On November 18th, Microsoft announced that the Windows OneCare product is being killed off (http://www.microsoft.com/Presspass/press/2008/nov08/11-18NoCostSecurityPR.mspx). Instead of OneCare they are going to make available a free Windows client protection product code-named “Morro”, which has been designed to provide a similar level of protection while reducing the impact of this protection on the computer (1).
This change won’t be happening until June 2009 and support for OneCare is likely to continue until June 2010, but it has raised a lot of questions about how seriously Microsoft is taking consumer malware protection. I believe part of this confusion is driven by a misunderstanding of what is required now in the world of malware protection, and I honestly believe that Microsoft has got it right here. Let me explain how.
Without a doubt the face of malware protection has changed massively. It is no longer a part-time hobby for bored students; it is now a multi-million dollar industry funded by criminals making money from spam and stolen identities. The malware protection industry is dealing with masses of new malware daily (SophosLabs claims to receive 20,000 suspect samples every day*). Some of these are sophisticated new attacks, but most of them are simply reworked examples of previous attacks, which are easily dealt with once a signature has been developed. However, this message does not help the malware protection vendors sell their products, so in an attempt to make their products look better than the rest (and justify the ongoing costs of their products and subscriptions) we have seen the products bloat with extra features and elaborate user interfaces that look impressive but change little of the underlying security of the product.
Microsoft bought into this approach as well by adding features like “OneCare Circle”, where home users can manage up to 3 home computers from one place and easily share printers between them. The trouble with these enhancements is that they increase the size and complexity of the product, and for the most part they are an inconvenience to the average end user. No one wants to sit and watch a security scan slow their computer down while they are trying to get work done (even if it does look pretty), and the ongoing messages and reports that these products present are just irritating to most of us. We all want, and should get, a safe and secure computer that allows us to get on with the tasks we want or need to do on it with the minimum time and fuss.
Back to Basics with Morro
So how will Morro change things? Well, Microsoft is going back to basics, ripping out all the unnecessary clutter and getting back to what matters: the scanning engine, or "Protection Engine" as Microsoft now calls it, and the signature updates.
The protection engine promised in Morro is based on the same engine used in OneCare, Forefront Client Protection, and the Windows Malicious Software Removal Tool (MSRT, the one that already comes free via Windows Update). This engine has a long pedigree: it was originally developed by a company called GeCad that Microsoft purchased back in 2003#. It has been updated by Microsoft as they have modified it to meet their own rigorous Security Development Lifecycle (SDL) coding process, but it is still built on the same concepts. You will hear many discussions about just how good this protection will be, and yes, there is an argument that other products like Kaspersky or Nod32 can provide better protection, but this is like arguing that a BMW is better than a Ford when most of the world doesn’t even own a car. And let's be honest, would you turn down the option of a Ford if it was free? ;-)
By going back to basics and making Morro free, Microsoft has taken a huge step forward in making it harder for malware to spread. Over time I am sure this protection will simply be rolled into the operating system (lawsuits allowing, that is!) as this is where this protection belongs now. No serious operating system can function in today’s online world without at least this level of protection. The industry that has formed around Windows client malware protection will have to evolve or it will follow OneCare into history. With Morro, Forefront codename "Stirling", and Windows 7, 2009 is going to be an interesting year for Windows Security to say the least!
(1) Microsoft have also stated Morro is "a PC security solution tailored to the demands of emerging markets", but for this read "markets that want free client computer protection". I don't see why Microsoft would try to limit Morro to emerging markets if they are also getting rid of OneCare.
* Quote from Sophos Security threat report 07/2008