Making Avast the lowest overhead AV available

Discussion in 'other anti-virus software' started by Kees1958, Jan 27, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay, I run as a Limited User and have this tweak applied; see the first three posts of https://www.wilderssecurity.com/showthread.php?t=262475 That thread includes a reg file to set this protection ON and OFF.

    So instead of removing the warnings as described in this post http://smallvoid.com/article/ie-attachment-manager.html I have used it as a defense layer; see the Microsoft explanation http://support.microsoft.com/kb/883260

    Together with my Limited User this protects against 95% of the threats (effectively an anti-executable); the downside is that I can still download zipped files (not covered by the anti-executable), see pictures
     


  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Disappointingly I still need an AV in real time
    I can tell Windows to consider archives also high-risk attachments, but this is not what I want, so I still need an AntiVirus for downloads and attachments.

    Avast has an incredibly intelligent cache to speed up on-execution and boot scans, but I want even less overhead, so I will use the ScanWithAntiVirus setting in the registry to achieve this (not every AV conforms to this Windows IAttachmentExecute protocol, but Avast has since ages)

    Using the ScanWithAntiVirus trick
    The only thing I have to do is open REGEDIT and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    Add a REG_DWORD, rename it to ScanWithAntiVirus and give it the value 3; it should show
    ScanWithAntiVirus REG_DWORD 0x00000003 (3)
    (3 means scan and block access when malicious)

    As you can see I have only the behavioral shield and the file shield of Avast installed. But look at the file shield settings: all checks are OFF! :eek:

    When I double-click the eicar.com in the zip file, AVAST appears :) because Avast is invoked by my operating system :thumb:
     


    Last edited: Jan 27, 2010
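The registry change described in the post above, together with the download marking it keys on, as an added PowerShell example; this is not code from the original post or from Avast. It writes the ScanWithAntiVirus policy value (1 = off, 2 = optional, 3 = on, per Microsoft KB 883260), then creates a constructed test file carrying the Zone.Identifier alternate data stream that a browser would add on download, so you can see what Attachment Manager inspects when the file is opened. The file name is hypothetical, the file content is harmless, and whether an AV is actually called on open depends on that AV having registered itself as an Attachment Manager scanner; the policy alone does not make any scanner appear.

```powershell
# Added example (not from the original post): apply the Attachment Manager
# policy discussed above and show the Zone.Identifier stream it relies on.
# HKCU is writable without admin rights.
# Values per Microsoft KB 883260: 1 = off, 2 = optional, 3 = on (block if infected).

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'

function Set-ScanWithAntiVirus {
    param([ValidateSet(1, 2, 3)][int]$Value = 3)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'ScanWithAntiVirus' `
        -PropertyType DWord -Value $Value -Force | Out-Null
    # Explicitly keep zone information on saved files (2 = preserve, 1 = discard);
    # with no zone mark there is nothing for the AV hand-off to trigger on.
    New-ItemProperty -Path $policyKey -Name 'SaveZoneInformation' `
        -PropertyType DWord -Value 2 -Force | Out-Null
    Get-ItemProperty -Path $policyKey | Select-Object ScanWithAntiVirus, SaveZoneInformation
}

# Simulate a browser download: a constructed test file (hypothetical name) with
# the mark-of-the-web stream. ZoneId 3 = Internet zone; this is the "ADS bit"
# the thread refers to.
$testFile = Join-Path $env:TEMP 'downloaded-test.zip'
Set-Content -Path $testFile -Value 'not a real archive'
Set-Content -Path $testFile -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# Inspect the streams: Attachment Execution Services reads this ADS on open and,
# with ScanWithAntiVirus=3, passes the file to the registered scanner first.
Get-Item -Path $testFile -Stream * | Select-Object Stream, Length
Get-Content -Path $testFile -Stream 'Zone.Identifier'

Set-ScanWithAntiVirus -Value 3

# To revert: remove the policy value, and strip the mark from the test file.
# Remove-ItemProperty -Path $policyKey -Name 'ScanWithAntiVirus'
# Unblock-File -Path $testFile
```

Unblock-File (or Explorer's "Unblock" button) deletes the Zone.Identifier stream, which is exactly why a file that has been unblocked, or copied to a FAT volume that cannot hold the stream, no longer gets this on-open check; the file shield settings the post turns off are the only thing left for such files.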
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    So the round-up:

    - I have the behavioral shield of Avast monitoring with near zero system overhead
    - I have the optimised/cached boot scan with near zero boot delay
    - I have a smart/selective execution protection from the file shield with near zero CPU overhead and I/O access.


    Avast thank you :thumb: :thumb: :thumb:


    My suggestion to VLK: make a special Avast gaming edition with some registry tweaks as available settings in the behavioral shield. Avast consumes so little overhead and only kicks in when I need it.
     
    Last edited: Jan 27, 2010
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    For reference, MSE has an option to disable the on-execution scan and only check downloads and attachments (it displays the icon in red colour), but with this optimised setting MSE uses 3 times as much CPU and 11 times as much I/O as Avast in this setting.

    For people who don't have a couple of SSDs in a RAID0 configuration, disk I/O is the most important 'feel' factor for performance
     
  5. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Hi Kees1958

    I want to ask you something: I'm using LUA with SRP and no autorun on my machine too. In the case of this setup (similar to your setup), isn't it easier to install Avast without the resident shield and keep the others? Because this setup restricts creation/modification and execution, so after a full scan of the system (resulting in a clean system), you only need to monitor the threat gates, don't you? Does the system resource consumption increase much in this case? I don't see any slowdowns (I set all the shield settings to high). What is your opinion about this?
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    S23,

    That is the beauty of Avast: on one hand it tries to intercept as early as possible (web, internet, internet messenger, p2p), on the other hand it provides old-fashioned file access protection (which some think is the only thing you need).

    I do not have a full SRP deny (just related to internet and e-mail), so I need an AV for compressed executables. I also like the automated check when double-clicking a downloaded executable. This also achieves an entry-point check, only at a later stage than the WEB, IM, P2P and MAIL shields provide, like I think you have installed. I am pretty sure the web shield causes the largest chunk of the I/O and CPU of the complete freeware version; that is why I looked for a leaner setup.

    Regards
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I'm not really sure what you want to achieve here. All the shields are there for a reason. File System Shield doesn't check archives because that creates a massive performance hit. However, to compensate for that, Web Shield, IM Shield and P2P Shield do scan inside archives. This way you barely get any performance hit while keeping security at a very high level.
    I don't get why people want to strip avast! down when it runs super fast on a crappy netbook. Any other system is better than this.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Near zero CPU load security with the lowest I/O overhead possible

    Yes, but I have most entry points fixed (no execute and no admin rights), and my ISP already checks e-mail.


    Well, that is not my point; my point is that the download protection/execution protection through the ADS bits does not consider an archive a high risk, so it can be downloaded. That has nothing to do with Avast. The file shield does its job well for me when a downloaded archive is opened, because it is triggered by the OS.

    Regards
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    There's hardly any effect on Atom N270 and we all know these CPU's are weak like hell. So, unless you're using an AMD K6 or Intel Pentium Pro from 2 decades ago, i don't really see a problem.
     
  10. pjb024

    pjb024 Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    351
    Location:
    Leeds, UK
    I think it's more of an intellectual exercise than anything useful for the average user. ;)
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Also true, same reason I adapted an old Laverda triple so it runs on unleaded gasoline for street use. This 26-year-old bike has some enhancements which were far ahead of its time (see pic; orange is the Laverda factory colour, not because I am Dutch :D ). Pity this model never went into production; probably the same will happen to the suggested Avast Gaming edition :'(
     


    Last edited: Jan 27, 2010
  12. captainron

    captainron Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    77
    Like Kees said, the main impact is the AV scanning every single read/write to the slowest part of your computer, the hard drive. Not CPU usage. Your idea of fast or good performance is different from others'. My old laptop had a 5400rpm drive where performance was clearly impacted by having an AV check every single read/write to the hard drive. Even on a new desktop with a Raptor, games stutter less and you hit the pagefile less when multi-tasking.

    regardless, thanks Kees good post
     
  13. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Silent gaming mode does not throw a pop-up when you are gaming; it is a standard feature of Avast.

    The tweak shuts down nearly all I/O of the AV engine, because it only checks downloaded executables and script-like files when you execute them, not when they are written to disk. This check is triggered by Windows, not the Avast real-time monitor. So the trick is that you still have real-time protection, only for a selected number of files. Together with the excellent cache of Avast this might be a trick for hard-core gamers. Hard-core gamers can overclock their CPU and have screaming GPUs bursting out incredible frame rates, but often do not buy Solid State Disks in RAID, simply because the money ran out. On a typical gaming rig the hard disk is the weakest link. So what is posted is not an everyday tweak.

    Another reason: it is snowing and freezing in Holland so I can't ride my motorbike, and there is little news in Security land, so . . .
     
  15. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    Here in the UK the last bout of snow/cold has caused so many potholes in the roads that motorbikes/other 2 wheeled things are being banned from some city/town areas:blink:
     
  16. Technic

    Technic Registered Member

    Joined:
    Aug 31, 2005
    Posts:
    428
    So this is like an on-access scan (when the file is executed)?

    Not on write or read? If so, there is a2-AntiMalware for that. :D
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, and only the files downloaded from the internet or received by mail, when they are not in Avast's cache

    Note I have unticked check when opening documents and check when writing (see post #2, which also includes execution in the advanced settings); otherwise Avast would have worked just like any other AV.

    Avast really has an excellent caching mechanism (see pic, options enabled by default) to reduce on-access (on-execution) checks
     


  18. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I didn't know Avast 5 has this cache thing! I will probably switch to it.

    Right now I have (last column is I/O reads. The result of no such cache...)

    http://img85.imageshack.us/img85/5600/65821541.png

    Normally you don't think about it. But if you are torrenting, encoding in x264 and watching HD video at the same time, while browsing sparingly, your HD performance starts to matter. And consider that I've set Vipre not to check files on open or copy. Not to mention that for video encoding even the last CPU drop is priceless.

    I think I'll put Avast on tomorrow. Without Kees' tweaks though; it seems a bit of overkill and overcomplicating life for me. :D
     
  19. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    avast! 5 is balanced perfectly for out-of-the-box usage. My netbook is running a slow 5400RPM 8MB cache WD Scorpio Blue drive with 160GB capacity. And I can't really tell a difference between avast! 5 and no avast! 5 operation.
    With such a slow drive, it should take much longer with avast! 5, but it doesn't. Maybe right after installation, where the scan cache is still not populated. But over time, the drag just goes away. You can speed that up with a full system scan after installation. But it will eventually be done by itself.

    avast! 4.8 created a significant, noticeable drag on the netbook. And I wasn't too happy about it. But with avast! 5, no such thing. Like I don't even have it installed. I've really never experienced such insane performance with anything else. There were always some issues with performance in one or another part. But not here. The ALWIL guys truly did an amazing job with optimizations in their scan engine.
     
  20. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753

    You have me convinced. :D I was reluctant to try Avast 5, because I read about problems with XP. But since I am on Win7, and after this nice news, I am going to install it tomorrow. :D I must say, in Avast 4.8 I was using only the standard shield and, at least in CPU time, it was the lightest AV I had seen. In Avast 5 I will install the standard shield and behaviour guard and that's it.
     
  21. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Why just File System Shield and Behavior Shield? All the shields now run under one process (regardless of which ones are installed). And you're really compromising security by not installing at least Web Shield and Network Shield along with the two that you initially wanted to have.

    Essential shields:
    File System Shield
    Web Shield
    Network Shield
    Behavior Shield

    Non essential but recommended:
    IM Shield
    P2P Shield
    Mail Shield

    You can skip Mail Shield if you're not using POP3 or IMAP local mail client, but i recommend installing all the others.
     
  22. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Hi Kees

    Thanks for the explanation. Understood the point of this "trick". Will recommend this for a friend that is a game freak.

    Thanks for the efforts.
     
  23. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I never liked the idea of something interfering with my internet connection. I simply don't believe the story of "zero lag". Some don't understand it, but it must be there when you use the internet. Some security expert (I think Kurtzhals?) in this forum once also wrote that there is no web shield with zero impact on web speed. That's why I don't like web shields and the like. When Sandboxie x64 is out, I will add that.

    If I get infected for that, well... I will restore an image. But I doubt it. I've never used a webshield in an AV, ever, and never got infected from the lack of it to this day.
     
  24. Technic

    Technic Registered Member

    Joined:
    Aug 31, 2005
    Posts:
    428
    Could somebody explain the REAL advantage of web traffic scanning?

    If you have a real-time file scanner, isn't that enough? :doubt:

    Thank you.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    RejZoR,

    Answer this for me, please

    Effectiveness of the Network shield
    Since network traffic comes in packets, it is very hard to fingerprint malware, since it comes fragmented through the filter. As a result such a filter can only distinguish a limited number of 'worm' spray patterns. With the wobbly OSes from the late '90s, the benefit of such an add-on would marginally equal the drag of filtering all network traffic. For these types of countermeasure a software firewall and a filter on office documents and e-mail is much more effective. Since Avast has a standard check on office documents in the File Shield, I would advise using the e-mail shield and this default option of the File Shield instead of the network shield (also the mail shield only acts when it receives/sends mail, so it is better in terms of operating efficiency)

    Effectiveness of the WebShield
    Our whole web experience is based on code mixing with data. First, developers thought it would be ideal to load and execute code through the browser (no need to install software). Security was a lesser issue because this corporate model assumed that we were NOT running as admin. Since Vista, IE8 runs in protected mode on Vista and Windows 7 as long as you keep UAC on.

    I do not know how effective the Avast (or Avira) web shield is, but I am more inclined to an AVG LinkScanner approach. Most browsers have options to stay out of trouble (like IE8 Cross Site Filter, Phishing Filter and SmartScreen Filter), which are cloud based (look up before the actual visit), rather than client-side black lists. Also some DNS providers provide additional services to prevent visiting these pages.

    So do the web shields of Avast and/or Avira provide extra protection? Certainly. Can the same be obtained with alternative, more effective means? Certainly also. So it depends on the user setup whether you perceive the Web Shield as vital.
     