Antivirus performance characterisation: system-wide view

It is well accepted that basic protection against common cyber threats is important, so it is recommended to have antivirus (AV). However, what price do users pay in terms of performance and other usability factors? Although it is important for security researchers and system developers to understand how exactly the AV impacts the whole system, in this study the authors take the approach of tracing operating system (OS) events. The authors' goal is to shed some light on this. To the best of the authors' knowledge, this study is the first to present an OS-aware approach to analyse and reason about AV performance impact. The authors' results show that the main reason for performance degradation in the tasks the authors tested with AV software is that they mainly spend the extra time waiting on events. Sometimes AV does cause some central processing unit overhead, but events such as hard page faults (i.e. those that require disk accesses) are the main contributing factor to AV overhead. Owing to the AV's intrusive behaviour, the tasks in the authors' experiments are caused to create more file input/output operations, page faults, system calls and threads than they normally do without AV installed.