That 72 hours of raw-edged panic was quite enough for me to focus on the sins of those who come and ask for help, which can be every bit as difficult as the sins of the fixers. So pardon me while I abuse the Pro blogs to let my friend know how I felt about her approach to the whole sorry matter.

Dear Mildred (name changed to protect the innocent here),

It was delightful to hear about your holiday in Kuala Lumpur, for 20 minutes, before you got around to mentioning that you had brought back a DVD burned for you by a charismatic local photographer and thrown it in that laptop you obtained from me six months or more ago.  It was sadly not surprising to hear that once that DVD had been introduced to the laptop, you had laid yourself wide open to every hacker and script kiddie on the planet. The parts I did find surprising then came so thick and fast that I was barely able to assemble a coherent reply, so let’s unpack all your assumptions and deal with them item by item, now that facts can take precedence over emotional blackmail.

- No, it doesn’t matter how you imagine viruses work: they will not be amenable to persuasion, they will do what they like. Responses like “that seems a bit far-fetched” won’t get your laptop fixed, or keep the hackers away. After the initial, invisible infection has granted the underworld open access to your PC, they are unlikely to steal your personal data – you’re not rich enough – but they will sell off access to your machine, for a relative pittance, to much less accomplished hackers. It’s their lesser efforts you can see, and they’re just evidence of the basic high-quality infection.

- No, you can’t sue AVG. You put a physical piece of storage in your DVD drive and clicked on various dialog boxes, some of which you neither understood, nor can now remember, because you wanted to get at the content on the disk. Once you do that, it’s game over.

- No, I am not responsible for everything that befalls something I once owned. It is now your laptop and your responsibility. Curiously, I am not sitting around at home doing nothing waiting for machines to die, and there is no way that you can cajole, seduce or otherwise influence me to “just spend ten minutes on it”. There are two reasons for this. One is that it’s perfectly clear that if I do touch it, I will never hear the end of the matter for as long as I live. The other is that once you stuck that DVD in there and started saying “yes, OK” to every resulting dialog box, you sank the whole thing. It doesn’t take 10 minutes to sort that out; it requires a complete machine reload to properly guarantee the infection is history.

- No, there is no neat and handy way I’ve been keeping secret that allows you to retain your extensive collection of stolen software licences loaded on that laptop. It’s even possible (but unlikely) that one of those copies you downloaded from total strangers via BitTorrent was actually the source of infection, not the DVD from that far-off and well-known training school for global cybercrime supercriminals. But you don’t believe that possibility either, so that’s me told good and proper. I personally remember all those nights in the 90’s when your standard response to any creative suggestion was “that’s great, but don’t tell anyone else so they can’t steal your idea” – rampant hypocrisy always offends me, especially when the software you’ve stolen is used to maintain your creative business. Perhaps you wouldn’t be in this dire situation if you had actually paid for the things you use (and therefore could reinstall them), even paying for a decent image-based backup program would have saved your bacon. Just because I use one and recommend it to everyone doesn’t mean it must therefore be nerdy and incomprehensible so you shouldn’t touch it.

- Don’t worry. I don’t propose to identify the specific products you don’t have licences for, mainly because I think the whole business of what’s free and what’s not is now so murky and confused that I don’t think you are even doing anything special these days. It’s not something I will involve myself in, though, which is in part why I am more tilted towards the hardware business, than software, these days. I have gone about as far as I can here to make it clear why your approach to the way your laptop drives your business, mixed with your approach to the way that people in the computer business sell things to you, adds up to a disaster waiting to happen. And I do disaster recovery, not disaster participation.

Love and kisses,

Steve

They’re also both companies dogged by the sins of products past. The Norton brand is still widely associated with bloated and buggy software, even though NIS has been a slick, lightweight package for several years now.

And Windows is continually ridiculed for its supposed susceptibility to viruses – even though platform security has been enhanced beyond recognition since the bad old days of Windows 98. Only a tiny minority of “in the wild” malware will even run on a fully-patched Windows 7 system.

Malware abounding

That’s not to say malware is dead: earlier this year the Conficker worm infected more than five million Windows PC worldwide. At first glance, that might suggest that Windows’ security is still sub-par. Yet the truth is that when Conficker was released, it spread via a vulnerability that Microsoft had already patched through Windows Update.

And that’s partly the point of Security Essentials. If everyone kept their Windows installation up to date, it would hardly be necessary. But they don’t, and, since Microsoft has a reputation for lax security hanging around its neck, when an epidemic does strike it’s all too easy to point the finger at Redmond – something Apple salespeople in particular do with glee.

So alongside the excellent work the company has done in tightening Windows’ security, it’s now offering a fallback line of defence – a traditional antimalware application, based on an independent database of malware signatures, to intercept any viruses that may stray onto careless users’ PCs.

Yellow scorn

Symantec is well-placed to empathise with Microsoft’s plight; but since the two companies are now rivals, the Norton team has been quick to talk down Security Essentials.

“The security industry has moved on from the product Microsoft is launching,” declared Con Mallon, Symantec’s marketing director, yesterday. “Unique malware and social engineering fly under the radar of the traditional signature based technology employed by free security tools such as Microsoft’s.”

And he does have a point. Signatures aren’t much help against a malicious website that offers each visitor their own personalised Trojan. Nor can they protect you against social engineering, such as phishing attacks that trick you into giving away your credit card details. It’s unarguable that if you rely on Security Essentials you’ll be vulnerable to certain types of attack.

“We believe the false sense of security provided by this tool is almost as dangerous as having no security at all,” cautioned Mallon.

Back to basics

But as the name clearly indicates, “Security Essentials” doesn’t try to protect you against every possible threat. It’s a basic defence against basic malware – the stuff that’s prominent enough to succumb to signature identification. And personally I think that limited ambition is a smart move on Microsoft’s part.

Because, unlike Symantec’s software, Security Essentials isn’t a money-making venture: that’s clear from the free, perpetual licence. As I hinted above, to me it looks more like an attempt to shake off Windows’ reputation as a virus-ridden platform.

And to an extent, it helps that effort simply by existing: no longer can it be said that Windows needs third-party software to protect it from malware.

But the real success would be if it could forestall future epidemics like Conficker.

Less is more

And that’s the crux of the matter. To make that sort of difference, it’s not enough for Security Essentials to compete with other suites: somehow it needs to get onto the millions of PCs out there that currently have no malware protection.

That could be achieved by pushing it out via Windows Update (and setting the malware database to update automatically thereafter). In light of the recent furore over browser bundling, though, that might be a risky approach.

So Microsoft is wooing users who don’t use full-featured security software by offering them something easier, lighter and less intrusive: a security client stripped down to the basics, with a so-simple-it-hurts interface. With no nagging and free updates for life it’s a pretty compelling proposition.

Next week, when I’m back in the office, I’ll investigate whether Security Essentials really is lighter than established suites. But in the grand scheme of things that’s not actually the important issue. It’s the perception of simplicity that could help the software reach machines that would otherwise be unprotected.

If it does, every Windows user will benefit. Microsoft will come away looking very clever indeed, while Mr Mallon may have to eat his words.

But then who can blame Symantec, or any commercial security developer, for dismissing Security Essentials? Their industry is founded on the imperative of offering ever more comprehensive protection. It will be quite an upset if the most effective security package on Windows turns out, in fact, to be the one that does the least.