GPU accelerated Antivirus

Discussion in 'other anti-virus software' started by VectorFool, Jan 10, 2013.

Thread Status:
Not open for further replies.
  1. VectorFool

    VectorFool Registered Member

    Joined:
    Oct 21, 2012
    Posts:
    280
    Location:
    India
    http://www.kaspersky.com/news?id=207575979

    i remember late in 2009 Kaspersky announced that they would release an antivirus which would use the GPU cores to accelerate the speeds by almost 360 times.
    did they actually release a product with this feature?

    are any other antivirus vendor's working in this direction?
    are there any Antivirus products presently available in the market that use GPU to accelerate scans?
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    avast! virus lab is also using similar tech:
    http://blog.avast.com/2012/12/03/new-toy-research-lab/#more-11102

    I think using GPU for local processing is too complicated and risky. Too many variables with drivers and frameworks. If they use it in the lab to process stuff they are in full control all the time. Locally, they aren't... So don't expect local GPU acceleration anytime soon. At least not until GPU acceleration becomes an universal standard like x86 did. Because even at the moment, OpenCL doesn't work exactly the same on all hardware that supports it.
     
  3. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    49
    The GPU stuff is mostly interesting for backend applications, we have a quite powerful GPU cluster for some stuff here at Avira as well (the fabled AI System that Stefan has been dropping tidbits about here and there, which was created during the last 3 years by my former team in the Avira Research Department).

    The usefulness of GPU tech in a consumer AV product is near zero.

    Quoting myself from an article in 2010 (http://techblog.avira.com/2010/11/09/gpu-acceleration-in-the-malware-scene/en/)

     
  4. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    This breaks down to simple math.

    Disk time : CPU time

    If disk time is 95% it does not matter if make CPU time 2 times faster, you wont notice much of a change. If you are streaming data at maximum efficiency it wont change anything at all as the CPU is mostly just waiting for more disk data while the disk is cranking away sending constant data.

    On the other hand if disk time becomes 2 times faster scan times will drop dramatically.

    The fastest I can get MBAM to do a quick scan on 7 64 ultimate is 17 seconds but that is on a ridiculous raid setup. On this setup I do actually see scan time drop if I overclock indicating that there is a point where disk throughput starts to make processing time relevant but consumer systems are not there yet and wont be for a while.
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yeah well it depends. 1MB big sample will be read from disk quickly (even on a slow HDD) but if then needs 15 seconds in the emulator, you have a CPU bottleneck, not a HDD bottleneck...
     
  6. VectorFool

    VectorFool Registered Member

    Joined:
    Oct 21, 2012
    Posts:
    280
    Location:
    India
    so is GPU acceleration is not of much use right now because:
    1)HDD bottleneck?
    2)GPU cores are meant to perform simpler tasks than CPU ?
     
  7. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Multicore and hyperthreaded CPUs would already deal with this if it was possible. I have done testing myself and OCing only helps if I have massive drive throughput. If I scan a 5400 rpm drive from a few generations ago there is no amount of OCing or cores that will help scan times.

    This is a simple test for enthusiasts. Clone your OS drive to the oldest and slowest drive you have and then underclock your CPU to 1ghz and then disable all but 2 cores (leave 2 so OS actions do not impact scan time that much).

    Run a scan with a scanner of your choice and then compare the gains from swapping out to a SATA 600 SSD to OCing the CPU to its max and see which one actually changes things by the greatest percentage. A SSD can drop your scan times by 75% or more and there is no amount of fancy processing that can in any way compete with this.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    GPUs for client side AV stuff just doesn't make much sense. It might be different for some cloud based thing where they've got a database but there's not much to offload to the GPU for an AV that would make much sense - maybe for comparing files or some such thing.
     
  9. Bodhitree

    Bodhitree Registered Member

    Joined:
    Dec 5, 2012
    Posts:
    567
    Actually it does make sense, many of us have massive GPU's, sometimes with 4GB of DDR3 on them as well that are essentially unused on our PC's unless we are in a high end game, but most of the time they sit idle, and unused. That's tremendous horsepower - doing nothing.. GPU's are now used in clusters to brute force breaking passwords.

    http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/

    But as pointed out, many of us struggle with throughput issues more then processor. I need at least 1 terabyte of storage, so SSD isn't practical, so my PC bottleneck is easily identified as my hard drive. Which is why I offload as much as possible onto a ramdisk (such as entire portable browser). Ideally I would move to a speedy SSD but size and price are still way behind the curve.
     
  10. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    As Marcus said - GPUs are useful for simple (or somehow specific) algorithms - bruteforcing passwords may be a good example. But today's scanning engines perform rather complicated operations when processing a file - and that would be rather hard to implement in GPU (or would be slow). So you may have a massive GPU power on your machine, but it wouldn't really help with antivirus scanning - even if the scanner had a GPU implementation.
     
  11. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    The is issue is not what the GPU is capable of, its what the GPU can contribute when processing is already not the bottleneck.
     
  12. andylau

    andylau Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    679
    GPU acceleration for unpacking/scanning packed(packer) files must faster than just using CPU a lot.

    I have seen WinZip added GPU acceleration for archiving/unzipping files.
     
    Last edited: Jan 11, 2013
  13. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    If this was true for security software then a quad core would be faster than a dual core, just like it is for compression/decompression software. The reason the number of cores does not help is that the CPU is already idle while it waits on the disk. You can make it get to idle faster but that does not make the scan faster.

    You have to remember that the vast majority of files scanned will be ordinary files that process almost instantly and certainly MUCH faster than it takes to pull them from disk.

    Think of a job that starts at 9AM. If you leave at 8 and then it takes 45 minutes to get there you still cant start before 9. If you double your driving speed you still cant start until 9.
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    It doesn't make sense for a variety of reasons including those already mentioned. GPU acceleration has it's issues - it's fine for specific tasks, but on a general purpose product it is flaky at best - for example, how do you make a generic implementation that works just as well on an NVIDIA GPU as it would on an AMD and Intel GPU?

    With Firefox and IE, it's easier - use the Direct2D API. But that's only for rendering. Rendering graphics is the least of any Anti-malware product's concerns. Do you use OpenCL? OpenCL support varies between vendors - I switch my development build and it may have issues on a specific vendor's product and I have to wait until they get a new driver out.

    An anti-malware product shouldn't have to depend on drivers - "Please update your video drivers" isn't really a good solution in FAQ for any issue related to an anti-malware product. As such, they remain fast as it is, and if it works well this way then so be it :)
     
Loading...
Thread Status:
Not open for further replies.