Microsoft Live OneCare – May Need More Care

A number of news resources have already shown interest in Virus Bulletin’s [1] recent comparative test of antivirus scanners for Vista: for instance, the Register [2]. Not surprisingly, the inclusion of Microsoft’s own Live OneCare antivirus package received particular attention, and maybe its failure to achieve the VB100 award attracted more criticism than was strictly fair, simply because of the Microsoft brand name.

This morning, however, my attention was drawn to another item [3] about Microsoft’s plans to expand its security response and research operations into Europe and Asia. No-one – except maybe the company’s competitors – is likely to regard it as a Bad Thing for Microsoft to increase its investment in security, and the acquisition of AV luminaries like Jimmy Kuo and Katrin Tocheva won’t do their credibility any harm. It would be ungracious to stress that OneCare is not, in fact, Microsoft’s first excursion into antivirus scanning – a minimally rebranded version of Central Point Antivirus was supplied with the last versions of MS-DOS – since it seems to have been CNET that overlooked that fact, not Microsoft. MS was, however, probably hoping that no-one else remembers that particular fiasco – sorry, guys. :)

While the VB review tables show that OneCare missed 37 samples from the In the Wild (ItW) test set, Vinny Gullotto was quoted by CNET as saying that “We missed one virus in their collection.” In fact, Gullotto seems to be correct: close examination of the original review shows that the product lost out on the VB100 award because it missed “numerous samples” of a W32/Looked variant from the WildList set. Still, the numeric disparity does illustrate once more the complexities of interpreting – let alone conducting – antivirus testing. And with its Forefront business range of security solutions starting to loom, it’s reasonable to assume that MS will indeed be thinking more carefully about meeting the testing criteria for industry standard detection testing…

[1] http://www.virusbtn.com/vb100/archive/2007/02

[2] http://www.theregister.co.uk/2007/02/05/vista_security_criticisms/

[3] http://news.com.com/Microsoft+to+expand+security+research+teams/2100-7355_3-6157331.html?tag=nefd.top

  • http://security.eweek.com Larry Seltzer

    It’s worth noting that Forefront offers a menu of engines. Typically a choice of 4 from among (I believe) 7 engines, including KAV, Sophos and other respectable ones (as well as the CA engine).

  • David Harley

    Which should make testing interesting, but doesn’t actually guarantee a VB100. The quality of the engine(s) doesn’t tell you all that much about the capabilities of a third party app that calls it.

    I don’t think ItW detection is the only issue here. Leaving aside those 37 samples, OneCare’s detection seems to have been reasonable, though by no means stellar. But reading the details of the test, there do seem to have been a number of installation/usability issues (not only with OneCare) that the popular articles about it haven’t made any clear reference to, and MS are likely to be thinking very hard about those issues. However, there is a long string of comments to that article that suggests (apart from the usual “everything that MS do sucks – use Linux/use a Mac” stuff) that CNET readers have taken away an impression of the test results that isn’t really supported by VB’s own article, or the realities of testing.