Ferro Backup System - The best Backup Software
Network Backup & Restore Software Solution for SMBs
  EN    PL    ES   

Article ref. no.: FS-FBS-20090926-I01
Last revised: 18 February 2016
Version : 1.1

Anti-virus alert! How anti-virus software affect a computer

Anti-virus alert! How anti-virus programmes affect a computerThis article discusses the operating mechanisms of anti-virus monitors and how they affect workstations and backup servers. It then suggests appropriate ways of configuring an anti-virus monitor for operating in a business environment.

WarningThis article is about any antivirus software, even the Windows Defender service

Anti-virus software is often compared to medicine against viral infection. Extending that analogy, before giving medicine we should consider how to use it and in what dose, since using a tool to fight a viral infection in an ill-considered manner can do more harm than good.

How an anti-virus monitor works
An anti-virus monitor is usually a constituent part of an anti-virus software package. It works either as a kernel-mode driver of the operating system or, more frequently, as a file system minifilter driver. It is called a TSR programme (terminate and stay resident), i.e. it operates continually from the moment when the computer is switched on to the moment when it is switched off. Its task is to continually analyse read and saved data and respond appropriately to any malicious code that it detects. It works like a filter, letting through or blocking data entering it. If an application saves or reads data from the hard disk, the anti-virus monitor intercepts those commands, analyses them, and either allows the I/O operations to be completed or, if it detects malicious code, takes predetermined action usually involving blocking the disk operation and reporting an alert or attempting to "cure" the problem by removing the data containing the code of the virus. If the monitor does not detect any malicious code, data flows freely in both directions. The word "freely" is used here to describe a theoretical model of the operation of an anti-virus monitor and should not be understood literally, for reasons that will soon become clear.

How an anti-virus monitor affects operations involving reading data from a disk
When it is analysing data in transmission, an anti-virus monitor process uses up the computer's resources, i.e. processor power and RAM memory. The quantity of resources used by the monitor depends on the settings of the anti-virus programme (heuristic analysis, archive scanning, etc.) and on the programme manufacturer's optimisation of the algorithms for detecting harmful code. Some anti-virus programmes use more of the computer's resources than others, but even the best have a negative impact on its output. Processor cycles used to search for harmful code cannot be used by the application being used by the user. With the current fast processors, which nearly always have substantial power reserves when office tasks are being performed, the effect of the load placed on the processor by the anti-virus monitor may not be particularly significant. However, another aspect of the same issue is time, i.e. the time required to execute the filtering algorithm. In fact it is the increased duration of disk operations which is most noticeable and troublesome for both computer users and computer network administrators (which will be discussed later in this article). Each I/O operation takes time. Regardless of what disk you have (S-ATA, SCSI or SSD) and its speed, each operation will take more or less time. We always try to have the fastest possible drive because slower disks are more cumbersome to work with. However, when installing an anti-virus monitor one should bear in mind that its operation can mitigate the benefits of using modern high-speed hard disks. When heuristic code analysis options (i.e. the most time-consuming) are switched off, resident anti-virus protection slows down data reading operations by 15 to 100 per cent. When the options for advanced analysis and scanning of archives and mail files are switched on, the time increase rises to 250-600 per cent. This means that with the anti-virus monitor switched on, disk operations can be performed as much as six times more slowly [1, 2, 4].

While it is of little significance when working at home or performing simple office tasks whether a document will be opened in 50 ms or 300 ms, such a difference has huge significance for automatic processes operating on a large number of files, such as data archiving.

Let us suppose that we want to create a backup for the entire hard disk of an office computer. In the case of the Windows Vista Home Basic system, there are 36,000 system files alone, as well as approximately 15,000 user files. The backup of the 51,000 files should be created within around 30 minutes, without obstructing the normal work of the user of the computer. After resident anti-virus protection has been activated, archiving time may increase to several hours, while the user's ease of work will be greatly reduced due to the large burden being placed on the CPU.

Fig. 1 The burden placed on the CPU by the process of an anti-virus monitor during backup (a file server)

Fig. 1 The burden placed on the CPU by the process of an anti-virus monitor during backup (a file server)

For servers of files, which sometimes contain more than 500,000 files, creating a full backup when the anti-virus monitor is active can take several dozen hours. In most cases, for this reason it will not be possible to complete the backup at all.

Besides the problems mentioned above, it is also possible that the anti-virus monitor will block some or all of the files, because in certain situations some anti-virus programmes try to check (or "cure") a file when another application has already started reading the file. Such a situation can lead to system errors occurring such as "Cannot find file", "Cannot open file" or "Incorrect path name". In the case of mapped network disks or compressed volumes, an error in reading file parameters can also occur. For example, when the actual size of a file is 100 kB, interference caused by anti-virus software can lead to zero byte size occurring or a size measured in PB [3]. If one of these errors occurs, the file in question will be bypassed during archiving (though relevant information will be recorded in the Event Log of FBS Server).

The problems described above relate to workstations and can cause a discernible reduction in ease of work for the user (slow operation of the computer) and the administrator (copies take a long time to make or cannot be completed within the expected time) or result in the archiving of a file being bypassed due to a read error. Much more serious problems can occur when the anti-virus monitor affects write operations.

Anti-virus measures on a backup server
Backup servers are responsible for receiving and recording archives sent by workstations, as well as for recording and modifying the database and carrying out additional operations on archives when space is being freed up on a disk and during replication.

As in the case of workstations, as described above, anti-virus monitors slow down I/O operations or block them. Although it may not seem to be cause for concern, slowing down write operations not only reduces backup speed, affects the preparation of tasks after the server core, and affects data recovery. If we are not archiving a large number of computers and backup speed is not of key importance, we can assume that an anti-virus monitor on a backup server on which no one is working (automatic backup on the basis of a scheduler) will not cause anyone any inconvenience. The problem is that in the case of databases, delays of 1-2 seconds, where it is not possible for the server to block a part of the database file, can cause "transaction timeout" errors and lead to the database server stopping or the integrity of the database being compromised. This applies not only to an FBS Server programme databases, but also to databases and mail systems of other manufacturers [5, 6, 7, 8].
Fig. 2 Cyclical scanning of an archive file by an anti-virus monitor during backup
Fig. 2 Cyclical scanning of an archive file by an anti-virus monitor during backup

For the Ferro Backup System, a database only has an auxiliary role: it contains program settings and system logs. These data, however, are not necessary for recovery. Therefore, the impact of an antivirus monitor is greater when saving back-up copies themselves. Workstations send packages containing ZIP archive fragments to the backup Server. The FBS Server receives and saves them on the hard drive. Meanwhile, the antivirus monitors detects the save operation and attempts to analyze the information being saved. (fig. 2). Most antivirus programs recognize a ZIP file and try to scan its contents. Such an operation involves significant CPU load and blocks, for a considerable time, the saving operation carried out by the FBS Server. This may result in an interrupted connection with the workstation and an attempt to resend the last package. If the antivirus scanner detects that the archive being sent contains a file with malicious code and tries to "heal" it, a damaged backup may be produced as a result. For the same reason, damage may arise at a later stage - when replicating backups or when freeing up disc space, when files are moved between differential backups.

To prevent the problems described above from occurring, the anti-virus software must be appropriately configured.

Recommended configuration of anti-virus monitors on workstations
Two options are usually available:
  1. Excluding the FBSWorker.exe process in the options of the anti-virus monitor (Windows Defender also). The possibility of excluding a particular process is available in most anti-virus programmes. After the FBSWorker.exe process has been excluded, the anti-virus programme will not monitor I/O disk operations being executed by that process

  2. Switching off the anti-virus monitor before backup and restarting it after backup. To switch off the anti-virus monitor, the command NET STOP AV_MONITOR_SERVICE_NAME should be executed. To restart it, the command NET START AV_MONITOR_SERVICE_NAME should be executed. Both commands can be executed automatically through the Remote Commands embedded in the Ferro Backup System

Recommended configuration of an anti-virus monitor on a backup server
For an backup server, the following solutions should be considered:
  1. Deinstalling the anti-virus monitor and periodically checking the disks using an anti-virus scanner. Disk checking can be started up automatically by a scheduler embedded in the anti-virus programme or by Windows Task Scheduler (the AT command)

  2. Excluding the FBSServer.exe process in the options of the anti-virus monitor

  3. Excluding the database of FBS Server (the file FBSDatabase.abs) and all the folders in which archives are being recorded from scanning by the anti-virus monitor

Anti-virus programmes which monitor I/O disk operations in order to detect and protect against viruses place a burden on the processor and reduce the speed of reading and writing data. For home use or office tasks, where a small number of files are processed, the effect of an anti-virus monitor is hardly felt. For operations on thousands of files or in the case of an archiving server on which a database is stored and on which large archives are recorded, the operation of the monitor can place a substantial burden on the processor and reduce backup speed. In some situations, the filters of an anti-virus monitor can disrupt write operations. This can both compromise the integrity of the programme's database and damage the structure of backup copy files. In a business environment, anti-virus monitors must therefore be correctly configured so that they do not have a negative effect on processes being carried out automatically. In computers which are dedicated to specific tasks, such as backup servers, deinstalling the anti-virus monitor completely and periodically checking the disks using an anti-virus scanner, started up using an embedded or external scheduler, should be considered. If the anti-virus software is able to exclude particular processes from monitoring, the processes making up the data backup system should be excluded.

[1] Anti-virus software may impact Visual SourceSafe performance

[2] Configuring Antivirus Software

[3] A 0-byte file may be returned when compression is enabled on a server that is running IIS

[4] Performance Tuning Guidelines for Windows Server 2008

[5] Considerations when using antivirus software on ISA Server

[6] Error message when you view a POP3 e-mail account with antivirus software installed: The operation timed out waiting for a response from the receiving (POP) server 0x8004210a

[7] Unable to create a new log file because the database cannot write to the log drive

[8] "The information store terminated abnormally" error message and event ID 447 is logged

Home   Help   Where to Buy    Download    Contact Us   Partners   |  Printable version  |  Language: EN EN   PL PL

How anti-virus software affect the speed of a computer - anti-virus and backup
All rights reserved.
Copyright © 2000-2022 FERRO Software