Microsoft Engineer Attempts Daring OneCare PR Rescue

In a short span of time, Microsoft's new OneCare anti-virus service has been faced with a barrage of reports and blog posts remarking about how it failed a Virus Bulletin test that several of its competitors passed, along with consumers' complaints that OneCare deleted their Outlook e-mail files in the act of disarming viruses they may have contained. Now, a key engineer on the company's anti-virus team finds himself in the awkward position of defending the reputation of a firm he's only worked with for a few months, after having spent ten years at McAfee, and some time at Symantec before that.

"When we think about priorities we put our customers first and in doing that we ask ourselves, 'What do our clients want? What do they need?"' writes Jimmy Kuo, a respected anti-virus engineer who joined Microsoft last September along with some McAfee colleagues, in his inaugural blog post for the Anti-Malware Engineering Team yesterday.

"In my years in this business," Kuo continues, "the answer to the first question is some form of, 'I want to be able to sleep soundly each night knowing that when I wake up, my world hasn't fallen apart. And if something does happen, I can rely on my vendor to easily resolve it for me."'

Kuo may have been showing sympathy for consumers' recent complaints, such as this one which was posted to Microsoft's support forum on Tuesday: "The irony of the antivirus issue is that viruses simply exploit defects in the operating system. So if Microsoft would produce a zero-defect OS, we wouldn't need anti-virus software. Not only do we get a defective products from Microsoft and all other software manufacturers, we, the end-users, get to pay directly and indirectly for these defects. We need to buy security software subscriptions to hopefully safeguard our systems and if we have a problem with the software due to these defects, we get to pay tech support to provide marginal technical assistance. Oh, and then I get to waste my time and have to load potentially system breaking software to prove that I have a genuine copy of Windows to get some of the updates and security patches to fix my defective software! And there are so many other situations like this one."

Some OneCare customers have theorized that the Outlook e-mail deletion disaster may have arisen from a bug that was detected in an early beta of version 1.0, that was identified and corrected in later betas - according to reports from testers - although it may have crept back into the source code of the final build. Much of the product's testing took place before Kuo and others on his team came on board.

After the first reports of e-mail deletions were made known last January, Microsoft officials did little to acknowledge the problem until last week, leaving a volunteer MVP to apologize to customers on behalf of the company, when an official finally announced the deletion bug would be fixed in an engine update. That update was apparently rolled out last Tuesday, though IT managers and consultants continue wrestling with the damage the bug originally caused.

Kuo's post yesterday did not address the Outlook deletion problem directly, choosing instead to characterize OneLook's performance issues as a kind of discrepancy that arises when the methodology an anti-virus program uses to detect threats doesn't mesh with what someone else - someone like the industry journal Virus Bulletin - expects. Virus Bulletin hands out the "VB100" seal of approval to anti-virus programs that pass its battery of performance tests.

"We missed capturing a VB100 in the last test because we missed one virus," Kuo writes, perhaps hoping that readers will see a "99%" in their minds and remember that a 99 score is still an "A" in elementary school.

"So, as a result we have adopted new methodologies to remedy that," he continues. "The methodology we adopted is to look more closely at families of viruses that have been found to be 'in the wild' (ITW)...This means someone working off the same code base is actively spreading the malware of this family, and thus more of the same family will likely become ITW in the future. And we want to be able to detect them with signatures we write today rather than after they've been loosed upon the public."

If we're interpreting Kuo's words accurately, he appears to be saying OneCare attempted a methodology that attempted to locate future viruses mutated from earlier ones, based on the signatures of those earlier ones - and it was that methodology that made it fail to find the critical virus in the VB100 test. Virus Bulletin has previously maintained that its battery of tests are geared toward the detection of existing, common viruses.

Microsoft's goal, Kuo maintains, is to leapfrog from here over its competition. "So while we concentrate on what's truly important (malware actively being spread ITW), we will also be bringing up these other test detection numbers," he writes. "You will see our results gradually and steadily increase until they are on par with the other majors in this arena. And soon after, they will need to catch up to us!"

Kuo's comments may have been read by many IT managers and consultants who weren't getting any sleep last night, desperately scrambling to recover their clients' and employers' e-mails.