Expired security software an open door to malware

The latest version of the Microsoft Security Intelligence Report shows that users without updated anti-malware are far more likely to become infected.

To many it seems patently obvious, but not to all: Windows users who do not run updated anti-malware software are much more likely to be infected with malware.

Microsoft released research this week to prove the point in the most recent version of its Security Intelligence Report. The company also highlighted the data in a blog entry from the Microsoft Malware Protection Center (MMPC).

The data in the report comes from telemetry reported by the Malicious Software Removal Tool (MSRT), which runs each month through Windows Update. The MSRT reads the protection status of the machine from the Action Center API.

Microsoft defined several categories of unprotected systems:

  • Expired: the computer had an anti-malware trial subscription which ran out
  • Off: the computer has anti-malware, but it is disabled
  • Out of date: the computer has anti-malware, but the definitions are not up to date
  • No protection: the computer has no anti-malware
  • Snoozed: the product is up to date but not performing monitoring, probably because it is updating itself; this is generally temporary
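The categories above are what the Action Center reports for each registered product. A defender who wants to see which category their own machines fall into can read the same data from the Windows Security Center WMI provider. The following PowerShell script is an added example, not code from Microsoft or from the Security Intelligence Report; it assumes the widely used community decoding of the undocumented `productState` bit layout (the hex values in the comments), which should be checked against the products in your own fleet before it is relied on.

```powershell
# Added example, not code from Microsoft or the SIR. Classifies a machine's
# anti-malware state into the report's five categories by querying the
# Windows Security Center WMI provider (root/SecurityCenter2), the data the
# Action Center surfaces. Client SKUs only; servers do not register here.
#
# ASSUMPTION: the bit layout of AntiVirusProduct.productState decoded below is
# the community interpretation of an undocumented value, not a Microsoft-
# documented contract. Verify it against your own products before acting on it.

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][int]$State)

    # Assumed layout (undocumented):
    #   bits 8-15  real-time protection: 0x10 on, 0x00 off, 0x01 expired, 0x11 snoozed
    #   bits 0-7   signature status:     0x00 up to date, 0x10 out of date
    $rtp = ($State -shr 8) -band 0xFF
    $sig = $State -band 0xFF

    $category = switch ($rtp) {
        0x10    { if ($sig -eq 0x10) { 'Out of date' } else { 'Protected' } }
        0x00    { 'Off' }
        0x01    { 'Expired' }
        0x11    { 'Snoozed' }
        default { 'Unknown' }
    }
    return $category
}

function Get-AntiMalwareCategory {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $cimArgs = @{ Namespace = 'root/SecurityCenter2'; ClassName = 'AntiVirusProduct'; ErrorAction = 'Stop' }
        # Only go over WinRM for remote machines; local queries need no listener.
        if ($computer -ne $env:COMPUTERNAME -and $computer -ne 'localhost') {
            $cimArgs.ComputerName = $computer
        }

        try {
            $products = @(Get-CimInstance @cimArgs)
        } catch {
            [pscustomobject]@{ Computer = $computer; Product = $null; Category = 'Query failed'; RawState = $null }
            continue
        }

        # No registered product at all corresponds to the report's "No protection".
        if ($products.Count -eq 0) {
            [pscustomobject]@{ Computer = $computer; Product = $null; Category = 'No protection'; RawState = $null }
            continue
        }

        foreach ($p in $products) {
            [pscustomobject]@{
                Computer = $computer
                Product  = $p.displayName
                Category = ConvertFrom-ProductState -State ([int]$p.productState)
                RawState = ('0x{0:X6}' -f [int]$p.productState)
            }
        }
    }
}

# One row per registered product. A machine with several products counts as
# protected if any of them reports 'Protected'.
Get-AntiMalwareCategory | Format-Table -AutoSize
```

Run it against a list of machines (`Get-AntiMalwareCategory -ComputerName (Get-Content .\hosts.txt)`) to get a fleet-wide view comparable to the report's breakdown; `RawState` is kept in the output so that any product whose value does not fit the assumed decoding shows up as `Unknown` with the hex value next to it rather than being silently misclassified.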

See the chart below, which is based on data from the second half of 2013 and the first half of 2014. The data is all for Windows 8 and 8.1 and so shows an interesting effect: the percentage of systems with expired anti-malware grows rapidly in the early months of 2013. Note that Windows 8 became generally available in October 2012, so one would expect the expirations to begin a month or more later. They climb rapidly and then peak at 10.1 percent of all systems in August 2013. The number has since dropped somewhat, but leveled off just below 10 percent.

Image via Microsoft Security Intelligence Report, Volume 17

So the total share of unprotected non-domain systems is 17.3 percent, more than half of which are expired. (On domain-joined computers it is 9.1 percent, nearly all Out of date and Off.) How much malware did the MSRT detect on these systems compared to the ones with active protection? A lot more.

See the graph below, which shows infection rates for systems of the various categories.

Image via Microsoft Security Intelligence Report, Volume 17

There is much to be said about this graph. First, it needs to be said that it covers only malware that the MSRT is capable of detecting. Microsoft focuses on the more popular families of malware and, since the tool is updated only monthly, it won't find anything new. Second, perhaps the most shocking number is the one for systems with active protection: about 0.6 percent had an infection that the MSRT could detect. It's this sort of failure that leads many people to overreact and conclude that anti-malware is worthless. Other people may think that out-of-date anti-malware still provides meaningful protection.

But of course, as the other numbers show, it is not at all worthless, just imperfect. They also show that out-of-date protection is only slightly better than no protection at all. 2.4 percent of systems with no protection at all were infected; that's four times as many as those with active protection. Infections were found on 2.2 percent of systems with protection off or expired, and on 1.9 percent of those with out-of-date protection.

Half of the unprotected systems may have been expired, but only two vendors were responsible for 87.9 percent of all expired trials. Unfortunately, but understandably, Microsoft refers to them only as "Vendor A" and "Vendor B." It follows that they must be two companies with a great deal of market share among OEM trial versions.

The difference in infections between systems with active protection versus no protection is a significant one, and should justify paying up to keep your protection up to date. Remember, almost everyone sells multi-system annual subscriptions, so the cost may be less than you think.