
> Currently the service uses both McAfee and Tanium software packages to scan and protect service-issued endpoints like laptops.

The problem isn't hardware, it's that they're using the worst antivirus known to mankind. It's not throwing money at the problem, it's about what can be removed.



I'm currently on an engagement at a retail bank for a project that went entirely off the rails (they brought me in to right it). All of the following are currently running simultaneously:

  * McAfee
  * Tanium, which is constantly firing off massive Python scripts
  * Aternity
  * Windows Defender (which is well-behaved as expected)

... wait for it ... on an SSD that has no DRAM. Yes, a cacheless SSD. Performance isn't much better than a cheap USB flash drive, which is expected when an identical SSD costs $18 on NewEgg.

The system is effectively I/O bound all the time. The quad-core (8th gen Intel core) idles at 70% utilization, constantly spiking to 100%. The commit charge for getting into the Explorer shell is 13.8GB of the 8GB of physical memory. The laptop itself appears to have a street value of about $240 on eBay. Quality unit with a 1366x768 TN display.

-----

The 30 day discovery period is about to end. I am not supplying an SoW for any further work. I told them the reason nothing gets done by their teams is because the hardware they give everyone is trash, and I can't solve their architectural issues when IT doesn't supply tools to get work done. I wish them the best of luck.


Seems about right. I've done engagements with multiple financial clients and they seem to make it their job to make every engineer as unproductive as possible.


Makes me think of the oft-repeated joke on MobileTechReview about bottom-of-the-line thinkpads with low-quality screens: "The laptop the IT department gets you when they hate you"


At my last job IT had Tanium installed on our machines. It would make your computer nearly unusable for hours. Sometimes I felt like we had computers that were completely consumed by the overhead it took just for us to have them.


Yep, we had the misfortune to have both McAfee and Tanium installed. And then after they got ransomwared, they added even more endpoint crap onto every endpoint.

From the time Windows started, my laptop fans would spin like an aircraft taking off. Utterly ludicrous amount of wasted CPU time and energy.

To be clear, I think AV and EDR are valuable tools - but McAfee is just shit, and Tanium has really high CPU usage.

Aside from the above, all the security crapware made actually doing work difficult. Want to install software? Nah, nobody gets admin rights, instead submit a request on our shitty help desk, and if you're lucky and very perceivent, you'll get it in a month. Need to run something elevated? Nope!

And the worst of it was that McAfee, Tanium, PAM etc was all just glitter on a turd - general, more mundane stuff was a security joke. For example, at least 10 internal spam emails would be sent each day, to let you know about boring and irrelevant shit going on around the company - and every one looked like an actual spam email! Full of spelling errors, silly subject lines, and often the whole body was text rendered as an image. Internal web apps were hacked together by shit devs, and stuffed with security vulnerabilities. The general theme was "more shit on endpoints". Bah.


> At my last job IT had tanium installed on our machines. It would make your computer nearly unusable for hours. Sometimes I felt like we had computers that were completely consumed by the overhead it took just for us to have them.

Trend Micro is the same way. The only thing that eventually made it bearable was getting an SSD, but it still sucks.


Then Tanium needed tuning. There's no reason any of its processing should have taken 1 core for more than 2 minutes...and that's the highest load task. Mostly it sits in the background, capped at 5% CPU.

But there's only so much you can do with a 7th gen dual core mobile i7

Now...McAfee? a) Was a pig, but b) did we really need to scan the entire disk every Friday afternoon?


No tuning of Tanium will make it not garbage.


I shouldn't take that personally, but I manage Tanium and my experience doesn't mirror yours.

That said, I know they have some HUGE deployments in the Military and my piddly little 25000 client install may not be comparable.


I used to help Tanium manage their stuff for the US Navy on NMCI. I stand by my statement.

But it’s not personal at all. Neither you nor I made Tanium, and I’m sure your deployment is the gold standard of Tanium deployments that would change my mind.


Noooo, Tanium gets blamed here for everything, all the time. We call it “Tanium got my dog pregnant”

99% of the time it’s not Tanium, but 1% of the time it very much is.


Oh God I totally know how you feel. Anything that touches everything like that gets blamed a lot.

On the upside, you learn every part of the stack as you have to defend yourself at each and every turn.

But be honest, it was Tanium that got my dog knocked up, wasn’t it?! Just admit it!


Windows admins are some of the worst, especially in government. They don't understand how computers work, and so they pipe on anti-virus, anti this and that, hoping a product will magically solve the issue. But they won't move the default browser, or install an ad blocker. They won't put in policies preventing running the software in the first place or isolating its abilities.

After years of having terrible, exploitable software on windows, it's the natural result. Some manager gets a pdf exploit, and on windows there's simply nothing you can do about it. But IT has to do something, so to make them look good they throw another anti-virus on.


Looks like you need to meet some better Windows admins. Being a moron is operating system agnostic.


They should switch to Norton to make some crypto money on the side.


The Norton product that provides the services here is made and sold by a different company than the one shipping crypto-mining software.


Wat?


Few articles floating around from about a month ago, this is one:

https://news.ycombinator.com/item?id=29795910


Oh wow. And here I thought they were one of the relatively clean ones among the crowd of McAfee and Avast!. Agreed with the top comment there that the whole industry is reeking. Seems like the only reasonable one is Windows Defender, with the only Linux alternative being ClamAV (non-shady but questionable if it's effective at all for a workstation)


It's there mostly for the checkboxes on compliance, but it's not that bad, compared to others.


The problem is definitely hardware. If you actually read the linked sources, it sounds like the Air Force bought a ton of spinning rust HDD machines in 2018 for the lowest possible price they could. They probably only have 4GB of RAM too, then, given what low end specs were like at the time. Good luck getting anything done today with those specs.


That's not actually such "low end spec" that would cause logins and mails to take an hour to process.

To me, the whole ordeal screams: software bloat, software misconfiguration, background service overload. You could snappily send mail 15 years ago, and the computational task itself hasn't grown much, besides bloated browser login windows.

Try booting a 2 GB RAM machine to some RAM-preloading Linux thumbdrive and you'll see why the problem is not "spinning rust HDDs" and "only 4 GB RAM"


Have you tried using Windows 10/11 with on-access and behavioral AV (not defender) on 4gb of RAM and a 5400rpm spinning disk? I find it entirely plausible that they have to wait an hour plus for the machine to become remotely responsive.


No one thinks the performance problems are implausible. But hardware can only do so much to make up for the worst excesses of antivirus. Behavioral scanning doesn't require huge amounts of memory and has negligible need to touch the hard drive. On-access scanning by definition barely needs to increase the number of I/O operations. It shouldn't bottleneck the machine if it's done competently. So then you're just loading outlook off a hard drive, which took several seconds the last time I tried it.


I probably have experienced something close to this. You're right; it doesn't take many steps to make a modern machine slow.

Reading the article was indeed surprising and depressing - it certainly is a plausible scenario! The question is: is such a disfigured desktop experience an acceptable result, given that the physical hardware enables much, much more productivity?


When NASA switched from internal IT to a third-party contractor, their laptops and desktops got replaced with worse hardware that somehow cost more. This is the Republican way.


> Try booting a 2 GB RAM machine to some RAM-preloading Linux thumbdrive and you'll see why the problem is not "spinning rust HDDs" and "only 4 GB RAM"

They're absolutely running some sort of modern Windows so I don't see how this is relevant at all. MS-DOS2.0 would also work like a dream on those specs, who cares?


Yes, they're running Windows, and Windows is also software, contributing to the bloat. My point is that the resource overhead of just running an idle OS doesn't need to be humongous compared to the actual workload.


Seriously, they could be running on thin clients like a chromebook. No need to give everyone top-end machines to run MS Office and some webapps. It's mind boggling this is even a debate on HN.


But then they wouldn't be able to install the corporate spyware that keeps the evil hackers away.


Why wouldn't it? That's how long it takes to swap memory on an HDD, it doesn't surprise me, especially with how many resources today's browsers and sites consume.


Websites are also bloated with massive Javascript - it's just another source of awfully bloated, inefficient, bloody useless software!


Ha, you're blaming hardware yet the likely reason that those systems are slow isn't because the hardware can't do things quickly, but because the modern software they run on it is bloated and slow.


You both are correct. It's a combination of shit hardware, shit software, and poor timing on daily scans that should be run after hours instead of on login. I use AF computers on a daily basis and can attest to bringing in my own laptop and using alternatives to login on my personal.


I've decided that anti-virus and other security software slowing down the computer is a feature. If the software was super-efficient, people would think it wasn't doing anything. The slowness provides the appearance of work being done.


Oh man ... the cruft that corporate IT installs slows down the computers so much. It's better if companies start handing out Linux machines if they can't afford Macs. I would trade my Windows laptop with IT cruft any day for a Linux machine.


IT will cruft it up no matter the OS. I’ve had to run TrendMicro on AWS linux instances because of the gov’ts settlement with Sony re: “North Korean hacking”.

It destroyed performance. Also it was poorly configured by the checkmark-brigade in their “security & compliance” department.

All I’m saying is careful what you wish for.

Edit: spelling


You have too much faith in corporate IT.

They can fuck up macs and Linux just as well.


Can confirm: got Symantec End-Point Protection rolled out on Macs here and it has turned them into slow crashy pieces of ... garbage; I've had to restore my machine from backup a couple of times already when a macOS update with this thing running would result in an unbootable machine.

It would have been more cost-efficient and secure to smash our machines with sledgehammers than force us to run this ... junk.



