This is Jimmy Kuo of the Microsoft Security Research & Response team (MSRR). (What a wonderful thing to say and see written down.).
Recently, there have been some tests that have brought into question the detection capability of Windows Live OneCare. Customers and partners have asked us to address these concerns and because the detection capability in Windows Live OneCare is the responsibility of the MSRR team I’d like to address those concerns. (Addendum: The OneCare team has just posted their comments on this issue on their blog at http://windowsonecare.spaces.live.com/ )
When we think about priorities we put our customers first and in doing that we ask ourselves, “What do our clients want? What do they need?”
In my years in this business, the answer to the first question is some form of, “I want to be able to sleep soundly each night knowing that when I wake up, my world hasn’t fallen apart. And if something does happen, I can rely on my vendor to easily resolve it for me.” To that end customers using Windows Live OneCare are supported by Customer Support and Service and the MSRR team. Through those two channels they have the support structure needed to address any service request that comes to us at any hour of the day from anywhere in the world.
What our clients “need” is for us to identify what things are important and be sure to address them before they become an issue for our users. This is why MSRR is focused on adding detections for the most prevalent and active malware in the wild and we do that by combining our breadth of data with experienced malware researchers and automated analysis techniques to rapidly respond to the threats that will have the greatest impact to our customers. To that end, while the recent detection numbers were not stellar, we look to ICSA Labs (www.icsalabs.com), West Coast Labs (www.westcoastlabs.org), and Virus Bulletin (www.virusbtn.com) to make sure we are covering what is most important. ICSA Labs and West Coast Labs are certification bodies (ICSA Labs in the United States, West Coast Labs in Europe). Virus Bulletin is the industry rag, but they have the most highly respected and longest running tests, and in so doing, set many of the industry’s testing standards. We will keep on working with these certification bodies to maintain our certifications, and to acquire the VB100 Award each time we are tested by Virus Bulletin. We missed capturing a VB100 in the last test because we missed one virus. So, as a result we have adopted new methodologies to remedy that. The methodology we adopted is to look more closely at families of viruses that have been found to be “in the wild” (ITW) (found actively spreading among users). This means someone working off the same code base is actively spreading the malware of this family, and thus more of the same family will likely become ITW in the future. And we want to be able to detect them with signatures we write today rather than after they’ve been loosed upon the public.
Furthering on the previous concept, we look to many other feeds that tell us similar things. The MSRT (Windows Malicious Software Removal Tool) is one that can tell us which families are more active so we can anticipate more of those future variants.
That still leaves many samples of malware that the recent tests showed that we still do not detect. As I noted, there is data that can tell us which, if any, of that set is truly important (those actively being spread ITW) and those are added ASAP. The rest are being worked on and as promised, our numbers will get better and better. Because, another thing that I know that our clients want, especially the system admins who use our product, is, “I want you to keep my boss off my back so I can have time to do my job!” And even if the company networks are running smoothly, the boss will see those test results, and bug the admins about them. So it’s also about making sure our customers *feel* better protected when using our products.
So while we concentrate on what’s truly important (malware actively being spread ITW), we will also be bringing up these other test detection numbers. You will see our results gradually and steadily increase until they are on par with the other majors in this arena. And soon after, they will need to catch up to us!
Vinny Gullotto, General Manager of Microsoft Security Response and Research, tells me that he’ll be following up on this post within the next week and talk about some of the additional steps we are taking to continue growing our world class research and response team. He and I are both accustomed to working in, and building, world class response teams and know that Microsoft is committed to creating one that serves our customers, works with the anti-malware community, and supports the eco-system as a whole.
Hopefully, I’ve provided some insight into the workings of how we are prioritizing and focusing on the work we do to support our users, presently and in the future. We know that we are in a service industry. We’re ramping up to be able to handle that and Microsoft is making sure our customers are in good hands by hiring some of the best and brightest in the antivirus industry. For our current users, we have certification bodies that make sure we are doing what’s necessary and important. And we have other monitors to determine what’s spreading and thus are confident that we can protect our users against anything they might encounter in real life. And we will bring our numbers up as we know our customers want that to feel better protected, and, well, to get our bosses off our backs. J