The desktop AV debate

I knew that Jim Allchin's comments about allowing his seven year old son to use a Vista box without antivirus software installed would cause a bit of a stir.  After all, it goes against the grain.  It challenges a way of thinking that's become the norm.  What's become quite apparent from the conversation that this caused is how antivirus companies have Windows PC users over a barrel - the accepted thinking has become that every desktop PC needs to have antivirus software installed on it.  Period.

The reality is that desktop antivirus, for better or worse, is here to stayI don't totally agree with this view.  There are better alternatives.  Allow me to explain why.

Over the past decade I've watched the antivirus industry (and the whole security industry) grow and change dramatically.  The main reason behind this growth has undoubtedly been the Internet.  The access to and from your PC that the Internet offered meant that users needed to put in place a ring fence around their PC to protect it from everyone else out there.   Threats such as viruses no longer came from shared floppy disks, they can come from anywhere in the world.  As you can imagine, this sort of change meant a bonanza for security firms. 

But ten years on, are we safer for having all this security software installed on desktops?  Nope.  Why?  Because security firms have actively encouraged that users resort to software for protection rather than falling back on common sense.  A huge number of people operate a PC with the idea that if a piece of software gets by the antivirus scanner or if an email gets past the spam filter, then it must be OK.  In an ideal world where all software was 100% reliable then this kind of thinking would be fine, but in the real world where software is far from being reliable, this kind of thinking can get your PC taken over or trashed.  Heck, just look at the wording used by security companies to promote their products, most give the impression that their software provides the ultimate defense against all threats.  No extra thinking required.  I wonder how many systems have been compromised or trashed because of security companies encouraging that kind of sloppy thinking.  On top of that you have software which gives users confusing, jargon-loaded feedback they can't understand and aren't really in a position to find out about.  All this adds to the overall confusion.

Another serious problem is the amount of system resources that AV consumes.  Each new feature that companies add to their product means that the end user sees an ever increasing performance hit.  Fellow ZDNet blogger George Ou estimates that this performance hit slashes the performance of your PC four fold - I think it depends on your system.  But what's certain is that there's a serious performance hit which is there all the time - even at times when you need the power - when you're playing games, rendering video, manipulating photos.  AV companies have been slow to respond to criticism that their products take too much system resources and put too much of a strain on systems.  Add a software firewall on top of that and you have a serious load for the PC before anything else is run on it.

The idea of running security software on a gateway PC makes a lot of sense.  First off, you're offloading all the work of scanning files and Internet traffic onto a dedicated machine where a performance hit isn't going to be felt.  Also, if you have a handful of PCs at home you're going to be saving yourself a fair bit of cash every year - AV software isn't cheap and using a gateway PC is a good way to save money.

But I'm also a realist at heart.  I know that gateway PCs aren't for everyone.  In fact, they're a tool that only a small fraction of PC users can hope to make use of.  The reality is that desktop antivirus, for better or worse, is here to stay.

What I'd like to see are more streamlined security apps.  Throw away the fancy graphics and eye candy interface and write code that's fast, tight and lightweight.  Some security vendors are heading in that direction (for example, the latest offerings from Symantec are better – performance wise – than they've been for years) and releasing products with a smaller system footprint, but they have a long way left to go.  If Vista is as secure as Microsoft claims then this might force security companies to rewrite their software because they'll need to tighten up the code so that they themselves don't become the focus for attack - antivirus and software firewalls present a huge surface area for hackers to attack and a more secure OS is going to mean more pressure on other applications, especially deeply embedded applications such as antivirus and firewall software.  

On the question of whether I trust the defenses built into Windows Vista, I remain open-minded.  It's a new OS that hasn't had much in the way of real-world testing.  I'm optimistic that Vista brings a greater level of security to the desktop, but I'm also cautious.