Microsoft Strongly Refutes Yet Another Antivirus Test

Microsoft’s antivirus technologies—used in the consumer-oriented Microsoft Security Essentials (MSE) and business-focused Forefront Endpoint Protection products—have pretty much always performed poorly in formal AV tests. But after yet another drubbing, this time by AV-Test, the software giant is finally pushing back. And for good cause: Those tests prove nothing.

In its most recent test, AV-Test refused to grant MSE and Forefront Endpoint Protection its vaunted AV-Test Certified status because the products didn’t detect 28 of its zero-day malware samples, and 9 percent of its recent malware samples. It sounds damning. But Microsoft says these tests are flawed and do nothing to show the real-world effectiveness of its antivirus products.

“We take the protection of our customers very seriously, and the investments we make to do these reviews is an example of that commitment,” Microsoft’s Joe Blackbird writes in a post to the Malware Protection Center blog. “It is difficult for independent antimalware testing organizations to devise tests that are consistent with the real-world conditions that customers live in … We prioritize our work on customer impact.”

How far off are AV-Test’s results?

According to Microsoft, AV-Test’s results indicated that its antivirus products detected only 72 percent of all “zero-day malware.” But Microsoft knows from its telemetry data, gathered from hundreds of millions of systems around the world, that fully 99.997 percent of its customers hit with any zero-day attack never encountered the malware samples used in this test (basically a 100 percent success rate in the real world). AV-Test’s sample size was just 100 pieces of malware.


Furthermore, though AV-Test’s results indicated that Microsoft’s antivirus products missed 9 percent of “recent malware,” the firm knows from telemetry that 94 percent of those missed samples were never encountered by any customer in the real world. So, in the real world, Microsoft’s antivirus products may have missed only the 6 percent of that 9 percent that customers actually encountered, although Microsoft doesn’t admit to that.

According to AV-Test, Microsoft scored just 1.5 out of a possible 6.0 for the protection component of its test, and it scored fully 0 out of 1.5 in both zero-day malware and recent malware protection. But according to Microsoft’s usage data, the missed samples affected just 0.003 percent of customers in the real world. Looking past telemetry, the firm used “retrospective analysis” to determine whether any customers had actually encountered malicious files it had missed. And it found that only 2 percent of these files existed across 0.003 percent of customers.
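The arithmetic behind the two readings of the same test, as an added example that is not part of the article or of Microsoft’s blog post. The telemetry is constructed: 18 of 25 samples are detected (72 percent), six of the seven misses never appear on any customer machine, and one miss is seen on 30 machines out of a base of one million. The functions compute the lab detection rate, the share of misses never encountered, the fraction of customers affected, and the prevalence-weighted detection rate that Microsoft’s argument relies on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    detected: bool        # did the product flag this file in the lab test?
    customers_hit: int    # machines on which telemetry ever saw this file


# Constructed toy telemetry (not real data): 25 "zero-day" samples,
# 7 missed in the lab, but only one of the misses ever reached a customer.
SAMPLES = (
    [Sample(f"detected-{i}", True, 1_000) for i in range(18)]
    + [Sample(f"missed-{i}", False, 0) for i in range(6)]
    + [Sample("missed-6", False, 30)]
)
CUSTOMER_BASE = 1_000_000   # assumed size of the monitored customer population


def lab_detection_rate(samples):
    """Share of test samples detected: every sample counts once."""
    return sum(s.detected for s in samples) / len(samples)


def missed_never_seen_fraction(samples):
    """Share of the lab misses that no customer machine ever encountered."""
    missed = [s for s in samples if not s.detected]
    if not missed:
        return 0.0   # no misses at all, so nothing was "never seen"
    return sum(1 for s in missed if s.customers_hit == 0) / len(missed)


def affected_customer_fraction(samples, customer_base):
    """Fraction of the customer base that met a file the product missed."""
    return sum(s.customers_hit for s in samples if not s.detected) / customer_base


def prevalence_weighted_detection(samples):
    """Detection rate weighted by how many machines actually saw each sample."""
    total = sum(s.customers_hit for s in samples)
    if total == 0:
        return 1.0   # no real-world encounters, so nothing got through
    caught = sum(s.customers_hit for s in samples if s.detected)
    return caught / total


if __name__ == "__main__":
    print(f"lab detection rate:            {lab_detection_rate(SAMPLES):.1%}")
    print(f"misses never seen by customers: {missed_never_seen_fraction(SAMPLES):.1%}")
    print(f"customers affected:             {affected_customer_fraction(SAMPLES, CUSTOMER_BASE):.4%}")
    print(f"prevalence-weighted detection:  {prevalence_weighted_detection(SAMPLES):.3%}")
```

The same product scores 72 percent by the per-sample metric and over 99.8 percent by the per-encounter metric; which one matters depends on whether you are the tester or the customer who happens to meet the seventh miss.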

The conclusion: “The other 94 percent of the [AV-Test] samples don't represent what customers encounter,” Mr. Blackbird writes. “When we explicitly looked for these files, we could not find them on our customers’ machines … [But] we're committed to reducing our 0.0033 percent margin to zero.”

The message here is simple. You can conduct tests that prove almost anything. But in the real world, Microsoft’s MSE and Forefront Endpoint Protection products don’t just work, they work very, very well. And this isn’t based on anecdotal data—though this certainly mirrors my own usage and explains why I continue to recommend these products—it’s a fact.

See also, "Q: Where can I download real viruses to test my antivirus solutions?"


nightkiller
on Jan 17, 2013
All well and good. But on Tuesday Microsoft took 12 hours to update their virus definitions. We work with vendors who will deny access to their systems if we cannot show that our systems have been updated in the past 2 hours. We had to send people home as a consequence. We have dropped Microsoft as a supplier.
nightkiller
on Jan 17, 2013
I apologize if this is double posted. The site appeared to accept my initial submission but has not displayed it. All well and good. But on Tuesday Microsoft took 12 hours(!) to update their virus definitions including their Forefront services which we use. We normally retrieve the updates directly from Microsoft as their 66Mb+ mpam-fe.exe file since the updates can appear up to 4 hours later through WSUS. We work with vendors who will deny access to their systems if we cannot show that our systems have been updated in the past 2 hours. We had to send people home as a consequence. We have dropped Microsoft as a supplier.
gannebraemorr
on Jan 17, 2013
MS does nothing in this article but complain about the tests not using real-world samples. I have a real-world sample for you. I've been using MSE for several years at home on four very active PCs, two of which are teens on Facebook and who knows what other weird sites. MSE never once complained about a malicious site or piece of code. It just sat in the system tray, green icon and updated, on completely updated Win7 computers. You'd think that means we are protected, right? Think again. Just two days ago my wife called me at work and said that she was browsing travel and hotel sites when something called "Win 7 Home Security 2013" hijacked her browser (fully patched IE9). I asked if MSE was still running and yes, it was sitting in the system tray, green icon, happy as ever, completely oblivious to the hijacking activity. I had her shut down until I got home. I researched the best anti-virus products and several reputable sites listed Avast and AVG as the best, with Avast a slight nose ahead of AVG. I know from experience that multiple active-scanning anti-virus programs on the same computer can cause conflicts between them, but I went ahead and tried again anyway just for fun. Avast and AVG have both been running fine together for two days now. BTW, I've been doing IT support professionally since 1990 and have used every major AV to come along since F-PROT and Thunderbyte for DOS. I'd probably recommend Symantec or McAfee for solid commercial solutions, but I haven't compared reviews on them in years since some of the free ones are very good.
n2cheval
on Jan 17, 2013
I can totally appreciate, understand and agree with Microsoft's point of view, but (there is always a but) they (and I) are totally wrong. This is like insurance. Most people pay and never claim on it, so with that reasoning why do we need insurance!?! Because on that terrible day when we *NEED* to claim on it. Antivirus is pretty much the same thing. If you keep out of the nasty places of the web, perform common sense email and file management and do the same with any other computer on your network, yes, you will be problem free whether you have an anti-virus app or not. The problem is if you unfortunately are one of those 0.003 percent of people who are affected, then you *NEED* the antivirus to work, just like you need your insurance company to pay up. Sorry, but mostly good isn't good enough, no matter how much you pay.
osilayer3@gmail.com
on Jan 17, 2013
I am not arguing that MSE is fine, but why did MSE not stop the "FBI" ransomware that just came through two of my associates' systems? What entry vector bypasses MSE and allows this to happen?
andrewtechhelp
on Jan 17, 2013
I forget where I saw this, but a few weeks ago, I saw an article that gave a good explanation about all this. It essentially said, these tests are flawed, because they test Microsoft Security Essentials/Windows Defender in an isolated environment, without factoring in the other pieces of the security puzzle that Microsoft provides (such as UAC, Smart Screen, IE protected mode and Windows Firewall). So yea, Security Essentials might not pick up a certain piece of malware, but who really cares if Smartscreen pops up HIGHLY recommending you don't run this program and then UAC pops up also warning you about running such program? These companies have got to start putting ALL of the pieces in the puzzle before trying to work out what the picture is. Test everything together (as it was designed) instead of pulling out one piece and slamming it.
nztjbv
on Jan 17, 2013
For what it's worth, I've been using MS security exclusively since I first installed Windows 7 and I'm now using MSE with Windows 8. To date I have had no security problems.
gannebraemorr
on Jan 17, 2013
@ Lemon Saucy: You said, "God only knows what she actually did, I wouldn't blame Microsoft." Aside from that sounding rather insulting, I'd like to hear what type of action you think a responsible web user might have done to get infected by malware that removes the blame from MSE, which was sitting green in the system tray and reporting no abnormal activity. I should be able to install MSE then browse shady sites INTENTIONALLY and feel comfortable that the software is protecting me. No, only a fool would do that, but I should be able to if I wanted. Like I said, she was only browsing travel and hotel sites. If you can't believe the criteria people on forums tell you, then what's the point of you replying at all? You may as well reply to everyone, "God only knows what she actually did."
paulusar
on Jan 17, 2013
I use MSE on all my home machines. It works well with low overhead and updates itself. It also reminds you if you didn't do a scan recently.
LemonSaucy
on Jan 17, 2013
@ Nightkiller Wow @ gannebraemorr God only knows what she actually did, I wouldn't blame Microsoft. @groberts116 Similar here, Microsoft folks are doing a good job. @ paulusar That's what I like about MSE .. doesn't tax the system. @ Andrew Tech Help Right, if one uses a bit of common sense it is hard for the malware writers. But very little on earth is going to stop someone bent on letting their system get infected.
fryer01
on Jan 23, 2013
I work for a school district with almost 3,000 PCs. Several years ago we changed licensing models and as a result also changed to Forefront through SCCM. The marketing seemed very well done and we believed that it was an apples-to-apples type product. It is simply not the same. We are running Windows 7 Enterprise with full protection enforced by group policy (firewalls, UAC on, even software restriction policies), updates applied and managed through SCCM. Unfortunately, malware infection on at least one PC a day appears to be an almost daily event here since the switch. Quite simply, Microsoft Forefront is very poor to useless in its level of protection compared to Symantec. I can't specifically comment on other AV vendors, but I am not impressed. BTW, I have heard almost the exact same thing from other districts that have switched from Symantec to MS - that they now have infection problems or that MS only detected the issues AFTER the machine was infected instead of proactively addressing the problem. I haven't seen the problem with slow updates as others reported, but my feeling is that if a fully updated PC cannot prevent infection it doesn't really matter how fast the update is deployed if it doesn't prevent the infection.
forkieboy
on Jan 18, 2013
gannebraemorr. IT support? Then you would understand that anti-virus, malware etc. software is reactive as it currently functions. Sadly, most infections are caused by user actions. There is no software that can stop that happening. You can, however, mitigate the effects. Run frequent backups, check emails on the server before reading them onto your computer, set your browser options to maximum protection, don't use Java, the options are endless. But in the end, it comes down to being careful. And not everyone is.
