
June 16th, 2010

How I met the optimization and other stories

Hello again, I’m gonna tell you a story about an emulator that became 5x faster in one day. In the beginning there was a disassembler and a virtual execution environment. The disassembler liked the environment so much that they got together one day and the framework for our emulator was born. It grew day by day, line by line – up to 20k+ lines of code – and here the “problem” begins.

Once a project (an emulator in this case) reaches such complexity, there’s a non-zero probability that it contains some bottlenecks. So we spent some time benchmarking it. The very first measured instruction flow was around 7k insn/ms. What does this number mean in practice? To clean some virus families we need to emulate e.g. 300k instructions – so there would be a 300/7 = 42 ms delay on each cleaned file. Add that up over thousands of files and you’ll definitely need to make it faster.

After fixing some hot spots in the code to make them as light as possible, we got to 9k insn/ms. That’s a bit better, but frankly – we expected more. So, where’s the problem? Surprisingly – the “optimize for speed” (/O2) option in MSVC actually does not optimize the code that much and I guess other optimization options (such as omit frame pointers) are also ignored in this configuration. Well, my mistake, better to try than to expect anything. So after another round of tuning we got a much higher instruction flow – 18k insn/ms – and only a simple change from “optimize for speed” to “full optimization” (/Ox) did the trick :-D. I couldn’t believe it.

The last step was to implement an instruction cache (similar to the one used by the processor itself). This trick increased the instruction flow to 38k insn/ms (in some cases), which is roughly 5x faster than before. So, now our equation gives only a 300/38 = 7 ms delay on cleaned files. The conclusion for you is – don’t be afraid to clean your files, it should run pretty quickly. Btw: I still don’t know how many people from our user base have already noticed the presence of cleaning routines in v5. If they had noticed and tried them, there would be no Parite and other samples in our FP submission system.
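To illustrate the instruction cache idea, here is an added sketch (not avast's code, and not from the original post) of a direct-mapped cache of decoded instructions for a tiny constructed ISA; all names (`emu_t`, `fetch`, `write_byte`, the opcodes) are assumptions made for the example. It goes one step beyond the post by showing the invalidation such a cache needs when emulated code overwrites itself, which is common in the packed and infected files an AV emulator runs.

```c
#include <stdint.h>
#include <string.h>

#define MEM_SIZE    256u
#define CACHE_SLOTS 64u   /* direct-mapped cache of decoded instructions */
typedef struct { uint8_t op, arg, len; } insn_t;
typedef struct { uint32_t addr; int valid; insn_t insn; } slot_t;
typedef struct {
    uint8_t mem[MEM_SIZE];
    slot_t cache[CACHE_SLOTS];
    uint32_t acc; unsigned long decodes, hits;
} emu_t;
/* Toy ISA (constructed): 01 n = ADD n, 02 a = JMP a, 03 a = STORE acc to mem[a], 00 = HALT */
static insn_t decode(emu_t *e, uint32_t pc) {   /* stands in for the costly disassembly */
    insn_t i = { e->mem[pc], 0, 1 };
    if (i.op != 0x00) { i.arg = e->mem[(pc + 1) % MEM_SIZE]; i.len = 2; }
    e->decodes++;
    return i;
}
static insn_t fetch(emu_t *e, uint32_t pc) {
    slot_t *s = &e->cache[pc % CACHE_SLOTS];
    if (s->valid && s->addr == pc) { e->hits++; return s->insn; }   /* reuse decode */
    s->addr = pc; s->valid = 1; s->insn = decode(e, pc);
    return s->insn;
}
/* Guest write: drop cached decodes overlapping the byte (instructions are <= 2 bytes). */
static void write_byte(emu_t *e, uint32_t addr, uint8_t v) {
    e->mem[addr] = v;
    for (uint32_t a = addr ? addr - 1 : 0; a <= addr; a++)
        if (e->cache[a % CACHE_SLOTS].addr == a) e->cache[a % CACHE_SLOTS].valid = 0;
}
static uint32_t run(emu_t *e, uint32_t pc, unsigned long budget) {
    while (budget--) {
        insn_t i = fetch(e, pc %= MEM_SIZE);
        if (i.op == 0x01)      { e->acc += i.arg; pc += i.len; }
        else if (i.op == 0x02) { pc = i.arg; }
        else if (i.op == 0x03) { write_byte(e, i.arg, (uint8_t)e->acc); pc += i.len; }
        else break;   /* HALT or unknown opcode */
    }
    return e->acc;
}
static emu_t demo_emu;
static uint32_t demo(void) {   /* loop that rewrites its own ADD operand on every pass */
    static const uint8_t prog[] = { 0x01, 0x01,  0x03, 0x01,  0x02, 0x00 };
    memset(&demo_emu, 0, sizeof demo_emu);
    memcpy(demo_emu.mem, prog, sizeof prog);
    return run(&demo_emu, 0, 12);   /* 4 passes x 3 instructions */
}
int main(void) { return demo() == 8 ? 0 : 1; }
```

Half of the 12 fetches are served from the cache; without the invalidation in `write_byte` the stale `ADD 1` would be replayed and the emulated result would diverge from what the code really does.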

And now something less technical:

Another thing worth mentioning is the case of AXA Financial. As one of our users pointed out (http://forum.avast.com/index.php?topic=60547.0), their Indonesian site was hacked and malcode was injected. That’s quite a hard knock for those who think “I’m not looking for porn and warez, I’m completely safe”; as you can see – even legit and respected sites may be hacked. Fortunately, our users were protected.

When I went to the site yesterday, everything was fine again (but I didn’t check it meanwhile, so I don’t know whether their reaction was prompt enough), anyway – thanks AXA for cleaning it. You’ll surely tighten the security of your servers to avoid such attacks ;-). And of course thanks to the users who helped us (and not only us) with reporting such incidents.

  1. June 17th, 2010 at 02:45 | #1

    Excuse me. What is the difference between the old engine of avast and version 5 on Virustotal?

  2. June 17th, 2010 at 10:11 | #2

    @Ringman
    There are some detections available only in v5 (Win32:Packed-*, Win32:SuspBehav-*), that’s the difference.

  3. June 17th, 2010 at 13:27 | #3

    Hi Michal,

    Thanks for your summary,

    We tried it again this evening with avast! at our customer site, and it is not detected anymore.
    I think their website (AXA Financial) was cleaned from the injected script.

    cheers,
    yanto chiang
    ppinfotek.com

  4. June 17th, 2010 at 14:15 | #4

    I think avast is the best free antivirus. Good info, guys.

  5. June 17th, 2010 at 16:28 | #5

    So, if I understand this correctly, the new faster emulator should already be available to the end users, or is it still pending public release?

  6. June 18th, 2010 at 10:40 | #6

    @RejZoR
    Exactly, it’s already there ;-)

  7. June 18th, 2010 at 14:27 | #7

    Hi, you should correct the information in the about section of the blog http://blog.avast.com/about/ I guess you are not ALWIL anymore ;-)

  8. coolmario88cp
    June 18th, 2010 at 20:31 | #8

    Hi, if I download the trial version of Internet Security, will it remove avast free edition? I hope not.

  9. mehrdad
    June 22nd, 2010 at 00:48 | #9

    Hi Michal
    I have a question!
    Imagine someone like me from Iran likes your product…. How can that guy buy it legally???
    There is no reseller here in Iran!

  10. john dear
    June 22nd, 2010 at 08:39 | #10

    @mehrdad Hi mehrdad, I am not working at avast, but I have a feeling that you can buy it online from the http://www.avast.com website… you just click on something like “buy”… well, at least it works in my country… http://www.avast.com/index here you click on “buy for 59.95 USD” and that’s it!

  11. June 23rd, 2010 at 10:26 | #11

    @mehrdad
    Selling to Iran is somehow limited (not by us), but I don’t know any details about that, sorry.

  12. Coolmario88cp
    June 24th, 2010 at 01:49 | #12

    @Michal Krejdl
    I need advice: how often should I scan my computer? And how do I speed up the scan?

  13. blaze
    June 25th, 2010 at 07:20 | #13

    I can’t perform the boot time scan on my comp because it is Win 7 64-bit. Are you guys coming up with a patch for 64-bit or something?

  14. June 25th, 2010 at 10:21 | #14

    @Coolmario88cp
    It’s very individual and there’s no general rule. You can schedule a scan for a week or month period, depending on your habits. And how to speed up the scan? Not scanning unnecessary areas e.g.? That’s also a question without a simple answer, because I don’t know the data set on your PC.

  15. June 25th, 2010 at 10:22 | #15

    @blaze
    64bit boot-time scan will be available in v5.1 (later this year).

  16. Laperuz
    June 25th, 2010 at 17:25 | #16

    Well, I hope your work will be 5x faster now ;) As far as I remember, you had planned stream updates (http://forum.avast.com/index.php?topic=47868.msg404426#msg404426). It means that updates will be available every 10-15 minutes, won’t they? What is the current stage of this?

  17. June 28th, 2010 at 15:21 | #17

    @Laperuz
    (I guess) vlk will inform you (and other users) soon about the news for v5.1

  18. qamar
    July 11th, 2010 at 11:52 | #18

    avast antivirus i need

  19. qamar
    July 11th, 2010 at 11:53 | #19

    i need avast antivirus

Comments are closed.