AV execution speed

  1. #1
    Member
    Join Date
    Aug 2004
    Posts
    36

    AV execution speed

    I am surprised looking at the speed of most AV scanners. Let us say there is a 1 MB file which may potentially have one or more of 89000 viruses. All their signatures have to be searched in the entire content of the 1 MB file, as I understand it. Then, how is this done so fast, where the 1 MB file is scanned in less than a second?

    Hope I could get hold of an open-source AV solution so that I could read the code to understand the excellence behind it.

    Any information on this topic will be helpful.

  2. #2
    Banned
    Join Date
    Apr 2006
    Posts
    2
    Hi kautilya, if you think virus scanners are fast then just take a test of the open-source AV called "clamwin". It's really slow, I think it really does scan every file in its entirety.

    Why I think that most AVs are fast is that they are probably smart enough to exclude many files from requiring a complete scan. I would guess that with certain file types (say a wav file for example) it would be sufficient to just verify that the file-header matches the file type correctly and then just declare it safe without further scanning.

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    OK,

    It works something like this:

    1. There are probably about 350,000 malwares by now.
    2. A lot of them are obsolete and will not run on a modern system.
    3. A lot of them will only work in a certain way, so an executable file infector is useless with an MP3 file................and so on.

    What is happening is that your file types are getting scanned for known infection types that suit that file. That cuts the scan down a lot.

    Also, look at if you are doing "deep scanning", "heuristic scanning", and if you are scanning within "compressed/archived" files?

    Those options significantly change your response time. Anyways, how can Google give me 60 Million results in under two seconds?




    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Junior Member
    Join Date
    Nov 2005
    Posts
    10
    Hmmm.

    With Google I think it's different. They already have an index of keywords and stuff like that, and this cuts the time tremendously. It's not like they crawl sites only when you search for something. They do it before and prepare an index of keywords and based on this index your results are displayed. One can try searching for some awkward phrase or word and it will turn up zero matches. The same is true for certain misspelt words.

    Please correct me if I'm wrong.
    /* darkcod3r */

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Hi darkcod3r,

    Yes, that is true, but somewhat similar to the AVs' "pattern" or "dat" files which are preconstructed.

    You can also use "quick" or "intelligent" scanning options as well. Here you know if a malware is "stand alone" or an "infector". Obviously if it is stand alone you would only have to scan a very little to recognise it. In the case of the infector (virus) you would know if it replaced a valid file, appended or prepended itself or inserted itself.

    Using that knowledge you can minimise the amount of the file that needs to be scanned. Also you would scan only "favourite" targets like executables, and tend to ignore e-mails, pictures, music and the like which would only get looked at in a full scan. You might particularly take this option if you are interactively scanning downloaded items anyway.

    Another method is to calculate checksums for the files. The scan would then only look at files that had changed since the last checksums were set, or that were new.

    Obviously setting your AV to do a full scan with updated pattern files, heuristics turned on and running in safe mode would be the most reliable.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    This is how google works you tards. LOL.

    http://www.google.com/technology/pigeonrank.html

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Senior Member
    Join Date
    Mar 2005
    Posts
    400
    Originally posted here by thehorse13
    This is how google works you tards. LOL.

    http://www.google.com/technology/pigeonrank.html

    Geezzz...

    And I thought it had something to do with squirrels searching for nuts.

    How come I didn't see this at first? Pigeons, I should have known all along.
    *smacks forehead*
    ZT3000
    Beta tester of "0"s and "1"s"
