Q: How essential is Microsoft Security Essentials? A: Does your door have a lock?
Today Microsoft released Security Essentials for free. I've been testing the software for the last month, and I'm nearly at a loss how to really review it. Either the software doesn't really work and my laptop is a malware whore, or Security Essentials works so well you just set it and forget it.
The software has never warned of any malware infection. It works silently and doesn't hog resources -- typically less than 6,000k memory, according to Task Manager. Next to perhaps AVG 8.5, I've never used anti-malware software that asked so little of me or my computer (Read Scott Fulton's take on Security Essentials).
Security Essentials is another example of Microsoft improving software UX (user experience). Among Joe's six principles of good software design, Security Essentials embodies the two most important. Good software: Emphasizes simplicity and hides complexity.
By comparison, Windows Vista and Internet Explorer 7 violate these two principles at seemingly every opportunity. User Access Control prompts in Vista and security warnings in IE 7 demand too much from end users. Rather than drive 120km per hour, users must slow down for Windows Vista or IE 7 speed bumps. It's terrible product design because:
- End users get angry about waiting and they so develop bad feelings about the software and Microsoft.
- Most people don't understand enough about security or the prompts to make the best decision. Confusion makes some people feel stupid, and so they also feel unhapppy about the software and Microsoft.
- Numbness sets in, so that end users ignore the security prompts. They develop bad click-through habits, increasing risk from ignoring prompts or mindlessly clicking through a browser generated-malware pop-up.
Good security UX is about balance, by providing the best protection without being too intrusive. My favorite analogy is the street-side shop, where goods are displayed in the window and on the sidewalk. People need to see the goods to buy them. But as the economy has declined, sidewalk thievery has increased, so the shopkeeper moves the goods inside. That turns out not to be enough. Someone breaks into the shop through the big window and steals the goods, so the shopkeeper puts up bars and a gate. Each new security measure limits the shop's ability to conduct business with legitimate customers, just to keep out a few criminals. At some point, the security measures sacrifice commerce for safety. That's exactly the kind of security approach Microsoft applied to Windows Vista and IE 7.
Windows 7 and IE 8 reduce the security complexity, but there is still too much of it. That said, there is lots more balance than before. The defaults are just about right but security prompts still a few too many. Microsoft's approach is more like a car prompting when the driver hits the left-hand signal: "Remember to look over your shoulder for oncoming traffic before making the turn." Such audio prompts would drive drivers crazy. Hehehe, maybe it would be a good green tactic. Riding a bicycle would be preferable to the constant nagging while driving.
So, it is refreshing to find Security Essentials to be so silent and unassuming. Good security software should protect, not ask if you want to do something that might be risky or whether you really want to be protected. But this unassuming simplicity makes a review, other than perhaps purposely infecting my laptop, difficult because there isn't much to say.
An Essential Utility
As such, I'll talk strategy and what the software means for Microsoft's former security software partners. The question: Should Microsoft offer free security software to consumers? Absolutely. There is no choice, and Microsoft would do customers better by fully integrating security software into Windows 7. But Microsoft has enough antitrust problems in Europe to make including antivirus risky business.
Integrated or separate, I see four reasons why free security software from Microsoft is a must:
- Windows brand
- Customer safety
- Shadow ecosystem
- Corporate responsibility
Windows brand. Security problems have damaged the Windows brand. Who wants to drive an unsafe car? Apple has enjoyed much success by ragging on Windows security in advertisements, such as "Get a Mac" commercials. Additionally, offensive third-party anti-malware -- meaning annoying and resource hogging -- detracts from the end-user experience, which also hurts the Windows brand.
Worst of all: Malware infections, where people feel vulnerable and invaded before a torrent of porn popups or other malady. Who gets the blame? Microsoft and Windows. It's funny how little the criminals are accused. When the bank is robbed, despite its security measures, who do people blame? The bank or the robbers? You know the answer.
Customer safety. Windows is Microsoft's product. The primary responsibility for protecting it from marauders should be Microsoft's, not third parties like McAfee or Symantec. Microsoft's first obligation is to the customer who buys Windows with the reasonable expectation of using it safely. Microsoft must do everything possible to ensure customers' privacy and identities are protected from criminals. Who wants to move into a bad neighborhood, where muggers and murders roam the streets and house to house? Just one worm, Conficker, has infected millions of PCs. But experts dispute the number, which could be as low as 3 million or as high as 10 million, when considering variants.
A second obligation: The PC manufacturer who sells a computer with Windows. Security problems tarnish brands like Dell and HP, too. There, many OEMs have failed their customer responsibilities, by shipping consumer PCs with anti-malware software that typically expires in 30-90 days. Microsoft is doing right by both customers -- OEMs and PC buyers -- by taking more security responsibility.
Shadow ecosystem. OK, this is going to start the flamethrowers. Calm down, commenters for what you are about to read. I assert that Microsoft has got an undeserved bad security rap. Windows XP is pretty secure from Service Pack 2 onward. Windows Vista and 7 are even safer, mainly because of changes to user rights privileges and the hardened kernel. IE is still a bugger, but it's safer today than two versions ago.
Microsoft's security problems are more a byproduct of its success than poorly written code.
Microsoft describes its Windows partners and their products and services as an ecosystem. Third parties greatly profit from this ecosystem. But there is what I call a shadow ecosystem that profits from exploiting Windows rather than extending it. Third-party anti-malware providers operate in the shadow ecosystem fringes, by fixing security bugs rather than exploiting them; their assistance is vital to Microsoft and its customers and partners.
But the shadow ecosystem is mostly made up of parasites. They attack the Windows ecosystem and would destroy it by profiting from it. Microsoft can't escape the shadow ecosystem. The ecosystem of developers, resellers and other partners make money from Windows platform strengths. The shadow ecosystem profits from the platform's weaknesses. Because both ecosystems come from Windows, Microsoft must take responsibility for them.
Corporate responsibility. But Microsoft's security responsibility is bigger, because most PCs connecting to the Internet run some version of Windows. Microsoft's responsibility to protect then is about 1 billion PCs and the commerce that takes place on them.
Every botnet puts the entire Web community at risk. For years, I've recommended that companies should provide all employees with free anti-malware software. Actually, use of the software on personal PCs should be a requirement of employment. If your employee's personal PC is infected by malware and participates in a botnet spewing spam or other maladies, he or she is the enemy. To Microsoft I say this: You should make free security software available for personal use a part of corporate volume-licensing contracts. Competitors will cry antitrust fowl, but they could offer similar option. Microsoft, do the right thing.
Security Essentials' release isn't enough, however. Microsoft should take a bigger risk of offending third-party anti-malware developers and even European or US trustbusters: Advertise. Microsoft should make Security Essentials a part of Windows advertising, as the company has done with Windows Live Photo Gallery. Microsoft should build brand awareness like it has with Bing. "There's a safer Windows. Windows 7. It's safer still with Microsoft Security Essentials. It's so simple. Set it and forget it. Security Essentials will remember to lock the Windows so you don't have to."
For the consumer market, Security Essentials is the kind of product Microsoft should have released long ago. Is it good enough? That's the question millions of users will answer over the coming months.