Less than ten years ago, security companies cared about one thing, and one thing only: protecting customers against viruses and malware. That might not sound like a problem, but in a way, it was. That focus on protection meant security software kept getting bigger and bigger as threats multiplied. It got to a point where many computer users felt like they had to choose between adequate protection and reasonable performance.
“2008 is when we got very serious about performance,” says Viral Mehta, a Senior Director for security products at Symantec. “At that time, there were very few security vendors who really prioritized focusing on performance. Everyone had internalized the idea that protection and performance are both trade-offs.”
That’s because the antivirus technology of the time checked absolutely everything — every URL, every file, every program a user ran. It was always running, always analyzing whatever was happening on a system in real time. And because it ran while the user was actually using the computer, there would inevitably be competition for processing resources.
“Doing all of those things at once has a cost attached to it,” Mehta explains. “There is a tax that the device has to pay for using the CPU, using the memory and using the disk itself to do all this scanning. Your security software could be competing for the same resources, which means your computer may be running more slowly than it should.”
Since nobody in the security business thought that weakening protection was a good idea, that cost Mehta mentioned was always paid out of the performance side. For years, this trade-off was just an accepted cost of doing business — until it wasn’t.
“In 2008 or 2009, Norton began to put a lot of focus on this question,” Mehta remembers. “We determined that there doesn’t have to be a trade-off at all.”
Of course, it wasn’t quite that simple. In theory, there was no reason the trade-off between performance and protection had to exist. But in practice, there was at least one very good reason: the technology to fix the dilemma hadn’t been invented yet.
As it turned out, that was just a minor inconvenience for Symantec and its STAR team. The engineers and researchers working on strengthening and improving Norton found ways around the trade-off challenge, and in the process they even invented a few new technologies.
But where to begin? Ultimately, the team decided to focus first on a universal, high-profile process that often marked a user’s introduction to Norton: installation.
“Everyone noticed the installer’s performance,” Mehta says. “Our installer used to take five to seven minutes to complete its work. We managed to reduce that to just 60 seconds in 2009.” He points out that this improvement wasn’t achieved by compromising the level of protection Norton users enjoyed; instead, it was the result of completely re-thinking how the installation process worked.
And that approach — re-thinking the conventional wisdom about how people use their computers — led to other breakthroughs, like idle-time scanning.
Idle-time scanning is based on the idea that computer users don’t actually use their computers constantly throughout the day. Sometimes they sit idle for long stretches of time during meetings or lunch hour, for example.
“What Norton does is detect when the user is not using the computer,” Mehta explains. “When there is an idle window when they are not using it, that’s when we let Norton do its work.”
Idle-time scanning goes a long way toward resolving the performance–protection trade-off simply by waiting for those times when more resources are available. Users never see any performance loss because they’re not actually using the computer while Norton scans it. And if the user comes back from lunch during the middle of a scan, Norton relinquishes control of the machine and finishes scanning later.
But what’s even better than scanning when a user won’t notice it? Not scanning at all, of course.
“If we can avoid doing work, we should,” Mehta says. “There is nothing faster than not scanning a file.”
While that might sound like an open invitation for viruses and malware, it’s not. In the old days of antivirus, security software would routinely scan every single file on your hard drive, looking for threats. But some of those files are known quantities.
“There is a set of files on your device that you can trust,” Mehta says. “We look at a file and we may decide that we’re not going to scan this file based on any of several attributes.”
What kind of attributes? Mehta says the process starts by considering a file’s reputation. If a file on your computer came from a safe, well-known and trusted source — like Symantec or Microsoft for example — there’s no need for Norton to scan it, as long as that file comes with the correct digital signature. The same holds true for certain operating system files — Norton can just skip those as well.
This kind of selective scanning means that Norton can secure your computer more quickly, using fewer resources than it did in the past.
“If we can guarantee that this is a safe file, then we don’t need to scan it,” Mehta says. “The overhead significantly reduces when you know the file is trusted.”
Mehta says another performance breakthrough occurred when Norton began to rely on threat definitions — or detailed, code-based descriptions of viruses, malware and other threats — in the cloud, instead of on the user’s computer.
“The performance gains are huge,” he says. “For one thing, you never have to download 250 megabytes of updated definitions at a time. And the memory usage is much lower, since Norton never loads a large definition set directly from a user’s machine.”
Norton is also able to capitalize on the tendency of malware writers to reuse concepts and code from older attacks. Often, it’s used as a way to sneak past security tools that are only looking for exact matches when they scan. So Symantec’s engineering teams decided to focus on the recycled sections of code instead — the lines that actually make viruses and malware so dangerous.
“This way, instead of having hundreds of nearly identical signatures, there is one signature that stands in for all that,” Mehta explains. “If that signature is recognized, then Norton queries the cloud for more information.” This approach saves time, memory and processing power — all of which gives Norton a noticeable performance boost.
Symantec’s engineers are passionate about performance, but they’re also sticklers for security. They’re committed to maintaining the highest level of protection in the industry while constantly looking for ways to improve performance. And Mehta says the best way to make sure they’re doing that is to test.
“We always know how our products perform before we ship. We might do 150 builds of a product before we ship it. Almost all those iterations go through a performance test,” he explains.
“We start with setting a target to meet, and our dashboard will tell us if we get it or not. If we are looking at fine-tuning the installation process, we might see if it went from 60 to 120 seconds. Someone immediately starts looking at it and figures out how to fix it.”
But Symantec doesn’t just rely on its own internal testing procedures. Norton regularly squares off against competing products in public tests conducted by impartial, third-party testing laboratories.
“That’s how we find out from an outside perspective that we are the best,” Mehta says.
But test results alone aren’t everything. The real test is whether Norton users notice the improved performance during everyday use. In fact, Mehta says that’s the only reason to do it at all.
“Winning tests is great, but at the end of the day you’re trying to make the software better for your users,” he says. “The gains are real, and customers will notice. For example, take installation. Almost everyone notices this because in general, installing software can take a long time. But if yours installs in less than a minute, then that is a significant improvement.
“We want our software to stay out of the users’ way as much as possible,” he adds. “That’s the goal — they shouldn’t think about it at all.”
It takes a non-stop operation to stay one step ahead of the more than 80,000 new malware threats that appear every day. Meet the seasoned security experts on our STAR team, who spend their days battling on the frontline of digital crime.
With a team of over 1,700 customer care experts dotted around the globe, Norton ensures easily accessible support no matter your location. In fact, we’re so confident in our award-winning protection and quality support services that we offer a money-back guarantee.
We have an extensive security history and our pioneering spirit continues today. Our digital world is constantly changing, so at Norton we never rest. We’ve protected our customers and their data for 25 years — and we’re going to keep doing just that.