Microsoft Security Essentials: Aiming low?

Microsoft has offered a free consumer security product for years, but is it good enough for you? It's certainly better than nothing, but it's way short of the best products.
Written by Larry Seltzer, Contributor

A recent interview in PC Pro (UK) is raising some eyebrows about Microsoft's goals for Security Essentials, their free antivirus/antimalware program.

The story quotes Holly Stewart, senior program manager of the Microsoft Malware Protection Center, to the effect that Microsoft does not try to be a top-notch solution to compete with established companies in the field, like Kaspersky, Symantec and Bitdefender. Rather they try to block the most important threats and pass their research on to others in the security community.

All this is done in the service of security for the whole Windows ecosystem. The point of Microsoft Security Essentials is not to replace more comprehensive products (many of which are also free), but to set a baseline for security for Windows users. Much better that users run Security Essentials (and the Windows Firewall) than that they run nothing at all.

So there's no real excuse not to run a security program and keep it up to date. Unlike the other free ones, at least Security Essentials doesn't nag you with an upsell.

But better still that users run a product like Kaspersky Internet Security, which protects against a vast variety of threats and is updated many, many times a day. Products like these are the ones that do well in comparisons by labs like AV-Test, which throw hundreds of thousands of malware samples at them, including many for which the products have no specific protection.

AV-Test actually uses Microsoft Security Essentials as the baseline in their scoring system; Security Essentials gets a score of 1.0 and all the others are relative to that.

So it's unfair and beside the point to say that Microsoft designs Security Essentials to be at the bottom of the pack. Microsoft wants the Windows ecosystem to be secure and to be perceived as being secure. The best way to improve protection in this, or any other market, is through competition, and the security field is extraordinarily competitive, far more than perhaps any other major category of software. Not only are there many major players, but market shares are fluid and many products do well in particular countries but not others.

Microsoft's enterprise product (System Center Endpoint Protection) is similarly unambitious, but there's less of an excuse for customers there. Businesses with enough resources to run System Center should be spending money on a better antimalware engine.

The point Microsoft makes about sharing with the other companies is an important one about the security industry. Sharing information about threats has been SOP in the antimalware and other security businesses for a long time. Even if they're not building a top-notch product, Microsoft still has massive reach around the world and can make important contributions to security intelligence. This too is in their interest to the extent that it makes the Windows ecosystem more secure.

Remember, the security suite you run isn't the only important step you should take to secure your system. Keeping Windows and your applications patched up to date is potentially far more important (some security products will check to see if you have applied patches and nag you if you haven't, but Windows does this too).

You should also pay close attention to browser plugins, and that means all browsers, not just IE. Many of these can cause problems but aren't necessarily marked as malicious.

Do you run Java? Remove it. Make sure to remove all installations of it, because you may have more than one. If you have to run Java, run only the most up to date version and set your web browsers not to run Java applets by default (this is default behavior in some browsers now).
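
To find every copy before removing them, here is an added PowerShell example (not part of the original article). It lists Java entries in the standard Windows uninstall registry keys and any java.exe under the Program Files folders. The name pattern and search roots are assumptions, and copies installed elsewhere will not appear.

```powershell
# Added example: list every registered or on-disk Java runtime on this machine.
# The name pattern and search roots below are assumptions, not from the article.

# Uninstall entries: 64-bit, 32-bit (WOW6432Node) and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$registered = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '\b(Java|J2SE)\b' } |
        Select-Object @{ n = 'Source';   e = { 'Registry' } },
                      @{ n = 'Name';     e = { $_.DisplayName } },
                      @{ n = 'Version';  e = { $_.DisplayVersion } },
                      @{ n = 'Location'; e = { $_.InstallLocation } }
)

# Copies on disk, including runtimes bundled with other applications
# that never created an uninstall entry.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$onDisk = @(
    Get-ChildItem -Path $roots -Filter 'java.exe' -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Source';   e = { 'Disk' } },
                      @{ n = 'Name';     e = { $_.Name } },
                      @{ n = 'Version';  e = { $_.VersionInfo.ProductVersion } },
                      @{ n = 'Location'; e = { $_.DirectoryName } }
)

# Each row is a separate copy; anything left after uninstalling still needs attention.
$registered + $onDisk | Sort-Object Source, Version | Format-Table -AutoSize
```

Run it again after uninstalling: an empty table means no copies remain in the locations searched.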

Even good spam filtering can be important. Many threats are spread by spam, generally through web links in the message, and a good filter will block nearly all of these. 

Don't lose track of the fact that all the commercial security suites do a lot more than antimalware:

  • They usually have a better, more flexible firewall than the Windows Firewall
  • They'll have much better anti-spam protection
  • As I already said, some will flag unpatched programs
  • They include IPS (Intrusion Prevention System) functions, which means that they can block certain malicious behaviors even when the program has gotten through initial checks and executed
  • Many will check the code for web pages before your browser runs it
  • Many include anti-phishing features
  • Many include parental controls
  • Some include other useful security features like password managers and file encryptors

So if you're wondering if you can get away with only Security Essentials (and Windows Firewall) and good practices like prompt patching, you probably can. Configured in this way, and boosted by some common sense, you will block the large majority of attacks you're likely to encounter. You’re still going to be vulnerable to many a real world attack, especially in the early days of that attack, and you'll need that common sense, that ability to recognize the threats that get through. But you're not a sitting duck anymore, like you would be with no AV. The price of being cheap, in this regard, is not what it used to be.
