AV Scans Slowing Down Your Machine? Think Again

By Roel Schouwenberg

As a technology enthusiast — or geek — I always enjoy looking into new technologies. Although it’s no longer directly cutting edge, I recently started exploring the wonderful world of Solid State Disks (SSDs).

SSDs may, to some extent, influence how anti-virus (AV) programs use resources on the system and I’ve been curious to see how we can exploit that fact as SSDs are slowly getting more mainstream. Imagine my surprise when I came to the shocking discovery that, under certain circumstances, an SSD may actually perform better during an AV scan than when it’s idle.

By Roel Schouwenberg

As a technology enthusiast — or geek — I always enjoy looking into new technologies. Although it’s no longer directly cutting edge, I recently started exploring the wonderful world of Solid State Disks (SSDs).

SSDs may, to some extent, influence how anti-virus (AV) programs use resources on the system and I’ve been curious to see how we can exploit that fact as SSDs are slowly getting more mainstream. Imagine my surprise when I came to the shocking discovery that, under certain circumstances, an SSD may actually perform better during an AV scan than when it’s idle. Take a look at the following results coming from an ASUS UL30-A2 laptop outfitted with an SSD.

These results represent a system in idle. Explanation of the results:

Seq stands for sequential performance. 512k/4k stand for random reads/writes of 512KB and 4KB chunks of data respectively. 4KQD32 stands for read/write of 4K chunks with a queue depth of 32.

Now let’s have a look at how the drive is doing while an AV scan is in progress.

While the results are generally poorer than when the system is in idle the 4K results are definitely clearly better. Numerous experts claim that 4K results most accurately reflect drive ‘snappiness’ and is equal to the default allocation size that most operating systems assign to a drive when formatting it.

Naturally, I reran these tests a number of times to see if I could reproduce these results — and I could each and every time. After giving this some thought I decided to run this benchmark while having the CPU run at maximum frequency.

These are clearly the best performance results yet. Since then I’ve tested the same scenarios on a number of different platforms together with different benchmark tools and got similar differences in performance though some chips performed significantly better than the ICH9-M chipset which the screenshots are from.

The culprit seems to be related the C1E (HLT) state which is used in the vast majority of modern CPUs to save power. When the CPU is in this state the majority of chip sets will have significantly poorer I/O results for SSDs. ASUS and Gigabyte have independently confirmed this problem while other hardware manufacturers are also suffering this issue. The issue persists on both the Intel and AMD platforms and across SSDs, though not all chipsets may be affected to the same extent.

So what does this mean? Well, marketing slogans could now read that AV will make your system feel smoother. On a more serious note I do believe it shows that the SSD platform as a whole isn’t there yet from a technology point of view. It’s things like this that determine how fast we can utilize new technologies to scan for malware in the most efficacious manners.

I’m definitely hoping that BIOS updates will be able to tackle this problem so people will be getting full SSD performance not just when the CPU is under load.

Testing notes:

* The disks used were a second generation Intel 160GB SSD and the partition was aligned.


* The SSDs were also tested as non-OS disk and the same issue persisted. Disks were also connected to different SATA ports to rule out some known compatibility issues.


* All systems tested were running Win7 x64 with the Microsoft AHCI driver. One run was performed on XP to somewhat rule out OS issues. TRIM was enabled though the disks were manually trimmed after each run using Intel’s SSD Toolbox.


* Roel Schouwenberg is a senior anti-virus researcher in Kaspersky Lab’s Global Research & Analysis Team.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.