Why Microsoft's free AV won't matter

By John Viega
November 20, 2008 | Comments: 7

Earlier this week, Microsoft announced that they're going to stop selling their consumer security product OneCare, and instead they're going to give away for free an AV product based on the same technology.

I've had several people ask me questions about this move including, "why would they do that?", and "do you think McAfee and Symantec are scared?" I also read an article yesterday that said:

With traditional antivirus protection perhaps becoming obsolete, maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products--something that I've said for years.

That's absurd.

Anti-virus vendors certainly were worried stiff when Microsoft entered the AV market in the first place. They assumed that Microsoft would do the same thing it does in every other market, dominate it and drive everyone else out.

The big vendors started focusing on how they could make up for the revenue loss that they considered inevitable. They felt that, while Microsoft would trounce their consumer business, they would not be in a good position to meet enterprise needs any time soon (and there is some truth to that).

Starting with the Veritas acquisition, Symantec began acquiring its way into adjacent markets to diversify where its revenue comes from, and beef up its enterprise business. While McAfee already had a strong enterprise offering, it focused on protecting its consumer market share by striking big OEM pre-install deals with major PC manufacturers like Dell, where McAfee paid a lot of money up front for this positioning, in the hopes of retaining market share, and making the money back on the back-end.

Yes, the AV industry was running scared for a long time. But what happened? Quite simply, Microsoft's entry into the AV market fizzled.

It's not for lack of trying on Microsoft's part. While they started out not doing well in competitive testing, they did spend an awful lot of money beefing up their signature writing capabilities by hiring the best and the brightest. They hired key people from major competitors. They spent tons of money on marketing.

And at the end of the day, the threat never materialized. While I haven't seen recent market share data, in January of 2007, they were struggling to claim just 1% of the market (.08% according to analyst firm Piper Jaffray). I see no evidence that Microsoft has made any strides since then--the business has been a resounding failure.

In short, Microsoft spent the money, and in relatively short order had a product that was just as good as any of their competitors (not significantly better or revolutionary, just competitive). They built a large team. They spent a lot on marketing. But the people never came.

What went wrong?

First, the world has long held the perception that Microsoft is bad at security. They've been trying hard for most of this decade to change that perception, investing billions in product security. And, I'm sure that they hoped if they could field a competitive AV product, it would help that perception. They certainly didn't make the heavy investment in AV for the money... it was a small market opportunity by their standards, not enough to be worth the large investment just for a business that would have taken at least a decade to grow to be even 1% of their (current) revenue. Yes, the $6Bn AV market is tiny when you compare it to, say, the video game market.

I expect the primary reason why they'd want to keep a scaled down business and give away a free version is for community goodwill, to slowly and steadily continue to build the perception that they are at least competent at security, and not actively bad at it.

But, let's assume for a moment that the end user stops thinking Microsoft actively sucks at security. They still won't positively associate Microsoft with security. Most people won't ever know that Microsoft's anti-virus is on par with most of the big players, and even better than some.

That will always be true, because Microsoft isn't a security vendor. People (particularly consumers) tend to think that dedicated security vendors are going to do a better job than a company whose primary function isn't security. Vendors that do lots of different things are rarely the best at anything, and people tend to know this.

Even when Microsoft came in at low price points, people still thought that security was important enough that they should go with a more trusted name. For those people that were really concerned by price, they started moving to other cheap options, but ones offered by dedicated security companies, like AVG.

It's not that people don't trust Microsoft specifically to do a good job at security. It's that they don't trust anybody to do security well, unless it is their primary business. Even if they go out and buy a bunch of small security companies with good technology, nobody will change their perception, and few people will use their technology.

I think Microsoft never had a chance. And, I think the core objection will hold true when their free product comes out late next year. I certainly wouldn't be quaking in my boots if I were McAfee or Symantec. People who want free AV already have free options (and they have one more coming... today, my company is going into limited beta for its AV product, which takes a far more effective technical approach to the problem, visit our web site to sign up to be a beta tester).

I find the suggestion that big guys like McAfee and Symantec will have to give up on consumer revenue and give away their consumer AV for free to be absurd. If I were those companies, would I want to jump off a cliff by volunteering to cut 40%+ of revenue by giving away something that plenty of people are always going to be happy to pay for? Absolutely not.

Yes, price sensitive people will continue to take customers away from the big vendors, and free AV might start to see enough growth that consumer revenue will shrink for the big companies. I don't see that day as close, however. The growth rate of new PCs is far outpacing the growth of Free AV converts, which means the paid consumer market is still growing.

I do think people will want free AV, even though I believe they'll want it from security vendors. I expect that free AV users will continue to double every year. There will even be some people who would indeed rather get it from Microsoft. But I don't see this as a game changer. Certainly, I don't expect big vendors to respond with something so drastic as eliminating their consumer business before there is proof of a threat.

If I were a big vendor, I'd even be worried about giving away a free, "lite" version of my product. I think people would assume that, since a well-known security vendor produces the product, it must provide them with the core protection they need, and that everything in the paid versions is just bells and whistles. Until the free AV market poses some kind of significant threat, they shouldn't risk giving away money. Instead, they should continue to do exactly what they've been doing since Microsoft's original wake-up call - invest in moving into adjacent growth areas.

You might also be interested in:


Actually is their obligation to provide secure application! You need to pay first for the OS and second for AV? Wtf? not fair!

Hey, thanks for the comment.

There are big anti-trust issues there. They will never touch that.

I agree with you that vendors should be doing something to try to keep the bugs out of their software. Microsoft spends a LOT more than most people to do this. I don't think they owe it to anyone, it just helps their image.

I'd like to know what people are "happy to pay for" their AV software. I realize it's just an expression but it collides head-on with reality so completely that it stands out here.

No one wants AV software. It's not like an office suite or a photo editing package where you can do productive work with it. It just sits in the background sucking up resources and, in some cases if you have a complete security suite, pesters you with questions that your average user has no idea how to answer ("Should I let svchost.exe access x.x.x.x?"). Security software is bitter medicine and to make things worse you have no idea if it's even working. Sure if you're lucky you'll get an event message now and then telling you a trojan was blocked but for most people it just sits there quietly, thrashing your hard drive on occasion and they can't help but wonder if their $100 was well-spent.

Then one day a virus slips through the cracks and suddenly the AV package you were using is a piece of junk. Better switch to another brand. Another $100+ later and you're back where you started: staring at a system tray icon hoping it's doing its job.


Thanks for commenting. I agree with you that traditional antivirus software is a usability horror show... especially when you have the personal firewall turned on, but even without.

Suggesting that people are happy to pay it wasn't meant to imply that people enjoy the AV experience... they clearly do not. It was more meant to mean that people assume if they don't have it, things will be a lot worse, so they don't mind spending the money for that reason...


I don't use any AV software.. to be honest, I don't think there is a point.

Most people get virus's from their own actions. They download them through email attachments or through free software that comes from dodgy websites etc. Very rarely do you get virus's without doing something stupid on your own part to get them.

As for the virus's which are powerful enough to spread through the internet and get onto our computer just by say, for example, viewing an email. Those virus's generally are smart enough to not be detected by AV software too!

So personally, I don't see any point in AV software. I haven't had any installed on either of my computers for 2 years now and I haven't had a single virus, just because I'm smart about what I do on the net. I avoid dodgy looking websites and I'm careful in what things I do.

Best weapon against virus's and best way to defend yourself against them is to just learn about how they work, where they come from and why they exist. Once you know that, you can very easily avoid them.

My 2cents anyway. :P

Is it time consuming to teach yourself this, if one is as illiterate as me?

Quote: That's absurd.
Anti-virus vendors certainly were worried stiff


It's really amazing that I read this same article 30 years ago.. but Anti-virus was replaced by DesQvies.. then again this same article appeared and was replaced by: Netscape, Eudora, Word Perfect, Lotus 123, Winamp, yawn.. I'm getting sleepy.
There is NO ONE left standing for Micro$oft to take over. All "Road Kill" is in the review mirror.

News Topics

Recommended for You

Got a Question?