Symantec: No hard timeline on Windows XP support

Alone among the major AV companies, Symantec won't commit to a specific period of time for Windows XP support, and they have good reason not to.

As we learned yesterday,  nearly all major anti-virus companies are committing to continue support for Windows XP  users for at least a year after this April's end of life for the operating system.

The one big missing name was Symantec, makers of enterprise security products and the Norton line for consumers. Last night Symantec contacted me with a statement on the matter:

    Symantec's Norton products will continue to support Windows XP for the foreseeable future, and we also offer enterprise products that lock down applications, configuration settings and resources so that malicious code and vulnerabilities cannot be exploited. However, customers need to know that in addition to running the most up-to-date security products, another important aspect of protecting their systems is keeping them current with the latest OS service pack and patches. Because Microsoft has announced they will no longer publish patches beyond the formal end of life for Windows XP, these systems may become targets for cybercriminals, particularly if new vulnerabilities are discovered in the OS. Therefore Symantec strongly recommends Windows XP customers to upgrade to a more current OS as soon as possible.

Very carefully worded, and they are careful to say that they "...will continue to support Windows XP in the foreseeable future..." But they still don't give a time frame, and I don't blame them. Committing to support Windows XP after April is a big risk. It's difficult enough to protect current, supported products; continuing antivirus support for an operating system which doesn't get vulnerability updates is arguably dishonest to the user.

It's reasonable to believe that after April's Patch Tuesday malicious actors will roll out XP vulnerabilities that they have been holding back, because after April users will be defenseless against them. It may become impossible to keep XP users safe on the Internet, and it may become that way quickly. In such an environment, claiming that you have a supported security product for Windows XP is a good way to make a bad impression with your customer.

I don't generally approve of the enthusiasm with which most other vendors are continuing support for XP. Basically all of them will accompany their support announcements with an admonition that it's a bad idea to keep running XP, and that you'd be much better off moving up to Windows 7 or Windows 8 or pretty much anything else that's currently supported. But when they say that they'll continue to support their products for 2 years or more, they are still giving their customers permission from an expert to keep on using XP. That's just not right. It takes some courage to say no (sort of) to your customers, as Symantec does, but you can always do worse than to do the right thing.