Fwiw, we are implementing such a system (basically, by creating an additional layer between the engine and the detection, so if a detection starts to spin, it will get stopped). We have been testing it and the results look quite promising (it will take some time to get into the engine, though, as it's not trivial).
If you're curious, I wrote a little technical bulletin on what happened Friday here: http://forums.sunbeltsoftware.com/messageview.aspx?catid=27&threadid=4653&enterthread=y Alex -----Original Message----- From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Monday, May 10, 2010 9:58 PM To: NT System Admin Issues Subject: RE: Computers becoming unresponsive accross entire network. Who knows, but if the machine is pre-empting the AV scanner, then that's how the issue that Kurt highlighted yesterday starts to creep in. Your malicious code gets to do "something" in between the various bits of code that the AV scanner is running. So, I agree with Ben. For a regular disk-scan, a cap might be good (or lower scheduling priority). For on-access scanning, I think you want to the AV scanner to run at high priority and avoid being pre-empted if possible. Cheers Ken -----Original Message----- From: Charlie Kaiser [mailto:charl...@golden-eagle.org] Sent: Tuesday, 11 May 2010 12:07 AM To: NT System Admin Issues Subject: RE: Computers becoming unresponsive accross entire network. But doesn't that beg the question; should an AV app EVER require 75% of a machines resources for ANYTHING? *********************** Charlie Kaiser charl...@golden-eagle.org Kingman, AZ *********************** > -----Original Message----- > From: Ben Scott [mailto:mailvor...@gmail.com] > Sent: Monday, May 10, 2010 9:02 AM > To: NT System Admin Issues > Subject: Re: Computers becoming unresponsive accross entire network. > > On Sun, May 9, 2010 at 6:03 PM, Andrew S. Baker <asbz...@gmail.com> > wrote: > > Or something that ensures that no more than 75% of > remaining CPU will > > ever be consumed by the AV app and its processes... > > For a general system scan, that sounds like a good idea. > But for on-access scans (real time, auto protect, whatever you call > it), I think you'd want the system to run it as fast as possible. > > -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
