Microsoft is the creator and sole owner of the Windows' source code. I'd say
that "a big advantage due to their in-house knowledge" is an understatement.
They have total control of how Windows works.
>And leaving antivirus to outsiders also presented a big risk, in that a
>particularly virulent virus could shake customer faith in Windows and
>encourage switching to other systems.
That's already happened to a limited extent, particularly with browsers, but
obviously the inertia of the huge installed base is nearly impossible to
overcome to switch to a different platform. If Microsoft fails to gain new
markets as the PC fades in importance, then its computer industry dominance will
also fade.
>I've read that there are some antitrust complaints about current
>automatic Windows antivirus protections, but I don't think there have
>been any serious legal challenges, and it would seem like security has a
>strong case for being well integrated into an OS.
Strong case for integration or not, I don't think that's relevant in anti-trust
matters.
>I'm sure there was some kind of cost-benefit analysis which led them to
>cede so much of the market to McAfee and Kaspersky and the rest, but it
>still seems a little hard for me to understand why they didn't include
>antivirus protections much earlier, similar to the way they do today.
I think part of the reason is as has been mentioned elsewhere -- there is a big
secondary industry for Windows' security add-ons, and Microsoft has chosen to
restrain itself in that market.
But your post begs a couple of other questions:
1) Given Microsoft's "advantage" in being sole owners of the source code for
Windows, why don't they simply secure it from intrusions in the first place?
2) If #1 has not been achieved, given the long-time existence of "patch
Tuesdays," and especially now that online updates are mandatory for consumer
versions of Windows 10, why aren't most Windows systems secured from
vulnerabilities shortly after they're discovered?
In short, why is there any need for A/V products and the like in the first
place, given that Microsoft could/should choke off the avenues of malware
propagation literally at the source?
I do not hew to all of the received orthodoxy in the affairs of computer
security. My views are based on many years of professional experience in either
software development or IT environments.
As I mentioned elsewhere, my observation is that starting somewhere in the late
'90s, Windows, and more specifically Outlook Express and Internet Explorer
(i.e., Lookout and Internet Exploder), were responsible for spreading the large
majority of virii and other malware. That situation persisted for more than ten
years, and only recently has began to subside. IE has consistantly ranked far
behind other popular browsers in both the number and the delay in patching known
vulnerabilities.
So in my opinion, expecting Microsoft to be able to provide more effective A/V
software is like putting the local arsonist in charge of the fire department.
Either Microsoft is revealed to be willfully ignoring security problems with
Windows, or it is demonstrated to be incompetent in designing and implementing
secure software. So far, Microsoft has been able to deflect attention by
blaming the creators of malware and sysadmins and users who don't follow "best
security practices." Also implicit in their position is the notion that "gee,
computer security shure is complicated," which relies on ignorance that many of
these problems were solved decades ago in the era of shared mainframes and
minicomputers, and persist through design flaws because of Windows' legacy as a
single-user system.