Will Windows 8's Security Suite Kill the Anti-Virus Industry?
Microsoft founder and chairman Bill Gates in the early 1990s.
This is the first story in a multipart SecurityNewsDaily special report on the future of digital security.
In the 1990s, Microsoft bundled the Internet Explorer browser into Windows and used a combination of ubiquity and financial muscle to crush Netscape Navigator, its biggest competitor in the Web-browser market.
Nearly 20 years later, Microsoft plans to bundle a full-featured security suite into Windows 8, which is due to arrive this fall. It's never done so before. Will the seemingly heavy-handed move crowd out third-party anti-virus software makers, who've leveraged Windows' security weaknesses into a multibillion-dollar industry?
Analysts aren't so sure. This time, they say, even Microsoft's might probably can't kill off the competition so easily.
How to beat free on price
Several brands of free anti-virus software, including Microsoft's own Microsoft Security Essentials, have been around for years — yet they haven't had much of an effect on anti-virus sales to consumers, and have made even less of a difference on the corporate-sales side.
Take Symantec, for example. It's one of the best-known makers of security software, thanks to its consumer-oriented Norton software suite.
In fiscal year 2009, in the midst of a global recession, Symantec pulled in $1.746 billion in revenue from its consumer products alone, according to its annual reports. In 2011, its consumer revenue was up to $1.953 billion.
Brian Freed, an analyst at Wunderlich Securities in Memphis, Tenn., estimates that Norton's 2012 numbers will be even better, at $2.11 billion.
"Microsoft Security Essentials has been out there a long time," Freed said. "It hasn't made a dent."
(Similar numbers for McAfee, Symantec's equally huge main competitor, are not available. McAfee stopped breaking out its consumer revenue separately after it agreed to be bought by Intel in 2010. Neither Symantec nor McAfee would agree to comment for this story.)
Hook 'em early
Another reason for Symantec's continued success is the way the company sells its products. It pays PC manufacturers about $3 per unit to preinstall a trial version of Norton Anti-Virus or a similar Norton product on consumer-market computers.
The Norton software is free to use at first, but after a few months, it asks you to buy a year's subscription — ranging from $50 to $80 — for continued protection. Not surprisingly, many people take up the company on the offer.
Microsoft, on the other hand, offers its Microsoft Security Essentials as a free download, but then doesn't do anything to publicize the product. An individual user has to first learn it exists, then hunt for the download page on Microsoft's enormous website, then install it.
But once you've already paid for a yearly Norton subscription, Freed noted, there's a cost to switching, whether it's to Microsoft or any other brand. The same applies to other companies that preinstall trial anti-virus software, such as McAfee or Trend Micro.
McAfee, for example, doesn't disable the trial version, but instead makes users pay before they can continue to receive virus-definition updates. Other companies offer free bare-bones AV software, but constantly try to "up sell" customers to more expensive products.
Few customers are likely to switch to a free alternative until the year's subscription is almost up — in which case, their anti-virus software maker can offer a discount to renew.
"It's sort of sticky even in the face of competition," Freed said of the paid subscription model.
Once Windows 8 begins to roll out with the Windows Defender suite (the new name for both Microsoft Security Essentials and the existing anti-spyware Windows Defender), Microsoft will to have to contend with an established channel for Symantec and other large AV vendors getting to consumers first.
Microsoft will also need to offer a way for consumers or even PC makers to remove Windows Defender from Windows 8 so as not to run afoul of antitrust rules.
Part of the settlement signed in the wake of the United States v. Microsoft antitrust case in 2001 was that Microsoft would agree to allow the removal of Internet Explorer and provide other browser developers enough information to write software fully compatible with Windows.
Preinstalling Windows Defender won't mean more money for Microsoft. It will mean that users who wouldn't otherwise buy anti-virus software will be protected anyway, thus making Windows 8 less of a target for cybercriminals and malware writers.
Is free not good enough?
Then there's the perception that free anti-virus software is substandard. That's not always true, noted Kevin Buttigieg, an analyst in the New York office of the British brokerage Collins Stewart.
Still, consumer lack of confidence is one reason Microsoft is bundling its security suite into Windows 8 — the optional-download model didn't get the market penetration for Microsoft Security Essentials that Microsoft wanted.
That doesn't mean that Microsoft Security Essentials, even as an optional download, has had no impact on the paid market at all. Buttigieg thinks it has, but in a more subtle way than by just taking a sale away from Symantec or McAfee.
"The security market for consumers is bifurcated," Buttigieg said. "There are those that want the free product, and then there are those who say you get what you pay for."
This doesn't mean that Microsoft isn't competitive, said Lawrence Guerin, vice president of marketing at Islandia, N.Y.'s Total Defense.
"Anyone would be naïve to say there's not a threat from Microsoft," Guerin said.
A starter suite?
But Microsoft may be competing in a different arena than Symantec and McAfee.
For example, Microsoft Security Essentials, good as it is, doesn't offer the same kinds of protection that many other commercial products do.
"It's not just viruses," Guerin said, referring to the larger threat landscape that end users face every day. "There's more threats from more places, like phishing scams and social media."
In some cases, malware operates via "social engineering" — by fooling someone into installing it. In other cases, malware will burrow into the browser or into hidden parts of the hard disk, making it tougher for antivirus software to detect.
Microsoft also isn't offering anything yet to protect smartphones and other mobile devices such as tablets. That is another area, Guerin said, that the various security vendors will be moving into.
Chet Wisniewski, senior security advisor at the British anti-virus firm Sophos, tested Microsoft's security suite in the Windows 8 beta and echoed Guerin's observations.
"What they build into Windows 8 as a pure play is pretty good," he said. "But the threats are changing dramatically, and viruses are only one piece of the puzzle."
The consensus among experts seems to be that because Windows Defender in Windows 8 will be a free product, there won't be any incentive for Microsoft to spend a lot of money on improving it. In business-school terms, it'll be a cost center rather than a profit center.
So the expectation is that Windows Defender in Windows 8 will offer a basic kind of protection that might be good enough for casual Web surfers, but won't satisfy power users who are more concerned about security.
If that does turn out to be the case, it will be ironically similar to the aftermath of the browser war between Internet Explorer and Netscape Navigator.
For several years after the bundling of Internet Explorer with Windows 95 and 98, few Windows users bothered downloading a second Web browser.
That gave Internet Explorer a market share of more than 90 percent in 2002 and 2003, after Netscape had been dispatched. But that share has been slipping ever since Mozilla, and later Google, introduced faster, lighter and safer alternatives while Microsoft failed to improve its own browser.
According to Statcounter, Internet Explorer had only a 47 percent market share in December 2010 and a 39 percent share in December 2011.
Internet Explorer still has a plurality of users, but more technically savvy users tend to prefer Firefox or Chrome, which are perceived as offering better security and privacy. Macintosh users — a growing piece of the personal-computer market — haven't been able to use Internet Explorer since Microsoft abandoned the Mac version in 2003.
Since all the major browsers are free, Microsoft can't compete on price. That leaves it to compete on features and stability, and in those respects, it's failed.
That ties into another aspect to the competition for security software: hearts and minds. People see Microsoft as a maker of a good operating system and a good office suite — but not as a company that's any good at providing security, as countless exploits of its core products in the past 10 years have indicated.
This is very different from the browser wars, or the earlier victories over every other competing word processor or PC operating system (which resulted in MS Word and Windows becoming the de facto standards). In each of those cases, Microsoft was an acknowledged leader in the field.
Microsoft's poor reputation for security isn't entirely the company's fault. Hackers have been going after its products ever since it became clear one could use malware to make money.
Since Windows and Internet Explorer was on the vast majority of machines, there are likely centuries worth of man-years devoted to cracking their security.
"Once we all got on the Internet, there was a way to profit more," Wisniewski said. (He noted that back before the Internet was in almost every home, a popular platform for hackers was the Amiga).
Microsoft has thus ended up with a partly undeserved reputation for being less safe, and for some people that pushes them to other software makers.
"We've seen some resistance from those that don't want to pay Microsoft to protect a Microsoft product," Buttigieg said.
The world has changed since the 1990s. Then, Microsoft could count on being everywhere and having enough financial muscle to kill off its competition.
This time, it will be facing companies that are themselves as entrenched as Microsoft once was, with software that runs on Windows. Microsoft simply doesn't have Netscape to kick around anymore.
Other stories in this series: