Antivirus antiperformance

Nothing is free - an observation sometimes known as the Second Law of Thermodynamics and sometimes referred to as TANSTAAFL (or TINSTAAFL), standing for "There ain't (is) no such thing as a free lunch." This certainly applies to fighting viruses.

I run an excellent antivirus program on my main system and on my portable, which I keep synchronized so I can work either at my home office, at the university or on trips. The operation, using LapLink, takes only a few minutes to synchronize over 18,000 files.

A friend of mine was watching as I started the operation and asked me why I disabled my antivirus (AV) on both systems while synchronizing. I explained that the AV, although immensely useful when handling files coming in from outside the systems, is not necessary when transferring between two computers both of which are protected by the same program. "But what difference does it make?" my friend asked.

Well, it turns out that the AV is consulted on every file-open operation; even if the file type is not scanned, there's a momentary pause in the I/O that does not matter if you're only doing a few operations - for example, opening a file and then working on it with your word processor. But if you intend to check thousands of files, each additional fraction of a second can add up to significant differences in the time required to complete the job. The file synchronization is about three times faster without the AV.

Similarly, if a process opens the same files over and over, using an AV can contribute enough delay that you can see the results yourself. For example, I have an e-mail client that can rebuild its database to clean out purged items or correct bad pointers and index values. While it is doing so, it repeatedly opens and closes the same files.

While preparing this article, I timed the rebuild operation on a small database and found that with the AV operational the build took 25 seconds; without the AV, the same operation took 7 seconds. Does it matter for such a small database? No. Could it matter with a larger one? Quite likely. Nobody minds 25 seconds instead of 7 seconds, but one might get offended at 25 minutes instead of 7 minutes.
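To put numbers on this for your own machine, the following sketch is an added example, not code from the article: it times the two access patterns described above (many different files opened once, as in a synchronization, and one file opened repeatedly, as in a database rebuild) on constructed sample files. The function names, file counts and the 18,000-open projection (taken from the file count mentioned earlier) are assumptions.

```python
import os
import statistics
import tempfile
import time


def time_opens(paths):
    """Per-operation latency (seconds) for open + 1-byte read + close."""
    samples = []
    for p in paths:
        start = time.perf_counter()
        with open(p, "rb") as fh:
            fh.read(1)
        samples.append(time.perf_counter() - start)
    return samples


def summarize(samples, project_to):
    """Median and p95 per open, plus total time projected to `project_to` opens."""
    ordered = sorted(samples)
    p95 = ordered[min(len(ordered) - 1, int(0.95 * len(ordered)))]
    return {
        "opens": len(samples),
        "median_ms": statistics.median(samples) * 1e3,
        "p95_ms": p95 * 1e3,
        "projected_s": statistics.fmean(samples) * project_to,
    }


def run_benchmark(n_files=500, repeats=500, project_to=18000):
    """Time both access patterns from the article on constructed sample files."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, f"sample_{i:05d}.dat") for i in range(n_files)]
        for path in paths:
            with open(path, "wb") as fh:
                fh.write(b"constructed sample data\n")
        many = time_opens(paths)                # sync-style: every file once
        same = time_opens(paths[:1] * repeats)  # rebuild-style: one file repeatedly
    return {"many_files": summarize(many, project_to),
            "same_file": summarize(same, project_to)}


if __name__ == "__main__":
    for pattern, stats in run_benchmark().items():
        print(pattern, {k: round(v, 3) for k, v in stats.items()})
```

Run it once with on-access scanning active and once with it disabled; the ratio of the two `projected_s` values is the per-open overhead for that access pattern on that machine.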

Besides, the definition of "availability" is a function of habit. I like 7 seconds and become impatient with 25 for this operation; for other operations, I might be happy with 25 seconds and impatient with 75 seconds.

On that topic, I recall that when programmers used to put their new database programs into production with a test group of a half-dozen data-input clerks, I urged them to insert a timer in the program to ensure that response time was not _faster_ than the service-level agreement stipulated. The point was that clerks who got used to quarter-second response time might be offended at 2.5-second response, even though the contract stipulated that acceptable performance under load was to be quicker than 5 seconds per transaction. Setting reasonable expectations was much simpler than trying to recover from disappointment.

So let's remember TANSTAAFL. Running an AV is necessary and useful, but there may be times when a skilled user will choose to disable the AV while doing I/O-intensive operations.

Just remember to re-enable the AV before you leave your computer.
