One of the things I've noticed about antivirus software in general is that it uses a lot of disk I/O, and creates lots of intermittent CPU spikes. It appears that most AVs do background scanning of filesystems and RAM for malicious code. Is there any antivirus software that does not do this? i.e. - Assume the system starts out clean - Hook system calls for opening files and creating processes - If a target file's modification time is different from the last time it was scanned (or if it was never scanned before), then scan it - Otherwise don't do anything Is this in any way a reasonable approach to dealing with malicious software? What are the caveats? Could performance problems with large files be mitigated by e.g. only examining the portions of the file cached in RAM? If I'm not making sense here, let met rephrase the question: can an AV product be designed - or has one already been designed - that does not cause significant I/O or CPU usage on an idle system?