Microsoft "Morro": explicitly explained, fact from fiction

"Morro", Microsoft's new anti-malware solution has baffled many. Why? What? How? When? Most of your questions answered in explicit, uncut and occasionally graphic detail. Article
Written by Zack Whittaker, Contributor

Update: this post is considered out of date and incorrect. Please follow this link to an explanatory post.

Microsoft's decision to pull the plug on Windows Live OneCare was, let's face it, one of the best ideas the company has made in a long while. The anti-virus and firewall solution was just plain awful; with high expectations from users and the media, and the inability to deliver the goods, or in this case, prevent the bad's from getting in. It was a bad first attempt at making an operating system secure.

There is a lot floating around at the moment, and as a younger, more naive user as a number of my most eminent readers quite regularly point out, there are some interesting things yet to discover about Morro.

I may as well point out now, with my research and understanding, Morro will be more of a web anti-virus than a file anti-virus. Most threats come in from the Internet nowadays, with broadband connections keeping the web juices flowing constantly. The bandwidth issue mentioned later on will make this more apparent.


"Morro", the codename for the new anti-malware solution which Microsoft will be plugging to the world by the end of the year, and is Microsoft's second attempt at an anti-malware solution for Windows. However, unlike Windows Live OneCare which can be bought as a subscription, or Windows Defender which is included as a basic anti-spyware solution in Windows Vista onwards, Morro is almost entirely cloud based.

Instead of scanning every file or network packet as they arrive into the computer from the web or an external device, it creates a virtual tunnelbetween your incoming Internet pipe at the back of your computer to a Morro data center, which scans every byte and packet for malware.

Now, if you had a 5MB image which was laced with an amyl-nitrate virus of doom, would this mean that the image would be uploaded, scanned in the cloud (almost instantly due to the vast computational power) then flagged as OK afterwards? This would surely use up a lot of bandwidth, but we simply don't know yet.

With some anti-virus products on the market costing around $40 for an annual subscription, Morro will be provided for free. It will almost certainly not be part of Windows 7, as this will kick off a storm in Brussels and potentially spark a million lawsuits.


We do know, on the other hand, that it will be a software+services solution which uses the cloud computing power to check for malware instead of using your computer's processor to do the work. But instead of using local computing power, it'll surely just substitute this for bandwidth? Try and imagine this though:


On an ordinary setup, the website you visit has malware embedded into it. It flows across the Internet, into your pipes in your house and gets picked up by your anti-virus software on your computer, before it gets chance to access anything on your hard drive. This process can be slow, by scanning packets flowing in and out (mostly in), detecting bits of malicious code in programs and services.


Morro works by utilising mass data center power, with networked and meshed computational power which surpasses that of God him/herself. By acting as a barrier in the cloud between your computer and the rest of the web, it scans your traffic before it reaches your computer... I think. Blame anyone but me for misinterpreting the information, because there's a lot of speculation at this stage.

Considering I did these diagrams whilst I was hammered last night, it's not a bad representation if I'm honest.


It'll be around for the release-to-manufacturing of Windows 7, so by the time you get your copy of Windows 7 installed, it should be out there ready to download and use.

In the meantime, it will most likely be released for beta testing this summer or towards the autumn. It seems Microsoft is doing a relatively good job of aligning other releases which compliment Windows 7 as much as possible; Office 2010, the next-generation office suite as well as Morro seem to be thrown out into the big bad world all at the same time.


Morro will be slimmed down to provide simple anti-malware features, including anti-virus, spyware scanner, whilst detecting and removing rootkits and trojans. It may well include a firewall, or if all Internet traffic is channelled through the cloud data center first, it will be included behind the scenes. I don't really have the necessary technical skill to know whether this will work effectively or not though.

Some claim that Morro won't be enough to satisfy the need for threat-management on computers today. In one report, Janice Chaffin of Symantec, said:

"Microsoft's free product is basically a stripped down version of the OneCare product Microsoft pulled from the shelves. A full Internet security suite is what consumers require today to stay fully protected."

My previous post explained Microsoft's cloud computing strategy - what it is, how it works, and more importantly why it is there. Part of the cloud computing component, Morro will be the first anti-virus in the cloud, in theory, but Panda got in there first by releasing theirs before Morro was even formerly announced.

How it will remain free is beyond me. The only viable way Microsoft makes money out of these things is by providing advertisements to their programs and applications. This is not only why Windows Live and other Microsoft products are free, but you'll find it's why the Internet as a whole is pretty much free.

As always, feel free to leave your comments and questions below and I'll give it my best shot in answering them.

Editorial standards