Tuesday, November 30, 2010

Do Virus Scanners Slow Down Your System?

Does the presence of a virus scanner guarantee reduced performance, or does it have a negligible impact? We test 10 different products to see if you’re unknowingly suffering with security software.
Remember the days of Windows 98, when CPUs ran at triple-digit MHz speeds and slogged along with less than a gigabyte of RAM? Installing a resident program like a virus scanner often meant committing performance suicide. And heaven forbid a scheduled scan start up while you were actually at your desk. Productivity could literally grind to a halt. At least that’s how I remember things through the fog of time.
Today's personal computers are much more powerful than they were a few years ago, so perhaps the notion that an anti-virus application will still have a debilitating effect on performance is obsolete. Still, folks who began using computers after multi-core CPUs and gigabytes of RAM became the norm have likely never used a PC without a virus scanner installed. They'd have no way to relate to the days of running lean and mean to keep speed manageable. Now we have resources to spare. Cores sit idle, waiting for a task to execute, while low prices on memory make 6 GB and 8 GB kits affordable for even mainstream users.
Zoom
We should make this perfectly clear: while it’s undeniable that an active virus scan can cause a heavy performance burden, what we’re really curious about is whether or not performance is affected when a system scan is not running. Does it take longer to open files when you have a resident virus scanner installed? Does the presence of the software tax CPU resources while you’re running other programs? What kind of tasks are most affected by security products, if any?
When faced with these sorts of questions, it’s only natural that we’d run some tests to unearth the real answers—this is Tom’s Hardware, after all. So let’s look a little deeper into quantifying the anti-virus conundrum.
What Does A Virus Scanner Do?
Before we begin our tests, we should at least consider how virus scanners work so that we can see if the results are in sync with our expectations.

There are two main mechanisms that most virus scanners use in order to keep your system safe: file checking and behavior monitoring.

File checking is by far the most prevalent technique. The idea is simple: the virus scanner examines the files on your PC for known threats, a threat being a signature of code that is associated with a particular virus. Because new viruses are being released all the time, most virus scanners will periodically download updates containing the new threat signatures.

How could file checking affect performance? Typically, a virus scanner will examine files for threat signatures every time a file is written, opened, closed, or emailed, or when a virus scan occurs. It thus makes sense to predict that applications accessing files on a regular basis might be slowed down by anti-virus software. Conversely, programs that don't involve a lot of file access might then remain relatively unaffected by the presence of a virus scanner.

Behavior monitoring is the second technology that anti-virus software employs to identify threats. This is a pre-emptive strategy to deal with viruses that have not yet been identified or added to the threat-signature dictionary. The virus scanner monitors the system for suspicious behavior, such as the alteration of executable files. This virus-prevention technique probably has very little effect on system performance, since suspicious behavior is probably somewhat rare.

That should be enough of a top-down overview to get us started. Let's get on with the tests!

We begin by selecting the security software to test. We're curious to find out if Internet security suites might contain bloatware that could slow down a system more than a simple anti-virus program would, so we've included not only virus scanners, but also complete Internet security suites offered by noteworthy developers. This means we’re testing AVG Anti-Virus 9.0, AVG Internet Security 9.0, Kaspersky Anti-Virus 2011, Kaspersky Internet Security 2011, McAfee VirusScan Plus, McAfee Internet Security, Norton AntiVirus 2010, Norton Internet Security 2010, Trend Micro Titanium AntiVirus+, and Trend Micro Titanium Internet Security.
Where benchmarks are concerned, we’ve assembled a suite of tests to exercise most aspects of PC performance, from gaming to office work. We’re testing raw application performance and also the time it takes for the system to respond to boot and to program launch requests. In order to do this, we’ve even developed some custom benchmarks, courtesy of our own Andrew Ku.
While we're running the benchmarks on an Athlon II X4 645, we'll be disabling two of the CPU cores for the majority of benchmarks. As a result, most of the benchmarks reflect the performance users can expect from a budget dual-core CPU. On page seven we run more benchmarks with only a single CPU core enabled, and also with all four CPU cores enabled, to see if the performance burden changes based on the number of execution cores available to the system.
With all this in mind, here are the particulars for our test system and benchmarks:
  Test System
MotherboardAsus M4A785TD-V EVO Socket AM3, AMD 785G, BIOS 0410
ProcessorAthlon II X4 645
3.1 GHz, Quad-Core CPU
Multiplier set to 3.0 GHz
*CPU RESTRICTED TO DUAL-CORE OPERATION FOR MAJORITY OF BENCHMARKS TO DEMONSTRATE BUDGET DUAL-CORE CPU PERFORMANCE*
Single- and quad-cores enabled for CPU core comparison on page 7
CPU CoolerCooler Master Hyper TX3
MemoryCrucial DDR3-1333
Dual-Channel 2 x 2048 MB, 669 MHz,
CAS 9-9-9-24-1T
GraphicsRadeon HD 5830 Reference
1 GB GDDR5, 800 MHz GPU, 1000 MHz Memory
Hard DriveWestern Digital Caviar Black 1000 MB
7200 RPM, 32 MB Cache SATA 3Gb/s
Software and Drivers
Operating SystemMicrosoft Windows 7 x64
DirectX VersionDirectX 11
Graphics DriversAMD Catalyst 10.9

And here's a list of the benchmarks:
Benchmark Configuration
3D Games
CrysisPatch 1.2.1, DirectX 10, 64-bit executable, benchmark tool
High Quality, No AA
Audio/Video Encoding
TMPGEnc 4.0 ExpressVersion: 4.7.3.292
Import File: "Terminator 2" SE DVD (5 Minutes)
Resolution: 720x576 (PAL) 16:9
Xvid 1.2.2Display encoding status = off
Productivity
WinRAR 3.90Version x64 3.90, Dictionary = 4096 KB, Benchmark: THG-Workload (334 MB)
Synthetic Benchmarks
PCMark VantageVersion: 1.0.1.0 x64, All Benchmarks
SiSoftware Sandra 2010Version 2010.1.16.11, CPU Test = CPU Arithmetic

We should preface the following CPU and game benchmarks by saying we really don't expect security software to have an effect on them. Anti-virus software typically activates on the creation, opening, closing, or emailing of files, and none of the following tasks are focused on any of these activities. Regardless, we make no assumptions and perform the following tests to check our theory.

We start things off with a synthetic CPU benchmark to see whether or not these products will cause performance differences compared to a computer without any security software installed. As you can see, the presence of this software appears to cause no tangible impact on raw processing performance.
Now let’s see what happens in a real-world encoding application.

Encoding a video with the Xvid codec definitely stresses the processor—in fact, it stresses the whole platform. Nevertheless, there’s no real performance difference to see here.

We benchmarked Crysis to see if any of these security software products would affect game performance. Happily, it does not appear to have any impact whatsoever.

The following benchmarks involve hard drive and file access, which a virus scanner could theoretically affect.

The results are close across the board with our first file access benchmark, the PCMark hard drive test score. It has been our experience that PCMark results have a larger margin of error than what we’d prefer, so we won’t draw any specific conclusions from this close result.

Moving to a real-world benchmark that involves compressing 334 MB of files, our WinRAR test doesn’t expose any obvious weaknesses in file system performance.

It can be difficult to define and measure the general responsiveness of a PC, yet the productivity and communications benchmarks that are part of the PCMark Vantage suite are probably well-suited for this test.

The PCMark Vantage communications benchmark includes a combination of tests that cover common tasks like data encryption, compression, Web page rendering, and Windows Mail searches. Past experience with PCMark shows that the margin of error can be a little larger than what we’d like it to be and the score with no security software running is actually lower than some results when virus scanners and Internet security suites are running. We consequently can’t draw any conclusions from these results, but can see that there isn’t a large difference when any of these products are used.

The productivity benchmark suite includes common tasks like starting applications, editing documents in WordPad, and searching contacts using Windows Search. There is a multitasking portion of this benchmark that runs three simultaneous tasks, including a Windows Contact search and Windows Mail message rules and renders numerous Web pages in Internet Explorer. Finally, this bench includes a number of hard disk stressing tasks, such as a Windows Defender scan and a boot timer.
As you can see, there are definitely some strong trends here that suggest this benchmark is affected by security software to varying degrees, but Kaspersky and Trend Micro products appear to suffer a large performance penalty.
Let’s dig deeper into the PCMark productivity benchmark specifically to see exactly what tasks are running slower when antivirus software installed:

Very interesting. First, let’s look at the productivity tasks that are not affected by the presence of these scanners. All of the hard disk-intensive tasks, such as Windows Vista startup, Windows Defender, and application loading, perform no differently with or without security software installed. This result supports our previous hard drive test results that also demonstrate little or no performance penalties due to a resident virus scanner. Aside from this, text editing a Word document also shows no performance differential.
On the other hand, a Windows Contacts search operation demonstrates a sizable performance penalty when Kaspersky or Trend Micro security software is installed. Note that the Productivity 4 Windows Contacts search occurs during multitasking, but both results are similar. The other operation that appears to be affected by the presence of security software is Web page rendering, also recorded during multi-tasking operations.
On a final note, we should mention that we left one of the PCMark productivity benchmarks out of the above chart. The Productivity 4 Windows Mail copying benchmark provides very inconsistent results in our testing, reporting anywhere between one and six operations per second.

It is our intention to benchmark the boot time with these different security solutions installed, and we spent a lot of time testing this using GreenVantage’s WinBootInfo utility. Unfortunately, the results we recorded show a huge variance from 30 to 60 seconds, even when taken one after the other, and we’re not comfortable releasing these results even after averaging multiple iterations. What we will say is that all of the averages we recorded are between 32 and 46 seconds. With boot times ranging from 30 to 60 seconds, there probably isn’t any significant conclusion to draw.
The response time benchmarks we demonstrate below are much more consistent. We open a document in Word and a LAN-hosted Web page in Firefox. Here’s how long it takes, on average, to open these files the first time after a fresh boot into Windows:


While we do experience significant variance between minimum and maximum load times for each security software package, with six iterations averaged, we see some clear trends across Firefox and Word. Most notably, AVG, McAfee, and Trend Micro products seem to take a little longer to open files than their competitors. McAfee Internet Security, specifically, has a longer wait time to launch the test Web page.
Speaking of McAfee, with this product installed, we notice a colossal lag to launch the timer application we developed to record benchmark results. When I say colossal, I mean it takes the better part of 10 seconds to launch the tiny program—an application that executes instantly with any other anti-virus program we tested. The reason for this appears to be that McAfee’s real-time scanning method is based on checking against known application signatures. Since McAfee obviously can’t have signatures for custom-made applications, it will thoroughly scan the application in question before launch. It does seem to take longer than it should to accomplish this task. We’re asking McAfee about this and hope to have an answer before publication—otherwise, we will follow up in a future article.
Back to the results, though. The bar graphs do make it appear that there is a large variance on first load, but we’re talking about a two to five-and-a-half second spread to open Firefox and a three-to-six-second spread to open a Word document. It sounds worse than it feels, as those extra few seconds don’t seem all that obvious. Admittedly, that’s a subjective argument.
What is objective is that the same application loads much faster the second time it is launched during a Windows session:


The difference in application launch speeds is reduced to less than a second between competing security software solutions on subsequent runs of the same program. This is a short enough time span that it's difficult to notice any change at all during real-world use.

We think it’s important to address one of the variables missing from our previous tests, and that is hardware. As we’ve seen up until this point, most applications don’t seem to show a notable difference in performance, regardless of whether security software is installed or not. But all of the tests have also been run on a dual-core CPU, too. Will the results change on a single- or quad-core processor?
We would expect the raw performance to drop slightly in multithreaded applications. But we're curious about the effect security software has on single-core performance, too. While we don’t have time to run the entire benchmark suite for different processor setups, we run all three CPU options with AVG AntiVirus 9, AVG Internet Security 9, and without any security software installed for a quick test:











While the number of available execution cores can certainly affect the raw results, when it comes to comparing performance on the basis of available compute resources, the only metric that shows a significant performance drop associated with a single-core processor running security software is the time it takes to load Internet pages on the first run. Aside from that, security software doesn’t seem to have an adverse affect on single-core PCs. This is a surprising result, as we expected security software to take advantage of threading. It’s possible that our test scenarios don’t give the software an ideal opportunity to do so, but it’s a surprising result nonetheless.

As mentioned on the first page, I came into this story idea aware that I had a prejudiced expectation. Although I’d never actually tested it for myself, I was under the impression that the presence of a resident virus scanner would have an adverse effect on system performance.
I’m very happy to report that my preconceptions have no place in today’s PC world, as even single-core processors are able to demonstrate comparable performance with or without modern security software installed. This is true not only for basic virus scanners, but also for comprehensive security suites.
Having said that, it’s also true that the presence of security software isn’t undetectable in all circumstances. We do see an increase in application launch times with a virus scanner installed, but the only significant wait time is a couple seconds added on the first launch of a program. Subsequent launches appear to be cached, and the wait time is almost imperceptible.
The only benchmark that shows a notable performance decrease with a virus scanner installed is PCMark’s productivity suite. Even here the performance hit is only notable with two of the 10 tested security products, and in this case, an increase in Windows Contacts search times is the main cause. While I can’t speak for everyone I know, I do not spend a significant amount of time searching Windows Contacts, so for me this isn’t much of an issue.
While these results are encouraging, a couple of questions need to be answered. As we mentioned at the beginning, we’ve limited our testing to performance with the virus scanner installed. However, what is the performance hit during an actual virus scan? This is something we hope to examine in a follow-up review in the near future.
However, for the time being, we’ve learned that a user can confidently install a virus scanner or Internet security suite without being too concerned about performance consequences. It appears that typical tasks we undertake when using our PCs will not be notably slowed by the security software on which we rely. In the end, I’m pleased to admit that my expectation of a decrease in general PC performance when a virus scanner is installed was incorrect and obsolete.






No comments:

Post a Comment