The news (announced on September 12) that Microsoft will discontinue producing standalone releases of their Forefront-branded anti-malware products will come as a bit of a shock to many, but I think it makes reasonable sense. Here’s why.
First, the world of threat prevention and cure has come a long way since the first wave of email-transmitted viruses hit at the end of the last century. Although some spammers and virus authors might consider using a vector similar to the famous “I Love You” virus that launched an industry for email AV engines, I doubt that their work would make it past the first line of defense of any AV product available today. Much more intelligence (some might say deviousness) is exerted to penetrate the sophisticated AV scanning that exists today.
Second, because threats now operate at a different level, the old race to update AV engines with data that could identify new threats is not really where the action is. It’s still important to keep AV databases updated so that threats can be detected and deflected, but it’s now become more important to recognize the way that threats mutate through social engineering techniques and cloaking.
This work is best left to security professionals, such as the teams employed by the AV vendors – and the results of their work is implemented fastest when deployed in centralized services such as(Google does the same with its Postini service). Few system administrators have the bandwidth to keep a constant eye on emerging threats, nor do they understand the vectors used by viruses to penetrate defenses and propagate payloads. Administrators diligently apply updates to AV engines as they are released, but it’s inevitable that some time lapses between an AV vendor releasing an update and its application.
Third, whereas fighting viruses might have been deemed exciting at the start of the contest, now it’s just one of those mundane and boring everyday tasks that system administrators have to handle. Relieving some pressure by using a cloud-based service should release some time that hopefully can be applied to more productive tasks.
For example, now that Exchange 2013 has modern public folders, time is needed to assess the current use of public folders (if indeed your company uses public folders), figure out how to migrate the old to the new, and then how to manage the new public folders in production. Or maybe time could be devoted to considering how best to use and in terms of site mailboxes, multi-platform searches, and so on. These tasks are in the future as they depend on Exchange 2013, but so is the move to a cloud-based AV solution if that’s what you choose to do.
Fourth, it’s not as if Microsoft has dumped on-premises AV totally. Exchange 2013 includes a malware scanning and suppression capability. Sure, it’s based on a single AV engine (something that would have been deemed to be a “very bad thing” in the past), but the same AV engine is used successfully in other Microsoft products (such as System Center’s end-point protection) and it should be capable of providing good defense against viruses and spam that penetrate a company’s network far enough to arrive on an email server.
It's true that Exchange's code operates within the transport system rather than the Store so any bad stuff that gets through will be downloaded to client systems. This should be a rare event, assuming that your incoming email stream is cleansed before it gets to Exchange. It's also true that you can't swap out the Microsoft-provided AV engine with one of your own choice. However, at the end of the day, if you don’t like Exchange 2013’s anti-malware feature, you can disable it and run something else - or run Exchange's AV engine alongside whatever other product you choose to deploy. Security vendors such as Symantec and Trend Micro will, no doubt, be glad to talk with you.
Last, there still exists a distrust of cloud-based services in some quarters that influences any discussion about moving work into the cloud. It’s right and good to cast a skeptical eye on the claims of cloud vendors when they proclaim that everything is so much better when floating on some vapors. But in this case the hype might live up to the claims. Microsoft’s Office 365 service got off to a very rocky start with fairly severe outages in August and September 2011. Since then I’m not aware of any other major Office 365 outage. Certainly, I haven’t been affected by an outage since and I think I would notice if my email wasn’t flowing.
From what I hear, Microsoft has done a good job running its Forefront Online Protection for Exchange (FOPE) service and has achieved an SLA of over 99.9999% recently (no independent data, just anecdotes). Assuming that this is true and that Office 365 continues to hum along nicely, there doesn’t seem to be much risk in using Microsoft’s online AV service. Those who see the black side of these situations will point to the migration period that Microsoft has to go through soon in Office 365 to deploy the Wave 15 products (Exchange 2013, etc.). This is true. Migrations are horrible at the best of times and we shall have to see how this one goes.
There will be those who hate Microsoft’s decision. To be fair, good reasons exist to ask why Microsoft has chosen to move now away from the investment in on-premises anti-malware technology that they began with the purchase of Sybari in June 2005 (fair disclosure: I was an external director of Sybari - a company that always had a good time at every technical conference at which they had a stand!). It could just be a case that the cost of engineering, marketing, and supporting all the Forefront on-premises products means that there's no profit for Microsoft here.
Customers who have invested in the Forefront product family will ask why they are being let down now. Those who want to have messages scanned on-premises and don’t trust the cloud will ask why Microsoft is apparently forcing them down the cloud route. The lack of a successor product to Forefront Threat Management Gateway (TMG) is another worrying development for customers, especially as TMG's mainstream support will cease in April 2015 (not too far away now) and you won't be able to buy the product after December 1, 2012 (even sooner).
And people who consider that the use of multiple virus analysis and detection engines provides better and more reliable AV protection will hate Exchange 2013’s anti-malware feature. But most of all, I think many customers will feel blind-sided and bruised by Microsoft's sudden change in strategy, if only because any desire to continue to use on-premises servers appears to be railroaded by Microsoft's rush to embrace cloud platforms.
Complaints are made all the time that Microsoft suffocates innovation by incorporating features first seen in other products into new versions of its products. In this case, Microsoft is leaving several gaps for third parties to fill. I hope that innovation duly flourishes. In the interim, this month's MEC should be interesting when customers get to quiz Microsoft about their new strategy for security products. I have the feeling that some strong words will be used.
Follow Tony @12Knocksinna