Symantec’s Plea : Protect our Protection Racket

 

I must emphasize that these are my thoughts as an individual and do not necessarily reflect those of Microsoft, or MSN, or any of the teams I happen to work with.  While some of the notions in this article may be provocative, they are consistent with my charter of provoking thoughtful discussions and look at issues from different angles.

I’ve been reading the public rhetoric from Symantec concerning Windows Security Center like, Symantec Calls Out Microsoft Over Vista Security Center, where they say:

“Our concern is that Microsoft is fundamentally limiting customers’ choice,” said Rowan Trollope, Symantec’s vice president of consumer engineering.

Oh.  Is that their concern?  Who knew?  Customer choice, hmm.  I personally hold to a different theory for one of the reasons Symantec might have for wanting WSC disabled.  Okay, let’s explore WSC and see what we can see. 

To undestand the basics of Windows Security Center (WSC), read this overview and the Microsoft WSC FAQ.  For more detailed discussion of positive motivations for Windows Security Center and improvements in Windows Vista, be sure and read Stepto’s blog.  Even if you don’t do that, you’ll get a good sense of WSC from our explorations further on.

Consumers and Antivirus Subscriptions (aka “the protection racket”)

 

Let’s say you are a large, American, antivirus company that holds a significant marketshare for business and home computers.  You put your boxes on the shelves at Best Buy and Wal-mart and the Kaufhaus.  Another key sector is corporate businesses, which is why that is where the primary focus is in terms of channel and direct sales.  However, that’s a story for another time.  Today, let’s look at those “trial subscriptions” that frequently accompany new PCs.

Many PCs come pre-installed with “internet security” software when they ship with a 6-week (or something similar) trial version of your software.  At the end of six weeks, the software enforces entitlement and stops updating virus signatures unless the user comes to your web site and pays for a subscription.  (this also basically describes what happens at the end of any normal subscription as well)  If they don’t pay, they’re not protected.  And of course, if they get attacked, they’ll be more likely to subscribe next time anyway.  Quite a “protection racket”, eh?

Prior to Windows Security Center, this was pretty much standard operating procedure.

WSC Beginnings

How did WSC come to be?  In the post-blaster efforts to define requirements for Windows XP SP2, the team realized that the home user ecosystem was a key area where security readiness of PCs could be raised.  I literally remember sitting in meetings and discussing issues that led to the introduction of WSC. 

  • Home users weren’t necessarily aware of even basic protective steps the could take.
  • The perception that many home users did not have Antivirus or did not have it up-to-date or did not realize their “trial” had expired.
  • You can’t evangelize 17 things, so we should focus on the 3 most important issues, which led to the original “Protect Your PC” site a Microsoft – focusing on Firewall, Antivirus and Updating.

Note that implementation went well beyond these basics and incorporated a lot of customer feedback.  For example, if the security is being centrally managed by an organization using group policy, then the UI above isn’t necessarily ever seen by an end user.  However, in an unmanaged setting, a user will see a yellow icon when it is time to download and deploy a new security patch.  If one of the kids turned of the AV to play a game, the home admin (Dad or Mom) got notified via WSC so they could re-enable it and protect the system.

Levelling the Playing Field

With WSC in Windows XP SP2, the “protection racket” changed.  At the end of a subscription, AV vendor nagware would pop up and prompt users to subscribe for signatures like usual.  However, if WSC was enabled, the user would also see the WSC icon and ballon like this in the task tray and when they click on it, they would be brought to a WSC dialog similar to this:

 

You might not be able to see it in this small screenshot, but there is a  button for a customer to push, which will open a dialog with guidance to take one of 2 options:

Make sure your antivirus is up to date, or

 

Get another antivirus program. How’?

If the user clicks onthe How’? link on this dialog, it takes them to the Microsoft Windows Security Center Antivirus Partners WSC landing page, which offers them free antivirus from other vendors.  This Windows Security Center is levelling the playing field and helping customers find more options for “protection.”  Please take a brief look at that page.

NOTE: Take a close look at that landing page.  See anything missing?  OneCare is nowhere in sight, even though it made it’s debut over 4 months ago.  Hard for me to reconcile that behaviour with accusations being made by “some” security vendors… 

Ultimately, OneCare is a Red Herring that Symantec has found useful, in order to paint Microsoft as a competitor.  As they’ve said themselves, OneCare is a blip, and they’re not afraid of it.  It is very convenient though, when they want to apply pressure against Microsoft to support their position…

What a set of choices, eh?  There is Panda, McAfee, Symantec, and Trend Micro with offers for 90 days of free antivirus, F-Secure offers 6 months free and Computer Associates offer a full year for free.  Altogether, over 2.5 years worth of free antivirus options. 

Customer Choice

One can easily see how Symantec might consider this “confusing for customers.”  Before, they had one easy, clear choice: re-up their subscription or have no protection.  Now they have choices, and that can be so confusing.  I can certainly see why Symantec might dislike a change in Windows Vista that stops them from disabling WSC and, incidentially, ensures customers can easily find several choices for protection.

According to an article in the Guardian, it seems that not all security vendors share Symantec’s concerns about Windows Security Center:

Does Sophos, a leading British security software company, have any problems with WSC? Graham Cluley, its senior technology consultant, replies: “Oh no, absolutely not! We’ve had some niggles in the past, but as it stands, we’re very happy with it now.”

Maybe Rowan Trollope, Symantec’s vice president of consumer engineering didn’t understand this completely when he expressed his concerns about customer choice…

Symantec versus Panda, Sophos, F-Secure, Other AV Vendors

Perhaps I am in a tiny minority that see the irony of the market-leading, dominating, American AV vendor, taking a public stance “on the behalf of customer choice” to demand the removal of Windows Security Center, a component that:

  • informs customers in ways they were not previously informed
  • offers customers multiple choices for AV, many with long free options
  • exposes some of the smaller AV vendors to customers that might not otherwise find them as an option

More than almost any other addition to Windows, WSC has helped level the playing field.  In spite of public comments to the contrary, why in the world would the market leading AV vendor want a level playing field?  And I’m not talking about OneCare, I’m talking about smaller, high-quality, AV vendors like Sophos, Grisoft, Kaspersky or F-Secure.

It is much more important to Microsoft that customers get some antivirus protection than it is they get it from Microsoft.  If the antivirus is from someone other than Microsoft, it is still good for Windows, Windows security and ultimately customer satisfaction with Windows. 

Think about it.  Cut it with Occam’s Razor. Does it make more sense that Symantec wants Windows customers to have “choices” for security or that Microsoft wants Windows customers to have “choices” for security?  Why would Microsoft care, as long as some protection is there, preventing bad security experiences for Windows customers.

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones a 27-year security industry professional that has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends Read more »