex is suggesting, I think, that Security Essentials isn’t so much a freebie as a value-add to something you’ve already paid for (i.e. Windows).
That’s pretty interesting, because it puts us right back to 1993, when Microsoft bundled an anti-virus program, bought in from Central Point, with MS-DOS version 6, and the 2006 Virus Bulletin paper quoted in Randy’s blog makes a similar point. And many others worth revisiting: if you haven’t read the paper, I’d suggest you check it out now. In some ways it’s even more relevant than it was then.
But I’m going to introduce a more personal note. In 1993 I was working for a medical research organization in the UK, and was tasked with evaluating reliance on the MSAV as a defensive strategy for the organization. If I’d been aware at that time of a review by Yisrael Radai, it would have saved me some time, but I didn’t come across it until later. Still, I came to somewhat similar conclusions, and we bought in a commercial product. No, not ESET’s: I wasn’t aware of the company at that time.
I’ve said publicly since that this was probably one of the most useful jobs I ever did for the organization: MSAV was, from the user’s point of view, a disaster. Declining support and development and a consequent and dramatic fall-off in detection rates seriously disadvantaged DOS and Windows users who believed they were using a product with functionality equivalent to full-strength commercial anti-virus. (The same happened with Mac users and free AV when macro viruses hit a year or two later).
But are we looking at a similar scenario now? Not exactly. Microsoft has not left the security arena, and bought in some significant anti-malware talent a few years ago, and some of that expertise is likely to trickle down to this product. It’s likely, therefore, to benefit the same sector that currently benefits from a number of free but limited products that don’t have full multi-layered anti-malware functionality, but do cover a subset of threats quite adequately.
This isn’t full-strength anti-malware (and is unlikely to be when it leaves the beta testing stage) any more than the Windows firewall is a full-strength firewall system, which means that it isn’t going to render the anti-malware industry redundant.
Ah, you might say, surely it’s going to hit your sales? Let me lapse into another personal anecdote. In the past few years I’ve done a lot of writing for Syngress and Elsevier. When the "AVIEN Malware Defense Guide" came out, more pirated PDFs were distributed in a week than legitimate copies were sold in months. Not a very nice feeling for those of us who put in a lot of work on putting the thing together, but not a big deal either, because the people who grabbed a pirated version would probably never have bought the thing.
Similarly, there are a lot of people who don’t see why they should buy antivirus software. (Not much of an incentive to those of us who try to scrape a living out of the industry – God bless you ma’am for putting a 5-penny piece in my hat – but why they think that way is another discussion entirely.) Not to mention those who’ve never even thought that security software might be a good idea.
If Microsoft’s free product is actually used by some of these people, that’s not only good for them, but for the rest of us who have to struggle with an avalanche of malware-related issues on a daily basis. That is, as long as Microsoft have learned that you can’t give people a free anti-malware product and then drop support for it and be considered a responsible and credible player in the security market.
David Harley BA CISSP FBCS CITP
Director of Malware Research
Author David Harley, ESET