

How to make the Full System Scan 6x faster in 10 days

During the last few weeks, we have been tweaking the avast! 5 engine and while doing this, we found out that there were some hidden reserves with respect to its performance (namely, the duration of the on-demand scans).

One of the great new features of avast! 5 is the persistent cache, a mechanism which allows us to skip rescanning of certain files. In particular, this applies to files which are on our internal whitelists, as well as files which are digitally signed by trusted publishers (we maintain a relatively short list of software publishers that we trust, and we consider any file produced and digitally signed by one of these publishers as safe). Previously, we were using the crypto services provided by the operating system (called "wintrust") to do the actual verification of the digital signatures. We knew this wasn't ideal though, especially because we realized that in case the underlying system was somehow compromised, any such system API could already be redirected/hijacked by malware (a hooked verification call could simply report a tampered or malicious file as validly signed), so trusting it was not 100% bulletproof.

For this reason, we have been working on our own implementation of the signature verifier. What seemed like an easy task in the beginning actually turned out to be a fairly large project with tens of thousands of lines of code and many months of work. The work on this was finished about a month ago, and after some additional reliability testing, we finally released it to the public as part of the April 19th definition update (last Monday). What's interesting is that this change brought us not only increased reliability (the reason why we decided to implement it in the first place), but also a significant performance gain. On our test system (a Dell workstation with an Intel Core i7 CPU, 4GB RAM and Windows 7) the duration of the Full System Scan suddenly went from 39:35 to 16:03, meaning almost a 2.5x speedup! We haven't really done a full analysis of what's actually causing this, but our current hypothesis is that the performance gain is related to the checking of the signature catalogs. It is possible that the Wintrust APIs reopen/reread the catalogs every time a file is checked, whereas our implementation only reads them once and keeps them cached in memory for the whole duration of the scan. Now, this by itself raised a lot of interest in exploring whether things could be improved even more.

So we revisited the verification code once more, and found out that the code spends most of the time in a function that is responsible for the calculation of SHA-1 hashes.
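To make the catalog hypothesis concrete, here is an added example (this is illustration code written for this page, not avast's verifier and not anything from Microsoft). It models catalog-based trust checking in two ways: a naive verifier that re-reads every signature catalog for every file it checks, and a cached verifier that parses the catalogs once and keeps the merged hash index in memory for the whole scan, then counts how many catalog reads each one performs over the same set of files. Everything in it is constructed: the catalog format (one "<sha1-hex> <publisher> <filename>" line per entry) is an invented stand-in for real Authenticode .cat files, "ExamplePublisher" is a made-up trusted publisher, and the file contents are a few inline byte strings. SHA-1 is used because that is the hash the post profiles; a current implementation should prefer SHA-256.

```python
"""
Added example: catalog-based trust checking, naive vs. cached.

Not avast's or Microsoft's code.  The catalog format ("<sha1-hex> <publisher>
<filename>" per line) is an invented stand-in for Authenticode .cat files; all
sample files, catalogs and the trusted-publisher list are constructed inline.
SHA-1 is used only because the post profiles SHA-1; prefer SHA-256 today.
"""
import hashlib
from typing import Dict, Iterable, List

TRUSTED_PUBLISHERS = {"ExamplePublisher"}   # assumed trusted-publisher list


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed sample files: two "catalogued" binaries and one listed nowhere.
SAMPLE_FILES: Dict[str, bytes] = {
    "good.exe":    b"MZ\x90\x00 legitimate program",
    "other.dll":   b"MZ\x90\x00 another legitimate module",
    "dropper.exe": b"MZ\x90\x00 not listed anywhere",
}

# Constructed catalogs, built from the sample files so the example is self-consistent.
SAMPLE_CATALOGS: List[str] = [
    f"{sha1_hex(SAMPLE_FILES['good.exe'])} ExamplePublisher good.exe\n",
    f"{sha1_hex(SAMPLE_FILES['other.dll'])} ExamplePublisher other.dll\n",
]


def parse_catalog(text: str) -> Dict[str, str]:
    """Map each catalog entry's SHA-1 hex digest to the publisher named on the line.
    Malformed lines are skipped rather than trusted."""
    index: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            index[parts[0].lower()] = parts[1]
    return index


class NaiveVerifier:
    """Re-parses every catalog on every check, the per-file cost the post suspects
    the OS API of paying.  parse_count makes that cost visible."""

    def __init__(self, catalog_texts: Iterable[str]) -> None:
        self.catalog_texts = list(catalog_texts)
        self.parse_count = 0

    def is_trusted(self, data: bytes) -> bool:
        digest = sha1_hex(data)
        for text in self.catalog_texts:
            self.parse_count += 1
            if parse_catalog(text).get(digest) in TRUSTED_PUBLISHERS:
                return True
        return False


class CachedVerifier:
    """Parses the catalogs once and keeps the merged index in memory for the whole
    scan; each check is then one SHA-1 computation and one dictionary lookup."""

    def __init__(self, catalog_texts: Iterable[str]) -> None:
        self.index: Dict[str, str] = {}
        self.parse_count = 0
        for text in catalog_texts:
            self.parse_count += 1
            self.index.update(parse_catalog(text))

    def is_trusted(self, data: bytes) -> bool:
        # Unlisted files and files whose publisher is not trusted both fail.
        return self.index.get(sha1_hex(data)) in TRUSTED_PUBLISHERS


def scan(verifier, files: Dict[str, bytes]) -> Dict[str, bool]:
    """Return the trust verdict for every file, the way a scan loop would."""
    return {name: verifier.is_trusted(data) for name, data in files.items()}


def compare_parse_counts(files: Dict[str, bytes], catalogs: List[str]) -> Dict[str, int]:
    """Scan the same files with both verifiers and report how many catalog reads
    each needed: the naive one grows with files x catalogs, the cached one only
    with the number of catalogs."""
    naive, cached = NaiveVerifier(catalogs), CachedVerifier(catalogs)
    scan(naive, files)
    scan(cached, files)
    return {"naive": naive.parse_count, "cached": cached.parse_count}


if __name__ == "__main__":
    print(scan(CachedVerifier(SAMPLE_CATALOGS), SAMPLE_FILES))
    print(compare_parse_counts(SAMPLE_FILES, SAMPLE_CATALOGS))
```

Both verifiers return identical verdicts; only the number of catalog reads differs, which is exactly the kind of hidden per-file cost the post suspects behind the 39:35 to 16:03 difference. Two things the model deliberately leaves out matter in a real verifier: the catalogs' own signatures must be checked before their hashes are trusted (and, per the post's reliability argument, checked with the scanner's own code rather than a system API that malware on the host could hook), and with catalog reads out of the way the remaining per-file work is the SHA-1 over the file contents, which is the hotspot the post goes on to find.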
