Antivirus "hiding" it's true RAM usage

Hello..

I remember a thread here previously about some one that upgraded from NIS 2009 to NIS 2010 and complained that his XP machine had 120MBs of RAM less available after the upgrade. However the processes that NIS 2010 installed didn't seem to consume a lot of memory.

If I recall correctly it turned out that "Svhost.exe" was consuming the extra RAM with NIS 2010 installed. Uninstalling it would free that RAM again.

Last night I was reading some AV reviews and it seems to me that every one just checks these processes for RAM and see like a very low number and are very pleased but I'm starting to wonder. It was obvious from this person's experience that NIS 2010 consumed a lot more resources then NIS 2009 through the Operating System's own process.

I believe this should be investigated more as we might be looking at potential smoke screen attempt to hide resource usage.

Your professional and objective comments are appreciated.

 

something like ProcessExplorer comes in handy when reviewing ram usage
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

some AV like to help the user be monitoring and controlling WU and when that is active Svhost.exe usage will increase for the duration of the check or update. It is its normal operation.

 

Surely all that matters really is the impact to the user, assessed by how slow the system is after the antivirus is installed. If the system remains fast, it's good, if the system is slowed down, it's bad, regardless of what RAM usage says.

 

Simple logic:

more features -> more resources
new advanced technology -> more resources
more threat gates to control -> more resources
more etc. -> more resources

.. it simply requires more computing power to handle all the new features and technologies, though computers are also getting faster and compensates that.

Same applies to cars: fast cars with lots of security features and electrical equipment use more gasoline. However fuel, tire, material and engine technology is compensating that.

 

Yes, this is actually the point. Its not about RAM or CPU. Its how you feel the system before and after and this changes virtually for every machine you use

 

You can add Threatfire's latest editions to this. I used Threatfire with XP for quite some time without any problems. Months back when they had a semi big program update I had problems with it auto updating, meaning it wouldn't. Final fix was to uninstall old version, cleanup and install new version which I didn't want to do but I had to. After installation, I checked mem usage with taskmanager and Threatfires mem usage for the few processes running was actually a little lower than with previous versions but Rainmeter on my desktop showed the overall total mem usage had increased over 100mb's. I never could track down which process it was that caused the increase and reported this on Threatfire forums with no useful reply. After a long run with Threatfire in XP, I sidelined it and haven't went back whilst running XP. Now then, I am dual booting Win 7 and decided to give it try with Win 7. Long story short, it's the same thing. Threatfires process show small mem footprint but overall mem usage has increased over 100mb's. Only thing that looks different in task manager is that it seems as though a few more svchost's have been added but when hovering over them in taskmanager(with Prio installed) I don't recognize any of the child processes attached to the svchost.exe's. I still have it running in Win 7 for now, but Eaz-Fix is a click away from removing it.

 

Good analogy but in light of this

I agree with Templar, at least in my case with Threatfire. TF folks insist that it's lighter than previous versions when it's not. They also have no answer as to why or even acknowledge that the overall mem usage(not their ID'd processes) has increased over 100mb's, at least they hadn't the last time I visited the forums which has been awhile back so I will leave room for error on my part/comments since I have not checked lately.

 

Hi and thanks for the posts.

1) About the system being fast so it's not about how much RAM is consumed.
== You're absolutely right it's about the system remaining responsive and secured at the same time. However keeping an eye out on resource consumption is an issue that should remain in focus, does any one want the old Norton back? Importantly developers shouldn't be able to claim one thing or insinuate one thing rather and then do another.

2) More features and improvements do often need more resources but speed gains through software and improved code can leapfrog software. Every one that's done any programming knows this. This is about balance and when to rewrite code etc. many variables that developers have to weigh in and consider.

I would like to see a performance test like the one that recently was done by AV comparatives but include in that a startup script that would execute process intensive and HD intensive operations that would need, say, 300 seconds to run on average. Check to see how long it would take the computer to run those operations right from startup. This would give an indication of how much "startup gap" is created by each AV solution.
Also just how much RAM is "available" before and after, not checking the process.

Simon

 

Templar,

RAM usage is less relevant nowadays. Total CPU time and disk I/O are far more relevant for the effectiveness of an AV, see picture

Windows Defender (without check on execute) and Avast (only file shield check at write) use very little CPU (1 sec in one hour) and have 50MB disk access in one hour (which is a second on older disk, half a sec or less on more modern disk like a Samsung F3). Remember this is on an Athlon single core 3700+ running 20% overclocked with 2048 MB ram (old fashioned 8x/400Hz=3200 dual).

 

I'd like to hear an explanation of how Norton hides memory usage in svchost.exe when there's nothing Symantec/Norton related in any of the svchost.exe running on my system. Someone educate me.

 

Well, I don't know about Norton but now according to the folks at TF forums when asked yesterday said this,

but as I mentioned earlier, for me it's well over 100mb overall and never drops back down. The two always running TF processes are never over 5 or 6mb combined but the overall mem usage is always seen as being over 100mb extra and never drops back down.

 

Me too. Also for Threatfire. I use process explorer and don't see any svchost.exe related to any of my anti-malware apps.

Looking at "overall ram use" with one program installed versus another seems like a very unspecific, unscientific way to gauge a programs usage.

 

Very good point about IO/disk usage and CPU time. However less might mean less secure so it's not as straight forward as bean counting.

I'm sure we'll see future "performance" tests mature as we go as there are several interesting points raised here already.

Important to realize tho that a product resource usage does matter and as such should be open for review. We cannot just dismiss it and say I need to be secure so I don't care how much RAM or HD my AV uses. A product is defined by several variables and one of them is how much it weighs down your system.

Any one with more tests or experience about certain Suites weighing computers down but showing process with very little ram usage?

Simon

 

yep, ram usage does not tell its true ram usage, or rather its true pc performance.

i mistake alot of PC users truly make indeed.

 

Hello there, Its me, i was the one who found out that norton used more memory than what they claimed, I posted my findings to this forum and guess what, I got whammerd from major norton maniacs.. I now use eset, and i'm very satisfied with it.

Some here told about performance , let me tell you i was running a background scan with norton 2009 and was browsing, suddenly my os got jammed, my cpu was at 100% and was used by norton2009. It only happened twice .i have a atom 230 + 1gb ram

Now i'm using eset, the process show's 53MB usage (still 100+Mb lighter than nis2009) and while scanning eset SS only takes around 100MB at max while NIS 2009 took around 300+MB and that my friends is 120MB+300++ = 420+MB .

This is not a comparison, Just pointing out the fact that i found

I've tried with process explorer but i cannot find the extra memory usage by nis but i can sure find the difference in my taskman>physical memory usage (just note the memory before & after installing nis, see the difference)


Also 1 more thing, I've heard a statement above that pc's are getting faster, Yes i agree my friend they are. But what shall we do for virus protection for old pc's, we cannot just throw out all the old p3's & p4's.


Antivirus sw are like an essential packages for windows and only windows. The vendors must find a way to make there packages light to be resource friendly with old pc's too. Why can't they make antivirus optimised for system configurations..

 

i personally use whichever feels quicker on my machine, regardless of Ram usage.

i have 8gb of the stuff, why does it matter if one uses 50, and some other uses 100-200mb or whatever, i dont notice it anyway.

the speed of the product is what is more important, not scan speed, but PC Performance speed.

 

Good question -- and, I don’t have an answer.

The two ways to inspect the memory usage of Norton Internet Security 2010 of which I am aware are:

• Use Process Explorer, which reports 50 MB of virtual memory (private bytes) and 9 MB of physical memory (working set) usage during normal (non-scan) periods for ccSvcHst.exe on my PC. There are no other Symantec components reported.
• One can also examine the Memory tab in the Performance display of Norton Internet Security 2010. On my PC, it’s so negligible that that it is barely visible on the graphic display of memory usage over time, even when zooming in and viewing by 10 minute intervals.

If I’m missing something, please do clarify and explain.

P.S.: For a good explanation of memory usage, please see The Memory Shell Game.

 

Some people are not as fortunate. I do have 2gigs and I mostly agree that it doesn't matter but if a product is pushed as being lightweight in the mem usage and overall it isn't, then I'm curious as to why.

 

Disk I/O ?

Disk speed (RPM ?) is more or less standard for consumer grade PCs, with enterprise versions sometimes being faster.

Solid State drives may be faster, but they are also more expensive.

Quite some time ago I looked at the various speeds of HDDs of consumer grade computers, and the speed was usually the same. I don't remember the numbers.

There are many sizes of an HDDs, but the speed is usually the same.

Is there a good way to find a faster HDD, without spending A LOT ?

I'll have to replace this old machine sooner or later.

 

I run a HP Workstation with 15K SAS drives, using a LSI controller. Certainly it’s more expensive than SATA, but it is not as expensive as you might think.

 

Process Explorer - Peak Working Set...

 

Peak working set is just that.. peak. It is not in any way relevant to the average working of the computer.

I find this thread to be somewhat of a witchhunt motivated by some security vendors who are feeling the heat from Norton's recent performance as well as effectiveness improvements. Its amazing to see how the smaller players like ESET, BitDefender etc have full marketing campaigns based of off "is your internet security bringing your computer to a crawl ? Try MY product". This is ofcourse a poorly disguised dig at Norton's poor performance in previous years. Ofcource when the target of these remarks is now faster than your product your whole campaign falls flat on its face. So what does one do ? Make up stuff.

Now that Norton is well on its way back to establishing its dominance, they are trying to do everything to find something amiss. How about focusing on improving your products instead.

 

With a clean slate (no AV) check Task Manager's Commit Charge at the bottom, right after a reboot.

Then install and configure your AV as you want it, reboot, and re-check Commit Charge.

 

I really can't see why people care about ram so much. I could understand if this was 2001 and 256 - 512 was the norm but now ? Unused ram is useless using a tiny percentage is not hurting your computer, other then having bragging rights. I got 4 Gigs of ram and Windows boots up and uses just 100 megs yeah look at me. People need to let the Ram subject go and start getting on stuff that really does affect the computer now CPU and Hard Drive access.

 

People that are annoyed by other people that care about RAM use should "just let it go".