Edited by Javier Guerrero, March 2010

One of the things users most often complain about regarding antivirus solutions is their resource consumption and the system slowdowns they cause once they are installed. In this article, we offer a straightforward and reasonable explanation of why this occurs.

A virus, or any other malware, is an element that launches malicious actions on operating systems. These potentially dangerous actions are diverse, and can range from infecting a file (operations on files) to running a Trojan (process operations) or installing a worm (registry operations). We won’t even mention network operations, which would take up an entire article on their own.

On the other hand, an antivirus is a security solution that adds additional functionality to the operating system in order to protect it from such malicious operations. Consequently, the product must install a series of components on different parts of the system in order to detect the actions in real time. This is known as an ‘on-access’ scanner.

Many of these events are ruled out and others are checked using several scanning techniques to determine whether they are (or could be, which is an important point) caused by malware. However, in order to have “on-access” protection, all actions must be intercepted in real time.

Please note the words “in real time” have been underlined in the previous paragraph. The importance of this will be revealed as we go into figures and data obtained from a small test we have conducted, which will provide further understanding of performance problems:

  • On a computer running a recently installed Windows 7 operating system with no third-party applications installed, in a 90-second period during which we only ran the Calculator and Paint, 481 process operations, 26,012 operations on files and 45,885 registry operations took place. These 72,378 operations must be checked in real time and denied if they are considered to be malicious.
  • In order to determine whether a file is infected, each file must be checked in real time against a large signature file database made up of hundreds of thousands of virus definitions.

The problem seems to be clearer, doesn’t it?
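To make the scale concrete, here is a small simulation added as an example (it is not code from this article or from any antivirus product). It pushes the 26,012 file operations from the test above through a hypothetical on-access hook. The names `OnAccessScanner`, `build_signatures` and `simulate`, the hash-only signature database, and the verdict cache used to rule out unchanged files are all assumptions made for illustration.

```python
import hashlib
import random

def build_signatures(n):
    # Constructed stand-in for a signature database: SHA-256 digests of known-bad
    # content. Real engines also use byte patterns and heuristics (simplification).
    return {hashlib.sha256(b"constructed-malware-%d" % i).digest() for i in range(n)}

class OnAccessScanner:
    """Hypothetical on-access hook: every file operation passes through check()."""
    def __init__(self, signatures):
        self.signatures = signatures
        self.verdicts = {}       # (path, version) -> True if content is malicious
        self.full_scans = 0
        self.cache_hits = 0

    def check(self, path, version, content):
        key = (path, version)
        if key in self.verdicts:     # unchanged file already judged: ruled out
            self.cache_hits += 1
        else:                        # new or modified file: hash it and look it up
            self.full_scans += 1
            digest = hashlib.sha256(content).digest()
            self.verdicts[key] = digest in self.signatures
        return not self.verdicts[key]    # True means the operation is allowed

DROPPER = "C:/constructed/dropper.exe"   # constructed sample path

def simulate(file_ops=26012, distinct_files=300, seed=1):
    rng = random.Random(seed)
    scanner = OnAccessScanner(build_signatures(100_000))
    files = {"C:/constructed/file%d.dll" % i: (0, b"benign-%d" % i)
             for i in range(distinct_files)}
    files[DROPPER] = (0, b"constructed-malware-42")   # matches one signature
    paths = sorted(files)
    denied = 0
    for _ in range(file_ops):
        path = rng.choice(paths)
        version, content = files[path]
        if path != DROPPER and rng.random() < 0.01:
            # an occasional write changes the file, so the cached verdict is stale
            version, content = version + 1, content + b"!"
            files[path] = (version, content)
        if not scanner.check(path, version, content):
            denied += 1
    return scanner.full_scans, scanner.cache_hits, denied

if __name__ == "__main__":
    print("full scans, cache hits, denied:", simulate())
```

Even with most operations ruled out by the cache, every one of them still passes through `check()` before it is allowed to proceed, which is where the real-time penalty comes from.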

But there is more: antivirus solutions must also protect themselves against common malware attacks, which can reduce or block their functionality. This means they need to carry out additional controls, which can once again cause system slowdowns.

Software performance is optimized to the maximum. However, as long as there are “on-access” scans, real-time processing is inevitable and will affect system performance considerably, reasonably, or transparently, depending on the type of product installed (the effects of a simple scanner and of a complete suite including a firewall, an antivirus, self-protection, behavior scans, parental control, etc. are not the same). However, there will always be a penalty.

In the end, it all boils down to reaching a reasonable balance between performance and security, and this is, has been and will be one of the biggest challenges of antivirus solutions, particularly considering that security solutions are always at a disadvantage compared to malware… but we will explain this in another article.

Note: in this article I am talking about the “classic” antivirus analysis approach. The new Cloud analysis approach is a different thing. For more information, please check this post at our Panda Research Blog: http://research.pandasecurity.com/arguments-against-cloud-based-antivirus/

Javier Guerrero Diaz
Development department – R&D