Microsoft recently started installing its Microsoft Security Essentials (MSE) free antivirus product via the Operating System update mechanism to computers which don’t already have an antivirus installed. Basically Microsoft is saying they are worried about the security of its users and they need to make sure they are protected. Perhaps Microsoft is trying to position itself as a provider of secure Operating Systems given the market perception of Linux, Apple and potentially Google as having more secure alternatives to Windows OS, but that’s a different story.
We agree with Microsoft; it’s better to have some protection than not having any at all. However the way the guys in Redmond are executing the idea is risky from a security perspective and could very well make the malware situation much worse for Internet users. That’s why we encourage Microsoft to continue using Windows/Microsoft Update but instead to push all free antivirus products available on the market, not just MSE.
These are the reasons why pushing only MSE from Windows/Microsoft Update is a very bad idea:
1. MSE is not a good solution to the malware problem. While the argument of protecting users who do not have AV is commendable, the reality is that MSE only installs on computers with a valid Windows OS license (paid to Microsoft).
o The problem is that an estimated 40% of worldwide computers connected to the Internet are running pirated software and spreading viruses, especially in China, Latin America, Asia, Southern Europe, etc. So while Microsoft wants us to think it is doing this out of the goodness of their hearts, the reality is that the measure will have little impact as millions and millions of unlicensed Windows PCs will continue spreading viruses and infecting the rest of us.
o Even Microsoft itself acknowledges that malware infections are more prevalent in illegal copies of Windows: “There is a direct correlation between piracy and the malware infection rate” said Jeff Williams, the principal group program manager for the Microsoft Malware Protection Center. If that’s correct and the objective is truly to protect users from malware, then why doesn’t Microsoft allow MSE to install in pirated copies of Windows OS?
2. Monocultures are a hacker’s paradise. If pushing MSE via Windows/Microsoft Update is very successful it will end up creating a monoculture of hundreds of millions of users having the same antivirus product. Right now hackers have to worry about bypassing multiple antivirus products and protection layers every time they release a new piece of malware. Having to bypass only one AV product makes their life so much easier. This alone will allow hackers to push more new malware that bypasses MSE exclusively and infect many more users with every new variant. Alternatively, reverse engineering of MSE and related Windows components will boom, potentially discovering zero-day vulnerabilities which could cause infections in tens of millions of PCs with a single attack. Monoculture in Operating Systems is in and by itself bad. Monoculture in security is A VERY BAD THING.
3. Insufficient Detection. Even though MSE is a good basic product, from a detection perspective it has not proven itself to provide sufficient protection according to the latest independent comparative studies:
o AV-Comparatives.org’s latest On-Demand Test ranks MSE 15 out of 20 in signature detection while vendors with alternative free antivirus products were ranked well above that.
o In AV-Test.org’s latest Real-World Test MSE could not achieve the minimum score to obtain certification, while vendors with alternative free antivirus products did. MSE was ranked as one of the worst three products.
4. Not Enough Prevention. There are other free antivirus alternatives on the market which offer much more than just reactive signature detection. These more advanced (and still completely free) products have multiple security layers which provide users with proactive protection, such as web filtering, behavior blocking, instant messaging filters, etc. MSE provides very basic antivirus protection, certainly not enough to protect users against today’s malware threat landscape.
5. Secure the Operating System itself. Even though Microsoft has made significant improvements in securing the OS in recent years, there is still a long way to go as witnessed by the constant zero-day vulnerabilities that are published every month, such as the incredibly dangerous LNK vulnerability that Stuxnet exploited. Microsoft’s security resources should work on making the OS more secure, not just putting a band-aid on it. Who knows, maybe someday if Microsoft manages to really make their OS secure, antivirus products won’t be needed anymore. But until that day comes, Microsoft should make a serious development effort to secure the OS from the ground up and not limit the security tools currently available to its users.
In summary, while it’s commendable that Microsoft is trying to protect users, offering only “their” basic MSE antivirus provides neither sufficient protection against today’s threats nor does it solve the malware problem of millions upon millions of pirated PCs who will continue spreading viruses. In fact, it can easily achieve the contrary by making it easier for hackers to infect users. Microsoft should offer the complete portfolio of more advanced and secure alternatives of free antivirus products and time-limited versions of paid security suites, allowing users to choose any of them from the Optional Windows/Microsoft Update.
Note: this post is being published simultaneously in Panda Research, PandaLabs and PandaInsight blogs.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
37 comments
Really good articles, you covered all points. The most important one being: monocultures are a hacker’s paradise.
I thought that the updates were optional, not forced as the article implied. I honestly think giving users too many options would just confuse them and then they would choose Microsoft regardless.
Why does the browser ballot come to mind? It had no real impact on other browsers but instead angered a lot of people. This is dumb.
So basically you mean that people is dumb, and no options should be given, is better taking decisions for them. Of course I cannot agree with that.
I think if people want an option they will just google for one. Forcing options into peoples faces is annoying and as the browser ballot showed, doesn’t really change anything.
What part of Options are given and have been given for years. What is your real problem? The fact that not many people choose Panda? Did Pandalabs get together with The Opera browser and cry on each other’s shoulder about the bully Microsoft on how no one chooses us to use on their computers? If people clicked on the security center/action center warnings they would have been taken to a page with plenty of options including one from Panda. Microsoft should not have to put Panda or anyone else in their update system. Is Panda going to offer anything Microsoft in their updates? Or put advertisements for Microsoft or any of their competitors on their page. You are so clueless.
You should read the blog post carefully.
And we won’t be offering anything, as we are not allowed by Microsoft to do that
I agree. This blogger is filled with misinformation and is twisting truths to fulfill his own agenda. Panda is just like Opera complaining about Internet Explorer. Because they make an inferior product or it is not as popular it must be Microsoft’s fault that no one is choosing it.
Actually we have more users with our AV that with Microsoft’s, but that’s not the point. Again, please spend some time reading the blog post.
Oh I read it and I read your post on ZDNet and it sounds like a poor me sob story because the only choice from Microsoft’s update service is a Microsoft Product. Get over it.
I don’t think that there is much doubt that MS doesn’t really care about security (as noted in Richard Clarke’s book) and/or is generally incapable of, or unwilling to commit resources to developing an inherently secure system. The first thing they would have to realize is that a fully patched system is not a secure system; it’s only a less vulnerable system.
Stepping back a bit, which came first; systems that have a brain aneurysm and cough up root privileges if software is used in some unintended fashion, or buggy code?
Until we have systems that are inherently secure even when systems have identified vulnerabilities, (that have no patch, or can’t be patched), then we will not have high assurance in infosec.
I agree with you up until point #5.
The assumption is that Microsoft is not already working to patch vulnerabilities as they are discovered. This is a problem with all large code bases, including Linux, OS X, Firefox, VLC, Flash, Adobe Reader, etc.
Software will always have bugs an vulnerabilities, and attackers are more criminally minded these days so their incentive/reward is higher.
>”Microsoft should make a serious development effort to secure the OS from the ground up”
You mean like by adding PatchGuard, ASLR, and DEP? Problem is that requires vendors to actually use those features: http://bit.ly/bXUmY4
However, I’m with you on the other 4 points, especially the monoculture. Diversity in vendors *is* a good thing.
Mark is right, no one can deny that Microsoft has been doing efforts to make its O.S safer, you may argue that too late or not enough bit cant denied. Some know examples are the features: UAC, PatchGuard, ASLR, and DEP.
But while MS has been changing his ways, it’s hard to get third-party software vendors (like antivirus software) to do it so.
You should include DEP and ASLR protection in the PANDA protection to stay “One Step Ahead”
BR
As you probably know, we have some proactive technologies that have been in our products way earlier than DEP, etc. And they work pretty good 🙂
Great then let people choose them. The problem is they are not and are not choosing anything despite the years of warnings and the security center taking them to pages of options from 3rd party companies for years. You claim that MSE is not very good but I beg to differ. It works very well and in a very short time will receive some major improvements.
You should differ using data, as I have done. You can tell what you want, and if you think that Microsoft’s product is the best for you go ahead, but first read what results they are having:
http://www.av-comparatives.org/comparativesreviews/main-tests
http://www.av-test.org/certifications.php
Again, please read carefully the blog post, as these links are in it.
I went to the links and I stand by my statement and the results there show that MSE still scores very well. Maybe not number one but still far from last. I think that when MSE 2.0 comes out soon it will even be better. I am not knocking Panda as it seems like a good solution but all I am saying is that you or anyone has no right to complain because Microsoft does not offer 3rd party solutions as part of their own in house update services. They CLEARLY advertise it on their own page which comes up if the user acknowledges the security alerts. This is also an optional download just like many other downloads. Just because it shows up in Microsoft’s services is no reason to get bent out of shape. Maybe Panda’s marketing team needs to do a little work and get the word out.
I won’t talk about marketing as I really don’t know anything about it 🙂 I can talk about security, and that’s what this story is about.
You must be talking about TruPrevent (released in 2004) and the Genetic Heuristic Engine. They are really good technologies but aren’t enough, otherwise you wouldn’t launch the Collective Intelligence.
DEP (also released in 2004 with XP SP2) + ASLR (released June 2005 with LINUX kernel version 2.6.12), etc are extra layers of protection, that could complement TP (for example it would be a TP rule that a suspicious file blocked by DEP, could be quarantined and send to PandaLabs for analysis)
Collective Intelligence maximizes the capabilities of the TruPrevent technologies (as well as some other things…)
No security solution is perfect, and no technology is enough, that’s why we keep improving 🙂
I have used Panda for more than a year on XP, Vista, and Windows7, and have not been infected even once. Great product – low overhead, no huge AV signature files to download, and it’s free! What more could anyone ask for?
I agree that Microsoft should list available AV software. The only way I found out about your great product was by a review of numerous products, probably on ZDnet.
Ditch the “insufficient protection” argument and focus on the “it’s not fair!” one.
It’s not like you have people’s best interests in mind or anything, only your bottom line.
If you guys actually did care about the users, you’d be more concerned with making your products ASLR/etc-friendly.
Oh and you wouldn’t be whining and crying about Microsoft’s latest initiative to make millions more safer. On no less than 4 different Panda blogs and I don’t even want to know where else.
And offer other companies’ products in the MICROSOFT Update? Really? Makes perfect sense. To someone. I’m sure of it.
You guys come off as desperate. Trend Micro too, though not as much.
Anyone want my unused license to PCAV Pro? Seriously.
Microsoft should continue giving their AV for free. The point is that they should make *all AVs* available for free via WU, not only theirs. By doing so it will benefit consumers as they will have more options to choose from.
But that brings into the table another problem. The problem of “free AV vs paid AV.” I dare bet you that those brands/companies that solely offer paid solutions won’t be too happy about the decision. To which point does MS have to go to please every single AV vendor out there? Include them all just to be ‘fair’ to all parties and at the same time benefit the end-user? Really? Do you really think that the end-user would bother figuring out which among the many would suit them? Why should they? Why can’t they just pick one of the few (and heck ‘free’) and be done with it? Has the ultimate problem been solved by such a move?
And heck, we have not even mentioned OTHER security software like light virtualization software, HIPS, anti-executable, what-else-you-can-think-of….just to be fair to all parties. Come on….diversity and making every single user aware of all those options is a good thing, isn’t it? After all, not everyone is in favor of AV software….some people think it’s outdated technology so we do have to consider those users too just to be fair. Am I not right?
To take your words into your mouth:
Quote:
No security solution is perfect, and no technology is enough, that’s why we keep improving
Same goes for MS and whatever they’re doing. So, why the double standards? I see…the worry here may be of ‘monopoly’ or ‘monocultures’ but let’s face it this way: MS OS itself is in one form or another and perhaps arguably a monoculture in it’s own class. I don’t see security software vendors complaining about that…
I wouldn’t argue against you being right that “Microsoft just doesn’t get it… Security is about diversity”…you do have very valid points there which I truly agree and respect to. However, you also have to bear in mind that:
“Security isn’t just about diversity, other factors play a role too”….
I don’t think we need to discuss those other factors…or do we?
@safeguy That’s a good one! The problem with a paid solution is that it will be some kind of shareware, but if it is specified there shouldn’t be a problem.
Regarding other kind of solutions, here is where we see the real face of Microsoft: I’m afraid we have to wait until they develop -or buy- any of those technologies, then they will be happy to offer their solution -and only their solution- to the user because it “improves security.”
And I’m glad to discuss all the factors, it’s a pity that we don’t have a forum here… yet 😉 That would be a good one, it is a pleasure to discuss with people like you
Wow, I can not believe Panda does not get that OS security, which there is not one and never will be one, has nothing to do with stopping virus. A secure system can still get rogue software installed.
Really will make me think 100 times before I renew my license , at this point I will never purchase any more anti-virus/ security product from panda. they really do not get it There update method is the worse out there, kills the CPU unlike any other.
Please, read again the blog post. Microsoft says it does this to improve security. We say we agree in the need of improving security, but that this is not the best way, and we give a number of reasons, being one of them “Secure the Operating System itself”, which is exactly what you are saying. So we agree. Then, where is the problem? 🙂
Rarely do we see AV products that don’t drain your CPU but with the transition to the cloud, we should see some great things coming. As for Panda’s performance, the latest AV-Comparative’s performance reports shows Panda at #1 with a benchmark score of 104 out of 115. //Not Bad!
All these rants by Panda and TM aren’t going to solve anything.The black hats are way ahead of all you guys.
I strictly suggest you make your product standout from Microsoft in terms of usability,low resource usage,detection,etc. etc.
Then I am sure many will think of trying shareware AV’s otherwise why disregard a free one that has good detection,low resource usage.Also there is no hassle of yearly subscriptions.Yes I am aware of those tests that you provided are good reference to choose a satisfying security but for normal users they not much of a help.
Cloud is the future but if the products don’t deliver the necessary and the essential goals then free AV’s will have their say.
In my personal experience Panda has been buggy and high on resources(on XP),you guys definitely have your work cut out.
For any security company its always improve and keep on improving or else perish.
Regards
It seems you don’t really know well Panda, as Panda Cloud Antivirus is free, detects more and takes less resources than MSE, plus some other features (proactive technologies, autorun protection, etc.)
Hello there! Do you know if they make any plugins to safeguard against
hackers? I’m kinda paranoid about losing everything I’ve worked hard on.
Any suggestions?
Many of the free AVs now come with a toolbar, web blocker, etc. that changes your search engine, start page, etc. or does something else (sets up the user for some kind of advertising?) in return for additional protection. In fact, I believe Panda free Cloud is in this camp. So, these AVs only provide “basic” protection–just like Microsoft Security Essentials. In addition, Microsoft has lots of resources behind it that most AVs do not have. If there is a widespread piece of malware that is infecting lots of users, I am sure that Microsoft will protect against it just as well as any other AV. Finally, Microsoft seems to care more about protecting its users that it cares about detecting the latest/greatest piece of malware in tests.
Regards,
Microsoft itself recognizes that their product is just the baseline in tests, that’s why it is usually at the bottom in all reputable antivirus tests
A formidable share, I just given this onto a colleague who was doing a bit similar analysis on this. He actually bought me breakfast because I discovered it for him.. smile.
Glad we helped you have a free breakfast!
Thanks for reading us!
Best regards,
Panda Security.