Rivals skirmish with Microsoft over Vista security

Competitors say they should be able to replace a Windows feature that tells people about the security status of their PC.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Microsoft and its security rivals are feuding over a key piece of Windows Vista real estate.

The fight is over the display of technology that helps Vista owners manage the security tools on their PC. Symantec, McAfee, Check Point Software Technologies and other companies want Microsoft to change Vista so their products can easily replace the operating system's built-in Windows Security Center on the desktop. But Microsoft is resisting the call.

"By imposing the Windows Security Center on all Windows users, Microsoft is defining a template through which everybody looks at security," Bruce McCorkendale, a chief engineer at Symantec, said in an interview. "How do we trust that Microsoft knows what all the important things about security are to warn users about?"

Windows Security Center, introduced with Windows XP Service Pack 2, pops up on desktops to alert PC owners if their firewall, virus protection and other security tools need attention. The version in the Vista update, set for broad release in January, will add new categories and management tools.

It is possible to run third-party security consoles in Vista, said Stephen Toulouse, a program manager in Microsoft's Security Technology Unit. However, people have to manually disable the Windows Security Center if they don't want to use it. And the software giant has no plans to give other companies the ability to turn off the Windows Security Center, Toulouse noted.

"Our main concern is to provide customers with a fall-back option if there is no other security center running," he said.

If the differences aren't worked out, it could spell annoyance for consumers, the rival security companies say. People who choose to use Microsoft's console alone will get a limited view of their Vista PC protection, they suggest. Those who buy competing software will have to run it alongside Microsoft's dashboard, which could report conflicting information. Rivals have charged that the Redmond, Wash.-based software giant is hurting consumers, raising the specter of more antitrust complaints for Microsoft.

"Microsoft's Windows Security Center demonstrates fairly limited sophistication, and having (it) control the console could take away the consumer's visibility into the threats he faces," said Siobhan MacDermott, a spokeswoman for McAfee. "Ultimately, it's something the consumer should decide, not Microsoft."

Jostling for position
Tensions are flying high in the security space after Microsoft, with its $34 billion war chest, entered the market. It launched Windows Live OneCare for consumers and is readying enterprise security products. With its huge presence on desktops, the software giant has a built-in advantage--one that is making other security companies nervous. European antitrust regulators are closely watching Microsoft.

Security companies have already fought several battles over Vista similar to the one about Windows Security Center. Some they won. Most recently, Microsoft added the ability for third-party products to turn off Windows Defender spyware protection in Vista, rather than requiring the PC user to do it. Earlier, it provided the same functionality for the Windows Firewall. In both cases, Microsoft has asked security companies to re-enable the Windows defenses if their products are removed from a PC.

A dispute still exists over "PatchGuard," a security feature that Microsoft says is designed to guard core parts of the 64-bit version of Vista, but which critics say locks out helpful software from security rivals.

And then there is Windows Security Center, which sits in the Windows Control Panel and pops up any time there is a security alert, such as when antivirus protection is disabled or the firewall is turned off. Microsoft is beefing up the console in the successor to XP, and refers to it as the "voice of security for Windows Vista."

In Vista, the security dashboard will add reports on spyware protection, Internet security settings, and Windows security technology called "User Account Control."

Another change in Vista is that Windows Security Center will be used to manage the security software, in addition to reporting on it. For example, a PC user could update antivirus definitions or disable a firewall directly from the Windows Security Center, according to a recently published Microsoft document on the feature.

This could give rivals the opportunity to change tack and focus on developing products that plug into Microsoft's security dashboard, rather than continuing to produce their own, Toulouse suggested. "They might not need to have their own security center anymore," he said. "It is our hope that they build products that connect into Windows Security Center."

Microsoft agreed that multiple security consoles on a single PC could confuse users, especially if different information is displayed, but said that this is an argument in favor of funneling all security software management via the Windows Security Center.

"It is a fundamental lack of clarity for the user," Toulouse said. Microsoft's dashboard is "neutral" and "vendor agnostic," Toulouse added.

But Symantec and Check Point chuckle at the notion that Microsoft is neutral. For example, both companies doubt it is a coincidence that the company added an anti-spyware category to the Windows Security Center only after it introduced Windows Defender, an anti-spyware tool that will ship as part of Vista.

"Who is Microsoft to define the right way to think about security?" asked Laura Yecies, general manager of Check Point's ZoneAlarm division. "Microsoft does not have the track record or expertise in this space. They have not earned it."

Best view
McCorkendale said Symantec's own security center will give its customers the best view of the status of Symantec products, so people should have the option to use the Symantec dashboard instead of Microsoft's. "Customers should be allowed to choose their security product suites and therefore the security console to go with them," he said.

Symantec's console is called the "Norton Protection Center," and Check Point has a management console in ZoneAlarm Internet Security Suite. McAfee, one of the top players in the consumer security space, also has a security console. Trend Micro and CA declined to comment.

Competing consoles

Microsoft's Windows Security Center will appear in the Vista update. Here's a list of rival technology, which ships in the maker's security suite product.

McAfee: McAfee SecurityCenter

Symantec: Norton Protection Center

Check Point: ZoneLabs' ZoneAlarm Security Suite management console

Trend Micro: PC-cillin Internet Security console

Michael Cherry, an analyst at Directions on Microsoft, also questioned the software maker's neutrality when it comes to Windows Security Center, wondering whether Microsoft's developers would respond quicker to a request from the OneCare team than to Symantec's Norton AntiVirus team.

"I am not comfortable yet that that information is being shared equally and that all partners are equal partners," Cherry said. "It is only neutral when they can prove that OneCare, or Windows Firewall, or Windows Defender does not get a more favorable review or a more favorable access to technology."

There is something to be said for a central point in Windows that has security information, Cherry added. But if a user picks a third-party security suite, that product should be able to turn off Windows Security Center, he said.

"If I choose to use a third party's tools, then I would want to use a security center from them. So I'd be much more comfortable if Microsoft's could be uninstalled in favor of the one I want to use," he said.

Restricted Vista?
Symantec, Check Point and McAfee also argued that Microsoft's Windows Security Center risks giving consumers a limited view of security.

"If we were to just cede the dashboard console view of security to Microsoft, we could only talk to users about firewalls, antivirus and anti-spyware," Symantec's McCorkendale said.

Check Point's Yecies said that Microsoft's console looks at security with blinders that are surprisingly convenient to its own product lineup.

"The modules, as Microsoft has currently defined them, are incomplete in an environment of zero-day exploits," she said. "Setting up those terms really limits the view consumers have about what is possible and potentially what they need. It might lead a consumer to think that they are fully protected, when in fact they are far from it."

But Natalie Lambert, an analyst at Forrester Research, argued that Microsoft is helping PC users. "The Windows Security Center is helpful, it really does provide a quick view into security," she said. "Consumers need to have security handed to them on a silver platter."

Vista is the first major update to Windows since Microsoft shipped XP in 2001. Back then, Microsoft was not a player in the security arena, and things went much smoother, McCorkendale said.

"It is really hard work and we have had to be very, very persistent and over a very long period of time, which is different from how we used to work with Microsoft before they got into the security space. They have really changed the rules of the game; we used to have a lot more pleasant dialogue," he said.

Ultimately, Symantec hopes all the differences can be resolved nicely, McCorkendale said.

"All our concerns are about consumer choice. Consumers should be allowed to choose their security solution and if they are not allowed to make that choice--you risk a monoculture in security, which reduces innovation and diversity."