A (Not Always Funny) History and Analysis of Web-Based Antivirus and Security Products

When I first read (in 2006) about the “new category for security products” represented by Microsoft OneCare Live, Symantec Genesis and McAfee Falcon, I must admit to a small chuckle. In my AV days, I saw a few of these web security products launched, each of which did a big belly flop. Maybe it will be different this time; we’ll have to wait and see.

DISCLOSURE:  Before we go further, I should confess that I ran product management for McAfee corporate antivirus products from 1998 to 2001.  [I never came near the consumer products, I swear!]  This either makes my opinions more informed or simply biased – you pick.

For fun, I went back and researched a little history on Web-based security projects, which I’ll share below along with my own very personal opinions about them, their success, etc. I did not work on any of these products, though some did use the same AV engine as our corporate products.

Web-Based Antivirus Timeline – 1996 to 2002

1996 – Dr. Web.   I’ll be honest and say I had never heard of these guys before today.  That may or may not say something about their industry impact.  However, they claim to have been providing a free web-based virus scanning service since 1996 and I see no reason to doubt them.  I’m not sure, but I think they allowed you to scan one file.  I’m sure I’ll be corrected if wrong.

1997 (May) – Trend Micro Housecall. Full on-demand virus scanner, it was also free. This was a great move for Trend. If you recall the AV market at the time, Symantec ruled for moving retail boxes, McAfee was the leader in AV for business and Trend had elbowed its way in by focusing on being the Internet gateway AV scanner of choice. Smart move to offer free desktop scans, though it did lack a real-time, on-access ability.

1999 (December) – McAfee.COM VirusScan Online.  In a branding move that confused customers for quite a while (IMO), Network Associates (NAI, the merger of Network General and McAfee Associates) spins out a dotCOM subsidiary, www.mcafee.com, to focus on retail customers with a web-based antivirus product, VirusScan Online.  The stock IPO was very successful, skyrocketing from $12 to $54 in under 2 months, though it is less clear if the business strategy was successful.  NAI retained the corporate antivirus product business and the retail box product business.  The virus offering did include a real-time, on-access scanner that was installed as part of the subscription, which was a first.  In addition to antivirus, mcafee.com offered:

· Oil Change Online – a service for finding patches and keeping all of your components, drivers, etc., up-to-date.

· Uninstaller Online – self-explanatory.

· First Aid Online – think Norton Utilities as a web service, at least in concept.

You could also subscribe to all of these for a reduced bundle price – NAI was big on bundled subscription pricing.  Very holistic offering, I’m sure you will agree. 

The business did okay, I think largely because they got to leverage the McAfee AV brand, so a lot of retail and small business purchasers, confused by the two companies, purchased from the dotCOM. Incidentally, they very quickly discovered they couldn’t grow revenue as fast as they wanted by focusing on home users in a largely dial-up world and shifted their strategy to also focus on small business, thus competing directly with NAI corporate, diverting rather than growing revenue. On the other hand, the (more likely, in my opinion) primary goal of getting some favored Company Officers quickly rich on dotCOM IPO stock options seemed a huge success.

2000 (January) – myCIO.com VirusScanASaP. Not having enough self-competition and brand confusion (or possibly to pacify some executive who didn’t get enough mcafee.com stock – who can really know about these things?), NAI sets up myCIO.com, to be run by Zach Nelson (now CEO of NetSuite). For the trivia-minded, Mr. Nelson had been the NAI Marketing executive that did the sponsorship deal for the Oakland Coliseum (wikipedia info). This second dotCOM subsidiary was very different from mcafee.com, in that its strategy was to offer web-based security products with names like VirusScanASaP (ASP … get it?) to … small and medium businesses. myCIO.com also delivers PC Firewall ASaP, which is not really a web service, but a web-installed product with frequent connections back to a web server for updating and enablement enforcement.

NOTE:  To clarify my previous disclosure, I want to emphasize that I had nothing to do with these crazy multiple self-competitive product strategies.  I can say it wasn’t a ton of fun in the land of Corporate AV with NAI setting up competitors against us in growth markets, but there you are.

2001 (April) – McAfee ASaP. McAfee ASaP comes into being when Network Associates “spins back in” myCIO.com. This leaves only McAfee.com as a separate company offering VirusScan Online.

2001 (December) – BitDefender Online Scan.  I don’t remember these guys at that time, but they announced their success 6 months later, so hey, I’ll give them credit.

2002 (March) – NAI to Buy Back Complete Control of McAfee.com.   Bringing back the web-based security products to what was later to be rebranded back to McAfee.

An Informal, Off-the-cuff Analysis of the Web-based AV and Security Success to Date

That brings us up to four years ago.  Trend Micro, as first mover 10 years ago, has not converted any of their core product business over to web services and still uses Housecall as primarily a free tool for marketing benefit.  Symantec has not (wisely, it seems to me) bothered to jump in at all in the past 10 years until Microsoft announced OneCare, which makes one wonder – why now?  Is it only the need to show competition or has something changed about what customers want?

The AV Industry Dirty Little Secret

Antivirus companies make most of their money from selling to businesses in the corporate AV market. One might compose a compelling argument that McAfee treated their retail product more for its marketing value than for net revenue. You don’t have to look hard to see the signs: who hasn’t seen the offerings from Symantec or McAfee that give you a $30 rebate for a $30 product at Fry’s or Best Buy? And frankly, there are plenty of free offerings for Personal Use of antivirus products like AVG and AntiVir, even if you ignore products like Trend Housecall or BitDefender free online scan. Symantec, under John Thompson, has moved from the only AV vendor having some measure of success in the retail business (due to good channel practices and OEM deals) to being a big player in corporate antivirus as well.

So here is the not-so-secret: the antivirus industry is focused on businesses and not home users. Home users are just willing to pay so much to keep their PCs healthy, but more, they don’t want to be bothered. I’m a security guy and when the Symantec nagware kicked in after 6 months for the AV portion of the “integrated security product”, I uninstalled not just the AV, but the personal firewall and other stuff as well – it just annoyed me too much. Then, I went and downloaded a good free product that gets VB100 scores and now I’m happy. I won’t even talk about conflicts or how the retail products don’t measure up in quality compared to their corporate counterparts. But, why would this change? Symantec and McAfee are publicly traded companies – if the home user market is limited, in terms of revenue, then it doesn’t make sense to change the strategy much.

Microsoft as Home User Change Agent

NOTE:  I don’t have anything to do with antivirus products at Microsoft, as I focus more on improving core security quality. I don’t even know the OneCare team, so don’t read my opinions as some insider secret – they are NOT!

So, if there isn’t a lot of profit justification to deliver a home user-focused security product, web-based or not, then what is the motivation for these new web-based products like OneCare Live, Genesis and Falcon?

Well, for Microsoft, if it isn’t the money, what is it? Viruses and worms reflect badly on the platforms that they target. In order to improve the general health of the security ecosystem, there needs to be a great, integrated, easy-to-install, easy-to-use host security product so that home users will utilize it and keep it up to date. Improving the security and limiting negative user experience on Windows, Office and Exchange, etc., can only help Microsoft – so that is motivation enough to invest in home user security products even if traditional vendors consider it a second priority. Web-based just makes sense as a quick and easy delivery and update mechanism, given how pervasive broadband is today.

But what would it mean for traditional antivirus vendors if everybody started using a non-McAfee, non-Symantec antivirus product on their home machines and it just quietly updated and worked?  Might those people go to work and when it came time for subscription renewal think, “hey, why not use the same stuff here at work?”  That could be a problem for them, so Microsoft in effect becomes motivation to invest in creating an easier-to-deploy, easier-to-update, easier-to-use, value-added security offering for home users.

Isn’t competition great?

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends