Why antivirus uses so much RAM – And why that is actually a good thing!

Lots of computer blogs and magazines give smart advice on how to speed up your computer by reducing the load on your hardware resources. While it is true that having a few gigabytes of free hard disk space is better than having none, the same wisdom usually doesn’t apply to your RAM (Random Access Memory), your computer’s super-fast short-term memory.

RAM is the fastest component of your PC

To give you some numbers to work with: an old-school hard disk drive (HDD) with spinning platters usually allows for transfer rates of around 80-160 MB/second. A newer solid-state disk (SSD), which uses memory chips similar to those in the SD card of your camera or smartphone, provides speeds of around 200-400 MB/s. But your RAM, which can’t retain data without power, allows for 10-20 GB/second. That’s more than 100 times faster than the hard disk!

If you were an operating system architect, where would you preferably run programs from? RAM is the obvious choice.

How Windows uses RAM

When Windows starts up, it reads all the programs that are part of the system from the hard disk and puts them into RAM. That’s the place where the CPU can access them most efficiently. The working data created by your programs is kept in RAM too, along with any other programs you run. That means the more programs you start and the bigger the data you’re working with, the sooner your RAM gets maxed out.

As RAM is typically between 2 and 16 GB nowadays, it may happen that Windows requires more RAM than you physically have installed. No cause for alarm, as the developers at Microsoft were aware of that risk and introduced something called Page File. The principle is simple: Programs or data in RAM that aren’t used frequently get written down to a ‘virtual RAM’ file on the hard disk (hidden at c:\pagefile.sys). That way, you get some free extra RAM space. However, any data required from virtual RAM needs to be read from the slow hard disk before it can be used again.

This is when your computer gets significantly slower and you start scratching your head, asking yourself what happened and if your computer is maybe about to bite the dust. Don’t be concerned, it has merely started swapping data to the page file.

Good high memory usage vs. bad high memory usage

Let’s sum up what we have learned so far: RAM is fast, so make use of it! Reducing memory usage from, say, 70% down to 40% doesn’t give you any advantage, as free RAM is wasted dead material. It doesn’t save you any power, nor does it provide any performance improvement. From that point of view: make sure you’re using as much RAM as possible to get the best overall system performance.

But there’s a tipping point when it’s maxed out and Windows starts to use the page file. You can avoid Windows hitting this point frequently by making sure you have enough RAM installed. RAM is cheap to buy and a bigger RAM module is probably the easiest way to extend the lifetime of your old computer for another year or two. For example, I’m a heavy computer user but I rarely need more than 4 GB of RAM.

Why does antivirus/anti-malware software need so much RAM after all?

We often hear customers blaming our software for using too much RAM…

Well, we want to detect malware. To do that, we need recognition/search patterns to compare files with our database of known threats. Those patterns (sometimes called fingerprints or signatures) are not really that big, but there is a really huge number of threats out there, and therefore we need many signatures too.

At present, the Emsisoft protection software uses more than 7 million malware signatures. To load them all into RAM, it needs a bit more than 200 megabytes. That sounds like a lot, but keep in mind that it works out to a short sequence of 28 bytes per signature on average, and that sequence is all we have to confirm whether a file is good or bad.

To illustrate that: Imagine a text sequence of just 28 letters that must be found in a library of 1 billion books, and you are not allowed to come up with a single false detection. A malware scanner has to check 7 million signatures against each of roughly 300,000 files on your hard disk…

All within a fraction of a second!

Technically there is no way to make 7 million signatures suddenly disappear. They must be:

  • Stored somewhere, if you want a really good detection rate instead of an absolute minimum (as seen in Windows Defender).
  • Accessible quickly, so that every new and modified file that enters the computer can be scanned.
  • Fast enough to check against that you don’t even notice that something was scanned in the background.

The place to do this is the RAM.

The challenge with RAM usage doesn’t only affect Emsisoft, it’s an industry-wide issue. All signature-based antivirus or anti-malware scanners naturally require a significant amount of RAM to protect your computer effectively.

An insider’s secret: Antivirus programs tend to hide their RAM usage

High memory usage is bad for marketing, but what do you do if you can’t avoid it? You hide it. There are two major techniques to make a big program look like a small one:

  1. Use the page file: As described earlier, Windows puts less frequently used parts of programs onto the slower hard disk. Programs can also force that process and ‘ask’ Windows to swap them to the page file at regular intervals. The Windows Task Manager then shows very low memory usage, but the price for that is regular 1-3 second ‘thinking periods’ when you access the program. That’s the amount of time needed to read the data back from the hard disk.

    In Emsisoft Anti-Malware and Emsisoft Internet Security, you have full control over that feature. When you turn off “Memory usage optimization” in main settings, the software doesn’t initiate swapping to the page file. This means overall system performance is likely to increase if you have enough RAM.

  2. Use system drivers: Windows Task Manager only shows active programs and services, but not drivers. Drivers are code modules that are loaded directly by the operating system for certain core functionality. Some anti-virus vendors load hundreds of megabytes of data in their drivers to create the illusion of low memory usage. You can spot these by summing up the memory usage of all active programs and comparing that with the value of total used RAM. If there is a huge difference, something is probably hiding high memory usage from you.

As the number of threats doubles every year, why doesn’t memory usage double at the same rate?

The good thing about malware is that many samples appearing in the real world (outside labs) are very similar. There is a limited number of malware families, and samples often differ in just a few bytes of data. That means we can detect large numbers of threats with fewer, but smarter, signatures. With that method, the number of signatures required for best detection doesn’t grow as fast as the total number of threats out there in the wild.
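
The two ideas above (keeping every signature in RAM so lookups are fast, and covering a whole family of near-identical samples with one "smarter" signature) can be shown together in a short Python example. It is added here for illustration and is not Emsisoft's engine: the `??` wildcard syntax, the 4-byte anchor hash table, the names `SignatureIndex`, `make_variant` and `run_demo`, and all sample bytes are assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict

ANCHOR_LEN = 4  # assumption: every signature starts with 4 fixed bytes


def parse_signature(hex_pattern):
    """'deadbeef??10' -> [0xde, 0xad, 0xbe, 0xef, None, 0x10]; None = any byte."""
    pairs = [hex_pattern[i:i + 2] for i in range(0, len(hex_pattern), 2)]
    return [None if p == "??" else int(p, 16) for p in pairs]


class SignatureIndex:
    """All signatures live in one in-memory hash table keyed by their anchor."""

    def __init__(self):
        self._by_anchor = defaultdict(list)
        self.count = 0

    def add(self, name, hex_pattern):
        pattern = parse_signature(hex_pattern)
        anchor = pattern[:ANCHOR_LEN]
        if len(anchor) < ANCHOR_LEN or None in anchor:
            raise ValueError(f"{name}: first {ANCHOR_LEN} bytes must be fixed")
        self._by_anchor[bytes(anchor)].append((name, pattern))
        self.count += 1

    def scan(self, data):
        """One pass over the file; only signatures sharing the anchor are verified."""
        hits = set()
        for off in range(len(data) - ANCHOR_LEN + 1):
            for name, pattern in self._by_anchor.get(data[off:off + ANCHOR_LEN], ()):
                window = data[off:off + len(pattern)]
                if len(window) == len(pattern) and all(
                    want is None or want == got for want, got in zip(pattern, window)
                ):
                    hits.add(name)
        return sorted(hits)


def make_variant(key, build):
    """Constructed stand-in for one family: only two bytes differ per sample."""
    core = b"\xde\xad\xbe\xef" + bytes([key]) + b"\x10\x20" + bytes([build]) + b"\x30\x40"
    return b"MZ" + b"\x90" * 16 + core + b"\x90" * 8


def build_index(filler=50_000):
    index = SignatureIndex()
    # Constructed 28-byte filler signatures standing in for unrelated threats.
    for i in range(1, filler + 1):
        index.add(f"Filler.{i}", (i.to_bytes(4, "big") + b"\xaa" * 24).hex())
    # One wildcard signature for the whole family: ?? covers the varying bytes.
    index.add("Family.Demo", "deadbeef??1020??3040")
    return index


def run_demo():
    index = build_index()
    known = [make_variant(0x11, 0x01), make_variant(0x22, 0x02)]
    unseen = make_variant(0x7F, 0x09)  # a variant nobody has hashed yet
    # Constructed clean file: shares the anchor bytes but not the rest.
    clean = b"MZ" + b"\x90" * 16 + b"\xde\xad\xbe\xef\x01\x99\x99\x01\x30\x40"
    exact_hashes = {hashlib.sha256(s).hexdigest() for s in known}
    return {
        "signatures_loaded": index.count,
        "known_by_family_sig": [index.scan(s) for s in known],
        "unseen_by_family_sig": index.scan(unseen),
        "unseen_by_exact_hash": hashlib.sha256(unseen).hexdigest() in exact_hashes,
        "clean": index.scan(clean),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The scan cost per file depends on the file size and on how many signatures share an anchor, not on the 50,001 signatures loaded, which only works because the whole table is resident in memory. A per-sample hash list would need a new entry for the unseen variant, while the single wildcard signature already covers it.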

Conclusion: Make use of your RAM

Take some time to open the Task Manager (right-click the taskbar, select “Task Manager”) and check how much RAM you actually use during a busy computer day. If you’re not somewhere near the physical maximum, disable the “Memory usage optimization” feature in Emsisoft protection software to make sure you get the best possible performance.

Don’t select your antivirus/anti-malware software based on memory usage reviews, unless you are really short of memory (less than 2 GB).

 

  • Richard Symons

    Nice way to try and deflect away from the fact your software is extremely resource heavy and slows down systems because of it.
    Fewer programs sitting in RAM and using smaller amounts of RAM helps your system to run quicker and smoother as the pagefile will be able to swap larger amounts of data in and out of the RAM making everything run quicker.
    Having less of your RAM free due to resource heavy antivirus like yours and other un-needed programs running means your pagefile (hard drive) has to work harder and more often as it can’t swap as much data back and forth to your RAM.
    I stopped using Emsisoft due to the fact my system was always working harder than it should because of it, fans running constantly or at least more often than they should have been, system running slower and less reliably. As soon as Emsisoft internet security and anti-malware was removed and replaced by another top performing security suite, my system ran cooler and quieter due to less fan activity needed and was much quicker at doing tasks.
    I used to love your software but had to get a refund because of what it was doing to my system the last time I tried it.

    Please don’t post fluff articles trying to defend your resource heavy program … it might be a good security suite but it’s not good enough to make people put up with a slow computer because of it.

    Try posting more of your intelligent security articles rather than nonsense that tries to place blame elsewhere.

    • Christian

      Richard, you might have missed the point that Emsisoft Anti-Malware was actually rated the third-best performance product in 22 tested by AV-Comparatives last year. See the bronze award as described here: http://blog.emsisoft.com/2016/01/31/speedy-and-spot-on-emsisoft-makes-the-av-comparatives-top-rated-product-list-again-in-2015/

      Several other tests confirm that our software is amongst the best performing when it comes to slow-down ratings. My suspicion here is that some mis-configuration or some combination with an additional third party software caused the slowdowns on your system. Happy to investigate further if you want.

      • Lufen

        The Truth has been spoken !

      • nuncius

        Agree that Emsisoft Anti-Malware is excellent performer -one of the best- even when considering its system demands (RAM,CPU, responsiveness,..).
        But as I understood, Richard was using (also, or only?) Emsisoft internet security, which seems to have far worse performance output – according to my “test” experiences (even its FW capabilities aren’t kind of top).

        • Richard Symons

          Thanks for the reply nuncius, yeah was using only the Emsisoft Internet security, not running it alongside Anti-Malware or anything else, just Internet Security

      • Richard Symons

        No point missed, that’s why I decided to post when I had that email. Reviews and awards don’t mean anything if in real world situations users don’t get the same results as reviewers on test bed machines doing nothing but running windows and testing security. Doesn’t matter how good a product is if my system runs much harder due to the fact it’s taking so much of the system for itself.
        I spoke with support before getting the refund and there was no mis-configuration, in fact I even wiped my fairly new system clean and installed the bare minimum before adding the security system and it was at that point resource usage went sky high. Took that off and tried 2 others separately and lo and behold, no issues whatsoever.
        It’s not like I don’t have a good system with poor resources available to it, it’s an octo core i7 with 16GB ram and an SSD sitting alongside a large storage drive. I’m sitting here now with only 18% memory and 1% cpu usage, that was far different when running Emsisoft security.
        I used to love the software and enjoyed taking part in the betas a few years back but not so fussed on it now. I will of course try it again when the next version releases, I’m sure lots of users are enjoying Emsisoft with little issue... this generation for me though is a no go I am afraid.

        Thanks for the reply though, it’s nice to see you guys taking an interest :), and please excuse me if I seem to come across harsh in any way, not intended :)

        • Zdravko Mihaylov

          Well as I told you, I run Emsisoft on a DUO core VISTA computer and on a DUO core Windows 7 computer with 2 GB of RAM. I have no issues. It’s now quite obvious that the problem was somewhere else. It can happen. It can be a conflict between drivers, conflict between softwares. You might have a software that makes conflict with Emsisoft, and that no one till now had or reported.. But it’s possible. That’s why I don’t like windows, specially the new ones. My job involves support for CAD/CAM that connects the machine to computers. I’ve seen such conflicts, like a stupid Sony camera software causing a 3D modelling software to malfunction….
          Anyway, hope you have no issues now. And always do check from time to time your computer with malwarebytes ;-)

    • Zdravko Mihaylov

      Mate… What you explained is simply not true. I installed emsisoft, after I had a real problem with antivirus killing my computer (Panda)….
      I run emsisoft on both unsupported Vista and on a computer with 2gb of ram (as ridiculous as it sounds) with Windows 7. Both computers are office computers, but soon they will be upgraded. And both have absolutely no trouble running websites, office apps, scanners, printers, etc..
      With my previous antivirus that I used for more than 5 years I had such problems. Except the most important, I had viruses it also killed the performance of any PC. Even of my asus laptop with i7 and gpu 880m. Every page I tried to open had huge delay, and I realized it’s from the antivirus only after uninstalling it.

      Now with emsisoft, not only I have no performance issue, but also I have NO VIRUS issue, which is most important. Before I always run regularly apps like Adwcleaner, Hitman Pro, Malwarebytes because there was always something left. Now I can run only once per month, or per two months, because I saw that almost no nasties are left when I use emsisoft.

      I don’t know what ancient computer you are running, but I don’t see any problem with the antivirus. If you can’t afford to upgrade your pc, then you just have to face the risk of using a lighter, and less protective antivirus.

      That’s all my experience. Since I moved to emsisoft, I’ve been more than happy. I had problems with vista, contacted the team and everything was fixed. So really thank you Emsisoft team for the great product and great support! Continue the good work!!!

      • Richard Symons

        Mate, I’m running a top end 8 Core i7 with 16GB of ram and a gtx970 so don’t knock my computer or insinuate I can’t afford one, the one I use has better specs than yours. … I used to work in the IT business, was in it for 15 years, I know what I am doing and I know how to diagnose problems …. I ruled out all other software by starting from fresh on a clean system and only having the very basics installed.
        And just as your problem was resolved by removing the antivirus you had installed, so mine was removed by uninstalling Emsisoft. So don’t tell me what I explained is not true, it’s the issue I had and that’s how it was resolved. I used Emsisoft all the time in the past and this release I was left disappointed in how more bloatfilled it seemed compared to their products of the past.

        I can guarantee you now, if you look in taskmanager at your system usage amounts at this moment in time it will be far higher than what mine is right now just because you’re running Emsisoft and I’m not.
        1% CPU usage and 19% memory and that’s with a few programs open now as I write this… I know as I type this both of yours will be higher.
        I’m happy for you that you like the product you have … I will be happy to try the software again in the future to see if it’s as good as it used to be. I just didn’t agree with this article because I felt it’s a piece written to defend its high system usage rather than a good tech article which it normally is.
        Don’t attack me personally or assume I’m a poor broke person using a computer from the dark ages just because I don’t hold the same view as you about a product.
        As you can see, I appear to be in a better position than you with regards to what tech I currently use.

        • Jess W Farnsworth

          What works for one will never work for all. I run a Dino. Dual core 2800 processor and Linux 15.04. Runs better than the day it came from the store with windows I know that.

        • Zdravko Mihaylov

          I am sorry that my comment seemed as an attack, or that I assumed you are poor block. I really didn’t mean it in this way. My work also involves IT. At my home right now I have 3 desktops and a couple of laptops, one of which I described. But I do not want to compare our budget or anything. Just wanted to share my experience. The slow computers I explained are from my work office, I am responsible for them + others, kind-a administrator. And I had to clean them from viruses (which is annoying, when they are slow and have important information on them). Luckily everything is clean now, no information loss, and Emsisoft runs like a charm even on the slowest one.
          Apology again that my comment sounded as an attack and wish you all the best =]

        • Jimmy Walbert

          Dude, Since you’ve tried everything, even a wipe out. I bet you reinstalled the same drivers the OEM released with the computer when it came out. I would try going to Intel and getting ALL the latest chipset drivers, AHCI too. Go to Nvidia and get the latest video drivers. And maybe even consider a BIOS update. If the software still runs slow then hopefully it will be worked out in a future update.

    • Omendata

      Sounds like you may have a hardware issue.

      Did you analyse the wait chains and do in depth analysis of why Emsisoft’s product wasn’t working for you as I install it on all manner of machines and have had maybe two issues and that was with users with faulty ram.

      My advice is switch off your page file and up your memory – Windows doesn’t need the page file anymore if you have plenty of ram say 16gb and speedboost with a class 10 flash unit is a good idea!

  • Good job for telling people the truth!
    I was a long time aware about this feature.
    By the way, only in Windows 10 it first put rarely used memory into process called “System” and only when RAM reach maximum it stored into Pagefile.

  • MSerif

    Thanks Emsisoft :)

  • RhondaGarrett

    Thank you for the informative article. Just a couple weeks ago I built a new system with 32 GB RAM, and was unsure what the “Memory Usage Optimization” feature was. Now I know I can safely turn it off and likely benefit from it. Thanks for such a great product and for being so open and involved with your customers.

  • SubliminallyObvious1 .

    Please!!! bring back Online Armor ++. It was the bomb.

  • SENAD

    Hi, bring back Online Armour free firewall and also make a free version of Emsisoft Anti-Malware with live protection for home users. Thank you very much and all the best for you.

    • Christian

      There is no point in hijacking this RAM related topic for Online Armor requests.

      Let me be very clear about this: Online Armor is not going to come back, sorry.

      Its codebase is outdated and not ready for today’s x64 systems or IPv6 protocols. Emsisoft Internet Security is its successor as it features a re-implemented new firewall core.

  • Martin Stanmore

    While true that for most of the time there is more than adequate RAM on the average PC to allow you to leave memory usage optimization turned off this isn’t the case all the time.

    Nearly everyone has programs on their PC which are memory hungry, for example video games or streaming services. I do a lot of video & photo editing and 3D modelling. The amount of memory required to efficiently stitch 400 x 15 Mpixel images into a panorama, render a 2hr HD movie or print a 70GB 3D model leaves no room for anything else to be running unnecessarily.

    If your memory usage optimization operated dynamically in response to the load being placed on the machine at the time it would be a much more desirable feature.

    Unfortunately anti-malware, updaters and other similar ‘background’ programs seem tuned to run/not-run based only on the level of keyboard activity, rather than resource usage, as a result they nearly always interrupt at the most inappropriate times, ie right in the middle of a stitch routine.

    More than a few products have been deleted from my PC for this reason.

  • Adrean Kael

    Let me get this straight, the point of the article is why AV programs use so much ram and why that’s a good thing, and the only reasons you can come up with are ram is cheap and ram is fast? Nice try at a snow job but I’m not buying it. You’re basically saying that your company policy is “Who cares if our program uses a horrendous amount of system resources, ram is cheap and it’s fast.” I’m sure that’s not the case but your whole “free RAM is wasted dead material” is a fallacy. That’s like saying your savings is wasted dead material. I multitask like a mad man and occasionally I find myself in the mood to watch a movie, listen to music or play a game while I’m working at my computer. Free resources allow me to do this without stopping to save what I’m working on, close the program and then have to relaunch it when I’m done goofing off. Free ram is a GOOD thing and if your company policy is “it’s cheap so go spend more money (on top of what you paid us for our software) so our program can eat it up like Halloween candy”, then I’m probably not going to be doing business with your company for long.

    • Christian

      To summarize the article for you: Antivirus needs a lot of RAM because it wants to protect you properly. That’s not an excuse, but an attempt to clarify why it is the way it is.

      You can believe me when I say that all vendors do their best to keep the amount as low as possible, but there are technical limits (as described above).

      The fact that RAM is cheap is a nice side effect that can help to extend the lifetime of your PC, nothing more.

  • Andrei Florin

    RAM is no longer cheap. In 2011 I bought 4GB DDR3 1333 MHZ with 13$ , in 2016, same model of ram , same amount and same speed it cost app. 60$ . Hell ! NO !

    • cat1092

      RAM is as close to 2011 pricing as it gets, 16GB sets of DDR3 1333MHz for as little as $69 on promo, shipped. Back in 2011, few seen that pricing on these sets, though like you pointed out, a 4GB stick or 8GB set was really cheap. Come 2012, pricing doubled. Fast forward to late 2015, pricing is reasonable again (wished it was in late 2014/early 2015), I can now purchase 64GB of RAM in the same 16GB DDR3 1600MHz kits for less than I paid for 32GB total then. Maybe I should stock up, have a upcoming build, and RAM is a commodity, the CPU (i7-4790K) uses the same RAM modules.

      Since most of my computers are maxed out with RAM, I have no issue with the software that protects me to do its job, a less than one minute (Malware) or less than 15 minute (Custom) scans doesn’t slow me down. Emsisoft consumers have the choice to turn off memory optimization in the controls of the software (both EAM & EIS consumers), if not wanted. Still, either is going to use so much RAM to speedily scan the drive(s), hunting for danger.

      I can’t understand why one would not want this type of protection, if one thinks that Emsisoft is a RAM hog, try some alternatives & see the difference. Some will slow the computer to a crawl, to where one can’t have more than a couple Web pages open at once w/out the browser crashing. Neither EAM, EIS or the Emsisoft Emergency Kit (EEK) has done that to me, even with a system having 4GB total RAM. Of course, more is desired, yet for some computers, 2 to 4GB RAM is the limit.

      Some other choices may ‘run’ fine w/out impact to the computer, but how effective is it? Visit AV-Comparatives & get the truth. They perform unbiased tests (meaning no ad income to sway opinions), with techs not knowing what the other is testing, on identical builds, complete series of tests, and the results are posted for the world to see. Emsisoft is closing on the competition test after test, racking up awards left & right. VB100 is another source, however I don’t know much about how they test, am more familiar with AV-Comparatives. As are many in the IT community when it comes to security. Resource usage are also a factor in the tests performed & Emsisoft still comes out strong.

      Cat

  • TheSeeker11

    But, but, I have 64GB of RAM and I want 63GB free to sit there and not be utilised!

  • SR2K-21

    Out of the many security suites I have used (Norton, Bullguard, Avast and Bitdefender), Emsisoft is one of the fastest if not the fastest for me on my system, it does use a lot of ram on my system but it is still fast, I found my browser feels snappier also.

  • NRK

    More reason to use a PXE Server and have a fresh new locked down system every time you boot! Lock down the user to just what they need (principle of least privilege) with a firewall appliance facing the internet. Shut down the internet to just those sites needed, host our site other than in house, turn off all the USB/1394 ports on the users computer, air gap some computers. The file server scans every file in and out plus a nightly deep scan.

    This is a war and the users are like mercenaries, they have their price. Discipline and control to the extreme are tools to keep the bad stuff out. AV SW is about the fourth line of defense (after the internet facing appliance, the system design, and the user), if it is needed the war is lost and your losses sky rocket.

    There are many methods and mine is dictatorial control, no quarter given to users or invaders. When I showed the boss the cost of one little cute Christmas penguin screen saver he got the message that poor security was affecting his bottom line. With the help of MS and Dell I knew if someone farted at their desk.

    Just like in plumbing where you have a leak or you don’t our systems are either secure or not. I use the same principles at home (two servers, four workstations, three tablets, three phones) as at work and can’t remember a virus, etc. since the penguin in 2008.

  • Cat Tilley

    For the past 3-4 years, have had no trouble with either EIS or EAM, if either needs to use RAM, that’s fine, as my notebooks has 8GB, my PC’s starts at 12GB & ends at 32GB, and yes during a scan with EIS, quite a bit of RAM was used.

    Yet that’s what it’s there for, I upgrade all of my computer’s RAM to the max with today’s pricing, and the one with 32GB was upgraded when $135 per 16GB set. So yes, I purchased it to be used, not showcased, as I don’t have a transparent door with neon lights drinking resources. Plus that PC has a massive i7-4790K, an upgrade from the i7-4770 that in itself wasn’t shabby.

    Do I care if my scheduled scans or active protection requires resources? No, I could care less. Rather, I’d prefer EIS to have the resources to do its job…….to protect me from danger.

    As far as other brands goes, I’ll only say w/out getting into details that Emsi is right in the article. All brands of security requires RAM to do its job, otherwise we’d be wide open to infection. The Malware distributors would win if the security ran from the HDD/SSD only.

    That brings up the question, do we want a clean or infected OS? I prefer prevention over cure, so let EAM or EIS (depending on computer) have the resources to do its job. Emsisoft isn’t racking up awards from well known testing organizations for the sake of it, they’re winning because of the job the team is doing. The first of which, is not having 15-20 upper level employees playing golf half the day after lunch, then call it a day, rather having a smaller team dedicated to getting work done.

    Word of mouth is spreading about how good Emsisoft is, and they know that their market share is growing, and is poised for more growth.

    Cat

  • Henry Price

    Helpful. Thanks a lot. I am using ESET Antivirus, although I admit that it used up most of my RAM when it implements but my laptop is still working fast and smoothly. I wonder what technology does ESET performs but it’s still one of the fastest AV software I’ve used