CPU

[Guest]

When I do a Full Scan, my CPU usage goes up to 100 percent. Any idea why?
I thought it was other programs having attached themselves to the start up
menu, but ive disabled them and it still does it. If I am only running
Defender, up it goes, and then run v slowly.

L

 

[Guest]

You are observing normal behavior for a full scan. Other anti-spyware
products behave similarly. You may reduce total scan time and sometimes CPU
utilization by unchecking scan within archives. It is suggested that you run
full scans when you are not using the computer. A dual core processor would
be nice, but is not required.

 

[Guest]

tks mr cat. i didnt know that. It does mean that a Full Scan can take 2 hours
or more, as it slow the notebook to a grinding halt.
Since then ive noticed that opening Outlook can also shoot the CPU up to 100
percent, though it falls back pretty quick.
As regards Defender ill probably stick to quick scans.

 

[Guest]

you are welcome.

tks mr cat. i didnt know that. It does mean that a Full Scan can take 2 hours
or more, as it slow the notebook to a grinding halt.
Since then ive noticed that opening Outlook can also shoot the CPU up to 100
percent, though it falls back pretty quick.
As regards Defender ill probably stick to quick scans.

 

[Guest]

Hello lindzog,

From the Help file:

Scan for spyware and other potentially unwanted software

A quick scan checks the places on your computer's hard disk that spyware is
most likely to infect. A full scan will check all files on your hard disk and
all currently running programs, but it might cause your computer to run
slowly until the scan is complete. We recommend that you schedule a daily
quick scan. At any time, if you suspect that spyware has infected your
computer, run a full scan.

 

[Bill Sanderson MVP]

Sticking to quick scans is actually what the Defender help recommends. Do a
full scan either when something is detected, or when you can spare the full
attention of the machine (lunch, overnight, etc.) The quick scan is
intelligently designed to catch spyware in place and functioning--it starts
with the contents of ram and the startup vectors and works back from there.
Full scans will catch stuff which has been downloaded and is just sitting
somewhere--in the TIF or wherever, but isn't active. Probably worth
cleaning up, but not a current threat.

--

 

[Guest]

i am still slightly puzzled by this. I have second HP notebook. I can run
several anti spyware progs, including Defender on Deep scan on it, all at the
same time and the CPU rarely reaches 100 percent, and it if it does its only
briefly.
But on the first notebook, the CPU whizzes up to 100 percent with just
Defender. Perhaps this processer, the mobile Centrino, isnt as powerful as
the other, which is a Pentium 4 (I think)?

 

[Dave M]

Hi lindzog;

Different chip architecture is more likely the answer. On my system the
CPU never exceeds 50% just for MsMpEng.exe as measured by task manager,
because this system is capable of hyper-threading technology and it's
enabled. I'd expect that's the difference your seeing between your two
boxes.

 

[Guest]

Ive been reading that there is a bug in XP that can cause the CPU to read too
high...but as it aint really broke, ill leave it alone. Puzzling though.

 

[Guest]

Though you've already resolved the primary issue of Quick Scan vs. Full Scan
and identified some potential reasons for the different results on different
systems, the core issue is really rather simple. It's based on the balance
between processor and disk system performance.

Since some files like TIFF or BMP files are large but not packed, they take
more time to read from disk than to scan, so they generally cause more disk
activity and less processor utilization. On the other hand a ZIP file will
generally cause less disk activity to read since it's compressed, but much
more processor utilization as the files it contains are unpacked and scanned
in memory. If the processor in a particular system is slow (single core, low
number), but the disk system is high performance, the scanning process will
tend to saturate the processor much of the time resulting in a high Processor
Utilization number.

The interesting thing is that most people will focus on Processor
Utilization as the source of sluggishness, since they can easily see this in
Task Manager or other system monitor applications. However, the real cause of
slugishness is usually more dependent on the disk subsystem, since the
processor can be easily interrupted to perform a different task. Generally,
the disk system must complete it's requests more sequentially, so if a large
file read has been requested it will need to complete before moving on to the
new request made by a user. This is the momentum like 'grab' effect that's
most often noticed by the user during a scan.

Since older systems tend to have both less powerful processors and less
efficient disk subsystems, they take longer overall to perform the same scan,
even with less total files to scan. However, since it's more difficult to
monitor the activity of the disk sub-system in a meaningful way, it's roll is
rarely recognized and the processor receives all of the blame. Though there's
still a dependancy on the antimalware application's design, the differences
seen using the same application on different systems are more related to
these hardware associated effects.

Bitman

 

[Bill Sanderson MVP]

Interesting. Mobile Centrino's do some dancing to balance speed with power
consumption. It might be interesting to change the power management
settings to tell the thing to run full out no matter what, and see whether
that changes the percieved behavior. I'm fuzzy about where you do
that--bios or windows power management (or both.) I've got such a machine
myself and ran Defender on it throughout the beta, but I've switched to
Vista on it and am running a different antimalware client on it at the
moment.

--

 

[Bill Sanderson MVP]

Thanks--excellent thoughts. FWIW, Vista's performance management tools make
it easier to get some useful information out of the disk subsystem part of
this puzzle, from my brief looking into it so far.

--

 

[Guest]

tks bitman. brilliantly informative. I knew none of that.
tks for your input too bill.
Ive learned a lot here...Ive also noticed that there is a key big consumer
of CUP, namely System Idle Process, which gobbles it. Ive tried to research
this but Im out of my depth. From what I read its normal for it to use a lot
of CPU, so I am not going to worry unduly. I suspect my CPU didnt get ramped
up so quickly when the notebook was new, but a year on, there's been lots of
updates, driver updates etc, and I suppose any of these could affect
performance.
For your info here, I run Spybot, Ad Aware Personel, Btyahoo Anti Spy and
Windows Defender. After runing all four on my computer i though it shoudl be
clean, but I decided to try SuperAntispy (having seen it mentioned on this
site) and it found another 73 Tracking Cookies. It always amazes me how each
anti spy prog finds some stuff the others didnt.
Spybot recently found a trojan , Swizzor (in my temp files), which Sophos AV
did not pick up, and nor did Windows Defender, sadlly, which I had hoped
"Real time" protection might block. When i last visited this site some months
back, you guys were saying Window Defender was not very good - it was still a
Beta then. Is it still the case that it is not very good at what it is
supposed to do?

 

[Bill Sanderson MVP]

repeat after me: i before e except after c.......

--

 

[Bill Sanderson MVP]

System Idle Process is just a name to attach to CPU cycles that aren't doing
anything useful--it isn't "eating them"--it just gives a label. So--if
that's the top of the list when you sort by CPU usage, that's good, and
normal. If you want it to always run full out add a distributed processing
app like Seti, or several that search for cancer cures or drug formulas. I
would avoid doing that on a Centrino laptop, I think--I suspect you'd find
that the fan would run continuously and it would be annoying and warm.

I think Defender does a good job at real-time protection. I don't have a
clear idea about how well it does at detection and cleaning of bugs in
place--I haven't seen comparative reviews since release.

In general, I've not found Defender to be a drain or drag on the systems I
have it installed on, and they number about 50, with 3 PII 350's with 4 gig
drives among them. I don't doubt that there are CPU usage issues,
especially around the update process--but I'm happy to keep it installed and
running, and hear very little from the users about it--invisible and in the
background is exactly what I'm looking for.

--

 

[Dave M]

Yeap Bill, unfortunately Malware Test Labs missed our really BIG
announcement of a final release for his comparatives on Nov 12th... perhaps
next month... I alerted them to the FINAL today via email, he is still on
1.1.1347 but with current defs... WD came up 6th in the removal
comparatives out of 27 products... still not too shabby for a Beta...
<snicker>
http://www.malware-test.com/test_reports.html
--

Regards, Dave


Bill Sanderson MVP wrote:
~snip~

I think Defender does a good job at real-time protection. I don't have a
clear idea about how well it does at detection and cleaning of bugs in
place--I haven't seen comparative reviews since release.

~snip~

 

[Dave M]

Yeap, they will include WD Final for December comparatives... I just got
that response back.

 

[Bill Sanderson MVP]

Thanks--I doubt that showing will make the Defender team too happy, but 1347
was pretty long in the tooth by that time, although I am still running it on
some systems--mainly Windows 2000 systems!

--

 

[Guest]

So answer re the verdict on Windows Defender? Is it any better now? Does it
work?

 

[Guest]

Ok, so you meant Perceived...but that doesnt answer the question as to
whether Defender is any good yet?