Microsoft warning: outdated security software is as dangerous as none

The latest Microsoft Security Intelligence Report (SIR), which covers the first and second quarters of 2014, warns that Windows users are five-and-a-half times more likely to be infected if they are using an outdated version of their security software – in fact, ‘computers that are “protected” by expired, out-of-date security products fare little better in practice than computers with no real-time security software at all.’

The report explains:

“A number of popular real-time security products are offered in ‘trial’ versions, which provide signature updates for a limited period – typically three months – but require a paid subscription to receive updates after the trial period ends. Even after it stops receiving updates, an expired security program may continue to block and remove threats it is able to detect, which may create the impression that the software continues to provide an adequate, if reduced, level of protection.”

The protection provided by expired security programs is increasingly negligible, however: if a security program stops receiving updates, it can offer no protection against new forms of malware.

Microsoft’s Malicious Software Removal Tool (MSRT) collects data about the state of anti-malware software on computers whose administrators have opted to share the data with Microsoft – including whether the software reports an expired subscription. MSRT analysis of telemetry data found that expired security subscriptions account for 9.3% of domestic computers.

“Computer users who run expired or out-of-date security software may believe that it continues to provide an adequate, if less than optimal, level of protection,” the report says. “…this belief is misguided at best.”

The MSRT removed malware from 2.2% of computers with expired protection – the same as for computers with security protection switched off. And in the case of one unnamed vendor, which accounts for nearly 50% of expired trial versions, computers with expired security software were actually more likely to be infected than those with no security at all. (See Figure 7 and Figure 8.)

Software expiration is as much a problem for the developers of security products as for computer users. As the report says, “Users who experience malware infections because of expired security software are likely to conclude that the protection offered by such products is largely illusory.”

Failing to protect your machines leaves you open to cyber attacks. It is essential that you maintain up-to-date security software both at home and at work.

Secure configuration is vital in any organisation. In fact, it’s one of the five controls used in the UK Government’s Cyber Essentials scheme. To find out more about the Cyber Essentials scheme and our ‘CyberComply’ electronic submission service, click here >>

Click the image below to view our ‘Fighting Cyber Crime in the UK’ infographic.