You make some excellent points.
When talking about users in the aggregate, they actually do dumb things like intentionally visit sites that expose them to malware, usually for reasons like (1) they don't believe it; or (2) they want to test their anti-malware software, and believe this is the way to do it. Usually without any backups, but that's another topic.
Oh, anti-malware software is only a small part of the security stack. It's an important part, but I'd argue that keeping the operating system up-to-date and developing some defensive computing skills (being suspicious of social engineering attacks, etc.) is equally as important.
Microsoft actually makes, well, I'm not sure, but I'd have to guess in the low hundreds of millions of dollars from Windows Defender. While the consumer and small business (1-10 PCs) version is free, businesses have to license it if they are going to use it on more than ten PCs, where, if memory serves, it is licensed as System Center Endpoint Protection (it has had several names over the years). It's the same engine and detections as the consumer version, just with a different UI and some additional management features. I'm guessing probably somewhere between
$100-300M, but that's just a guess on my part; I really don't know the financials on it. That's enough to put them into the top ten vendors in the endpoint security space, and I would imagine that there is some marketing around it commensurate with that, but it's probably mostly geared at existing enterprise customers who use other parts of Microsoft's system management stack, so it's not the kind of thing you'd see advertised in, say, a computer magazine or general technology website.
Microsoft's reasons for having an anti-malware program are many-fold, and the definition of why has changed a few times over the years. One of the reasons they do, and one I happen to agree with, is ecosystem protection and clean-up. A large amount of Microsoft's value is in the Windows brand, and having malware affecting Windows diminishes equity in the brand. At the same time, Microsoft has had to take a very nuanced approach to deal with the download ecosystem (bundlers, potentially unwanted applications, potentially unsafe applications, unwanted software, deceptors, toolbars, registry cleaners and all the companies which are involved in that chain of downloading and monetizing software). Because those people are Microsoft's business partners, too, and they have a large number of customers. For years, the anti-malware ecosystem has had to deal with them without much explicit support, although there's always been a kind of tacit understanding about dealing with the bottom-feeders in that space. It's the reason Microsoft started the Clean Software Alliance
and it's also the reason Microsoft has finally been taking a more aggressive stance against things like PUAs. As best as I can figure it, someone over in Redmond finally decided the reputation damage to the Windows brand from those wasn't worth it.
I believe the issue you are referring to is when Microsoft announced that 64-bit versions of Windows Vista would be implementing a kernel patch protection solution called PatchGuard, which would prevent drivers from modifying kernel memory structures. Modifying kernel memory generated a stop error (aka BSOD). This was done to prevent a difficult kind of malware that was seen in XP at the time called rootkits, which were difficult to detect, difficult to remove and were often involved in causing financial losses to Microsoft's enterprise customers. From what I recollect, the three companies that you mentioned did start a PR campaign about it, and did things like take out full page ads in the WSJ. It didn't really go anywhere, as I recollect, and eventually they all came around eventually. What Microsoft did here was to improve the security of their operating system to protect their customers, which is something I (and my employer) are on-board with. There were probably 50-60 (or maybe a few more, even) anti-malware companies out there when this occurred, and for most of them this was a non-issue, since the number of companies which performed direct kernel object manipulation was around, oh, three or so. Might have even been double that (six?) but I don't think it was a major issue for the others that did. Like most anti-malware companies at that time, my employer didn't do any DKOM, and I recall us generally being quite supportive of Microsoft's efforts in the press.
As far as I know, Microsoft never had any plans for a bundled anti-malware solution on Windows XP. They had an anti-spyware program, which addressed a lot of consumers' concerns, and there was even a commercial anti-malware offering to consumers (Windows Live OneCare) for a while. But, there certainly weren't things like versions of Windows with and without Microsoft anti-malware on them, like the Windows N and K versions (no Media Center, no Media Center + Messenger). See https://support.micr...-professional-n
The main reason malware flourished through XP's lifetime was because criminals monetized it. With low risk and high reward, it became a great way from criminals to make a dishonest living.
Microsoft has done a lot of things to improve the security of its products and services, and that's good. It improves the overall state of security, and that's a net Good Thing®. At the same time, Microsoft has occasionally made some very poor decisions about certain things. In quite a few of these cases, the things did not come to fruition, so they never affected the public, but there were some things that did, or came about in some weaker, debased form that did not do anything to improve the operating systems' security posture. I can't get into specifics, but you might want to take a look at Kaspersky Labs complaints to the EU and FAS.
The issue with bundling anti-malware software with the operating system is a very complex one, and involves a lot of discussion using terms like "level playing field, "OEM preload market" and so forth. I can't really get into specifics here, but I can at least state it has historically not been an issue for my employer. Keep in mind that there are perhaps six or seven dozen anti-malware companies out there, as well as hundreds of companies in related areas, so it's really hard to say "they all did this," "they all reacted this way," and so forth. There's at least one company which had contractual obligations that prescribed their ability to do anything legally, so things like that happen as well.
The time when malware could possibly has been dealt with has been long gone... for about 25-30 years or more. So, the idea that Microsoft or anyone else could somehow stop it is analagous to saying the police can stop all crime. If a company--Microsoft or otherwise--were able to "stop all malware" then they would in an instant because they'd become multi-multi-billionaires. But no one, not even Microsoft, can do that. That's why all the companies work together with each other and law enforcement. If you look up some of Microsoft's Coordinated Malware Eradication programs, you'll see how close these "competitors" work together to go after the real problem: the bad guys.
Microsoft does care a great deal about which anti-malware programs their customers use, and they increasingly like it to be theirs, if for no other reason than because they make money selling those products. At the same time, they also have to work within a large ecosystem of companies who compete as well as cooperate with them and each other. As you might imagine, that generates lots and lots of emails and conference calls with each other.
Anyways, to kind of bring this thread back on track, I wasn't really meaning to get into a discussion of anti-malware device drivers or business practices.
Most of the time when I am seeing problems with device drivers under Windows 10, it is with video, sound or USB support, not anti-malware. I had mainly used the latter because that was something I had some first had experience with since I worked at a company which developed those kinds of drivers.
One of the biggest challenges for device driver vendors is making it through Microsoft's compatibility tests. Specifically, how to handle suspend and resume issues (deep sleep, power management, hibernation, waking up, etc.). It's hard to know exactly what a device driver is going to be processing when it gets the signal that the operating system is changing state, so that's where a lot of the testing gets focused. Anti-malware software has this comparatively easy because the cues for what to do with the file system when a state change occurs are understood quite well. It get's a little messier with network drivers, though, as that's a bit more on the non-deterministic side of things.
Digerati, on 03 March 2018 - 11:11 AM, said:
I agree with all of the above. But it is still important to not that all lab testing is simulated. They can call it real-world all they want, it is still simulated. Users in the real world do not intentionally visit sites that expose them to 1000s of pieces of malware. It is not likely to be something someone could accidentally do either.
There is also much more to security than the anti-malware solution alone. While I sure don't recommend it, there are many who claim they stopped using anti-malware years ago and have not been infected. How is that? Well, they use a router, a firewall, they keep Windows updated (so there's nothing to exploit), they are not "click-happy" on unsolicited links, downloads, attachments, and popups - the same things people need to do regardless their solution of choice.
These tests remind me of the old browser wars - where every browser claimed to be the best one, then they would produce some award that sure enough, put their product at number 1. It was a big marketing ploy. Browser A was indeed best - at speed. Browser B was best - at resource consumption. Browser C was best - at add-on management. And on and on.
...there's a lot of money and egos involved in this multi-billion dollar industry
This point is HUGE!!!! Even without any cheating. But it is critical
to remember that Microsoft does not make a single cent from Windows Defender. They make $0.00 from Windows Defender sales. It includes no advertising and it does not nag users to upgrade to some pro version. Therefore, Microsoft does not need to score well on any of those simulated tests! They don't need the advertising fodder to make WD stand apart from ESET, Avira, etc. It's not going to increase sales for Microsoft.
So why does Microsoft bother with an antimalware solution then? Because they are going to get blamed by the MS bashers anyway! Just as they did relentlessly for years after XP.
A couple points in history to remember. Microsoft wanted to put antivirus code in XP. But Norton, McAfee, Trend Micro and the others whined and cried to Congress and the EU that Microsoft was trying to rule the world. They were, but not the point. Norton and the others cried "monopoly"; that Microsoft was trying to put them out of business and that it was their job to rid the world of malware (we see how well that went!
). Congress and the EU ordered Microsoft to remove the antivirus code (as well as to include support for alternative browsers) or risk a forced breakup of Microsoft.
So they did and what happened?
The explosive growth of broadband to the home that NO ONE predicted happened.
The explosive growth and proliferation of the bad guy that NO ONE predicted happened.
The demand by the corporate user base (Microsoft's biggest customers) demanded legacy support for less secure legacy hardware and software happened.
The result? Malware flourished! But who got blamed? Did Norton, McAfee etc. get blamed for failing to do what they themselves claimed was their job? Nope!
Did users get blamed for failing to keep their systems updated and away from risky Internet practices? Nope!
Did the bad guys get blamed for perpetrating all those offenses? Nope!
Microsoft got blamed - relentlessly.
So Microsoft bought Giant Antispyware, rebranded it as (the original) Windows Defender and gave it away for free.
They greatly enhanced security in Windows 7 and put security ahead of legacy support (and received, and still receive, a lot of criticism for that lack of legacy support too.
They developed MSE and gave it away for free.
They improved MSE, rebranded it as (the new) Windows Defender and included it for free in W8.
They improved security in Windows 10 and continued to improve Windows Defender to where it is today (with more and more enhancements coming).
Now ask yourselves this. Why aren't Norton, McAfee, TrendMicro, Avira, ESET and the others crying and whining to Congress and the EU that Microsoft is trying to rule the world again? Why are Congress and especially the EU (which has been much harder on MS in terms of monopoly issues) allowing Microsoft to include WD in W8 and W10?
The answer is simple - because Norton and the others know they failed at their own stated mission. And Congress and the EU know they blew it by not letting MS put AV code in XP when there was a chance to at least partially mitigate the severity of the security state we are in today.
Another question to ask yourselves. What financial incentive do Norton, ESET, Bit-Defender, and all the others (except Microsoft) have to defeat and rid the world of malware? The answer is obvious; NONE!!!! If malware went away, all those companies would go out of business. They need malware and the bad guys to thrive in order for their companies to continue to exist and make money!
Now what incentive does Microsoft have for malware to go away? That answer is simple too - they will stopped getting blamed for a security mess they did NOT create!
For all those reasons Microsoft has no need to code Windows Defender to score well on those "simulated" tests. So it doesn't. It codes Windows Defender to protects its users from today's
"real-world" (not simulated, but actual real-world) threats.
And it works. Because if it didn't, forums like Sysnative, Bleeping Computer and other sites that provide malware removal services would be inundated every day with new WD users who just became infected - at least if we are to believe what the MS/WD bashers, some of those questionable test sites, many in the IT Press, and many alternative solutions fans want us to believe.
Windows Defender is probably not for you if any of the following apply:
- If you don't keep Windows updated,
- If you don't keep your security solution updated,
- If you are "click-happy" on every unsolicited download, link, popup, and attachment you see,
- If you visit illegal pornography or gambling sites,
- If you participate in illegal filesharing via Torrents and P2P sites,
- If you connect to public "hotspots" with admin level accounts,
- If you let undisciplined users use your computer with admin level accounts.
But if those scenarios don't apply to you, then Windows Defender is just fine. I like to say we don't need an Abrams Tank to be safe while driving around. We just need a recent model car that is properly maintained to current standards, and most importantly
, we need to drive defensively - the same things required regardless our solution of choice.
And note Microsoft does not really care which solution you use. Again, they are not in it to compete for your anti-malware solution dollars. If they were, why would Microsoft provide this list of "reputable security companies
" who provide Windows compatible security products? Again, they are not in it for the money! They just want happy (and secure) Windows users so they don't keep getting blamed for a security mess they did not create!
And for the record, regardless our security solution of choice, we all should have a secondary scanner on hand for on-demand scanning just to verify our primary scanner (or we, as users and ALWAYS weakest links in security) didn't let anything slip by. I generally recommend Malwarebytes for that.
And for the record, I don't care which solution people use either. If you don't want to use WD, that's fine. Just don't buy into the inaccurate excuse that it is not good enough.