Proof that Antivirus software makes your PC crawl

Summary: Everyone has always suspected antivirus software of slowing computers down (at least through anecdotal evidence), but no one has ever been able to really quantify it precisely. A young English gentleman who goes by "Oli" has posted this wonderful analysis on "What really slows Windows down," with detailed measurements of the effects of typical desktop software and security suites.

A few months ago I declared: "It's time to toss out your (desktop) antivirus software!"  As far as I was concerned, running desktop antivirus software was a liability in and of itself because "Running antivirus on a personal computer is like having the bomb squad inspect a suspicious package inside the house right next to you."  The effectiveness of antivirus software is also questionable, since it can't catch zero-day exploits for which no signature has been published yet.  Now there seems to be another good reason to toss out that antivirus software.

Everyone has always suspected antivirus software of slowing computers down (at least through anecdotal evidence), but no one has ever been able to really quantify it precisely.  A young English gentleman who goes by "Oli" has posted this wonderful analysis on "What really slows Windows down," with detailed measurements of the effects of typical desktop software and security suites.

The desktop antivirus suites all appear to slow hard drive I/O, the biggest factor in PC wait times, so much that your PC runs slower than a 5-year-old computer.  Norton Internet Security 2006 was the worst resource hog and McAfee VirusScan Enterprise 8 the second worst; Norton Internet Security 2007 seemed to have improved, but was still the third worst.  Trend Micro PC-cillin AV 2006 was the fourth worst, and Microsoft's Live OneCare had significantly lower overhead.  Surprisingly, AVG 7.1 free antivirus came in with extremely low overhead compared to any of the other suites, so if you must run something, AVG might be the way to go, and you certainly can't argue with the price.

As anyone who knows me would know, I personally never use antivirus or anti-spyware software, and neither do most of my expert friends or colleagues, and we never get viruses even while running as full administrator.  When my family members use the computer, I set them up as standard users, and the worst I'll ever need to do is nuke their account and recreate it if something bad happens.  I'm also careful to give them only read-only access to family photos and files so that they can't accidentally delete them or click on some malware that would delete them.  Now how do I know I don't have any viruses?  I manually conduct occasional scans of the hard drive for viruses and spyware, and I never find any.



  • Hide and Seek

    Question George..

    Now I do agree that the AV suites are using an awful lot of memory and CPU capacity and that could be a reason not to use them, but what about those rootkit viruses with stealth ability.

    Do you find them too?
    Arnout Groen
    • AV won't find those things either

      "but what about those rootkit virusses with stealth ability."

      A locked down desktop is the best strategy to defend against those. AV/AS won't help you with targeted and undocumented attacks.
      • Manual scans and rootkits

        I have a really big question about manual scans and rootkits: How do you know what to look for when many viruses, malware, and all rootkits are intended to be hard to find or plain invisible to even an Admin? I understand that there are tools you can use, but how does any one person keep up with the variety of attacks, files, cookies, and other cr*p that goes around. At least with an AV suite, you can keep from downloading stuff to begin with. My Norton deletes/quarantines/cleans infected files as soon as they are downloaded. I don't have to chase after anything that gets loose, as I have had to do on other computers. Sure it takes memory, CPU, and even HD space, but so does an OS. Does that mean we should revert to a minimal OS, like DOS, and just run apps? I don't think so. It may be more secure, but most people wouldn't like to do things manually again. I thought that having a GUI, let alone having a computer, was supposed to free the average person of doing everything manually. Forgive my laziness, but if I had to manually scan for malware, I'd be doing almost nothing but manually scanning for malware. Also, the "average" PC user knows that it is almost impossible to do anything in a locked down account, so why bother. As I read in another article, many pieces of malware/viruses don't even care what policy you are running under, since they know how to get around it. I guess if all you do has nothing to do with the internet, and you aren't even connected to it, you might be ok. In the "real world," businesses have servers dedicated to removing malware/viruses before it hits a user's computer, and plenty of other policies for forbidding and restricting access to websites that are known bad, but things still get in. If it weren't for AV on a user's computer, we wouldn't even know there was a problem. Besides, at the speed of current and future computers, who cares if the AV takes up some resources.

        Anyway, Vista will require enough resources to cast a very large shadow over anything an AV program requires, even if you don't run Aero.
  • Tripwire

    At least one problem with antivirus is that it's based on knowing all of the mosquitos instead of using mosquito netting. Lost cause.

    Alternately, it's possible to simply identify the files that [b]belong[/b] and make sure that nothing changes. Any new executables, any changes to files in protected directories, or any changes to protected files (identifiable by a short list of rules) and you have an alarm.

    The whole process runs at a low priority and can be scheduled when disk activity is low. Besides, it's free.
    Yagotta B. Kidding
    • The problem with IDS

      There is an issue that you don't look for in IDS. The only problem with them is they can be implemented two different ways. I think Tripwire is the one where it is set to look for what is considered suspicious. Which is fine and dandy except if someone decides to pull a new exploit that Tripwire doesn't detect.

      The other method is to only watch for what is considered out of the norm. Which for some IT networks, such as the one I work with, the norm doesn't really exist.

      I am still considering an IDS, but this would probably be with a HoneyPot Network.
      • Normative

        [i]I think Tripwire is the one where it is set to look for what is considered suspicious.[/i]

        Tripwire registers signatures for the components of the system. Any change in a protected area is a violation.

        This kind of approach is admittedly vulnerable to things like scripts in user files such as MS Word documents, since they're changing all the time and are "executable" by design.
        Yagotta B. Kidding
        • Problems with Tripwire

          Tripwire is all fine and dandy for any hacker that doesn't do his homework, but if you are defending something more than your personal bank statement, say something like company credit card information, I would go with something a little more robust. One of Tripwire's main problems is that it hasn't been ported to anything other than UNIX/Linux. All of us Windows Junkies are left in the dark. Next, the kernel can be compromised and set to report false data to Tripwire. After that, who cares, because Tripwire thinks that everything is fine and dandy.

          As you said though, if they can get a script running that doesn't have to report to the OS such as a MS Word Macro, then you might as well consider your defense worthless.

          I still like the idea of a Honeypot network better.
    • yes, good point

      Having a hash of a known good system allows you to verify undocumented backdoors.
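The Tripwire-style approach described in this thread, as an added example that is not Tripwire's code and not part of the discussion: hash every file under a protected tree, keep that baseline where the machine cannot rewrite it, and later report anything added, changed or removed, with new executables called out. It also shows the answer to the "constantly changing user files" objection above, an ignore list for the volatile paths. The directory layout, file names and the list of executable suffixes are constructed for the demo.

```python
"""
Tripwire-style file-integrity check: hash every file in a protected tree,
keep the baseline somewhere the machine's attacker cannot rewrite, and later
report anything added, changed or removed.  Added example for this thread;
it is not Tripwire's code, and the tree, file names and suffix list are
constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Suffixes that trigger the "new executable" alarm.  Constructed list; a real
# rule set would be tuned to the platform being protected.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".cmd", ".ps1", ".sh", ".so"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, ignore: tuple = ()) -> dict:
    """
    Map each file under root (as a POSIX-style relative path) to its digest,
    size and mode.  Paths starting with any prefix in `ignore` are skipped;
    that is where the constantly changing user documents belong.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(rel.startswith(prefix) for prefix in ignore):
                continue
            st = p.stat()
            baseline[rel] = {"sha256": file_digest(p), "size": st.st_size, "mode": st.st_mode}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report violations: files added, removed or modified, with new executables called out."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        rel for rel in set(baseline) & set(current)
        if baseline[rel]["sha256"] != current[rel]["sha256"]
        or baseline[rel]["mode"] != current[rel]["mode"]
    )
    new_executables = [rel for rel in added if Path(rel).suffix.lower() in EXEC_SUFFIXES]
    return {"added": added, "removed": removed, "modified": modified,
            "new_executables": new_executables}


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and return the resulting report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "docs").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ original program")
        (root / "config.ini").write_text("updates=on\n")
        (root / "docs" / "letter.doc").write_text("draft 1")

        ignore = ("docs/",)  # user documents change all the time; not part of the baseline
        stored = json.dumps(build_baseline(root, ignore))  # in practice: keep this off the machine

        # Tamper: patch the program, drop a new library, delete the config, edit a document.
        (root / "bin" / "app.exe").write_bytes(b"MZ patched program")
        (root / "bin" / "dropper.dll").write_bytes(b"MZ new library")
        (root / "config.ini").unlink()
        (root / "docs" / "letter.doc").write_text("draft 2")

        return compare(json.loads(stored), build_baseline(root, ignore))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats from this thread are worth keeping in mind when running something like this for real. The baseline is only as trustworthy as where it is stored, so write it to read-only media or another host rather than the protected disk. And since a compromised kernel can feed the checker false data, the comparison is most believable when run from clean boot media against the offline disk rather than from the running system.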
  • For once George.. I agree 100%. (NT)

  • Just foolhardy

    AV software is like insurance. You can say that because you have never had a car accident, that you don't need insurance. You can give other people instruction in driving techniques, and they too don't need insurance. Just in case though, you don't let family members drive the new car (administrator), they have to drive the junkers (user mode) - which can be junked if something happens.

    Trying to use yourself as an example of a "typical PC user" is just dishonest. You are an expert administrator that maintains his equipment (and for others) in tip-top condition (I would expect no less). How many people set proper permissions on folders and maintain user accounts for the family? You must love being hassled to install ALL software, as those limited accounts will just frustrate those family members (and friends).

    Just what applications do you need to run faster that are SO critical, that you are willing to throw caution to the breeze?
    Roger Ramjet
    • My wife is a malware magnet.

      If it's malware, she's just got to have it. You name it... Weatherbug, Kazaa, she's installed it, usually at the instigation of some online friend. I've tried locking down her desktop, but that was intolerable for her.

      I'm gradually breaking her of it, but for her, anti-virus isn't enough. Every time I've installed something to prevent her from shooting herself in the foot she's found a new body part to willingly and eagerly shoot.

      AVG scans her ports for viruses. Spybot prevents unwanted changes to the startup files. I put the SiteAdvisor extension on her browser so she could see warnings before she downloads. And the browser is Firefox. Her email client is Thunderbird. Scripting is turned off. SandboxIE has been excellent. Name notwithstanding, it will sandbox [i]any[/i] program to protect your system settings.

      The very best tool has been to give her her own PC then save an image and keep all the important stuff off of it. Fortunately, as a result of all of the above I rarely have to re-image the machine anymore.

      Sadly, after having had to revive scores of clients' machines with the same sort of crapware installed, I've come to the conclusion that THIS is the "typical PC user", at least in the home market.

      I, on the other hand, am like George in that I never get malware. But then, I'm particular about what I run.
    • 2nd (nt)

    • Re: Just foolhardy

      He really isn't throwing caution to the winds. Quite the opposite. He refuses to rely on anti-virus software because they aren't foolproof; then he adopts computer-use habits that _are_ foolproof. That isn't relinquishing caution. To my taste, it requires an excess of caution. There are many things that you or I might download that George would not -- in fact, could not.
    • Here's a thought.

      It is interesting that AV scanning does have such a major impact on performance. At the same time many feel safer doing the high-wire thing with a net. Like all things in life compromise is required. Picking the lesser of two evils sometimes means thinking outside the box.

      Here's a thought.

      Disable active scanning of the work station. Schedule a full scan during a time the end-user won't be there (try lunch-time, I run mine at 5:30 and leave the system on over-night during the week) and keep the firewalls, e-mail scanning and network level security practices in place.

      Of course the REAL solution would be to stop the cretins and hackers that cause the problem from having a way to get in in the first place, but that would take cooperation within the software industry, and the hackers all know that isn't about to happen.
    • Hey Roger You know what I tell my family and friends...

      I tell them the best anti-virus software is to disable his network card and don't allow the kids on the computer. Failing that, buy the kids their own 2 generations back used $99 computer and when they fill the computer with viri, Trojans and worms, wipe the partitions and teach them to re-install the software, all of it. The next time they do it, tell them they have to do it all themselves and hide the DSL router until they do it. Finally the next time they will have to do the installs over again and buy their own anti-virus software. I never had to go past step 3.
      You teach them to stay off the porn and teen sites and game cheat sites, most of the virus problems go away. Their friends send them a virus, they block that guy from their email service.
    • Er...a whole whack of apps!

      [i]Just what applications do you need to run faster that are SO critical, that you a willing to throw caution to the breeze?[/i]

      Well...let's see: games, a word processor, a spreadsheet application, a programming application, a text editor, a digital photo editor, a draw program, calculator...there are SOOO many...too many to fully mention.

      The real question is what are you doing that you have to constantly run a virus scanner? I mean, I do start mine up (using Starter..great free app) when I go onto the internet or open email, but I don't have the thing running 24/7.
  • Good use for Dual Core / DP machine

    I have a few proggies that detect unwanted changes or new executables. I still worry about Trojans and other types of malware, though.

    I typically run all my background processes on my second proc, and set the affinity to my first proc for programs that I typically run in the foreground.

    My machine never crawls with this setup. CPU intensive tasks like Nero ROM burning also get shuttled to the second CPU, so not even my browsers slow down when I burn a disk!
    • That doesn't help with boot time or I/O

      I/O overhead is the BIGGEST factor in slowing a PC down. Dual core won't help you with I/O.
  • Where did CA's ETrust Rank?

    I use this at work, and I think the only overhead we ever have is if we let it check the network drives. If we keep it off of there, it seems to do quite well. Norton 2004 I think was the version where I had enough of Norton AV. I had to remove it from my Transmeta Laptop out of sanity. That laptop which was slow to begin with was to the point where I wanted to destroy it.
  • Wrong: With EZ Antivirus 2005 running, our test system scored a remarkable 100--with no reduction in overall system speed

    Look at the table. This is why I run eTrust AV on my laptop.