Why antivirus software is slow

By John Viega, PC Advisor UK
February 09, 2010 12:21 PM ET

PC Advisor UK - Even a bad AV technology can be valuable, because protection against, say, 30 percent of all threats is still a lot better than protection against 0 percent of all threats.

However, besides the lousy protection, there's still plenty not to like about old-school AV technology.

The average person may not know whether AV software really protects her or not, but she generally knows that it is slow. This is certainly the most common complaint I hear about the technology from average consumers.

So why is most AV so slow?

Let's start by looking at the time people notice it most - when their computers are starting up.

Yes, any software that's going to protect you proactively needs to load up when the computer starts, and that could take a bit of time.

But AV products seem to feel the need to check the files on your computer for signs of bad stuff, and that is often what takes up the time.

The idea behind scanning your computer for bad stuff on bootup is that there might be things on your machine that have been newly determined as bad.

So, maybe there's a screensaver you downloaded a week ago, but your AV company just decided today that it is bad.

Or, in some cases, you might have got bad stuff on the computer when the AV software wasn't running.

For instance, you might have a dual-boot machine, meaning you have a second operating system on the machine that can write to the same disk drive. Maybe you run Windows and Linux, and downloaded some Windows virus while running Linux (where you're unlikely to be running AV).

The typical thing for AV software to do is to look at each file on your filesystem, determining whether or not it's bad. With most AV software, that process of judging a single file is stupidly inefficient.

For instance, many vendors rely heavily on a technique called cryptographic signature matching, but do so in an unintelligent way.

First, let's look at what cryptographic signature matching is. AV vendors would like to do exact matching and say, "This file we're looking at is an exact digital copy of this bad file we saw yesterday."

However, they don't want to have to put every piece of malware ever seen on customers' computers - that would take up too much space and would put even more ammunition in the hands of the bad guys.

Instead, they use some cryptography that takes the file as an input and spits out a number that is a fixed size.

The interesting thing is that the number that comes out appears to be purely random, but every time they enter the same input, the same output pops out.

The numbers that pop out of this algorithm are big numbers - so big that they won't ever see two different inputs that give the same output.

This algorithm lets AV vendors say, "If a file's cryptographic signature is 267,947,292,070,674,700,781,823,225,417,604,638,969, it is bad."

Now, they just have to store this number, not the whole file. The bad guy might like to try to produce bad software that gives the same results as popular good software.
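
The matching scheme described above, sketched as an added example (not code from the article or from any AV product). It assumes SHA-256 as the fixed-size function, since the article does not name one; the file names and sample bytes are constructed placeholders.

```python
import hashlib
import os
import tempfile

def file_signature(path, chunk_size=65536):
    """Return the file's SHA-256 digest as an integer (always 256 bits)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return int.from_bytes(h.digest(), "big")

def build_signature_db(samples):
    """Vendor side: keep only the digests of known-bad samples, not the files."""
    return {int.from_bytes(hashlib.sha256(s).digest(), "big") for s in samples}

def scan_directory(root, signature_db):
    """Client side: hash every file under root and report exact matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if file_signature(path) in signature_db:
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(hits)

def demo():
    # Constructed sample contents: harmless placeholder bytes, not real malware.
    known_bad = b"CONSTRUCTED-SAMPLE-FLAGGED-BY-VENDOR" * 1000
    db = build_signature_db([known_bad])
    with tempfile.TemporaryDirectory() as root:
        contents = {
            "screensaver.scr": known_bad,        # byte-identical to the sample
            "variant.scr": known_bad + b"\x00",  # not identical, so not matched
            "notes.txt": b"hello",
        }
        for name, data in contents.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        hits = [os.path.basename(p) for p in scan_directory(root, db)]
        sigs = {n: file_signature(os.path.join(root, n)) for n in contents}
    return hits, sigs

if __name__ == "__main__":
    hits, sigs = demo()
    print("flagged:", hits)
    for name, sig in sigs.items():
        print(f"{name}: {sig:,}")
```

The database holds one number per known-bad file regardless of file size, and only a byte-identical copy produces a match.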
