June 16th, 2010

How I met the optimization and other stories

Hello again, I’m gonna tell you a story about an emulator that became 5x faster in one day. In the beginning there was a disassembler and a virtual execution environment. The disassembler liked the environment so much that they got together one day and the framework for our emulator was born. It was growing day by day, line by line – up to 20k+ lines of code – and here the “problem” begins.

Once a project (the emulator in this case) reaches such complexity, there’s a non-zero probability that it contains some bottlenecks. So we spent some time benchmarking it. The very first instruction flow was around 7k insn/ms. What does this number mean? To clean some virus families we need to emulate e.g. 300k instructions – so there would be a 300/7 = 42 ms delay on each cleaned file. Count it all together for thousands of files and you’ll definitely need to make it faster.

After fixing some hot spots in the code to be as light as possible, we got to 9k insn/ms. That’s a bit better, but frankly – we expected more. So, where’s the problem? Surprisingly – the “optimize for speed” (/O2) option in MSVC actually does not optimize the code that much, and I guess other optimization options (such as omit frame pointers) are also ignored in this configuration. Well, my mistake, better to try than to expect anything. So after another tuning we got a much higher instruction flow – 18k insn/ms – and only a simple change from “optimize for speed” to “full optimization” (/Ox) did the trick :-D. I couldn’t believe it.

The last step was to implement an instruction cache (similar to the one used by the processor itself). This trick increased the instruction flow to 38k insn/ms (in some cases), which is roughly 5x faster than before. So, now our equation gives only a 300/38 = 7 ms delay on cleaned files. The conclusion for you is – don’t be afraid to clean your files, it should run pretty quickly. Btw: I still don’t know how many ppl from our user base have already noticed the presence of cleaning routines in v5. If they did and tried, there would be no Parite and other samples in our FP submission system.
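An added illustration of the instruction-cache idea (not Avast's code and not part of the original post): a toy three-opcode byte-code emulator that caches decoded instructions by address. The ISA, the direct-mapped layout and all names are assumptions; the point it shows is that emulated writes must invalidate cached decodes, because the code being emulated may patch itself.

```c
#include <stdint.h>
#include <string.h>

#define CACHE_SLOTS 64      /* direct-mapped, indexed by pc % CACHE_SLOTS */
#define STEP_LIMIT 300000u  /* emulation budget so a hostile loop cannot hang us */
enum { OP_HALT = 0, OP_ADD = 1, OP_STORE = 2, OP_LOOP = 3 };  /* toy ISA (assumed) */
typedef struct { uint8_t op, a, b, len, valid, pc; } insn_t;
typedef struct { uint8_t mem[256]; insn_t cache[CACHE_SLOTS];
                 unsigned acc, counter, decodes, hits; } emu_t;
/* Constructed sample: ADD 5; STORE [1]=7 (patches the ADD operand); LOOP 0; HALT */
static const uint8_t SAMPLE_PROG[] = { 1, 5,  2, 1, 7,  3, 0,  0 };

/* The slow step the cache avoids: turn raw bytes into a decoded record. */
static insn_t decode(emu_t *e, uint8_t pc) {
    insn_t i = { e->mem[pc], 0, 0, 1, 1, pc };
    if (i.op != OP_HALT) { i.a = e->mem[(uint8_t)(pc + 1)]; i.len = 2; }
    if (i.op == OP_STORE) { i.b = e->mem[(uint8_t)(pc + 2)]; i.len = 3; }
    e->decodes++; return i;
}

/* Emulated write: drop every cached decode whose bytes could cover addr. */
static void emu_write(emu_t *e, uint8_t addr, uint8_t val) {
    e->mem[addr] = val;
    for (int back = 0; back < 3; back++) {          /* longest insn is 3 bytes */
        uint8_t pc = (uint8_t)(addr - back);
        insn_t *s = &e->cache[pc % CACHE_SLOTS];
        if (s->valid && s->pc == pc) s->valid = 0;
    }
}

/* Load code at address 0 and run until HALT or budget; returns the accumulator. */
unsigned emu_run(emu_t *e, const uint8_t *code, size_t n, unsigned loops, int use_cache) {
    memset(e, 0, sizeof *e);
    memcpy(e->mem, code, n > sizeof e->mem ? sizeof e->mem : n);
    e->counter = loops;
    uint8_t pc = 0;
    for (unsigned step = 0; step < STEP_LIMIT; step++) {
        insn_t *s = &e->cache[pc % CACHE_SLOTS], i;
        if (use_cache && s->valid && s->pc == pc) { i = *s; e->hits++; }
        else { i = decode(e, pc); *s = i; }
        if (i.op == OP_HALT) break;
        if (i.op == OP_ADD) e->acc += i.a;
        if (i.op == OP_STORE) emu_write(e, i.a, i.b);
        pc = (i.op == OP_LOOP && --e->counter) ? i.a : (uint8_t)(pc + i.len);
    }
    return e->acc;
}

int main(void) { emu_t e; return emu_run(&e, SAMPLE_PROG, sizeof SAMPLE_PROG, 3, 1) != 19; }
```

With three loop iterations the cached run decodes 6 times instead of 10 and still returns the same accumulator as the uncached run; without the invalidation in `emu_write` the stale `ADD 5` would be replayed and the result would differ.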

And now something less technical:

Another thing worth mentioning is the case of AXA Financial. As one of our users pointed out (http://forum.avast.com/index.php?topic=60547.0), their Indonesian site was hacked and malcode was injected. That’s quite a hard knock for those who think “I’m not looking for porn and warez, I’m completely safe”; as you can see – even legit and respected sites may be hacked. Fortunately, our users were protected:

When I went to the site yesterday, everything was fine again (but I didn’t check it meanwhile, so I don’t know whether their reaction was prompt enough), anyway – thanks AXA for cleaning it. You’ll surely tighten the security of your servers to avoid such attacks ;-). And of course thanks to the users who helped us (and not only us) with reporting such incidents.

  • http://warbandit.exteen.com Ringman

    Excuse me. How different is the old engine of avast compared with version 5 on Virustotal?

  • http://www.avast.com Michal Krejdl

    @Ringman
    There are some detections available only in v5 (Win32:Packed-*, Win32:SuspBehav-*), that’s the difference.

  • http://www.ppinfotek.com Yanto Chiang

    Hi Michal,

    Thanks for your summary,

    We tried it again this evening with avast! at our customer site, and it was not detected anymore.
    I think their website (AXA Financial) was cleaned from the injected script.

    cheers,
    yanto chiang
    ppinfotek.com

  • http://www.techpage.in techpage

    I think avast is the best free antivirus. Good info, guys.

  • http://www.rejzor.tk RejZoR

    So, if I understand this correctly, the new faster emulator should already be available to the end users, or is it still pending public release?

  • http://www.avast.com Michal Krejdl

    @RejZoR
    Exactly, it’s already there ;-)

  • http://website.com shirley tempted

    Hi, you should correct the information in the about section of the blog //blog.avast.com/about/ I guess you are not ALWIL anymore ;-)

  • coolmario88cp

    Hi, if I download the trial version of Internet Security, will it remove avast free edition? I hope not.

  • mehrdad

    Hi Michal
    I have a question!
    Imagine someone like me from Iran likes your product…. How can that guy buy it legally???
    there is no reseller here in Iran!

  • john dear

    @mehrdad Hi mehrdad, I am not working at avast, but I have a feeling that you can buy it online from the http://www.avast.com website… you just click on something like “buy”… well, at least it works in my country… http://www.avast.com/index here you click on “buy for 59.95 USD” and that’s it!

  • http://www.avast.com Michal Krejdl

    @mehrdad
    Selling to Iran is somehow limited (not by us), but I don’t know any details about that, sorry.

  • Coolmario88cp

    @Michal Krejdl
    I need advice: how often should I scan my computer? And how do I speed up the scan?

  • blaze

    I can’t perform the boot time scan on my comp because it is win 7 64-bit. Are u guys coming up with a patch for 64-bit or something?

  • http://www.avast.com Michal Krejdl

    @Coolmario88cp
    It’s very individual and there’s no general rule. You can schedule a scan for a week or month period, depending on your habits. And how to speed up the scan? Not scanning unnecessary areas e.g.? That’s also a question without a simple answer, because I don’t know the data set on your PC.

  • http://www.avast.com Michal Krejdl

    @blaze
    64bit boot-time scan will be available in v5.1 (later this year).

  • Laperuz

    Well, I hope your work will be 5x faster now ;) As far as I remember, you had planned stream updates (http://forum.avast.com/index.php?topic=47868.msg404426#msg404426). It means that updates will be available every 10-15 minutes, won’t they? What is the current stage of this?

  • http://www.avast.com Michal Krejdl

    @Laperuz
    (I guess) vlk will inform you (and other users) soon about the news for v5.1

  • qamar

    avast antivirus i need

  • qamar

    i need avast antivirus