For any PC antivirus is one of the programs you must install as soon as your operating system installation is done. It gives you high security that needed from different threats and malwares, but it doesn’t mean that antivirus will stop each threat that’s there in space.
How anti-virus works?
Let me tell you how anti-virus works in a simple way. Antivirus stores signature or also called finger prints of the malware and if any file is matched with those signatures then it is marked as malware or as a safe file. Simply this is how antivirus works.
There are around ten million signatures that exists in space and increasing day by day.
What is signature?
Anti-virus signature is nothing but a string. Usually anti-virus vendors store first 28 bytes of a program but differs as per their requirement. If any of the file first 28 bytes are matched exactly then it is marked as malware but if we changed any byte in those 28 bytes it won’t match so it’s not considered as a malware. This is how Antivirus Evasion works.
Why antivirus software requires that much RAM?
Antivirus must compare a file in your PC with the millions of signatures and retrieving those from hard disk is slow process, but RAM is very fast and all 10 million signatures (let’s consider) needs to load into RAM which is around 250MB. This is a lot, but it must do it and there are other ways which can also be done
Using page file(Neutral)
Usually paging is used to store the RAM data which is not used frequently but stored in RAM. This page file is stored in hard disk some antivirus vendors use page file to store their signatures and retrieves data from that file. This process is slow and uses much more RAM which makes PC unresponsive and sometimes shuts it down.
Using drivers(Bad)
Some of the antivirus vendors use drivers to store signatures. In task manager only, active services and programs are stored but drivers are the modules which are used for core functionality of the program when high RAM usage is inevitable these vendors store signatures in drivers which hides RAM usage from task manager
How to find hidden RAM usage?
When signatures are used then antivirus complete RAM usage is not showed in task manager so just calculate the total RAM used by services and running programs check the value with actual RAM usage if there is a significant difference then there is something wrong.
If number of threats increases does the memory?
In malware there are certain types of families, if any malware belongs to that family then there is no need to store all signatures of the malware. There are some smart signatures which detect malware belongs to the family.
It doesn’t matter how large the signature database is, but the antivirus must serve purpose of protecting PC. It must show effect faster than malware.
Leave a Reply