How good is Microsoft's free antivirus software?

Microsoft has officially unveiled its long-awaited free antivirus program. Formerly code-named “Morro,” it’s now been christened Microsoft Security Essentials (MSE), and it will enter public beta testing next week. I've been taking MSE for a test drive for the past few days. Here's my detailed report, with plenty of closwe-up screen shots to help you see exactly how it works.
Written by Ed Bott, Senior Contributing Editor

Microsoft has officially unveiled its long-awaited consumer antivirus offering. Formerly code-named “Morro,” it’s now been christened Microsoft Security Essentials, and it will enter public beta testing next week. If you have a licensed copy of Windows XP (Service Pack 2 or above), Windows Vista, or Windows 7, you’ll be able to download and install the software at no additional charge. No subscription is required for ongoing definition updates, either. The final release is scheduled for this fall. (My colleague Mary Jo Foley has more on what beta testers can expect next week.)

The public beta will be limited to 75,000 downloads, Microsoft says, and the targets are global. The initial beta release is limited to the United States, Israel (where a core development team is based), and Brazil. Next month, the beta will open up for users in China. It’s no coincidence that Microsoft is rolling out early in Brazil and China, which are large-scale vectors of malware infections because of the sheer number of Windows users running without antivirus protection. According to Microsoft, barriers to adoption of paid security software are especially high in developing markets, where internet access is slower and credit cards are unavailable to a large percentage of the population.

Microsoft Security Essentials requires validation, which means it won’t be available to anyone using a pirated copy of Windows. But it won’t require registration or personal information of any kind. In an interview last week, Theresa Burch, director of product management for Microsoft Security Essentials, confirmed that decision in no uncertain terms: “We collect no information from you at all,” she told me. No Windows Live ID, nothing. You agree to the EULA, validate, download, and you’re done.”


Over the past few days I’ve been testing recent builds of Microsoft Security Essentials on two machines, one running a 32-bit edition of Windows Vista, the other running a 64-bit copy of the Windows 7 release candidate. The software I describe in this post is a more recent build than the current beta that has been floating around back channels on the Internet. Here’s my report:

Page 2: Microsoft Security Essentials in action -->

If you get a sense of deja vu when you see Microsoft Security Essentials, that’s no accident. It’s a pure superset of Microsoft’s antispyware product, Windows Defender, which was publicly released nearly three years ago and is included by default with Windows Vista and Windows 7. Microsoft Security Essentials adds antivirus protection—both real-time protection and on-demand scanning—to the mix. It shares the same engine and signatures as other Microsoft antimalware products, including the enterprise-focused Forefront and the monthly Microsoft Malicious Software Removal Tool.


The MSE download is impressively lightweight. The x64 copy I installed on Windows 7 was 3.8 MB in size; x86 copies are 4.8 MB for Vista/Windows 7 and 7.7 MB for Windows XP. Installation (including the most recent definition updates) took less than four minutes and, as promised, the initial setup didn’t require any personal information or registration. After I accepted the license agreement, the software informed me that it needed to update its virus definitions and then proceeded to get the most recent updates on its own.


After that it launched a quick system scan that took another 5 minutes or so and predictably found nothing out of the ordinary.

Microsoft says the program is, not surprisingly, Windows Logo Certified and updates its virus and spyware signatures daily through Microsoft Update. New signatures are published three times a day, which means that clients will never get a new update that is less more than eight hours old. [Updated previous sentence to correct minor error.] The core antimalware engine, with new features and bug fixes, is scheduled for updates on a monthly basis. If Automatic Update is enabled, this process will be completely transparent to the user, Microsoft claims.


The first thing I noticed about MSE is how quiet it is. A single tray icon (hidden by default in Windows 7) is the only indication that it’s running. It doesn’t add any browser toolbars or desktop gadgets, and the associated service AntiMalware Service used between 35 and 50MB of RAM on my two test machines. Microsoft’s Alan Packer explained that the company has made “a major effort in terms of performance, in terms of both memory management and CPU.” Except when I deliberately tried to download a test virus, the program didn’t send up any notifications of updates or scans. Iif there’s a problem with updates or another action is required, notifications will show up in Windows (Security Center in XP or Vista, Action Center in Windows 7).

Page 3: How well does it work? -->

The main user interface follows the “red is bad, green is good” metaphor that Microsoft has adopted across its security software in general.


Like most of its peers, MSE offers real-time protection and an on-demand scanning engine. I noticed that the scanning engine throttled its use of the CPU to 50% or less, which lessened its impact on other tasks. When I tried to download the industry standard EICAR test virus, the real-time scanning intercepted the download immediately:


A quick click of the Show Details button opened this informative, "red is bad" warning from Microsoft’s malware database.


The cleanup process is designed to get rid of the immediate thread and then to immediately run a more detailed scan. As Packer explained, “Malware travels in packs, so we look for other stuff when we detect a problem.”

Like most modern antivirus software, MSE relies on up-to-date signatures, but adds its own cloud-based twists. Contrary to some recent reports, this isn’t a cloud-based service. Instead, it offers a dynamic signature service that pushes signatures on a daily basis, but adds the ability to query the signature service when need to reduce the window of exposure to new malware. By monitoring for suspicious behavior,  the service can query for a sample when necessary. Rootkit detection features target kernel-mode malware and can detect the sort of tampering in the kernel that is typical of rootkits.

How good is the coverage? Microsoft scored dismal test results in the early days of OneCare, hitting a nadir in 2007, but its record has improved dramatically since. A new study (May 2009) by the independent AV-Comparatives group gave Microsoft OneCare (which shares the same engine and signatures as MSE) its highest (Advanced+) rating. Only 3 of the 16 products in the test earned that rating. Microsoft’s technology scored second in the accuracy ratings, behind AVIRA but ahead of AVG, Symantec, McAfee, and a dozen other products. And on the crucial measure of delivering the fewest false positives, Microsoft stood far ahead of the pack, delivering the fewest false positives of any program tested.

In the most recent round of tests from the independent ICSA Labs, Microsoft’s technology passed, while McAfee’s VirusScan family joined several smaller competitors on the FAIL list.

You can bet that the beta release will be seriously tested by independent labs and especially by Microsoft’s for-profit competitors in the coming weeks. If it has any weaknesses, expect to see them heavily publicized. Meanwhile, I'm sufficiently impressed by MSE in operation to give it a more in-depth workout on multiple systems here.

Would you put your trust in a Microsoft-run antivirus product? Leave your opinion in the TalkBack section below.

Editorial standards