Why antivirus uses so much RAM – And why that is actually a good thing!
To give you some numbers to work with: An old school hard disk with spinning disks (HDD) usually allows for transfer rates of around 80-160 MB/second. A newer, solid state disk (SSD) that uses memory chips similar to those of the SD-card in your camera or smartphone, provides speeds of around 200-400 MB/s. But your RAM, that can’t store memory without power on, allows for 10-20 GB/second. That’s more than 100 times faster than the hard disk!
If you were an operating system architect, where would you preferably run programs from? RAM is the obvious choice.
How Windows uses RAM
When Windows starts up, it reads all the programs that are part of the system from the hard disk and puts them into RAM. That’s the place where the CPU can access them most efficiently. The working data that is created by your programs, along with other programs, are kept in RAM. That means the more programs you start and the bigger the data you’re working with, the earlier your RAM gets maxed out.
As RAM is typically between 2 and 16 GB nowadays, it may happen that Windows requires more RAM than you physically have installed. No cause for alarm, as the developers at Microsoft were aware of that risk and introduced something called Page File. The principle is simple: Programs or data in RAM that aren’t used frequently get written down to a ‘virtual RAM’ file on the hard disk (hidden at c:pagefile.sys). That way, you get some free extra RAM space. However, any data required from virtual RAM needs to be read from the slow hard disk before it can be used again.
This is when your computer gets significantly slower and you start scratching your head, asking yourself what happened and if your computer is maybe about to bite the dust. Don’t be concerned, it has merely started swapping data to the page file.
Good high memory usage vs. bad high memory usage
Let’s conclude what we have learned so far: RAM is fast, make use of it! Reducing memory usage from e.g. 70% down to 40% doesn’t get you any advantage, as free RAM is wasted dead material. It doesn’t save you any power nor does it provide any performance improvements. From that point of view: Make sure you’re using as much RAM as possible to get the best overall system performance.
But there’s a tipping point when it’s maxed out and Windows starts to use the page file. You can avoid Windows hitting this point frequently by making sure you have enough RAM installed. RAM is cheap to buy and a bigger RAM module is probably the easiest way to extend the lifetime of your old computer for another year or two. For example, I’m a heavy computer user but I rarely need more than 4 GB of RAM.
Why does antivirus/anti-malware software need so much RAM after all?
We often hear customers blaming our software for using too much RAM…
Well, we want to detect malware. To do that, we need recognition/search patterns to compare files with our database of known threats. Those patterns (sometimes called fingerprints or signatures) are not really that big, but there is a really huge number of threats out there, and therefore we need many signatures too.
At present, the Emsisoft protection software uses more than 7 million malware signatures. To load them all into RAM, it needs a bit more than 200 megabytes. That sounds like a lot, but keep in mind that this equals a short sequence of 28 bytes on average that we can use to confirm whether a file is good or bad.
To illustrate that: Imagine a text sequence of just 28 letters that must be found in a library of 1 billion books, and you are not allowed to come up with a single false detection. A malware scanner has to check 7 million signatures against each of roughly 300,000 files on your hard disk…
All within a fraction of a second!
Technically there is no way to make 7 million signatures suddenly disappear. They must be:
- Stored somewhere if you want a really good detection rate instead of an absolute minimum (as seen in Windows Defender).
- Accessed somewhere quickly so they can scan every new and modified file that enters the computer.
- Fast enough so you don’t even notice that something was scanned in the background.
The place to do this is the RAM.
The challenge with RAM usage doesn’t only affect Emsisoft, it’s an industry-wide issue. All signature-based antivirus or anti-malware scanners naturally require a significant amount of RAM to protect your computer effectively.
An insider’s secret: Antivirus programs tend to hide their RAM usage
High memory usage is bad for marketing, but what do you do if you can’t avoid it? You hide it. There are two major techniques to make a big program look like a small one:
- Use the page file: As described earlier, Windows puts less frequently used parts of programs onto the slower hard disk. Programs can also force that process and ‘ask’ Windows to swap them to the pagefile in regular intervals. Then the Windows Task Manager shows a very low memory usage, but the price for that is regular 1-3 second ‘thinking-periods’ when you access the program. That’s the amount of time needed to read the data from the hard disk again.Reduced memory usageIn Emsisoft Anti-Malware and Emsisoft Internet Security, you have full control over that feature. When you turn off “Memory usage optimization” in main settings, the software doesn’t initiate swapping to the page file. This means overall system performance is likely to increase if you have enough RAM.
- Use system drivers: Windows Task Manager only shows active programs and services, but not drivers. Drivers are code modules that are loaded directly by the operating system for certain core functionality. Some anti-virus vendors load hundreds of megabytes of data in their drivers to create the illusion of low memory usage. You can spot these by summing up the memory usage of all active programs and compare that with the value of total used RAM. If there is a huge difference, something is probably hiding high memory usage from you.
As the number of threats doubles every year, why doesn’t memory usage double at the same rate?
The good thing about malware is that many samples appearing in the real world (outside labs) are very similar. There is a limited number of malware families and often samples just differ in a few bytes of data. That means we can detect large numbers of threats with fewer, but smarter signatures. Using that method, the number of required signatures for best detection don’t grow as fast as the total number of threats out there in the wild.
Conclusion: Make use of your RAM
Take some time to open the Task Manager (right-click the taskbar, select “Task Manager”) and check how much RAM you effectively use during a busy computer day. If you’re not somewhere near the physical maximum, disable the “Memory usage optimization” feature in Emsisoft protection software, to make sure you get the best possible performance.
Emsisoft protection software settings
Don’t select your antivirus/anti-malware software based on memory usage reviews, unless you are really short of memory (less than 2 GB).
Emsisoft founder and managing director. In 1998 when I was 16, a so called ‘friend’ sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware. My story