AV-Comparatives: balance between performance (low speed-impact) and real-time detecti

[harlan4096]

In the past, a common complaint about antivirus programs was that they had a major impact on system performance, i.e. made the PC run more slowly in everyday use. Nowadays, anti-virus products use different optimization techniques to reduce system impact and disruption of everyday tasks.

In this blog post we want to answer the question as to whether any of the performance-enhancing measures taken by anti-virus vendors might have an impact on products’ ability to detect malware under some circumstances. To this end, we checked whether anti-virus products consistently detect malware in specific scenarios.
 
Finding the right balance between real-time malware detection and performance is challenging. Anti-virus vendors optimize their respective products in various ways to reduce the impact on system performance. Below are some examples of optimizations that could theoretically be implemented in some products. All of them could have a positive effect on performance, but might reduce the detection rates of any malicious files. We do not guarantee any completeness or correctness for the following list, as there are many unknown variables and different implementations which we cannot consider. Only the respective anti-virus vendor could provide exact answers and technical details about an individual product.

• Exclude analysis of specific file types: the anti-virus often excludes specific file types (or even file extensions) from analysis.
  
• Exclude analysis of files signed by known developers: the anti-virus might exclude files signed by known developers from being analysed.
  
• Exclude analysis of files whitelisted by the security program: the anti-virus might exclude analysis for a list of specific, predefined, whitelisted programs.
  
• Exclude fingerprinted files or programs: the anti-virus might skip re-analysing files that have already been analysed, or have not changed since the last analysis or update. Furthermore, files which are accessed by the user in the current Windows session might be analysed just once, and re-analysed only after a system reboot or signature update. Some programs might suggest or run a full on-demand system scan immediately after being installed, in order to fingerprint certain files on the system.
  
• Different heuristic analysis levels: depending on the origin of a file (e.g. from the Internet, on local disk), the action a user performs on a file (e.g. copying, archiving, or launching), or how many files are processed, the anti-virus might apply different heuristics methods during its analysis. With some heuristics models, the analysis might take less time to complete, thus consuming fewer system resources.
  
• Exclude analysis of specific targets: analysis might not be performed when files are written to specific target locations (e.g. USB drive) during copying, unarchiving, downloading, etc.
  
• Exclude analysis of files on large media or network shares: the contents of media with potentially high storage capacity (e.g. USB external drives) or network shares might not be analysed.
  
• Exclude analysis for different partitions of the same disk: analysis might not be performed when files are copied/moved between different partitions on the same disk.
  
• Exclude analysis of files while they are created/read/moved/copied: the anti-virus might only analyse files when they are executed.
  
• Exclude analysis of specific file names and/or locations: the anti-virus might exclude files with specific names and/or in specific locations on the system from analysis.
  
• Exclude analysis for specific actions: analysis of files during operations that often take some time to complete (e.g. archiving or unarchiving files), might be disabled.
  
• Start analysis after specific actions: analysing might start only after the current operation (e.g. copying or unarchiving files) has been completed. In that case, the user might not notice any performance drops during the operation itself.
  
• Limit number and size of files to analyse: when multiple files are copied (either loose or in folders), the anti-virus could analyse only up to x number of files and then stop its analysis for the remaining files. Likewise, the anti-virus might skip analysing large folders or files, or might just run spot checks on some files, rather than analysing all of them.
  
• Different default analysis levels depending on the hardware: by default, the anti-virus might perform a more in-depth analysis on high-end machines, but a less-comprehensive analysis on weaker hardware, in order to reduce pressure on the limited resources.
  

How did we test?Several different typical user actions were carried out on a clean and up-to-date Windows 10 21H2 system, with the respective consumer security software installed (keeping default settings). The test system had an active Internet connection to allow for the real-world impact of cloud services/features. These activities might be seen in day-to-day operations of users, but with the addition of malicious files to the respective scenario. To get a more complete picture of the detection mechanisms offered by each program, we used various techniques to carry out these actions. For example, with the file-copying check, we used different tools and procedures to copy the files. We also considered different locations and directions.

• File copying: we copied a set of files that consisted of multiple clean files and one malicious file.
  
• Archiving/unarchiving: to test archiving, we archived a set of files that consisted of multiple clean files and one malicious file. To test unarchiving, we prepared an archive containing one malicious file and several clean files; this was then unarchived using the respective test PC.
  
• Installing applications: we installed an application that drops a malicious file on the system disk during the installation process.
  
• Launching applications: we opened a malicious document with the corresponding application.
  
• Downloading files: we downloaded malicious files from various web servers on the Internet.
  

The malicious samples used in this test would be detected by all the tested programs in a simple on-demand scan. The test checks whether these same samples would be detected in the additional specific scenarios listed above.

Please note that the scenarios used for this test are only a subset of the possible scenarios that could be tested. It is not practicable to test every conceivable scenario, given that there are a number of variables (file types/locations, numbers/sizes of files, folder structure, drive type etc.), and that the possible combinations of these variables are unlimited.

Findings

The following products were checked in April 2022 (with default settings): Avast Free Antivirus, AVG Free Antivirus, Avira Prime, Bitdefender Internet Security, ESET Internet Security, G Data Total Security, K7 Total Security, Kaspersky Internet Security, Malwarebytes Premium, McAfee Total Protection, Microsoft Defender Antivirus, NortonLifeLock Norton 360 Deluxe, Panda Free Antivirus, TotalAV Antivirus Pro, Total Defense Essential Antivirus, Trend Micro Internet Security, VIPRE Advanced Security.

The table below summarizes the results for each scenario, showing whether the security programs analyse files for malware during common operations such as file copying or downloading.
...

Full Report