What is my antivirus doing when scanning if cpu below 30% and hdd below 5%?


10 replies to this topic

#1 siramods


Posted 19 February 2013 - 12:37 PM

Before spring file cleaning, I have downloaded and run Avira Free Antivirus v.13 to check my almost full 2 TB of files.
 
I have armed myself with patience, as I wasn't expecting a full system scan to complete in less than 5 hours, and here I am, 6 hours and 38 minutes later at 81% of the task.
 
As (6x60+38)/81 x 19 equals 1.5 hours left, I have decided to use this time to investigate a rather mysterious issue: how come during this scan my HDD is idling at around 10 MBps (3%) while my CPU is also comfortably at rest at 30% with 0 peaks? Where is the bottleneck that causes such abysmal performance? Maybe someone could give me an answer. Isn't 10 MBps a little low?
 
I have a Q6600/2.4GHz CPU, 8GB DDR2/1066, 2 X 1TB hdds in raid 0, able to read between 100 and 300 MBps.
 
And this is my first post.  Hi everybody!

Edit: Moved topic from All Other Applications to the more appropriate forum. ~ Animal


#2 Nanobyte


Posted 19 February 2013 - 10:16 PM

I can't speak for the actual data rate from your equipment.  One factor is file size.  You can scan a few large files way quicker than a load of small files.  When I do my backups, the data rate can fall to 1/10 of the max.  Certain folders have lots of small files.  I'm sure it takes a lot longer to scan zip and cab files too.  No doubt there are other files in that category.  If you have set your scan to skip large files or certain file types that will affect overall time.

 

You can throw in file fragmentation too.  If one section of files is highly fragmented it will take longer.


Edited by Nanobyte, 19 February 2013 - 10:25 PM.


#3 siramods


Posted 24 February 2013 - 02:39 PM

Well, let's not start by blaming the small files, shall we?

I know many people would just skip to the end, so I will do just that and jump to the conclusion:

AVIRA ANTIVIRUS DOES NOT USE MORE THAN ONE CORE ON CPU.

Actually the load gets spread arbitrarily by the OS between cores, but the results are the same.

That's why on a four-core computer like my Intel Core 2 Quad Q6600, the scanning takes more than four times longer than it should (for four, you can substitute your number of cores). As of February 2013, one of the top-ranking antivirus products is unable to take advantage of a multi-core CPU, and wastes user time by a factor of the number of cores in their computers. In my case, 2 TB worth of files completed in almost 7 hours, when it should have been completed in less than 2, effectively wasting 5 hours to finish its task. Demonstration below.

Obviously, I was unsatisfied with the small files / fragmentation theory, because no amount of small files can justify only 2% HDD activity, no matter what. Reasons like preemptive reading; the fact that small files do not get fragmented, as they don't take many sectors (and at the time of space allocation there are always small spaces of sufficient size to be found); the fact that huge files do get fragmented but, except for archives, tend to be excluded from search by 'smart extension' scanning or are scanned only partially; etc., all contribute to my unwillingness to believe in the aforementioned theory. Folder fragmentation also isn't a huge issue, as most folders get created without a lot of concurrent writing, so we can expect linear or minimal jumping ahead of the HDD heads.

But let's not get into a never-ending story on HDD performance, and let's take those crunching bricks out of the equation. So, with the help of ImDisk Virtual Disk Driver for Windows by Olof Lagerkvist and half of my 8 GB total system memory, I created a 4 GB ramdrive emulating a local hard disk and formatted it as an NTFS volume. Full formatting of this drive took 5 seconds, and I assigned it the letter X.

 

Then I picked 59854 files organized in 2574 folders, by copying the contents of a 'SmallGames' folder to this ramdrive until full. This operation took 67 seconds. Then I took my time and split those files into four subfolders, namely Q1, Q2, Q3 and Q4, not directly on the ramdrive's root but in the following structure:

X:/DAT/HALF1/Q1
X:/DAT/HALF1/Q2
X:/DAT/HALF2/Q3
X:/DAT/HALF2/Q4

 

So, we have a 'DAT' folder on the root, HALF1 and HALF2 subfolders, and Q1 and Q2 in HALF1 and Q3 and Q4 in HALF2.

The splitting was made in such a way that it took the antivirus almost exactly the same time to scan each of those Q1 to Q4 folders individually. This step took me a while, and once done, a mirror (copy) of the /DAT folder was also made to my HDD root.

As for file diversity, they were from over 40 games released in the last 5 years, and you could find almost everything in there, making it an excellent worst-case scenario. All of them were clean of viruses.

 

The antivirus was set to skip all non-relevant scanning like system files, memory, boot sectors, etc, only plain file scanning, no extension or other 'smart' type of file filtering, that means all files, with scanning inside archives.

 

The scanning tasks were launched by running prepared batch command files, to automate the process.

 

For reference, my system configuration is an Intel Core 2 Quad Q6600 CPU at stock 2.4 GHz, 8 GB DDR2 1066 MHz, an Asus P5Q Deluxe motherboard, and Intel RAID 0 from two 1 TB Seagate drives, running Win 7 Ultimate x64. No other HDD-churning services were running, like indexing, updates or whatever. When not testing, my CPU and my HDD load were below 1%.

All tests were performed twice, with a computer restart between rounds. The results were almost identical between the two rounds of testing, with the worst result being recorded.

 

The test results:

 

First some preliminary testing:

 

Full formatting the 4GB RamDrive - 5 seconds
Copy all files from HDD to RamDrive - 67 seconds
Copy all files from RamDrive to HDD - 53 seconds
Archiving all files from RamDrive to HDD, winrar, no compression, with encryption - 66 seconds

 

Antivirus scanning tests results, performed on files on the RamDrive:

 

Scanning Q1 folder alone - 27 seconds
Scanning Q2 folder alone - 29 seconds
Scanning Q3 folder alone - 28 seconds
Scanning Q4 folder alone - 27 seconds
Scanning HALF1 folder alone - 57 seconds
Scanning HALF2 folder alone - 57 seconds
Scanning DAT folder alone - 122 seconds

 

In all the above tests, the total CPU load was between 25 and 30% at all times, with only one core peaking or balanced between 2 cores.

 

Now, some parallel scanning:

 

Scanning Half1 and Half2 at the same time - 59 seconds, CPU load on 50% flat
 

Scanning Q1, Q2, Q3, Q4 at the same time - 36 seconds, CPU load on 100% flat

 

Obviously in this latest test, the CPU bottlenecked the whole thing, but I bet that if I overclock it to 3.6 GHz the result will drop to around 30 seconds.

Then I repeated the same scanning tests with the files on the actual physical HDD. The results were IDENTICAL.

That's it. The conclusion is crystal clear and I will ask on the Avira forum for an explanation. If I get an answer I'll keep you posted.

What do you think, people? Does your AV do a better job?



 



#4 jburd1800


Posted 24 February 2013 - 06:32 PM

Ok, so I'm confused...did you post your issue on the Avira forum? And if so, why are you posting here?


“May the sun bring you new energy by day, may the moon softly restore you by night, may the rain wash away your worries, may the breeze blow new strength into your being, may you walk gently through the world and know its beauty all the days of your life.”


#5 siramods


Posted 24 February 2013 - 08:35 PM


> Ok, so I'm confused...did you post your issue on the Avira forum? And if so, why are you posting here?


This site was my first choice for posting, because I believe an open community would give me a more objective answer than a corporate forum. I only posted in the Avira forum because I was unsatisfied with the answer I got here, and because after I provided myself with an explanation I felt that Avira needs to answer also. And I wasn't aware of a 'post in one forum only' rule on the internet. If you consider this to be a waste of your time, I'm sorry, but I found it to be a very interesting topic that affects countless users. And if I find that answering my own question in here is not a waste of time, it is because I think it will benefit others.

Edited by siramods, 24 February 2013 - 08:39 PM.


#6 jburd1800


Posted 24 February 2013 - 08:40 PM

You are reading way more into my post than needed. My question was just that, a question...




#7 siramods


Posted 24 February 2013 - 08:48 PM

Sorry if I was overreacting. But what can you comment on the topic?

#8 jburd1800


Posted 24 February 2013 - 09:12 PM

I'm just trying to learn. What other antivirus have you put through this test?




#9 siramods


Posted 24 February 2013 - 09:41 PM

None other, since the point was not to compare antivirus software, but to elucidate how come an antivirus that PC Magazine rated as the fastest on-demand scanner available as of 2012 does such a lousy job at it, as my tests show that the scanning speed could easily be doubled on a dual-core CPU, quadrupled on a four-core and so on, by simply scanning more files at once.

Actually, on the Avira forum I did get an answer from someone who pointed out to me that by activating an 'optimize scan' option in preferences I will get exactly what I was looking for, multicore scanning optimization. Besides the question of why such an option would be disabled by default, it seems that it is not really working. After activating 'optimized scan', the load on the CPU not only did not increase, but it dropped a few percent, making the scanning slower. The mystery deepens.

Until solved, I recommend that all who are in a hurry skip the system scan and scan multiple subfolders in parallel, using for instance the contextual menus, until they see their CPU at 100%. It requires more user interaction, but will cut your scanning time dramatically.
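
An added example, not part of any post in this thread and not Avira's tooling: a small Python harness for the experiment described in posts #3 and #9 (evenly balanced folder groups, one scanner process chain per group, serial versus parallel timing). `STAND_IN_SCANNER` is a constructed hashing stand-in and all function names are hypothetical; fed the thread's own timings (122 s for DAT alone, 36 s for Q1 to Q4 at once), `speedup` gives about 3.39x at 85% per-core efficiency.

```python
import subprocess
import sys
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for a single-threaded on-demand scanner: it hashes every
# file under the folder passed as its last argument. Swap in your own scanner's
# command line; no real product's switches are assumed here.
STAND_IN_SCANNER = [sys.executable, "-c", (
    "import hashlib, os, sys\n"
    "for root, _, names in os.walk(sys.argv[1]):\n"
    "    for name in names:\n"
    "        with open(os.path.join(root, name), 'rb') as fh:\n"
    "            hashlib.sha256(fh.read()).digest()\n")]


def balance(weights, buckets):
    """Greedy longest-first split of {folder: weight} into evenly loaded groups.

    Weight can be bytes on disk or, as in the thread, measured scan seconds.
    """
    groups = [[0, []] for _ in range(buckets)]
    for folder, weight in sorted(weights.items(), key=lambda kv: kv[1], reverse=True):
        lightest = min(groups, key=lambda g: g[0])
        lightest[0] += weight
        lightest[1].append(folder)
    return [folders for _, folders in groups]


def scan_group(folders, scanner):
    """One worker: scan its folders one after another, like a single scan job."""
    return [subprocess.run(scanner + [f], check=False).returncode for f in folders]


def timed_scan(groups, scanner=STAND_IN_SCANNER):
    """Run one scanner chain per group concurrently; return (seconds, exit codes)."""
    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=len(groups)) as pool:
        results = list(pool.map(lambda g: scan_group(g, scanner), groups))
    return time.perf_counter() - start, [code for group in results for code in group]


def speedup(serial_s, parallel_s, workers):
    """Speedup and per-worker efficiency of the parallel run over the serial one."""
    ratio = serial_s / parallel_s
    return ratio, ratio / workers
```

Call `timed_scan([all_folders])` for the serial baseline and `timed_scan(balance(weights, cores))` for the parallel run. Per-folder runs cover only the folders passed in, so the point about the MBR raised in the next reply still applies.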

#10 Didier Stevens


Posted 25 February 2013 - 05:11 PM

> Until solved, I recommend that all who are in a hurry skip the system scan and scan multiple subfolders in parallel, using for instance the contextual menus, until they see their CPU at 100%. It requires more user interaction, but will cut your scanning time dramatically.

 

I would assume that with this method, Avira will only scan files, and not other important parts of your disk like the MBR. So you might need to start a system scan to have the MBR scanned, and cancel it afterwards.


Edited by Didier Stevens, 25 February 2013 - 05:12 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#11 siramods


Posted 28 February 2013 - 01:59 AM

Mr. Didier, you are completely right, thanks for pointing that out.





