
The balance between performance (low speed-impact) and real-time detection – Enterprise products

In our most recent report, we continue our investigation into the potential impact of performance-enhancing measures implemented by anti-virus vendors on the malware detection capabilities of their products. Building upon last year's findings, we now shift our attention to enterprise products in this blog post. By applying the same methodology, our objective remains the same: to assess how consistently enterprise security products detect malware in specific scenarios. We maintain uniformity by using the identical settings employed in our enterprise main-test series.

Nowadays, anti-virus products use different optimization techniques to reduce system impact and disruption of everyday tasks. Finding the right balance between real-time malware detection and performance is challenging. Anti-virus vendors optimize their respective products in various ways to reduce the impact on system performance. Below are some examples of optimizations that could theoretically be implemented in some products. All of them could have a positive effect on performance but might reduce the detection rates of any malicious files. Given the multitude of unknown variables and various implementations beyond our consideration, the definitive answers and precise technical details pertaining to a specific product can only be provided by the respective anti-virus vendor.

  • Exclude analysis of specific file types: the anti-virus often excludes specific file types (or even file extensions) from analysis.
  • Exclude analysis of files signed by known developers: the anti-virus might exclude files signed by known developers from being analysed.
  • Exclude analysis of files whitelisted by the security program: the anti-virus might exclude analysis for a list of specific, predefined, whitelisted programs.
  • Exclude fingerprinted files or programs: the anti-virus might skip re-analysing files that have already been analysed, or have not changed since the last analysis or update. Furthermore, files which are accessed by the user in the current Windows session might be analysed just once, and re-analysed only after a system reboot or signature update. Some programs might suggest or run a full on-demand system scan immediately after being installed, in order to fingerprint certain files on the system.
  • Different heuristic analysis levels: the anti-virus might apply different heuristic methods during its analysis depending on the origin of a file (e.g. from the Internet, on local disk), the action a user performs on a file (e.g. copying, archiving, or launching), or how many files are processed. With some heuristics models, the analysis might take less time to complete, thus consuming fewer system resources.
  • Exclude analysis of specific target locations: analysis might not be performed when files are written to specific target locations (e.g. USB drive) during copying, unarchiving, downloading, etc.
  • Exclude analysis of files on large media or network shares: the contents of media with potentially high storage capacity (e.g. USB external drives) or network shares might not be analysed.
  • Exclude analysis for different partitions of the same disk: analysis might not be performed when files are copied/moved between different partitions on the same disk.
  • Exclude analysis of files while they are created/read/moved/copied: the anti-virus might only analyse files when they are executed.
  • Exclude analysis of specific file names and/or locations: the anti-virus might exclude files with specific names and/or in specific locations on the system from analysis.
  • Exclude analysis for specific actions: analysis of files during operations that often take some time to complete (e.g. archiving or unarchiving files) might be disabled.
  • Start analysis after specific actions: analysing might start only after the current operation (e.g. copying or unarchiving files) has been completed. In that case, the user might not notice any performance drops during the operation itself.
  • Limit number and size of files to analyse: when multiple files are copied (either loose or in folders), the anti-virus could analyse only up to x number of files and then stop its analysis for the remaining files. Likewise, the anti-virus might skip analysing large folders or files, or might just run spot checks on some files, rather than analysing all of them.
  • Different default analysis levels depending on the hardware: by default, the anti-virus might perform a more in-depth analysis on high-end machines but a less-comprehensive analysis on weaker hardware in order to reduce pressure on the limited resources.

How did we test?

Several different typical user actions were carried out on a clean and up-to-date Windows 10 22H2 system, with the respective enterprise security software installed and configured as in our enterprise main-test series. The test system had an active Internet connection to allow for the real-world impact of cloud services/features. These activities might be seen in day-to-day operations of users, but with the addition of malicious files and phishing websites to the respective scenario. To get a more complete picture of the detection mechanisms offered by each program, we used various techniques to carry out these actions. For example, we utilized different tools and procedures to copy the files. We also considered different locations and directions.

  • File copying: we copied a set of files that consisted of multiple clean files and one malicious file.
  • Archiving/unarchiving: to test archiving, we archived a set of files that consisted of multiple clean files and one malicious file. To test unarchiving, we prepared an archive containing one malicious file and several clean files; this was then unarchived on the test machine.
  • Installing applications: we installed an application that drops a malicious file on the system disk during the installation process.
  • Launching applications: we opened a malicious document with the corresponding application.
  • Downloading files: we downloaded malicious files from various web servers on the Internet.
  • Browsing: we opened phishing websites with Google Chrome.

The malicious samples used in this test would be detected by all the tested programs in a simple on-demand scan. This test checks whether these same samples would be detected in the additional specific scenarios listed above.

Please note that these scenarios are only a subset of the possible scenarios that could be tested. It is not practicable to test every conceivable scenario, given that there are a number of variables (file types/locations, numbers/sizes of files, folder structure, drive type, etc.), and that the possible combinations of these variables are unlimited.
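The copy, archive/unarchive and download scenarios above can be reproduced on an endpoint of your own. The script below is an added example written for this post, not AV-Comparatives' test harness: it uses the harmless EICAR test file in place of real malware, exercises file copying with two tools and two target locations (Copy-Item and robocopy on the same volume, Copy-Item into the Downloads folder), archiving and unarchiving (Compress-Archive and Expand-Archive), and downloading with Invoke-WebRequest and curl.exe, and then reports per scenario whether the endpoint product intervened. The installation and launch scenarios are not covered. Assumptions: Windows PowerShell 5.1 or later, real-time protection enabled, a product that removes or quarantines what it detects, and that https://secure.eicar.org/eicar.com is reachable from the machine; all files are created under %TEMP% and the user's Downloads folder and are deleted at the end.

```powershell
# Added example (not AV-Comparatives' own harness): reproduce the copy,
# archive/unarchive and download scenarios with the EICAR test file and
# report, per scenario, whether the endpoint product intervened.
# Assumptions: Windows PowerShell 5.1+ or PowerShell 7, real-time protection
# enabled, and a product that removes or quarantines what it detects. A
# product that only alerts shows as "NOT analysed" here, so confirm such rows
# against the product's console or quarantine log.

$ErrorActionPreference = 'Stop'

# EICAR string assembled from two halves so this script file is not itself
# quarantined before it runs (single quotes: no variable expansion).
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' + '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$url   = 'https://secure.eicar.org/eicar.com'   # assumed reachable

$work     = Join-Path $env:TEMP ('rtp-check-' + [guid]::NewGuid().ToString('N'))
$src      = Join-Path $work 'src'
$testFile = Join-Path $src 'eicar.com'
New-Item -ItemType Directory -Path $src | Out-Null

# Several clean files plus one test file, mirroring the test's file set.
1..5 | ForEach-Object { Set-Content -Path (Join-Path $src "clean$_.txt") -Value "clean file $_" }

function Restore-TestFile {
    # Recreate the source test file if an earlier scenario removed it.
    if (-not (Test-Path $testFile)) {
        Set-Content -Path $testFile -Value $eicar -NoNewline -Encoding ascii
        Start-Sleep -Seconds 3
    }
    return (Test-Path $testFile)
}

if (-not (Restore-TestFile)) {
    Write-Host 'Test file removed on creation: the product scans on write. Nothing more to test.'
    return
}

$results = @()
function Test-Scenario {
    param([string]$Name, [scriptblock]$Action, [string[]]$Expect)
    if (-not (Restore-TestFile)) { return }
    $blocked = $false
    try { & $Action } catch { $blocked = $true }   # a detection may abort the operation itself
    Start-Sleep -Seconds 5                         # give the scanner time to act
    $stillThere = @($Expect | Where-Object { Test-Path $_ })
    if ($stillThere.Count -eq $Expect.Count) { $verdict = 'NOT analysed (file still present)' }
    elseif ($blocked)                        { $verdict = 'operation failed or blocked (confirm in product log)' }
    else                                     { $verdict = 'analysed (file removed)' }
    $script:results += [pscustomobject]@{ Scenario = $Name; Result = $verdict }
}

# File copying: different tools and target locations.
$d1 = Join-Path $work 'copy-copyitem'
Test-Scenario 'Copy-Item, same volume'  { Copy-Item -Path $src -Destination $d1 -Recurse } (Join-Path $d1 'eicar.com')
$d2 = Join-Path $work 'copy-robocopy'
Test-Scenario 'robocopy, same volume'   { robocopy $src $d2 /E | Out-Null } (Join-Path $d2 'eicar.com')
$d3 = Join-Path $env:USERPROFILE 'Downloads\rtp-check'
Test-Scenario 'Copy-Item, to Downloads' { Copy-Item -Path $src -Destination $d3 -Recurse } (Join-Path $d3 'eicar.com')

# Archiving (both the source file and the archive are checked) and unarchiving.
$zip = Join-Path $work 'set.zip'
Test-Scenario 'Compress-Archive' { Compress-Archive -Path (Join-Path $src '*') -DestinationPath $zip } @($testFile, $zip)
$d4 = Join-Path $work 'unzipped'
if (Test-Path $zip) {
    Test-Scenario 'Expand-Archive' { Expand-Archive -Path $zip -DestinationPath $d4 } (Join-Path $d4 'eicar.com')
}

# Downloading with two different clients.
$dl1 = Join-Path $work 'download-iwr.com'
Test-Scenario 'Invoke-WebRequest download' { Invoke-WebRequest -Uri $url -OutFile $dl1 } $dl1
$dl2 = Join-Path $work 'download-curl.com'
Test-Scenario 'curl.exe download' { curl.exe -sS -o $dl2 $url; if ($LASTEXITCODE) { throw 'curl failed' } } $dl2

$results | Format-Table -AutoSize

# Remove everything the script created, including any test file that survived.
Remove-Item -Path $work, $d3 -Recurse -Force -ErrorAction SilentlyContinue
```

A row reading "NOT analysed" means the product let that operation complete without acting on the test file, which is the same observation the report records as "never analysed" for that technique; "operation failed or blocked" covers both a product that aborted the operation and an ordinary failure such as no network, so it needs a look at the product's log. Running an on-demand scan of the work folder before the cleanup step gives the baseline the report describes: a sample that the on-demand scanner flags but that survived a copy or unarchive was skipped by the real-time optimization, not missed by the engine.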

Findings

The following products were checked in June 2023: Avast Ultimate Business Security, Bitdefender GravityZone Business Security Premium, Cisco Secure Endpoint Essentials, CrowdStrike Falcon Pro, Cybereason NGAV, Elastic Security, ESET PROTECT Entry (with ESET PROTECT Cloud), G Data Endpoint Protection Business, K7 On-Premises Endpoint Security Advanced, Kaspersky Endpoint Security for Business – Select, with KSC, Microsoft Defender Antivirus with Microsoft Endpoint Manager, Sophos Intercept X Advanced, Trellix Endpoint Security (ENS), VIPRE Endpoint Detection & Response, VMware Carbon Black Cloud Endpoint Standard, WatchGuard Endpoint Protection Plus on Aether.

The table below summarizes the results for each scenario, showing whether the security programs analyse files for malware during common operations, such as file copying or downloading, and websites for phishing content.

Always analysed: the product consistently analysed files (and therefore detected malware) or websites in the specific test scenario and with the techniques used. The test results show that all products analysed files for malware at least on “Installing applications” and “Launching applications”. Those are the scenarios where malware could directly infect the system.

Sometimes analysed: files or websites were sometimes, but not always, analysed depending on the circumstances (e.g. program/method used, total number of files, file location) and optimization logic.

Never analysed: the product did not analyse files or websites in the specific scenario and with the techniques used, and so no detection of malware or phishing occurred in that case. CrowdStrike, Cybereason, Elastic, Microsoft, Trellix, and VMware never analysed websites during “Browsing websites” because they currently do not include, e.g., a phishing filter.

Summary

The table above highlights that several enterprise vendors currently do not include scanning of phishing websites. Additionally, some vendors only sometimes analysed files during file copying and archiving/unarchiving. However, it is important to note that all vendors analysed files during installing and launching applications, ensuring system protection by scanning the files upon execution.

In cases where we indicated sometimes analysed, scanning depends on various factors such as file location, program/method utilized, and whether a single file or multiple files are being copied.

Negative Side-Effects of Speed Optimization

The results show that in some circumstances, files might not be analysed – and thus malware not detected – while being processed by the user. This might give the user the incorrect impression that if files they have downloaded/copied/unarchived to their system have not been automatically detected as malware by their anti-virus program, then it’s safe to pass them on to other users.

Recommendations

We understand that users are looking for highly efficient anti-virus products, and vendors try to optimize performance while maintaining security. However, we believe that vendors should enhance transparency by clearly explaining how they manage the trade-offs between detection and performance. This would allow users to make informed decisions. If an AV program does not monitor some file operations, as a means of achieving better performance, we suggest that vendors communicate this clearly to users, such as during the program’s installation process. Some products are able to find the right balance between security and performance.

Where possible, administrators should regularly evaluate the settings of their enterprise product to maintain optimal security without excessively impacting system performance. In this regard, AV vendors should assist administrators by highlighting positive and negative effects when changing specific settings.

The information given in this article can help users put the results of performance tests, which use common real-world scenarios, into perspective. Please visit our website for protection and performance tests of Enterprise products.