Wednesday, November 19, 2008

possible downsides to morro

if you haven't heard the news microsoft is killing onecare and replacing it with a free anti-malware tool probably using the same engine as the current product...

i've written about microsoft's entry into the anti-malware space before and i wasn't very positive about it's chances... microsoft surprised me though, i have to give them credit, and i think it really came down to wooing some of the brighter minds in the av industry away from their then current employers to work on the new microsoft offering (of course ms has also wooed some less scrupulous minds as well)...

that being said there are still some issues to consider... both rich mogull and graham cluley feel this is a positive development for a variety of reasons but rich puts forward the possibility of microsoft bundling the anti-malware software into the OS at some point and basically gobbling up the consumer av market... i doubt you need to be a rocket scientist to see the parallels between that scenario and what microsoft did back in the mid-90's with internet explorer, and i don't think i need to remind anyone that that was actually not good for users (it resulted in microsoft winning the first browser war and then, in the absence of credible competition, they literally stopped development/innovation for years)...

what we don't want or need is for microsoft (or anyone else, technically, though microsoft has the most potential due to their position) to win the consumer anti-malware war in any comparable sense... it's bad on a number of different levels - not only is it likely to hurt innovation by taking out the little guys (who tend to be more innovative and less constrained by the this is the way we've always done things mindset), but it also creates another example of a technological monoculture... granted we're only talking about the consumer market, but the consumer market is the low-hanging fruit as far as bot hosts go and while it may sound good to increase the percentage of those machines running av (as graham cluley suggests) if they're all using the same av it makes it much, much easier for the malware author to create malware that can evade it...

i'm really not sure trading technological heterogeneity (and all the benefits thereof) for a somewhat broader coverage (or even complete coverage) of the consumer market would actually be a good thing, but i am sure i don't want to find out... let microsoft give away their technology if they must, but keep it out of the operating system itself... there are other, safer ways to get anti-malware more broadly deployed...

3 comments:

Cd-MaN said...

I don't think that MS will make much of a dent in the malware "scene". If they get some considerable marketshar, the people behind malware will simply start to test their creation against it.

As for shipping with the OS: as you mentioned, they already do that with the MSRT, so from a technical perspective it wouldn't be all that different. Of course it would be very different from a perception point of view.

kurt wismer said...

"If they get some considerable marketshar, the people behind malware will simply start to test their creation against it."

exactly, but that won't stop them from continuing to accumulate market share (it certainly didn't stop symantec)...

maybe (probably) the worst case scenario won't happen, maybe microsoft won't gobble up the entire consumer av market... but from a strategic point of view it's a possibility that must be considered or else we may not manage to avoid it...

"As for shipping with the OS: as you mentioned, they already do that with the MSRT, so from a technical perspective it wouldn't be all that different."

i disagree... MSRT has a very limited scope and is primarily a recovery tool, not a protection tool...

Cd-MaN said...

"MSRT has a very limited scope and is primarily a recovery tool, not a protection tool..."

Yes, that's what I'm getting at: if the MS AV products gets that kind of distribution, it will play catchup (detecting many strains of malware after they've already executed - because malware authors will make sure that their creations are not detected beforehand), so it will essentially be a cleanup product.

From a psychological point of if it is an other matter (because most users don't know about the MSRT but know about their AV software).