Can Microsoft Security Essentials beat Norton?

Darien Graham-Smith
29 Sep 2009

What do Microsoft and Symantec have in common? The obvious answer is that both are offering a new security package. In Symantec’s case it’s Norton Internet Security 2010, which I looked at a few weeks back. Microsoft, meanwhile, is today due to release Security Essentials (formerly codenamed Morro), its free replacement for OneCare.

They’re also both companies dogged by the sins of products past.

The Norton brand is still widely associated with bloated and buggy software, even though NIS has been a slick, lightweight package for several years now.

And Windows is continually ridiculed for its supposed susceptibility to viruses – even though platform security has been enhanced beyond recognition since the bad old days of Windows 98. Only a tiny minority of “in the wild” malware will even run on a fully-patched Windows 7 system.

Malware abounding

That’s not to say malware is dead: earlier this year the Conficker worm infected more than five million Windows PCs worldwide. At first glance, that might suggest that Windows’ security is still sub-par. Yet the truth is that when Conficker was released, it spread via a vulnerability that Microsoft had already patched through Windows Update.

And that’s partly the point of Security Essentials. If everyone kept their Windows installation up to date, it would hardly be necessary. But they don’t, and, since Microsoft has a reputation for lax security hanging around its neck, when an epidemic does strike it’s all too easy to point the finger at Redmond – something Apple salespeople in particular do with glee.

So alongside the excellent work the company has done in tightening Windows’ security, it’s now offering a fallback line of defence – a traditional antimalware application, based on an independent database of malware signatures, to intercept any viruses that may stray onto careless users’ PCs.

Yellow scorn

Symantec is well-placed to empathise with Microsoft’s plight; but since the two companies are now rivals, the Norton team has been quick to talk down Security Essentials.

“The security industry has moved on from the product Microsoft is launching,” declared Con Mallon, Symantec’s marketing director, yesterday. “Unique malware and social engineering fly under the radar of the traditional signature based technology employed by free security tools such as Microsoft’s.”

And he does have a point. Signatures aren't much help against a malicious website that offers each visitor their own personalised Trojan. Nor can they protect you against social engineering, such as phishing attacks that trick you into giving away your credit card details. It’s unarguable that if you rely on Security Essentials you’ll be vulnerable to certain types of attack.

“We believe the false sense of security provided by this tool is almost as dangerous as having no security at all,” cautioned Mallon.

Back to basics

But as the name clearly indicates, “Security Essentials” doesn't try to protect you against every possible threat. It’s a basic defence against basic malware – the stuff that’s prominent enough to succumb to signature identification. And personally I think that limited ambition is a smart move on Microsoft’s part.

Because, unlike Symantec’s software, Security Essentials isn’t a money-making venture: that’s clear from the free, perpetual licence. As I hinted above, to me it looks more like an attempt to shake off Windows’ reputation as a virus-ridden platform.

And to an extent, it helps that effort simply by existing: no longer can it be said that Windows needs third-party software to protect it from malware.

But the real success would be if it could forestall future epidemics like Conficker.

Less is more

And that’s the crux of the matter. To make that sort of difference, it’s not enough for Security Essentials to compete with other suites: somehow it needs to get onto the millions of PCs out there that currently have no malware protection.

That could be achieved by pushing it out via Windows Update (and setting the malware database to update automatically thereafter). In light of the recent furore over browser bundling, though, that might be a risky approach.

So Microsoft is wooing users who don’t use full-featured security software by offering them something easier, lighter and less intrusive: a security client stripped down to the basics, with a so-simple-it-hurts interface. With no nagging and free updates for life it’s a pretty compelling proposition.

Next week, when I’m back in the office, I’ll investigate whether Security Essentials really is lighter than established suites. But in the grand scheme of things that's not actually the important issue. It's the perception of simplicity that could help the software reach machines that would otherwise be unprotected.

If it does, every Windows user will benefit. Microsoft will come away looking very clever indeed, while Mr Mallon may have to eat his words.

But then who can blame Symantec, or any commercial security developer, for dismissing Security Essentials? Their industry is founded on the imperative of offering ever more comprehensive protection. It will be quite an upset if the most effective security package on Windows turns out, in fact, to be the one that does the least.
