We Need to Rethink PC Security Software

And instead of getting better, things are getting worse.

I remember a time when PCs didn’t need any protection at all, and even when the first viruses hit the scene, protection came from practicing safe sectors and putting a little bit of tape over the write protect notch on 5.25 inch floppy disks. But then, at around the end of the 1980s things started to get more complicated.

In 1988 the excellent Dr. Solomon's Anti-Virus Toolkit was released (which was the first AV product I bought, and the only one that I’ve used that I can honestly say that I liked and actually enjoyed using). By the end of 1990 there were nearly two dozen antivirus products on sale, including Norton AntiVirus and McAfee VirusScan, both of which have continued to this day (but alas, Dr. Solomon's Anti-Virus Toolkit is long gone, the company bought out by McAfee). In recent years antivirus applications have become out-of-control monsters, devouring free system resources. But if it stopped with just needing to have protection against viruses, things wouldn’t be too bad. Problem is, viruses are only part of the problems.

Nowadays we are told (mostly by firms selling security products) that we need protection against all sorts of threats – adware, spyware, spam. On top of all that we’re supposed to run firewalls and carry out deep scans of our systems on a regular basis. This not only represents a lot of money, installing and updating this software is a lot of work.

But to top it all off, all these programs running can make a new PC feel old, really fast. In fact, I know several people who bought new PCs because their old one was slow only to discover that the new system became just as sluggish once all the protection was loaded onto it.

Now, don’t get me wrong. I know that you can’t get something for nothing, and scanning all the packets that flow to and from your PC, along with all the files and applications that are accessed, isn’t a trivial workload. I don’t expect all this work to be done with no overhead at all, but given the drag of performance that almost all the current suite of security products have on PCs, something is drastically wrong somewhere. Any software that runs in the background is going to have an effect on performance; I just don’t think it should have as much of an effect as it has.

But the problems go much deeper than performance issues. Over the past few years I’ve noticed a disturbing trend where security software is constantly clamoring for your attention – telling you that updates are needed, that updates have been installed, that your system is protected, that your system needs more protection, that your system has been scanned, that you’ve sent an email, that you’ve received an email.

In fact, I’m amazed just how many prompts and messages a security suite can generate. The only message that I’ve yet to see is that the program has done its job and caught some nasty bit of code trying to get a foothold into my system.

I’m guessing that the reason for the vocal nature of security software is that it wants to keep reminding the user that it’s there so that come time to renew the subscription, the user actually pays up for another year. And now we have reputable security firms such as Lavasoft, now in talks with Ask to bundle toolbars with the application. Yeah, let’s burden the user’s PCs further with unwanted junk.

Does it have to be like this?

Well, yes and no. While it’s possible to shift a fair amount of the security workload off individual PCs and onto routers and hardware firewall devices, this still leaves systems open to infections via CDs, DVDs and flash-based devices. While it’s true that the Internet represents the greatest threat (and when you have employees spending time in the darker, seedier corners of cyberspace that threat is much greater), you can’t overlook the risks that USB keys and iPods represents.

My take on the situation is that security companies have done a good job of convincing people that their products are essential if you are to keep your system free of badware (that’s not true, but I’m not going to get into that argument right now), and as such the incentive to develop a good, solid product is lost. The fact is that there isn’t a single product that stands out as being better than the others; instead, they’re more trying to maintain the status quo (or stagnation).

I’ve gotten to the point where I think I’d rather take my chances with the bad guys myself rather than bother with so-called security software.