The Blame Game
Remember the days of Windows 98, when CPUs ran at triple-digit MHz speeds and slogged along with less than a gigabyte of RAM? Installing a resident program like a virus scanner often meant committing performance suicide. And heaven forbid a scheduled scan start up while you were actually at your desk. Productivity could literally grind to a halt. At least that’s how I remember things through the fog of time.
Today's personal computers are much more powerful than they were a few years ago, so perhaps the notion that an anti-virus application will still have a debilitating effect on performance is obsolete. Still, folks who began using computers after multi-core CPUs and gigabytes of RAM became the norm have likely never used a PC without a virus scanner installed. They'd have no way to relate to the days of running lean and mean to keep speed manageable. Now we have resources to spare. Cores sit idle, waiting for a task to execute, while low prices on memory make 6 GB and 8 GB kits affordable for even mainstream users.
We should make this perfectly clear: while it’s undeniable that an active virus scan can cause a heavy performance burden, what we’re really curious about is whether or not performance is affected when a system scan is not running. Does it take longer to open files when you have a resident virus scanner installed? Does the presence of the software tax CPU resources while you’re running other programs? What kind of tasks are most affected by security products, if any?
When faced with these sorts of questions, it’s only natural that we’d run some tests to unearth the real answers—this is Tom’s Hardware, after all. So let’s look a little deeper into quantifying the anti-virus conundrum.
What Does A Virus Scanner Do?
Before we begin our tests, we should at least consider how virus scanners work so that we can see if the results are in sync with our expectations.
There are two main mechanisms that most virus scanners use in order to keep your system safe: file checking and behavior monitoring.
File checking is by far the most prevalent technique. The idea is simple: the virus scanner examines the files on your PC for known threats, a threat being a signature of code that is associated with a particular virus. Because new viruses are being released all the time, most virus scanners will periodically download updates containing the new threat signatures.
How could file checking affect performance? Typically, a virus scanner will examine files for threat signatures every time a file is written, opened, closed, or emailed, or when a virus scan occurs. It thus makes sense to predict that applications accessing files on a regular basis might be slowed down by anti-virus software. Conversely, programs that don't involve a lot of file access might then remain relatively unaffected by the presence of a virus scanner.
Behavior monitoring is the second technology that anti-virus software employs to identify threats. This is a pre-emptive strategy to deal with viruses that have not yet been identified or added to the threat-signature dictionary. The virus scanner monitors the system for suspicious behavior, such as the alteration of executable files. This virus-prevention technique probably has very little effect on system performance, since suspicious behavior is probably somewhat rare.
That should be enough of a top-down overview to get us started. Let's get on with the tests!