Security, or lack thereof, has dogged Microsoft Windows since the mid 1990s. This was bad news for consumers who were fond of risky practices like sharing 3.5-inch floppies and downloading unknown files from services like AOL, UseNet Groups and, later, the web and file-sharing services. It was a boon, though, for a legion of security software companies that all dove into the breach to protect us from a vulnerable operating system and ourselves.
[More from Mashable: Skype for Windows 8 Is Full of Win [REVIEW]]
For years, Microsoft did all it could to shore up its own defenses. In the Windows XP era, patches showed up almost constantly. Eventually Microsoft settled on Patch Tuesday and security software firms saddled consumers with bloated applications that, while making PCs more secure, made computers operate as if they’d taken a double dose of Xanax.
In the last five years or so, the biggest names in security -- Symantec, Trend Micro, McAfee -- all got their act together and made their security solutions lighter, faster and more effective than ever. Microsoft, however, never stopped working on its own security. Each version of Windows made critical changes to harden the operating system's defenses (they also had to do the same thing with Internet Explorer, which had some of the biggest, gapping security holes of all Microsoft’s software).
[More from Mashable: Xbox 360 Cuts Facebook and Twitter Apps, Adds Internet Explorer]
Building a more secure platform wasn’t enough. Microsoft eventually made the leap into full-blown protection. Thus, in 2010, was born Microsoft Security Essentials (MSE). Microsoft pitched it as simpler and lighter than other security options. It was also free.
The app promised to block viruses and malware. It installed incredibly fast and just seemed to work. For those who didn’t believe they should pay for a protected system, this was a viable alternative to other popular security freeware, including Avira, Comodo, Adaware, and AVG.
There existed, I would say, a detente between MSE and the big boys (Symantec, McAfee, Trend Micro), because most offered far more functionality than MSE. The aptly named Norton 360, for instance, includes, along with virus and malware protection, anti-spam, anti-phishing, parental controls and password management. Many people are willing to pay for those features.
Windows 8 shuffles the security deck by pulling MSE inside, rebranding it Windows Defender (actually adopting the name of a security feature already inside Windows Vista and Windows 7).
Redefining Windows Protection
In Windows 8 RTM (and the General Release set for later this month), this full-blown security platform is the default security service. No need to download and install, it’s already there. If you upgrade to Windows 8, you’ll have to, ironically, 1) uninstall Microsoft Security Essentials -- if you installed it –- and 2) you may have to uninstall incompatible third-party security software.
The decision to place security protection inside Windows 8 is obviously pragmatism at its best, but it’s also surprising considering all the trouble Microsoft got into in the '90s when it placed Internet Explorer inside Windows. Security software is an even more competitive space. Even if Windows Defender is not a full-service security product, Norton, McAfee and TrendMicro executives must be beside themselves.
They’re not, but they’re also not shy about pointing out Windows Defender’s deficits.
Windows was “a leaky siv” when it came to security, says Gerry Egan, Symantec’s Senior Director Product Management for Norton by Symantec. Windows Vista improved it and Windows 7 “raised the bar” further. However, Egan is quick to dismiss the “myth” that Windows 8 does way with security attack surfaces.
Egan acknowledges that Windows 8 has added some powerful more system-level protection, including memory changes that make it hard to attack memory-buffer overflow, and boot-sequence updates that, with the right hardware (read: new), can afford additional protection against boot-level attacks.
Microsoft has actually gone further than just adding Windows Defender and these system-level protections to Windows 8. There’s also the somewhat controversial Smart Screen; an Internet Explorer security feature that pops up a warning screen before that malicious web site installs unwanted software. Now it’s part of Windows 8.
Norton’s Egan worries Windows 8 Smart Screen’s pop-up-like behavior could become as annoying as Windows User Access Control (UAC).
Vendors like Norton, however, are being careful about directly criticizing Windows 8 or Microsoft. They’re partners, after all.
Good Friends or Frenemies?
When I asked Microsoft partner, Trend Micro about Windows 8’s new security chops, the company offered, in part, this cautious response:
“While we applaud Microsoft for including some minimal level of antivirus protection in its new Windows 8 OS and are proud to be a trusted Microsoft partner, we all know from experience that additional protections beyond the basic level of security to be provided by Microsoft are needed. Microsoft Windows 8 paired with Trend Micro is the better choice for security users.”
Note the use of the words “basic level of security”. Trend Micro and Symantec insist that Windows 8 is not equipped to fully protect users from today’s threats. Trend likens Windows 8 security to “the traditional security technologies (anti-malware and signature-based detections) [that] are rapidly becoming ineffective in protecting users from today’s threats.”
Those new threats target social networks like Facebook and Twitter, and attack Windows' (as well as the Mac’s) weakest security link –- the user –- directly. Symantec's Egan told me cyber criminals are increasingly turning their attention to social engineering attacks. So it's no surprise that they're on the rise. Egan grants that Windows 8’s new sandboxed architecture can slow down such attacks once the user has let them in the system door, but adds that the necessity of backwards compatibility in Windows 8 also means that older, less secure apps get to live in the more traditional Windows 8 desktop, right alongside the more secure Windows Design ones.
And there’s this, “We don't see any new anti-social engineering features in Windows 8.”
Trend Micro and Norton both offer social media protections.
Windows 8 users apparently cannot uninstall Windows Defender, but you can disable it in the settings, which should allow compatible security solutions coming from Symantec, Trend Micro and others to handle the security chores on their own. Microsoft also told me it can work alongside these security suites. Even so, Microsoft has changed the game in other ways that may push aside these partners.
One obvious example is Internet Explorer 10. The version that lives in the Windows Design area of Windows 8 (yes, there are two) does not accept plug-ins (IE10 for the Desktop does). As a result, Norton and Trend Micro’s browser extensions that can, for example, pre-check links and store passwords, won’t work. Norton is developing its own browser, which will use the Internet Explorer engine underneath, but support Norton’s security plugins.
This is the kind of kludgey approach consumers are least likely to embrace. There’s also the simple fact that many of them may simply choose to use Windows Defender because it’s already there and running.
Only time will tell if that will be enough protection.
What’s your Windows system protection strategy? Let us know in the comments if you use MSE, or a third-party app and if you’d let Windows Defender do all the dirty work in Windows 8.
Bonus: Dell Offers Three PCs With Windows 8
XPS 12 Convertible Ultrabook
This story originally published on Mashable here.