Malicious Software Removal Tools Roadmap
Nov. 7, 2005
An antimalware client and associated subscription service for corporate customers are on the way, according to Microsoft CEO Steve Ballmer and Security Vice President Mike Nash. Customers and partners have anticipated that Microsoft would enter the malicious software (malware) prevention market since its acquisition of GeCAD, a vendor of antivirus software, and Giant Software, a vendor of antispyware. In Oct. 2005 Ballmer and Nash provided a rudimentary antimalware product strategy and roadmap, but important details such as licensing and availability dates are still unknown, and Microsoft still faces challenges as it enters this market.

Strategy Separates Consumer, Business

Like other antimalware vendors, Microsoft will offer separate product lines and services for consumers and businesses.

Consumers. Microsoft will provide free tools for removing malware from infected systems and for protection against spyware, but will offer antivirus protection as part of a subscription-based PC management service called OneCare.

Businesses. Microsoft will continue to offer the Sybari Antigen antimalware software and the FrontBridge e-mail filtering service that it acquired previously. In addition, it will deliver an antimalware client product and has hinted at a forthcoming service to support it.

Microsoft plans to deliver test versions of both the consumer antispyware and business antivirus offerings in 2005, with production versions in 2006. (See the illustration "Antimalware Tools Roadmap".)

Consumer Antimalware Tools

At least two Microsoft antimalware tools for consumers will be free.

Malicious Software Removal Tool. Microsoft's Malicious Software Removal Tool is based on the antivirus technology that Microsoft acquired from GeCAD in June 2003. The first version of this tool was released in Jan. 2005, and a new version is released every Patch Tuesday (the second Tuesday of the month, when Microsoft releases security updates) from Microsoft Update, Windows Update, and the Microsoft Download Center. The Malicious Software Removal Tool is not a full-featured antivirus product—for example, it does not continually monitor a computer to stop malicious software from getting onto it—but it does detect and remove a number of current viruses, worms, and Trojans from an infected system. Nothing prevents an organization from using the Malicious Software Removal Tool—an organization can even use Windows Software Update Services (WSUS) to distribute the tool—but most organizations license a full-featured antivirus tool from a Microsoft partner, such as Computer Associates, McAfee, Symantec, or Trend Micro.

Windows Defender. Windows Defender (formerly Microsoft AntiSpyware) is based on the antispyware technology that Microsoft acquired from Giant Software in Dec. 2004. In addition to detecting and removing spyware, the program constantly monitors Windows in an attempt to stop unwanted software from getting onto a computer, and it connects to the Windows Update or Microsoft Update Web service to get updated signature files that define new spyware threats. If the real-time protection detects a change, such as a program attempting to add itself to the list of programs that Windows starts automatically, Windows Defender alerts the user and offers an option to allow or block the change, although many users may not understand the impact of accepting or rejecting it. The first beta of Windows Defender was released in Jan. 2005, and the beta has been updated at least three times, most recently in July 2005. No final release date is known, but with the product in beta for almost a year, a final version could be available in late 2005 or early 2006.
Microsoft has made its Windows Defender beta available at no additional charge to users who have validated their copy of Windows through the Windows Genuine Advantage program. The final release of the product will be available under the same terms. Businesses can use Windows Defender, but there are no tools to help deploy the product or the signature files that define which software the tool will detect as malicious. Microsoft also offers no centralized management (for detecting PCs with out-of-date signature files, for example) and no centralized reporting of detected malware. Therefore, it is best suited for consumers or small businesses.

Subscription Antimalware Tools

Microsoft has announced a forthcoming service for consumers that will combine antivirus and antispyware detection, a firewall that monitors both inbound and outbound traffic (the Windows XP SP2 firewall monitors only inbound traffic), overall health monitoring, and the ability to back up and restore files. This service, Microsoft OneCare, was designed to meet the needs of unsophisticated users: users do not have to learn how to configure or manage OneCare in order to use it. By reducing the number of options that users can change, and by automating when OneCare performs its scans and maintenance, there is less chance that the user will configure the software incorrectly or forget to run it. OneCare is currently in beta, and while its licensing details are not known, it appears that Microsoft will offer it as a Web-based service for either a monthly or an annual subscription fee.

Because OneCare has few options that users or administrators can configure, it is not well suited for organizations, which may need to configure antimalware software in a variety of ways and ensure that users cannot disable or stop the software.

Future Integration?
It appears that Microsoft will bundle its antivirus and antispyware engines into Vista, but the full details of the feature set and packaging for Windows Vista (expected by the end of 2006) are not known. Microsoft could choose to make the signature files needed to update the Vista-integrated malware removal tools available for free, or it could charge a monthly or annual subscription fee. The current products, such as the Malicious Software Removal Tool, Windows Defender, and OneCare, will continue to be available as add-ons for Windows XP SP2 for at least as long as Windows XP SP2 is in Mainstream support (approximately 2008, or two years after the release of Windows Vista).

Business Antimalware Tools

Antigen. Microsoft acquired Sybari and its Antigen software products, which provide both virus and spam protection, in Feb. 2005. Microsoft completed the acquisition in June 2005, and the Antigen products for Exchange, Instant Messaging, SharePoint Portal Server, Lotus Domino, and SMTP Gateways, and its Advanced SPAM Manager, are now available under the Microsoft brand. In July 2005 Microsoft updated these products to include management packs for Microsoft Operations Manager (MOM). Currently Antigen's Multiple Engine Manager (MEM) is an integral component of all Microsoft Sybari AV solutions and integrates multiple virus scan engines, delivering six of the leading scan engine technologies: engines from Kaspersky Labs, Sophos, Norman Data Defense, and Virus Busters, and two eTrust antivirus engines from Computer Associates. Ballmer and Nash announced that the next version of Microsoft Antigen, available in early 2006, will include support for an additional antivirus engine: Microsoft Antivirus. Antigen for Exchange is available with a two-year renewable license based on the number of end users protected within an organization and is discounted by volume.

FrontBridge.
Microsoft acquired FrontBridge, which provides hosted security services for e-mail, including the ability to scan incoming messages for malware, in Aug. 2005. Microsoft continues to offer these services, which work with Exchange, Lotus Notes, and any other SMTP-compatible e-mail server, on a subscription basis. Eventually, however, Microsoft will probably offer these services in conjunction with a hosted version of Exchange.

Client Protection. Microsoft Client Protection is a unified malware scanning product intended to detect and handle all malware, including viruses, worms, Trojans, adware, and spyware. It does not appear to have the firewall, health monitoring, or backup-and-restore features of OneCare. Active Directory can be used to select the computers that Client Protection will protect and to ensure that users cannot disable the scanning, and WSUS can be used to distribute updated signature files to the scanning engine. Client Protection will also offer unified reporting to help administrators know which version of the signature file is installed on which computers, when a computer was last scanned for malware, and which malware has been detected and removed. Additional integration with management tools, such as MOM and the System Center Reporting Manager, is also likely.

Beta tests of Client Protection will begin before the end of 2005, but it is not known when the final program will be available, nor how it will be licensed. Microsoft has several licensing options available: it could require a Client Access License for each protected computer in an organization, or it might use Client Protection to sweeten an existing licensing program, such as Software Assurance.

If Microsoft integrates antimalware engines into Windows Vista, it will affect Client Protection. Microsoft will need to ensure that the integration enables a Vista version of Client Protection to provide centralized management and reporting.
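The centralized reporting that Windows Defender lacks and that Client Protection is to provide (which signature version is installed on which computer, when each was last scanned, and whether real-time protection is still on) comes down to a staleness check over an inventory. The following is an added example, not Microsoft code; the inventory records, the "current" signature version, and the seven-day scan window are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory, as a management server might collect from each PC:
# (hostname, installed signature version, last scan time, real-time protection on)
INVENTORY = [
    ("pc-finance-01", "1.12.0", "2005-11-06 02:00", True),
    ("pc-finance-02", "1.10.3", "2005-11-01 02:00", True),
    ("pc-lab-07",     "1.12.0", "2005-10-20 02:00", False),
    ("pc-hr-03",      "1.12.0", "2005-11-05 02:00", True),
]
CURRENT_SIGNATURE = "1.12.0"  # constructed: the version the update server last published


def parse_version(version):
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


@dataclass
class Finding:
    host: str
    issues: list


def audit(inventory, current_sig, now_text, max_scan_age_days=7):
    """Return one Finding per computer that an administrator should look at."""
    now = parse_ts(now_text)
    latest = parse_version(current_sig)
    findings = []
    for host, sig, last_scan, rtp_enabled in inventory:
        issues = []
        if parse_version(sig) < latest:
            issues.append(f"signature out of date ({sig} < {current_sig})")
        age = now - parse_ts(last_scan)
        if age > timedelta(days=max_scan_age_days):
            issues.append(f"last scan {age.days} days ago")
        if not rtp_enabled:
            issues.append("real-time protection disabled")
        if issues:
            findings.append(Finding(host, issues))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, CURRENT_SIGNATURE, "2005-11-07 09:00"):
        print(finding.host, "->", "; ".join(finding.issues))
```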
Client Protection may not need to deploy or install the engines, but it will still need to be able to update the signature files, ensure that users cannot change the settings or disable the engines, and gather information for centralized reporting.

Malware Market Challenges

Microsoft faces several challenges as it moves into the malware prevention market, a market it has traditionally left to partners (although Microsoft once bundled third-party antivirus software with a version of MS-DOS). These challenges include integrating the malware removal tools into Windows without alienating partners and drawing antitrust attention, responding quickly to new threats, and creating a viable business model for the products.

Windows Integration

Microsoft will likely continue to provide add-on versions of its malware removal tools for versions of Windows that are already in Mainstream support, including Windows XP SP2 and Windows Server 2003. But as Microsoft finishes development of future products, such as Windows Vista and Windows Server 2003 (code-named Longhorn Server), it will likely integrate some of its malware detection and removal technology into the OS. In the past, partners, competitors, and antitrust regulators have objected when Microsoft integrated into Windows functions that had previously been provided by partners, such as browsers or media players. However, a solid technical argument can be made that malware removal software needs to be tightly integrated with the OS, in the same way that the TCP/IP Internet protocol stack, once a separate product, is now included. For example, the malware detection engine should be running early in the boot process, before the network is started, and no other software should be able to interfere with or block the engine from starting.
But malware software differs from a protocol stack in that it also requires constant updates to identify new threats, something that is typically done via signature files for which customers pay ongoing subscription fees.

Key to the integration question is whether Microsoft's integration of its malware removal tools will make it impossible for customers to continue to use other tools. Even if customers can install and use other malware tools, if the Microsoft tools also continue to scan for malware, performance will likely suffer and customers could get different status messages from the two tools. This would convince many customers to use only the Microsoft-supplied tools, particularly if integration does not allow the Microsoft versions to be uninstalled and replaced by a partner's product. There are reports that the European Union (EU), which previously fined Microsoft for tying Windows Media Player to Windows, has asked companies such as Symantec for information about the malware removal tools market, signaling that it may want to examine the impact of Microsoft's integration plans.

Acknowledging this concern, Microsoft has created the SecureIT Alliance to expand the security and Internet safety partnerships it currently has with other industry leaders and governments, including the Virus Information Alliance (VIA) and the Global Infrastructure Alliance for Internet Safety (GIAIS), among others. The SecureIT Alliance will enable security ISVs such as Symantec, Trend Micro, VeriSign, and others among the 30 founding members to work more closely with Microsoft and each other to build and integrate their products for the Microsoft platform more effectively and efficiently. Microsoft could adapt Sybari's server-based Multiple Engine Manager (MEM), which supports multiple virus scan engines, to ensure that desktop customers could run products from both Microsoft and a partner on equal footing.
Timely Response

When a new threat is identified, antimalware tool vendors must respond in a timely manner to determine the threat level and how to detect and remove the threat. This information about the threat must be added to a malware signature file and distributed to computers running the malware removal tool. The longer it takes to update and distribute the new signature, the more computers are infected and potentially harmed by the threat. In order to respond in a timely manner, malware vendors typically staff development centers in various locations around the world to ensure round-the-clock coverage: no matter when a threat is detected, one of the response centers can begin creating the signature file needed to detect and remove it.

Although Microsoft has a worldwide presence, Microsoft's traditional software development model is not well suited to rapid detection, analysis, development, testing, and distribution of signature files. The closest Microsoft comes to this model is the release of patches for vulnerabilities in its software, but it still takes several months to investigate, develop, test, and release patches for these problems.

In addition to needing to respond to new threats as quickly as possible, there is little margin for error. Signature files must be correct the first time, although they are often updated after initial release to handle new threats that are derivatives of the initial threat. Again, the closest Microsoft model is the release of patches, but Microsoft has had to recall or patch several of its software patches after they were released.

Viable Business Model

When Microsoft first acquired GeCAD, Mike Nash said one reason Microsoft was getting into the business was that too many Windows users did not have current antivirus software.
However, the problem really isn't the lack of an antivirus software engine, as most OEMs preinstall antivirus software on new desktop and laptop computers, but rather that users do not subscribe to (pay for) the ongoing signature file updates past the initial free period, despite nagging pop-ups encouraging them to buy subscriptions.

Microsoft has two choices in how it handles signature files. It can charge a subscription fee as partners do today, but there is no reason to believe that a user will be more likely to send the subscription fee to Microsoft than to a partner. Or Microsoft can give the signature files away for free, which would make it harder for partners to charge for their signature files, denying them a major source of revenue and possibly drawing the attention of antitrust regulators.

Resources

A Microsoft white paper on its security technology investments is at download.microsoft.com/download/5/8/9/58940486-12e4-4bb1-95d3-22945e472dda/TechInvestmentHelpCustomersWP.doc.

Microsoft's Client Protection Web site is at www.microsoft.com/athome/security/spyware/software/enterprise/default.mspx.

More information on the SecureIT Alliance can be found at www.secureitalliance.org.

The Malicious Software Removal Tool can be downloaded from www.microsoft.com/athome/security/viruses/malware.mspx.

The beta of Windows Defender can be downloaded from www.microsoft.com/athome/security/spyware/software/default.mspx.

For background on the Sybari acquisition and its products, see "Microsoft Acquires Sybari Software" on page 19 of the Mar. 2005 Update. For background on the FrontBridge acquisition and its services, see "FrontBridge to Be Acquired" on page 10 of the Sept. 2005 Update.