Has Microsoft shot itself in the foot with Security Essentials?

4 Feb 2010

Davey Winder explains why he thinks Security Essentials could fail, despite being a decent product

Back in 2007, Microsoft was humiliated when its Live OneCare antivirus product failed to pass VB100 certification, spawning jokes about “OneCare” being an apt name if pronounced with a strong French accent.

However, the security world changes fast, so when AV-Comparatives published its tests a few months later, OneCare performed better than Kaspersky Anti-Virus 6.02 and AVG Anti Malware 7.5 (not that an 18% detection rate was anything to boast about). In 2009, Microsoft ditched OneCare and replaced it with a free, totally revamped offering: Microsoft Security Essentials.

“Free” and “revamped” are both important here: free is important because anything that gets some kind of security onto more PCs has to be a good thing. I know there have been free AV offerings around for years, and that some of them are actually quite good, but I’m not your Man on the Clapham Omnibus, and average Windows users are far more likely to install a freebie from Microsoft than hunt down a third-party application.

Indeed, part of the rationale for launching Security Essentials was to mitigate the current malware epidemic by getting protection to those who need it most – people in developing countries; people on low incomes; people who might otherwise be tempted to click on a rogueware pop-up for a free online scan.

All of which makes the “revamped” bit more important because if this were merely a “stripped-down OneCare”, as some security folk have suggested, it would all be for nothing. It’s been suggested by those who probably know better that Security Essentials is OneCare rebranded, and it uses exactly the same core engine – no different and no better.

My main concern isn’t that this is a bad piece of security software, since my testing so far suggests that it’s actually pretty similar in performance to the other free offerings. The simplicity of the product is refreshing and helps it to remain unobtrusive, both as far as system resources and user attention are concerned. Sure, it lacks the bells and whistles of fully fledged commercial suites, but the basic detection methodology it employs is solid enough.

The engine that powers Security Essentials isn’t brand-new – which would require years of real-world testing to mature – but rather one that’s been field-tested already in Microsoft’s enterprise-level Forefront product, which has been receiving decent reviews and has achieved ten VB100 passes. I’m concerned by its lack of basic email AV functionality, and less so by its lack of a firewall, since the Windows built-in firewall is adequate for average users (especially the new and improved one in Windows 7).

I tested Security Essentials against my private malware zoo of some 1,000 examples captured from the wild, and it detected every single one and blocked them all. I understand that AV-Test.org has undertaken similar tests with a WildList zoo of 3,732 malware samples, and again, Security Essentials found and blocked them all. On an XP machine using a full zoo of more than half a million samples it manages a detection rate of 98.44% with no false-positives, which isn’t to be sniffed at.

Spyware testing was less impressive with a 90.95% success rate, but what really let down Security Essentials is its inability to dynamically detect newly released threats. AV-Test.org admits that the same applies to most antivirus-only products, most of which lack the heuristic detection mechanism you get in full-blown security suites. Security Essentials has a relatively small memory footprint, consumes few system resources, and is pretty much silent in day-to-day operation.