The balance between performance (low speed-impact) and real-time detection
In the past, a common complaint about antivirus programs was that they had a major impact on system performance, i.e. made the PC run more slowly in everyday use. Nowadays, anti-virus products use different optimization techniques to reduce system impact and disruption of everyday tasks.
In this blog post we want to answer the question of whether any of the performance-enhancing measures taken by anti-virus vendors might, under some circumstances, impair a product's ability to detect malware. To this end, we checked whether anti-virus products consistently detect malware in specific scenarios.
Finding the right balance between real-time malware detection and performance is challenging. Anti-virus vendors optimize their respective products in various ways to reduce the impact on system performance. Below are some examples of optimizations that could theoretically be implemented in some products. All of them could have a positive effect on performance, but might reduce the detection rate for malicious files. We do not guarantee the completeness or correctness of the following list, as there are many unknown variables and different implementations which we cannot consider. Only the respective anti-virus vendor could provide exact answers and technical details about an individual product.
- Exclude analysis of specific file types: the anti-virus often excludes specific file types (or even file extensions) from analysis.
- Exclude analysis of files signed by known developers: the anti-virus might exclude files signed by known developers from being analysed.
- Exclude analysis of files whitelisted by the security program: the anti-virus might exclude analysis for a list of specific, predefined, whitelisted programs.
- Exclude fingerprinted files or programs: the anti-virus might skip re-analysing files that have already been analysed, or have not changed since the last analysis or update. Furthermore, files which are accessed by the user in the current Windows session might be analysed just once, and re-analysed only after a system reboot or signature update. Some programs might suggest or run a full on-demand system scan immediately after being installed, in order to fingerprint certain files on the system.
- Different heuristic analysis levels: depending on the origin of a file (e.g. from the Internet, on local disk), the action a user performs on a file (e.g. copying, archiving, or launching), or how many files are processed, the anti-virus might apply different heuristic methods during its analysis. With some heuristic models, the analysis might take less time to complete, thus consuming fewer system resources.
- Exclude analysis of specific targets: analysis might not be performed when files are written to specific target locations (e.g. USB drive) during copying, unarchiving, downloading, etc.
- Exclude analysis of files on large media or network shares: the contents of media with potentially high storage capacity (e.g. USB external drives) or network shares might not be analysed.
- Exclude analysis for different partitions of the same disk: analysis might not be performed when files are copied/moved between different partitions on the same disk.
- Exclude analysis of files while they are created/read/moved/copied: the anti-virus might only analyse files when they are executed.
- Exclude analysis of specific file names and/or locations: the anti-virus might exclude files with specific names and/or in specific locations on the system from analysis.
- Exclude analysis for specific actions: analysis of files during operations that often take some time to complete (e.g. archiving or unarchiving files) might be disabled.
- Start analysis after specific actions: analysis might start only after the current operation (e.g. copying or unarchiving files) has been completed. In that case, the user might not notice any performance drops during the operation itself.
- Limit number and size of files to analyse: when multiple files are copied (either loose or in folders), the anti-virus could analyse only up to x number of files and then stop its analysis for the remaining files. Likewise, the anti-virus might skip analysing large folders or files, or might just run spot checks on some files, rather than analysing all of them.
- Different default analysis levels depending on the hardware: by default, the anti-virus might perform a more in-depth analysis on high-end machines, but a less-comprehensive analysis on weaker hardware, in order to reduce pressure on the limited resources.
How did we test?
Several different typical user actions were carried out on a clean and up-to-date Windows 10 21H2 system, with the respective consumer security software installed (keeping default settings). The test system had an active Internet connection to allow for the real-world impact of cloud services/features. These are activities that users perform in day-to-day operation, but with malicious files added to the respective scenario. To get a more complete picture of the detection mechanisms offered by each program, we used various techniques to carry out these actions. For example, with the file-copying check, we used different tools and procedures to copy the files. We also considered different locations and directions.
- File copying: we copied a set of files that consisted of multiple clean files and one malicious file.
- Archiving/unarchiving: to test archiving, we archived a set of files that consisted of multiple clean files and one malicious file. To test unarchiving, we prepared an archive containing one malicious file and several clean files; this was then unarchived using the respective test PC.
- Installing applications: we installed an application that drops a malicious file on the system disk during the installation process.
- Launching applications: we opened a malicious document with the corresponding application.
- Downloading files: we downloaded malicious files from various web servers on the Internet.
The malicious samples used in this test would be detected by all the tested programs in a simple on-demand scan. The test checks whether these same samples would be detected in the additional specific scenarios listed above.
Please note that the scenarios used for this test are only a subset of the possible scenarios that could be tested. It is not practicable to test every conceivable scenario, given that there are a number of variables (file types/locations, numbers/sizes of files, folder structure, drive type etc.), and that the possible combinations of these variables are unlimited.
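The following PowerShell script is an added example, not the test harness used for this article; it replays the "File copying" and "Archiving/unarchiving" scenarios described above on a single Windows 10 machine so a user can see which operations their own product's real-time scanner monitors. It assumes default AV settings, that the product removes or quarantines what it detects (some only block access, which this check would report as "not analysed"), and uses the standard EICAR test file as a harmless stand-in for the article's malicious samples.

```powershell
# Added example (not from the original article): replay the article's copy /
# archive / unarchive scenarios with the EICAR test file and report whether
# the file survived each operation. Assumes Windows 10, PowerShell 5.1+,
# default AV settings, and that detection removes or quarantines the file.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$work  = Join-Path $env:TEMP ('avcheck-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

# Wait for the real-time scanner, then report whether the file is still there.
function Test-Survived {
    param([string]$Name, [string]$Path)
    Start-Sleep -Seconds 5
    $state = if (Test-Path $Path) { 'NOT analysed (file still present)' }
             else                 { 'analysed (file removed)' }
    '{0,-36} {1}' -f $Name, $state
}

# Scenario 0: plain creation on the local disk (baseline for the others).
$src = Join-Path $work 'eicar.com'
Set-Content -Path $src -Value $eicar -NoNewline -Encoding ascii
Test-Survived 'Create file on local disk' $src
if (-not (Test-Path $src)) { 'Removed at creation; remaining scenarios skipped.'; return }

# Scenario 1: file copying within the same partition.
$copyDst = Join-Path $work 'copied\eicar.com'
New-Item -ItemType Directory -Path (Split-Path $copyDst) | Out-Null
Copy-Item $src $copyDst
Test-Survived 'Copy within same partition' $copyDst

# Scenario 2: archiving, with several clean files plus the test file.
$clean = 1..5 | ForEach-Object { $p = Join-Path $work "clean$_.txt"; Set-Content $p "clean $_"; $p }
$zip = Join-Path $work 'bundle.zip'
if (Test-Path $src) {
    Compress-Archive -Path ($clean + $src) -DestinationPath $zip
    Test-Survived 'Archive (zip containing EICAR)' $zip
}

# Scenario 3: unarchiving the archive to the local disk.
if (Test-Path $zip) {
    $out = Join-Path $work 'extracted'
    Expand-Archive -Path $zip -DestinationPath $out
    Test-Survived 'Unarchive to local disk' (Join-Path $out 'eicar.com')
}

# Clean up the work folder; what survived is what an on-demand scan should catch.
Remove-Item -Recurse -Force $work -ErrorAction SilentlyContinue
```

A file reported as "NOT analysed" is exactly the case the article describes: it was written to disk without the real-time scanner acting on it, and would be caught only on execution or by an on-demand scan.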
The following products were checked in April 2022 (with default settings): Avast Free Antivirus, AVG Free Antivirus, Avira Prime, Bitdefender Internet Security, ESET Internet Security, G Data Total Security, K7 Total Security, Kaspersky Internet Security, Malwarebytes Premium, McAfee Total Protection, Microsoft Defender Antivirus, NortonLifeLock Norton 360 Deluxe, Panda Free Antivirus, TotalAV Antivirus Pro, Total Defense Essential Antivirus, Trend Micro Internet Security, VIPRE Advanced Security.
The table below summarizes the results for each scenario, showing whether the security programs analyse files for malware during common operations such as file copying or downloading.
Always analysed: the product consistently analysed files (and therefore detected malware) in the specific test scenario and with the techniques used. The test results show that all products analysed files for malware at least on “Installing applications” and “Launching applications”. Those are the scenarios where malware could directly infect the system.
Sometimes analysed: files were sometimes, but not always, analysed, depending on the circumstances (e.g. program/method used, total number of files, file location) and optimization logic.
Never analysed: the product did not analyse files in the specific scenario and with the techniques used, and so no detection of malware occurred in that case. Malwarebytes and McAfee never analysed files during “File copying” and “Archiving / unarchiving”.
As can be seen in the table above, two of the vendors never scan during copying or archiving. A further seven only sometimes scan during archiving/unarchiving, and a further four only sometimes scan during file copying. However, all vendors scanned on installing and launching applications (meaning that all files are scanned on execution, thus protecting the system). Where we have shown that files are sometimes analysed, this means that scanning is dependent on factors such as file location, program/method used, and whether a single file or multiple files are copied.
Negative Side-Effects of Speed Optimization
The results show that in some circumstances, files might not be analysed – and thus malware not detected – while being processed by the user. This might give the user the incorrect impression that if files they have downloaded/copied/unarchived to their system have not been automatically detected as malware by their anti-virus program, then it’s safe to pass them on to other users.
We understand that users are looking for very fast anti-virus products, and that vendors try to optimize performance as much as possible without affecting security. However, we feel that vendors could be more transparent, where possible, on how detection-performance trade-offs are implemented, so that users can take this into account. If an AV program does not monitor some file operations, as a means of achieving better performance, we suggest that vendors could communicate this to users clearly (this could be done e.g. during the program’s installation process). Some products are able to find the right balance between security and performance.
We suggest that ideally, AV programs should have default settings that put more emphasis on detection than performance, so as to improve security for non-expert users. Clearly explained, granular configuration options could then allow power users to disable detection in some specific scenarios.
As the test results show, some products might not analyse files consistently, or even at all, during e.g. certain file copying scenarios. Therefore, we recommend running an on-demand scan of any files that might be malicious (or even your entire system). While this might also have its limitations, an on-demand scan usually analyses files in greater depth than the real-time analysis used when files are e.g. copied, downloaded or unarchived. If possible, the scan should be run with an active Internet connection, so that the AV product can access its cloud services, thus often greatly improving detection rates.
The information given in this article can help users put the results of performance tests, which use common real-world scenarios, into perspective. Please visit our website for protection and performance tests.