5-Nov: Updated to include more details on conditions that trigger updates as well as statements from Symantec, McAfee, and Trend Micro. Symantec and McAfee declined to comment on antitrust issues. Trend Micro, however, says the company is "obviously concerned and studying this matter further." See full statements at end of this post.
You want a good, solid, free antivirus program? Microsoft Security Essentials fills the bill nicely. Unfortunately, even though it was officially released more than a year ago, it's still one of the best-kept secrets in personal computing. Its installed base of 30 million users worldwide might sound big in raw numbers, but it's a drop in the bucket compared to the billion-plus Windows PCs in use.
All that's about to change, as Microsoft has now begun delivering Microsoft Security Essentials via Microsoft Update to customers in the United States (a pilot program in the UK started earlier this year). If Windows detects that you're currently running without up-to-date antivirus protection, this is what you'll see in the Optional Updates section [see update following figure below]:
Update 4-Nov 10:00 PDT: A few clarifying notes on the above description. Two caveats are worth noting that affect whether this Optional update is offered. First, the Action Center in Windows (Vista or 7) has to detect that no antivirus solution is currently available. That will certainly be true on a clean installation of Windows from retail media (OEM installations often include trial versions of security software), and it might also be true in the unlikely case you are using an antivirus program that doesn't communicate its status to Windows. If you have security software installed but have out-of-date definitions, it's up to that security software to prompt you to update. In addition, the Microsoft Security Essentials Optional update is only available on PCs that are running what Microsoft calls Genuine Windows. Properly activated systems or those that are still within the initial grace period after installation meet this criterion and should see this update if Windows can't detect an installed antivirus program. A copy of Windows that has not been properly activated after the grace period (including pirated copies of Windows that fail activation) will not be offered the MSE update.
Although this development might seem like a logical one for Microsoft, it's actually a big step—and a potentially risky one. Security software vendors have their antitrust lawyers on speed dial in anticipation of the day when Microsoft begins bundling antimalware protection directly into Windows. As a result, this long-overdue development is moving at glacially slow speeds.
Earlier this year, on the 10th anniversary of Microsoft's landmark antitrust defeat, I noted:
Microsoft Security Essentials is available to any Windows PC as a free download, but it’s still not available as part of Windows itself. The Windows 7 Action Center will warn you if you don’t have antivirus software installed, but clicking the Find a Program Online button takes you to this page, where Microsoft’s free offering is one of 23 options, most of which are paid products.
In this case, I think the mere threat of an antitrust complaint from a big opponent like Symantec or McAfee has been enough to make Microsoft shy away from doing what is clearly in its customers’ best interests.
So Microsoft moves slowly, deliberately, one step at a time. Previously, you had to seek out and download this free (and very effective) software on your own. Now it shows up under Optional Updates, if you know where to look. And Microsoft has upped the stakes by altering the license terms so that small businesses can install up to 10 copies of the software free of charge.
The logical next step, of course, is for Microsoft to classify this update as Important, where it will be offered as an automatic update on unprotected PCs (similar to the way the Malicious Software Removal Tool is delivered monthly). At some point, it can and should be fully integrated into the operating system itself.
As the screenshot above makes clear, this update was released roughly two weeks ago, on October 19, but it's only now beginning to appear on update screens across the United States. (Lee Mathews at Download Squad spotted this update in the wild last week. It wasn't available on my system then or even earlier today, when I checked for updates manually. Ironically, I was in Redmond at the time, meeting with the Microsoft Security Essentials team and discussing this very issue. It appeared on my system for the first time just a few minutes ago.)
I'm willing to bet that lawyers for the big security software vendors are looking at this development very carefully. Will they actually threaten legal action? Stay tuned.
Update 4-Nov: I asked Symantec, McAfee, and Trend Micro for any comment on this new decision by Microsoft. A Symantec spokesperson provided the following statement:
It's clear that today's threat landscape requires more comprehensive protection than what Microsoft Security Essentials offers. From a security perspective, this Microsoft tool offers reduced defenses at a critical point in the battle against cybercrime. Unique malware and social engineering tricks fly under the radar of traditional signature-based technology alone - which is what is employed by free security tools such as Microsoft's.
Norton Internet Security and Norton 360 offer protection that is proactive, real-time and proven. Our Norton Insight technology automatically identifies new spyware, viruses and worms without relying on signatures alone and prevents threats from being installed on the system in the first place. In recent testing conducted by AV-Test.org, Norton 2011 led a pack of 12 competitive security offerings in both detection and remediation while Microsoft Security Essentials came in second to last. In addition, based on top results across a combination of protection and repair tests, AV-Comparatives awarded Symantec the "Best Product of 2009."
A McAfee spokesperson sends the following comment:
McAfee wants consumers to be safe online. Options that provide an elementary level of security are free products including Microsoft Security Essentials, however these mostly rely on traditional protection mechanisms. McAfee products offer not only more features but most importantly, McAfee products offer real-time protection using cloud-based Global Threat Intelligence to combat even the most sophisticated threats thus ensuring complete protection and peace of mind. Availability of free options on the market has not had any impact on McAfee's Consumer business as evidenced by years of growth and all time record revenue in Q3 2010.
A Trend Micro spokesperson provides the following comment:
We support the overall movement among players in our industry -- including Microsoft -- to encourage the use of security software to protect the consumer's computing experience.
But Microsoft's apparent moves to begin delivering up to 10 free copies of Microsoft Security Essentials via Microsoft Update to customers in the United States have us obviously concerned and studying this matter further.
Commercializing Windows Update to distribute other software applications as a de facto extension of Windows in our opinion raises significant questions about unfair competition and how best to serve the interests of consumers. Windows Update itself is not a choice for users, and we believe should not be used this way.
We believe we have the best, competitive product with strong loyalty from our customers, and welcome competition on a level playing field. That is why we are concerned that Microsoft may be using its OS-based market leverage to drive its solution into the market as a so-called "optional" update, essentially boxing out other choices.
If that were to happen, it would not be good for consumers or the industry, and would warrant a second look.
I will have a more detailed look at the current state of security software in a follow-up post.