Security Software – The Ivy Around the Tree

Most mornings I go for a walk, trying to get my 10,000 steps in for the day. Many of these walks take me through a local wood. This wood isn’t heavily managed; it’s pretty much left to nature to decide what happens.

In the middle of the wood the trees are looking a bit ramshackle. They are reasonably tall adult trees, but a number of them have come down over recent years. Each one of them is covered in dense ivy foliage; the ivy is slowly killing its host.

I regard much of the security software that we carry around on our devices like the ivy. It wraps itself around everything, sapping its energy and providing little in return.

Eric Lawrence recently wrote an article about Browser Benchmarks in which he made this claim:

Every year for Microsoft’s annual AV summit, the IE Team puts together a chart of the impact of AV on browser performance, showing the variation across the top 20 AV products (the variation is huge). They don’t want to publish this data, but the impact ranges from “bad” to “absurdly unbelievably bad.” The best products impact performance by ~15%, the worst slow the browser by 400% or more. Several of the products crash the browser entirely and can’t be benchmarked fully. Conducting these benchmarks correctly is difficult—you need to account for every piece of software running on the machine and ensure that the test conditions are entirely fair (hardware, software, updates, etc); as a consequence, many of the “public” benchmarks are rather inaccurate.

I’m taking Eric at his word that this is really what happens at the AV Summit each year. Eric is a former member of the IE team after all and I have no reason to doubt him, but likewise I have no other evidence to corroborate it either.

Eric then goes on to talk through anecdotal evidence of his own which confirms the benchmarks. My own anecdotal evidence would also parallel the benchmark experience. The home laptop with a simple security configuration renders browser pages much faster than my corporate machine with lots of security software, even though the corporate machine has significantly more power.

Google, Microsoft, Apple, Opera and the Firefox Foundation are investing thousands of hours in optimising the performance of their browsers. The IT press write thousands of lines of material commenting on those optimisations and their impact on benchmarks. Millions of people use devices every day that get nowhere near those benchmarks because of the ivy wrapped around their devices. Or to put it another way:

Mobile devices offer “Desktop Class” performance only because your desktop has been wrecked.

Eric concludes with a phrase that I’ve used a lot over the years:

Antivirus software is too often a cure that’s as bad as the disease. The business model of AV rewards noisy products, and the desire for “checkbox parity” leads to a race to shove its tentacles in all sorts of places they don’t belong (e.g. the internal data structures of the browser). Unfortunately, even beyond antitrust concerns, Microsoft is very limited in its ability to deal with horrible AV products due to court precedents that say that AV can pretty much get away with doing anything it wants in the name of “protecting the user.”

The concern for Microsoft has to be that while they try to grow their tree while carrying the ivy, other trees in the wood do not have the handicap of the ivy and can grow more freely. Those other trees have been left mostly unscathed by the impact of ivy. There was a time when the ivy was required, but the Microsoft tree now has good enough protection of its own. Let’s face it, the protection that the ivy provided was never really that good anyway. It’s time to start chopping back the ivy and to stop feeding it.
