Would anti-virus software make other processes that it scans consume more CPU?

We recently switched to a new next-gen, AI-based anti-virus software. On a couple of our Linux servers that run Java processes, there have been frequent high spikes in CPU usage recently. Apparently, it is Java that is the highest consumer of CPU, while the anti-virus process isn't using a lot. I am pretty sure that it is not the anti-virus behind the higher CPU usage, since these spikes started a couple of days before the AV software was even installed. So, right now, I am in the process of convincing others that it is not the anti-virus (trust me, no one believes what they see in top -c). Before I go back to the team, I would like to make sure that when the anti-virus scans every single file that gets opened by other processes, the resultant CPU usage would show up against the anti-virus process and not against the process that opens the file. Is this how it will appear in the CPU usage stats?

The servers run Amazon Linux and the anti-virus is CrowdStrike Falcon.

Sreeraj
  • Yes, entirely possible, especially when it's loading its own DLLs (by whichever means, Shims would be one way, but AppInit DLLs also exist and from kernel mode an APC could be used to shuttle a DLL into a process) in those processes. However the stuff done by a KM filter driver would not be billed to the UM process. – 0xC0000022L May 30 '20 at 11:31

1 Answer

It is difficult to tell with certainty; it depends on the AV implementation and how it intercepts the resources being used by processes (executables, files, memory).

Because some AVs run with very high privileges (potentially at the kernel level), it is possible that they intercept system calls and libraries to sandwich their scanning code in at run time. In this case, there won't be a separate AV process taking up resources; the system will account resource use to the process that is doing the system calls and pulling in the libraries.

... Unless the sandwich code offloads the effort to AV processes. Then we're back to the scenario where it's the AV that takes up scanning resources.

More traditional AVs work on the basis of scrubbing RAM and the file system, potentially monitoring new processes, which would have AV processes doing most of the work, not the work processes.

How can you find out exactly how it is happening? You'll need to dig in a bit: use strace, monitor kernel tasks with perf, monitor process use of resources over time with and without AV, etc.

Pedro
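One way to get the "over time, with and without AV" numbers the answer asks for, as an added example that is not part of the original answer: a POSIX shell script that sums utime+stime from /proc/<pid>/stat for every process with a given name, samples twice an interval apart, and prints the ticks each name consumed, so CPU time billed to the java processes can be compared directly with CPU time billed to the AV sensor rather than eyeballed in top. The process names `java` and `falcon-sensor` on the usage line are assumptions; substitute whatever `ps -eo comm` shows on the box.

```shell
#!/bin/sh
# Added example (not from the original post). Attribution check for CPU time:
# if the AV does its scanning in its own process, that process's ticks grow
# during a spike; if it hooks into the work process, the java ticks grow instead.

# ticks_from_stat_line LINE -> utime+stime (clock ticks) from one /proc/<pid>/stat line.
# comm (field 2) may contain spaces, so split on the last ") " first; utime and
# stime are then the 12th and 13th fields of the remainder (fields 14 and 15 overall).
ticks_from_stat_line() {
  rest=${1##*') '}
  set -- $rest
  echo $((${12} + ${13}))
}

# comm_from_stat_line LINE -> the process name between the parentheses.
comm_from_stat_line() {
  c=${1#*'('}
  c=${c%')'*}
  echo "$c"
}

# cpu_ticks_for PATTERN -> total ticks of all live processes whose comm matches
# PATTERN (a shell glob, e.g. java or falcon*).
cpu_ticks_for() {
  total=0
  for f in /proc/[0-9]*/stat; do
    line=$(cat "$f" 2>/dev/null) || continue   # process may have exited mid-scan
    case "$(comm_from_stat_line "$line")" in
      $1) total=$((total + $(ticks_from_stat_line "$line"))) ;;
    esac
  done
  echo "$total"
}

# cpu_delta_report PATTERN... : sample every pattern, sleep INTERVAL seconds
# (default 5), sample again and print the ticks consumed per pattern.
# ticks / CLK_TCK (`getconf CLK_TCK`, usually 100) = CPU seconds.
cpu_delta_report() {
  interval=${INTERVAL:-5}
  before=""
  for p in "$@"; do before="$before$(cpu_ticks_for "$p") "; done
  sleep "$interval"
  for p in "$@"; do
    b=${before%% *}; before=${before#* }
    a=$(cpu_ticks_for "$p")
    printf '%-20s %8d ticks in %ss\n' "$p" "$((a - b))" "$interval"
  done
}

# Usage while a spike is in progress (assumed names):  INTERVAL=10 sh cpu_by_name.sh java falcon-sensor
if [ "$#" -gt 0 ]; then cpu_delta_report "$@"; fi
```

Run it several times during and outside a spike; the pattern that accumulates ticks during the spike is where the kernel is charging the work, whatever the AV's own process shows.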