Windows 8 'doesn't move the needle' on security, says Symantec
Plans to issue several 'Modern' apps in October
Symantec said Windows 8 "doesn't move the needle much" on security as it rolled out new versions of its antivirus software and promised to provide users with several so-called "Modern" apps for the new operating system.
On Wednesday, the security developer released new versions of its consumer titles Norton AntiVirus, Norton Internet Security and Norton 360.
The new programs are optimized for Windows 8's traditional desktop environment -- the side of the new OS that looks much like Windows 7 -- said Gerry Egan, senior director, product management, in an interview. When Windows 8 ships in late October, Symantec will offer a trio of apps specific for the tile-based user interface (UI) once known as "Metro" and now often referred to as "Modern."
Those apps, which have not yet been given final names, will include one that connects to Symantec's cloud-based back-end management system to give users a view into the security health of Windows and the hardware; another that uses the company's "whitelist" technology to sniff out suspicious data and files, including corrupted Modern apps; and a third that uses Internet Explorer 10's (IE10) engine inside a customized browser that Egan said will let customers "surf online securely."
The Modern apps will hit the Windows Store -- Microsoft's regulated app store for Windows 8 and Windows RT software -- on or just after the Oct. 26 debut of the operating system upgrade.
Initially, said Egan, those apps will be available free to everyone, hinting that at some point they could be restricted to customers who had purchased the traditional Norton desktop security software and had an up-to-date subscription to Symantec's services.
"It's a way to explore [the new UI], and introduce customers to our presence there," said Egan of Symantec's move into Modern.
"But we need to see where that [malware] flows, what the problems are for our customers, before we do more [on Modern]," Egan continued. "What we do will depend on the attack surfaces in Windows RT and Windows 8. Microsoft has laid down some very stringent guidelines on what's allowable [on Modern], which also ties our hands. So if there is more to do in the future, we may not be able to because it would infringe those guidelines."
Egan was mostly referring to policies set by Microsoft that "sandbox," or isolate, apps from each other and from the traditional desktop in Windows 8 to provide a more secure environment.
Microsoft is relying on sandboxing, as well as the curated Windows Store -- it reviews each app prior to approval, looking for everything from malware to undisclosed rights -- to secure the tiled side of Windows 8, and all of Windows RT, the touch-first, tablet-oriented spin-off.
Not surprisingly, Egan didn't think much of Microsoft's security moves in Windows 8 as he set up several "myths" about the new OS only to then knock each down.
"We're just not seeing any significant improvements in Windows 8 security ... it doesn't move the needle much," Egan said, ticking off everything from the new Secure Boot feature to a beefed-up Smart Screen anti-malware filter.
"It's partially true that Windows 8 is more secure," said Egan, pointing to the concept of the Windows Store and its approved apps. "But underneath is a traditional Windows-Intel desktop, which is backward compatible with both the good code and the bad."
Much of Egan's disparagement of Windows 8's security can be traced to Windows 8's bundling of Windows Defender, an old name for a heavily reworked product.
In Windows 8, Windows Defender combines characteristics of both the earlier anti-spyware program of the same name, and the free Security Essentials, the antivirus program that previously was offered as a separate download.
Windows Defender serves as the operating system's default protection against malware, and will switch itself off only if it detects an active third-party antivirus program that's receiving signature updates.
Although Security Essentials has stirred third-party antivirus vendors in the past to complain that Microsoft wasn't playing fair, the move to bundle Defender with Windows 8 hasn't prodded them to go public with similar beefs.
Egan argued that Symantec's software does a better job of protecting users than Windows Defender. "We believe we add so much more value over and above [Defender]," he said.
But John Pescatore, a Gartner analyst, said Symantec has bigger problems than Windows Defender.
"They're all going after a shrinking pool of machines," said Pescatore of stalled PC sales as smartphones and tablets consume discretionary dollars. "The percentage of devices running Windows is dropping. And there are more players going after that shrinking pool."
Symantec may play up the Windows 8 angle for its new titles, but the truth, said Pescatore, is that Microsoft's decision to mimic Apple and Google by offering an app store means traditional antivirus vendors have an unclear future.
"There's never been a market for security software on iOS," Pescatore observed. "So if Microsoft pushes the whitelist idea of an app store, there's less and less need for the [antivirus] commodity."
Egan's complaint that the hooks into the boot process -- dubbed "Early Load Anti-malware Driver," or ELAM -- doesn't allow software makers to deploy their full set of weapons is actually a good thing, Pescatore argued.
"It's better that the [Windows 8] platform doesn't let security software's root kits work, because that means it also cripples the bad guys' root kits," Pescatore said.
The 2013 editions of Norton AntiVirus, Norton Internet Security and Norton 360 are available at retail stores and from Symantec's online store. Norton AntiVirus costs $39.99 for a one-year license for a single PC; Norton Internet Security runs $79.99 for one year of protection for up to three Windows machines; and Norton 360 costs $89.99 for a three-PC, one-year.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about application security in Computerworld's Application Security Topic Center.