Windows' Security, Mobile, Competitors
In your opinion, has Windows gotten any better security-wise in the past five years?
Marcin: To some extent. Clearly from XP to Vista to Windows 7 there have been attempts to make machines more secure, with the introduction of User Access Control, for example. It was buggy in Vista and kept asking users over and over again if they wanted to allow a certain program to run.
I think it wasn't very clear to users what User Active Control really was. When people keep seeing the same prompt they don't think twice, they just click yes. It got to the point that users either disabled it or just clicked allow and got going. And that's why malware is so successful, people don't want to be bothered with every little thing, they just click yes and keep doing what they are doing. Windows 7 fixed some of this.
Microsoft has been bundling more and more software to help protect users' machines, such as Security Essentials and Windows Defender. So, I think that's been a great leap forward. I don't feel those products are as mature as some third-party security solutions, but they are moving in the right direction.
Another thing is that when people think Microsoft they don't necessarily think security. A lot of people prefer to rely on a third-party solution -- especially in a corporate environment.
Same with Internet Explorer. Microsoft's browser has been moving in the right direction and becoming more secure. You remember Internet Explorer 6. Well, 7 and 8 are far better. But people that are worried about security still use Chrome or Firefox, and for good reasons. A lot of people just choose to use third-party software, versus relying on Microsoft software.
Do you see a future for Malwarebytes outside of Windows and on alternative operating systems like OS X and Linux, maybe mobile?
Marcin: We have a website blocking module that basically blocks your computer from ever accessing servers that can contain malware. So, if you visit a website that was hijacked and has an iframe in there trying to pull a malicious executable and get it on your system, Malwarebytes will let the page load but block access to the executable from a malicious server. We're hoping this website blocking module can be ported; we've actually started the process to get it on Linux, Mac and mobile platforms.
We expect to have at least that part of our technology available by the end of this year, if not sooner, because it is a very valuable piece of technology that lets users block malware from the source.
The Flashback malware that hit OS X a few months ago, for example, that wouldn't have been an issue for someone with this blocking module. We would track servers pushing the malware and block them. So, this is just a part of our technology and it's a start. It could evolve into a full security product for those platforms, but that's a bit of a tougher issue.
To clarify, does this module work only within the browser, or is it more like a firewall that monitors your entire network stream?
Marcin: It's not a browser add-on. It works at the lowest possible level. If you are in your browser, if you're in Skype. I've actually had it block a torrent transfer -- a legitimate download of LibreOffice -- because I was downloading from a peer that had been involved in malicious activity.
There are two more things I want to add here. Let's say you download a sketchy piece of software, and once you start the installation process, it starts installing malware as well because they get paid money for every installation that people do. This is not an uncommon issue, whether it's adware or toolbars, some free applications make their money this way. In those cases our IP blocking module detects that connection and blocks it. So you can actually continue your install without installing any malware. So, that's number one.
Number two is let's say you download malware from a specific server that we failed to detect. That's our miss and unfortunately the malware is now installed. However, we can still mitigate part of the problem, because as soon as it starts pulling other malicious software from a server that we do know, we will block that transfer. This can prevent vital components of the malware from being downloaded, thus lowering the risk for you.
How do you think closed ecosystems like Apple's iOS or Microsoft's Windows Phone, which try to proactively filter out malicious software from making it into their stores, will affect your ability to get into the mobile market?
Marcin: That's a very interesting question. Unfortunately, I'm not well-versed in the mobile market. It seems to me that most of the time smartphones get compromised with malware it's because the owner installed applications from an unverified source at a third-party store such as Cydia or the like. Maybe it's for the best that these ecosystems remain closed, whereas for desktops it's a different story. So, yeah, I don't have an answer to that question right now but those are some of my initial thoughts.
That means you're not actively looking to get into the mobile market?
Marcin: Not necessarily. It means that we need to find the experience that can help us do that. We've been researching and we do have some prospects. Part of it is porting over some of our technology as I was mentioning earlier. But I personally don't see it as a valuable market today. Potentially in the future and if that's the case we'll definitely be in there. I've never bought a security product for iOS, and I don't think many people have. I know they're already promoting some stuff for Android, though. We need to see where the market is going.
A couple of years ago we heard about an unfortunate incident with another security vendor which took your malware database and used it as their own. Is this type of thing common in the industry? Were you forced to implement more efficient ways of detecting theft?
Marcin: I wouldn't say that's common in the industry but it did happen to us once. A couple of people approached us saying they had found a rival anti-malware product using our database as theirs. So what we did is plant a fake definition into our database and filtered it out on our end so our software didn't detect it, but theirs did. We called them out publicly. Of course, they played it down and said they weren't using our database, that it was just a false positive, but this was a file that we built ourselves, nobody had access to it and their software detected it as malware. So it was very easy for us to verify that they were in fact using our database.
We do have some other protections to make sure people can't easily take a part of the database and reverse engineer how our technology works. So that was a huge wake-up call for us and we started taking some additional precautions since then.
Now we do a check every month or so with every vendor just to be sure. But it's not a common thing in the industry, it hasn't happened again, not even partially. Reputable security vendors have their own teams and processes and their own way of doing things, so they just focus on that. They don't need to steal from others.
What has been your experience competing against huge established players like Symantec, for example, which have been around for way longer than Malwarebytes, some of them for a decade or two?
Marcin: The first thing I'd like to point out is that we don't pitch ourselves as direct competitors to those companies. As I said earlier, we want to complement anti-virus software, not replace it. We overlap in some areas and we do have a great detection rate, but we never position ourselves as a do-it-all security software.
But to answer your question, I think the very, very huge vendors that have been around for a long time got too comfortable and had to kind of start overhauling their solutions. Speaking of Symantec, for example, it was a great product 15 years ago, a terrible one 5 years ago, and now they've gotten much better. They are going in the right direction. I still think they are a bit resource hungry compared to other solutions out there that are equally or more effective than theirs, though. I mean Malwarebytes is 10MB and can be uninstalled in 30 seconds.
They are doing a good job in some areas. They have 100, 200, or 1,000 times more customers than we have and dealing with all the support and sales part of the business is not easy. We rely a lot on our community. We have people contributing with us freely because they don't see us as the corporate giant that's trying to take all their money -- and we're not. We're trying to provide a useful service for our users.
So that's my view. There are a few great products out there, like Avast, ESET, GFI, among others. All of these are reputable companies. We're compatible with all of them, we've even had some business discussions with them about marketing stuff and so on.
Some security vendors get deals with OEMs like Dell and HP to get their software pre-loaded on machines. To be honest, we're not big fans of this practice because usually what you get is a limited time trial, or one that we wouldn't have chosen in the first place. But it's one way to get market share. Have you considered or are already doing something like this?
Marcin: We do some of this in a very limited fashion. We work with a small distributor in Utah and a couple of others. But we're not dealing with HP or Dell, we're talking about somebody that installs two or three very reputable products and they actually bought the license on the customer's behalf. So it's already purchased when the computer reaches the customer's hands. The other thing we do is white label rebranding.
Basically, we have some deals in place with a handful of companies that sell rebranded versions of our products. They often remove some features to make it as easy to use as possible for a specific scenario, or make some interface tweaks to appeal to a specific demographic.
For example, we license our software to a company that specializes in software for women, and also to companies that sell computers and offer customer support whenever anything goes wrong. I'm not saying any of these are our customers but think Geek Squad, Staples, Home Depot, and the like. That's just one of the opportunities we've taken and it's a growing part of our business.
The most likely source of infection in any computer environment is usually its weakest link: the user. Obviously, that works fine if you are in the security software business, but do you think Microsoft and developers of other ubiquitous software like Adobe are doing enough to keep their users safe?
Marcin: I don't think that these companies are investing enough resources into the security of their products. I think security comes first, then usability. You already mentioned Adobe. Java is another good example. I know they try to fix bugs as fast as they can, but come on, you need to bring in consultants, you need to bring in the community to help you find vulnerabilities and make it worth their while.
If you look at Google Chrome -- and I think Firefox too -- they acknowledge people that find bugs within their software and even offer compensation depending on how significant the flaw is. So there are some things they could do to take the security of their users more seriously and to my knowledge they don't always do.
Clearly, Java and Flash have been some of the biggest exploitable tools out there and that hasn't changed much. And people think it's Microsoft's fault where it may not always be the case.
One last closing question: What's on your desk? Tell us about the platforms you rely on day in and day out for desktop computing, mobile and any other gadgets.
Marcin: Desktop, pen and paper for writing down ideas, iPhone reminders for anything that comes up during the day and I'm not by my computer. Lightning calendar for scheduling, headphones for taking calls. No other real gadgets.
Thanks for taking the time to answer our questions, Marcin. It's been a pleasure chatting with you. Any closing thoughts for our audience?
Marcin: A message that we want to get out there is that anti-malware and anti-virus software work together. Users should be running both to get sort of a layered security system. We're starting a campaign around that. Using only an anti-virus is not enough. They're not as fast as they used to be. We're here to help fill the gaps.