How good is Microsoft's free antivirus software?

How good is Microsoft's free antivirus software?

Summary: Microsoft has officially unveiled its long-awaited free antivirus program. Formerly code-named “Morro,” it’s now been christened Microsoft Security Essentials (MSE), and it will enter public beta testing next week. I've been taking MSE for a test drive for the past few days. Here's my detailed report, with plenty of closwe-up screen shots to help you see exactly how it works.


Microsoft has officially unveiled its long-awaited consumer antivirus offering. Formerly code-named “Morro,” it’s now been christened Microsoft Security Essentials, and it will enter public beta testing next week. If you have a licensed copy of Windows XP (Service Pack 2 or above), Windows Vista, or Windows 7, you’ll be able to download and install the software at no additional charge. No subscription is required for ongoing definition updates, either. The final release is scheduled for this fall. (My colleague Mary Jo Foley has more on what beta testers can expect next week.)

The public beta will be limited to 75,000 downloads, Microsoft says, and the targets are global. The initial beta release is limited to the United States, Israel (where a core development team is based), and Brazil. Next month, the beta will open up for users in China. It’s no coincidence that Microsoft is rolling out early in Brazil and China, which are large-scale vectors of malware infections because of the sheer number of Windows users running without antivirus protection. According to Microsoft, barriers to adoption of paid security software are especially high in developing markets, where internet access is slower and credit cards are unavailable to a large percentage of the population.

Microsoft Security Essentials requires validation, which means it won’t be available to anyone using a pirated copy of Windows. But it won’t require registration or personal information of any kind. In an interview last week, Theresa Burch, director of product management for Microsoft Security Essentials, confirmed that decision in no uncertain terms: “We collect no information from you at all,” she told me. No Windows Live ID, nothing. You agree to the EULA, validate, download, and you’re done.”

Over the past few days I’ve been testing recent builds of Microsoft Security Essentials on two machines, one running a 32-bit edition of Windows Vista, the other running a 64-bit copy of the Windows 7 release candidate. The software I describe in this post is a more recent build than the current beta that has been floating around back channels on the Internet. Here’s my report:

Page 2: Microsoft Security Essentials in action -->

If you get a sense of deja vu when you see Microsoft Security Essentials, that’s no accident. It’s a pure superset of Microsoft’s antispyware product, Windows Defender, which was publicly released nearly three years ago and is included by default with Windows Vista and Windows 7. Microsoft Security Essentials adds antivirus protection—both real-time protection and on-demand scanning—to the mix. It shares the same engine and signatures as other Microsoft antimalware products, including the enterprise-focused Forefront and the monthly Microsoft Malicious Software Removal Tool.

The MSE download is impressively lightweight. The x64 copy I installed on Windows 7 was 3.8 MB in size; x86 copies are 4.8 MB for Vista/Windows 7 and 7.7 MB for Windows XP. Installation (including the most recent definition updates) took less than four minutes and, as promised, the initial setup didn’t require any personal information or registration. After I accepted the license agreement, the software informed me that it needed to update its virus definitions and then proceeded to get the most recent updates on its own.

After that it launched a quick system scan that took another 5 minutes or so and predictably found nothing out of the ordinary.

Microsoft says the program is, not surprisingly, Windows Logo Certified and updates its virus and spyware signatures daily through Microsoft Update. New signatures are published three times a day, which means that clients will never get a new update that is less more than eight hours old. [Updated previous sentence to correct minor error.] The core antimalware engine, with new features and bug fixes, is scheduled for updates on a monthly basis. If Automatic Update is enabled, this process will be completely transparent to the user, Microsoft claims.

The first thing I noticed about MSE is how quiet it is. A single tray icon (hidden by default in Windows 7) is the only indication that it’s running. It doesn’t add any browser toolbars or desktop gadgets, and the associated service AntiMalware Service used between 35 and 50MB of RAM on my two test machines. Microsoft’s Alan Packer explained that the company has made “a major effort in terms of performance, in terms of both memory management and CPU.” Except when I deliberately tried to download a test virus, the program didn’t send up any notifications of updates or scans. Iif there’s a problem with updates or another action is required, notifications will show up in Windows (Security Center in XP or Vista, Action Center in Windows 7).

Page 3: How well does it work? -->

The main user interface follows the “red is bad, green is good” metaphor that Microsoft has adopted across its security software in general.

Like most of its peers, MSE offers real-time protection and an on-demand scanning engine. I noticed that the scanning engine throttled its use of the CPU to 50% or less, which lessened its impact on other tasks. When I tried to download the industry standard EICAR test virus, the real-time scanning intercepted the download immediately:

A quick click of the Show Details button opened this informative, "red is bad" warning from Microsoft’s malware database.

The cleanup process is designed to get rid of the immediate thread and then to immediately run a more detailed scan. As Packer explained, “Malware travels in packs, so we look for other stuff when we detect a problem.”

Like most modern antivirus software, MSE relies on up-to-date signatures, but adds its own cloud-based twists. Contrary to some recent reports, this isn’t a cloud-based service. Instead, it offers a dynamic signature service that pushes signatures on a daily basis, but adds the ability to query the signature service when need to reduce the window of exposure to new malware. By monitoring for suspicious behavior,  the service can query for a sample when necessary. Rootkit detection features target kernel-mode malware and can detect the sort of tampering in the kernel that is typical of rootkits.

How good is the coverage? Microsoft scored dismal test results in the early days of OneCare, hitting a nadir in 2007, but its record has improved dramatically since. A new study (May 2009) by the independent AV-Comparatives group gave Microsoft OneCare (which shares the same engine and signatures as MSE) its highest (Advanced+) rating. Only 3 of the 16 products in the test earned that rating. Microsoft’s technology scored second in the accuracy ratings, behind AVIRA but ahead of AVG, Symantec, McAfee, and a dozen other products. And on the crucial measure of delivering the fewest false positives, Microsoft stood far ahead of the pack, delivering the fewest false positives of any program tested.

In the most recent round of tests from the independent ICSA Labs, Microsoft’s technology passed, while McAfee’s VirusScan family joined several smaller competitors on the FAIL list.

You can bet that the beta release will be seriously tested by independent labs and especially by Microsoft’s for-profit competitors in the coming weeks. If it has any weaknesses, expect to see them heavily publicized. Meanwhile, I'm sufficiently impressed by MSE in operation to give it a more in-depth workout on multiple systems here.

Would you put your trust in a Microsoft-run antivirus product? Leave your opinion in the TalkBack section below.

Topics: Operating Systems, Malware, Microsoft, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • This is too funny... Conficker ;)

    Conficker worms & viruses!

    • Especially...

      ...since MS offered a patch *6 months before* Conficker came out to anyone using Automatic patching.

      The only people who got infected were the paranoid and the pirates. Talk about irony...
      • Or complete idiots that can`t let Windows Update on its default ->ON(nt)

      • I know several who didn't get infected.

        I secured 300+ computers ahead of time.

        Oh, and the first iteration of Confickr actually came out days after Microsoft issued the patch. The variant that everyone loves didn't come out until 6 months later.

        As for the pirates, only the majority got infected.
    • Oh look, the broken record is here.

      Give it a rest, troll boy.
      Hallowed are the Ori
    • Moderators: Why are posts like that allowed to stand?

      Can you provide some explanation why Apple blogs are scrubbed clean of all posts that aren't 110% pro-Apple but Apple folk can come, post a spam message like this, and nothing gets done about it? 50% of the replies to this blog are just garbage and it truly makes it impossible to discuss the pros and cons of MSE when every second post is by some anti-MS troll.

      Some answers would be much appreciated.
      • This is zdnet, they let all sorts post

        And what makes you think Apple blogs are scrubbed?

        After all, you've posted at length about Apple on Apple blogs. And it's not as though you have a pro-Apple bone in your body.
        • Post about copy and paste and watch it get deleted

          Don't you dare make any posts about how WM had copy and paste years ago because your post will get deleted within minutes.

          However, feel free to write "Conficker ;)" on every Windows blog and watch it stand. I'm only trying to make ZDNet a better place unless you think that writing "Conficker ;)" was a useful addition to this thread?
          • ZDNet..

            long ago became a haven for Apple fanboys, and trolls of all sorts. It is impossible to have an intelligent discussion about anything MS related, because every other post is an Apple-head, professing his superior intelligence for owning an Apple, and your ultimate stupidity for not. If you want an Apple, go for it, but leave the rest of us alone!
          • Or post anything exposing the inherent weakness of .NET

            ...and watch it disappear. It happens to everyone NZ, not just Apple critics.
          • Conficker ;-)

        • I would hope so!

          If they didn't let all the freaks like me post, I couldn't start a stink on every blog! : )
      • Couldn't agree more

        The ABM nutjobs will cast the most serious aspersions against Bill Gates or Steve Ballmer, but if you point out that history of violence of open source programmers and advocates, bingo, post deleted. The Linux file system was programmed by a murderer, and there is a long history of open source being used to track the movements of unwitting users for criminal purposes. This post will probably be gone within minutes, but whatever.
        • Actually...

          I assume you're referring to Hans Reiser. There is no "Linux Filesystem". He was the programmer who developed the ReiserFS, which is one of many filesystems you can choose as your filesystem for linux.

          But I do agree with the fact that folks shouldn't be anti-microsoft just because it's Microsoft. I'm using MSE now in a virtual machine, but it's been so long since I've seen a virus I'm not sure how helpful it's going to be. I suspect if you're up to date on patches, you're probably fairly safe. Just keep an eye on those kids and those USB sticks..:)
  • Question re: crucial measure ...

    [i]And on the crucial measure of delivering the fewest false positives, Microsoft stood far ahead of the pack, delivering the fewest false positives of any program tested.[/i]

    By false positive, do you mean files that tested positive in the AV as being infected that really weren't? Or files that tested as being clean that really were infected?

    I care about the former [b]far less[/b] than I care about the latter.
    • The former

      False positives are a real problem, as they scare people, cause unnecessary calls to IT (in business) or to a repair person (for consumers).

      MS scored second in accurately detecting files as viruses and first in not detecting clean files as infected. AV-comparatives uses both measures for their ratings.
      Ed Bott
      • False Positives

        Not to mention the times various AV products have falsely detected, then quarantined or deleted system files, resulting in unbootable PCs and servers.
        • Or my favorite....

          when it quarantines an exchange or sql transaction log... ugh.

          I know I know exclude, but we all know that doesn't always work.
        • Nothing more entertaining than ...

          watching a person who thinks the removal of a virus is easy load and AV with out understanding the software an hose their system on a FP.
      • Thanks for the clarification ...

        I agree they are both important, and it's good to know that MS is scoring highly in both regards. That's very surprising to me, since the name "Microsoft" doesn't really make the word "security" pop into your head.