The Expert's View with Jeremy Kirk

Microsoft Defends AV Handling After Kaspersky Antitrust Lawsuits

Software Giant Says It Disabled Some AV Programs Because of Windows Incompatibilities
Microsoft's Rob Lefferts in a Tuesday blog post emphasizes the company's work with its "anti-virus ecosystem partners."

Microsoft has sought to get in front of a brewing controversy over whether it unfairly disables third-party anti-virus products in Windows 10, which one competitor, Kaspersky Lab, has alleged is an anti-competitive practice.

On Tuesday, Microsoft published a lengthy blog post defending how it approached the Windows 10 Creators update, a feature-oriented refresh released in April. Although the post doesn't mention Kaspersky by name, it seeks to dampen charges that are reminiscent of its years-long legal tangles with global antitrust regulators.

The Windows 10 Creators update riled Kaspersky Lab, the Russian anti-virus developer. It disabled Kaspersky's anti-virus program and subsequently turned on Windows Defender Antivirus, which is Microsoft's homegrown application.

As a result, Kaspersky said earlier this month it filed two antitrust suits against Microsoft with the European Commission and Germany's Federal Cartel Office. Those lawsuits contend that Microsoft pushes users away from using third-party security products in order to favor its own (see Kaspersky Files Antitrust Complaints Against Microsoft).

In November 2016, Kaspersky filed a complaint against Microsoft with Russia's Federal Antimonopoly Service. In a statement earlier this month, the FAS warned Microsoft of antitrust violations, but the case is continuing.

Whether there are merits in Kaspersky's allegations is unclear, and neither company is eager to make executives available to discuss them. Microsoft turned down a request for an interview. Kaspersky officials largely pointed to previously released statements. But the showdown shows the stakes have never been higher in the lucrative anti-virus industry.

AV Incompatibility

The blog post from Microsoft's Rob Lefferts, who is a partner director in the security and enterprise unit, sheds some light on the technical issues. But it's far from a full explanation of the root of the conflict between the two companies.

Lefferts explains that anti-virus software is "deeply entwined" within operating systems, so Microsoft took steps to ensure that products from AV vendors were compatible. AV applications usually have access to an operating system's kernel, the most sensitive and highest privileged part of the operating system. It's also a place where, if something goes wrong, the effect on a computer can be drastic.

To help prevent incompatibility mishaps, Microsoft runs two programs, the Windows Insider Program and the Microsoft Virus Initiative. Both are designed to give third-party developers access to technical information related to new Windows updates, Lefferts writes.

"Months before a semi-annual update is delivered to customers, interested parties can get easy access to fully running and deployable versions of the release, stay current with updates as the release progresses and becomes feature complete and provide timely feedback on issues and bugs," he writes.

But Kaspersky has alleged that Microsoft has reduced this period, making it more difficult for it to have a product ready before an update's general release, often referred to as RTM, or release to manufacturing.

"Earlier, Microsoft would give us the RTM version in good time, but of late this has been reduced to a couple of weeks before releasing to the public," writes Kaspersky Lab CEO Eugene Kaspersky in a June 6 blog post.

Windows Defender On!

Microsoft didn't deny that it flicked off some third-party AV applications because of incompatibilities after users upgraded to Creators. But 95 percent of security applications were fine, Lefferts writes.

"To do this, we first temporarily disabled some parts of the AV software when the update began," Lefferts writes. "We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating."

Eighty vendors participate in Microsoft's Virus Initiative, including Kaspersky.

Once Microsoft turned off a third-party product, it turned on Windows Defender Antivirus so users wouldn't run a machine without any defenses. That's the same behavior that happens in Windows if an AV subscription lapses.

Microsoft also allows third-party developers to create a notification that prompts users to either renew their subscription or download a new, compatible version of an application. Kaspersky has alleged that those notifications, which are displayed in the Windows Action Center, are rarely read by users.

Who's in the Wrong?

Key questions remain to be answered. Why didn't Kaspersky have a compatible version ready when that wasn't a problem for most vendors? Also, is it anti-competitive for Microsoft to turn on Windows Defender Antivirus absent another security application on a machine?

At least on the latter question, there's a clear answer: No. It just makes common sense. As we've seen the attack landscape become more aggressive over the last two months with ransomware worms such as WannaCry, it's morally right to ensure users have at least some level of protection.

Plus, Microsoft has little financial stake in consumer security software. Windows Defender Antivirus is free and ships with the operating system. Unlike past antitrust concerns, such as the browser battle, it's easily recognized that security software isn't just a feature anymore. It's an essential component for safer computing.

Whether Microsoft can convince regulators of this, as well as refute some of the other more granular Kaspersky allegations of how the company boxes in third-party applications, remains to be seen.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
