Microsoft admits Security Essentials offers bare-bones protection by design

The company has exerted little effort in advising vulnerable users to look to third-party offerings for greater protection

A Microsoft official has gone on record stating that the company's free Security Essentials software, by design, offers mere "baseline" protection for Windows PCs and users should turn to third-party offerings for more comprehensive security.

The admission should come as little surprise to professionals in the IT security field. After all, Microsoft markets this bare-bones, no-cost antimalware offering to home users and small businesses, and though product has garnered favorable reviews, it also has twice failed to earn AV-Test certification.

The less security-savvy PC users out there, however, may find themselves scared, frustrated, or angered by the revelation that Security Essentials isn't the be-all, end-all solution to immunize their PCs against security threats. PC owners do need to accept some level of responsibility in understanding the basics of securing and maintaining their systems (which goes well beyond installing antimalware).

Microsoft has failed its customers in an important way: Through vague marketing speak and generally poor communication, the company hasn't adequately communicated to users the fact that Security Essentials, by design, is intended to be the most bare-bones of antimalware protection and users would be well served to investigate alternatives.

Backing up for a moment: The whole hubbub began after Holly Stewart, a senior program manager of the Microsoft Malware Protection Center, told Dennis Technology Labs that Security Essentials -- by design -- will "always be on the bottom" of antivirus software rankings.

The reason, per Stewart, is that in 2011 Microsoft decided it didn't make sense to fixate on developing the best antivirus software in the industry -- which at times relies on effectively gaming third-party tests that don't necessarily reflect real-world threats. Per Stewart, Microsoft had previously channeled a chunk of its resources toward this very end. "We used to have part of our team directed toward predicting test results and figuring out what might be in someone's test. There's always a cost to that," she said.

The company shifted toward focusing on "prevalent threats," Stewart said. "We developed this new telemetry to look for emerging threats -- sort of an early notification system that new threats were emerging. We had this group of folks start focusing on those threats and we saw that it increased our protection service level for our customers."

Microsoft shares that emerging-threat data within the security industry; third-party security vendors in turn use the Microsoft-supplied data to make their own offerings more robust and comprehensive.

"We're providing all of that data and information to our partners so they can do at least as well as we are," Stewart said. "The natural progression is that we will always be on the bottom of these tests. And honestly, if we are doing our job correctly, that's what will happen."

Microsoft's tact may make its third-party security partners happy, in that it means one less major competitor. That's good for Microsoft, because happy partners are less litigious partners who won't threaten to play an antitrust card. Were Microsoft to bundle best-in-class security software with every Windows license, security heavyweights would understandably cry foul. (Microsoft denies that antitrust concerns were the impetus for its Security Essentials strategy.)

But are users best served by Microsoft's strategy of aiming low with its homegrown antivirus software? By Stewart's account, the approach fosters a competitive environment among third-party security vendors, which means greater choice for users. At the same time, users who are  unwilling or unable to acquire third-party software can enjoy at least some level of basic protection. Besides, she said, "baseline does not equal bad. We provide a high-quality, high-performing service to our customers and if they choose not to buy [antivirus] on Windows 8. ... We want to get those people protected."

The problem is, Microsoft's strategy is confusing or misleading for users. If you peruse the Security Essentials Web page, you have to read deeply between the lines to glean the necessary takeaway that the product offers little more than basic antimalware protection. There's no indication that users would be well served to investigate third-party alternatives, and no link to the list of security partners tucked away on the Microsoft site.

That's the kind of information Microsoft should present up front to users who lack an understanding of PC-security basics, not mention during a chat with Dennis Technology Labs.

This story, "Microsoft admits Security Essentials offers bare-bones protection by design," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.