Emsisoft Anti-Malware 8.xx Collective Thread

Discussion in 'other anti-malware software' started by Mops21, Jun 19, 2013.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    benchmarked "SATA HDD speed approx. 180 Mb/s."

    If you consider that "slow", what is your opinion of normal or fast?
     
  2. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    I didn't say your disk is slow. I said it's the limiting factor or bottleneck. 180 MB look good on paper (realistically transfer speeds during scan are a lot lower because of disk seeking), but when the scan engine is able to handle a few GB per second on your modern multi-core CPU, it doesn't get data nearly as fast to the CPU as would be necessary for the cache to have a large impact.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I agree but I contend that your software as far as scanning goes is not "properly tuned" for multi-core processors; at least AMD. I illustrated that by setting the thread count to the current maximum allowed - 12. Hopefully later releases will improve in this area. Again, the average user should not be expected to have to "tune" his AV scanning software. This "tuning" should be performed at software installation time.
     
  4. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Please download Process Explorer and run it. Go to "View", "System Information". Switch to the CPU tab and enable the "Show one graph per CPU" option. Then start a Deep Scan and watch the CPU graphs. What you will see is that EAM will distribute the work across all your CPUs. So how exactly does it not use your multiple cores properly?
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Since we are getting technical here, you are correct. EAM on all scans uses all of my 6 cores.

    However on my PC with no other activity, it is only effectively using two cores. This is what I meant originally. The overall core usage is much higher on a deep scan than it is on a smart scan; don't know why that is. Of the two cores being effectively used for a smart scan, I never saw core usage exceed 16% and the average was around 10%. For the remaining four cores, the usage was negligible - 2 to 5%.

    My suggestion is this, add a throttle parameter to the performance options settings. Most AVs have this in the form of an abstract setting that gives priority to scanning over applications, etc.

    -EDIT- I also ran a smart scan with thread priority set to "high." It knocked 1 minute off the previous smart scan time 20:53 at "normal" priority. That's a 5% improvement. :thumbd:
     
    Last edited: Jul 13, 2013
  6. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Most likely due to the fact that Deep Scans have the archive scan enabled. That keeps CPUs more busy as you essentially increase I/O efficiency (you may read 1 MB from the disk, but it can blow up to 10 MB for the scan engine to scan through).

    That has nothing to do with multi-core support. It simply means that data can't be read fast enough from the disk to keep all your cores even remotely busy.

    You can already set the scan priority. In addition, scans are throttled automatically if you send EAM to the background. EAM assumes that you want to do something else when you switch to a different application and reduces both its CPU as well as I/O priority. That does not necessarily mean that the scan will be slower though. It will still consume all the resources that are available and not needed by the rest of the running applications. It just means that if the application you switched to suddenly requires a bunch of CPU power or wants to read a lot of data from the disk, EAM will dial its scan down a bit to make more resources available for your application in the foreground.
     
  7. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Again, those are CPU priorities. We already established that CPU isn't the bottleneck. Reading the data is on your system. So that option will have almost no impact on scan times.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Well, I believe we have exhausted this scan performance topic.

    Emsisoft's stance is that the "bottleneck" as it was put is my overall system configuration. I don't agree. If I had an issue with system configuration, it would have surfaced on scan times for a number of other AVs I had installed on this system. I had no issues in that regard.

    Time to move on to another topic ..............
     
  9. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Funny thread. :rolleyes:
     
  10. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
  11. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    These statistic sites are seriously messed up. We already tried to contact them to find out what is going wrong, but so far we got nowhere. Their argument is that nobody should trust those data anyways and that they are not a comparison. Same with CRDF.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Finally received a response from Trusteer Rapport:

     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This does bring up a question I have.

    Bitdefender has a rather aggressive heuristics feature, Active Virus Control, which probably explains their high rankings in 0 day tests.

    Any AV I have ever used that had a heuristic feature had features to adjust detection sensitivity with an inverse relationship to false positives, set exclusions, etc.

    I see no evidence that a heuristic feature exists in EAM? All I see present in EAM is Bitdefender's realtime AV scanner which is signature based. This also syncs with EAM's much higher rating on the above retry test results.

    Now a valid argument can be made that EAM's behavior blocker "should" catch the 0 zero day on execution but the malware has already been installed on your PC?
     
  14. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Active Virus Control is not a heuristic. It's a behavior blocker like the behavior blocker in Emsisoft Anti-Malware or Mamutu. It only works in real-time.

    They are present. There is no difference between on-demand scanning as performed by EAM compared to on-demand scanning as performed by BitDefender.

    The retry test is bonkers as well. If you look into some of the daily results, the BitDefender retry test score is lower than the day0 score, which according to their proposed methodology should be impossible.

    The same argument could be made for every behavior blocker. No matter what its name is: AVC, Sonar, PDM, or Mamutu.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Thanks for the clarification. I was a bit concerned on that issue.

    Some employ sandbox technology which would prevent any installation.

    Other heuristic scanners do the following:

    http://www.pctools.com/security-news/heuristic-virus-definition/

    I use the above to differentiate between heuristics and behavior blocking.

    Pertaining to the Shadowserver tests, wide variations have been shown in prior testing. The one that comes to mind was Avast's ranking a while back where their results went from the bottom to top in a few days. I believe that if one wants to use Shadowserver tests for ranking analysis, they have to look at the results over a set time period such as 30 days and develop an average ranking based on those results.

    Oops - I just reviewed the stats for Emsisoft for 30 and 60 days and they mirror the recent weekly test.
     
    Last edited: Jul 14, 2013
  16. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    716
    Location:
    UK
    I have to commend Fabian in how hard he works answering everyone's questions regarding Emsisoft, nothing seems too much for him. Good job :thumb:
     
  17. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Your argument was that behavior blockers are useless if the malware infects the system before the behavior blocker is installed. The same applies to sandboxes. Or how do you propose would a sandbox help you prevent a malware from infecting your system, when the sandbox isn't even installed or running on your system at the time of infection?

    I would suggest to just stay away from using any of these automated statistics. Especially if they are full of blatant inconsistencies like in this case. There is a reason VirusTotal removed all statistics from their homepage.
     
  18. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    What makes me laugh is that CRDF is generating "tests" reports using VT reports...what da... o_O
     
  19. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    :thumb: I agree. And not only within the thread itself. When I was experiencing some unexpected issues with the most recent version of EAM, Fabian helped me to suss them out and get things working again.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    More on Shadowserver testing:
    http://kevtownsend.wordpress.com/2011/09/07/shadowservers-new-anti-virus-test-suite-%E2%80%93-how-good-is-it/

    And a confirmation of the above article:
    http://www.scmagazine.com/shadow-boxing/article/211381/

    The general consensus - their results are not suitable for comparative analysis.

    There are also a few threads on Wilders stating that Shadowserver is just doing mass harvesting of whatever is in the "wild" and that their samples are not exclusively 0 day.

    On the other hand there is the "rogue versus establishment" theory. In this case the rogue is Shadowserver and the establishment is AMTSO.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This is what my logs show over the last 24 hours. However, yesterday around this time I did receive a 23Mb download.
     
  22. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I don't have any problems with the big updates, as long as they are not in the 100MB+ :D
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I got File Guard to run well with zip impact performance wise by setting scan settings to read but only using default extensions. This should block most bad guys from even downloading. I did try unchecking the default extensions but it slowed browser speed and I started getting apps hanging up.

    I do like the web protection privacy detection. It might be a bit too aggressive for some people but I hate being tracked and this option catches many things no other AV I used ever did.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I have a question about behavior blocking aka Mamutu. Do Internet facing trusted apps such as your browser need to be manually added in monitoring mode? Or does the BB automatically monitor all apps for all checked behaviors?
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I think it is a system-wide behaviour watcher kind of thing ;)
     