
The high price of protection: Why I prefer Malwarebytes' approach


exile360


I just copied over a large folder of driver files for my PC (around 4GB) from a folder saved on my desktop (installed on a 1TB Samsung 970 Pro NVMe PCIe SSD) to a secondary drive (a 1TB Samsung 960 Pro NVMe PCIe SSD) and noticed the speed of the file copy operation was quite sluggish, only topping out around maybe 60MB/s (that's even slower than real-world USB 3.0 drive speeds and would be slow even for standard SATA SSDs, much less NVMe; the fastest consumer drive interface available at the moment) and bottoming out in the tens of KILOBYTES range (that's awful).  I knew something had to be off, so I checked CPU usage via one of my monitoring gadgets and confirmed my suspicions that Windows Defender was the culprit.  Sure enough, around 20%+ CPU usage from the process MsMpEng.exe which is the background process for Defender's real-time protection, used for monitoring, among other things, disk activity in real-time (including file create and file copy activities) to check for viruses/malware.

Since I knew the sources of all the files in this folder (all downloaded directly from the system manufacturer's website as well as the sites of the creators of certain specific components such as Intel and NVIDIA) and because I knew everything in that folder had already been scanned (when it was originally downloaded and placed there on my desktop), I went ahead and disabled Defender's real-time protection at which point the file operation sped up MASSIVELY, hitting around 600~700MB/s according to Explorer and completing in a matter of seconds (like less than 10) which is much closer to the performance I would expect from such high-end hardware.

So what?  This is a well known issue with most virus/malware protection applications; they slow down file operations, especially when many files are involved (like a folder full of drivers, installers and ZIP archives of driver packages) so it's just a fact of life, right?  Well, the thing is, I didn't need to disable Malwarebytes to get back that performance, and that's the point I want to bring up.  From the beginning, Malwarebytes has had a very different approach to protection when compared to most other AV/AM vendors, choosing to focus primarily on activity in memory (such as process execution attempts) and using a decoupled/separate on-demand scan engine for the manual and scheduled scans the program runs (the same scan engine given to everyone who uses the free version) and sharing only its databases with the Malware Protection component in Malwarebytes' real-time protection, and this has huge benefits when it comes to system performance.  It means that, while Malwarebytes will still occasionally hit your CPU a bit when a process is executing tasks in memory to check for things like exploits, and while it will hit the CPU a bit during certain specific disk/file operations to monitor for any potential ransomware/encryption behaviors, it generally won't hinder your system's performance when performing normal file and process operations such as copying/moving files or reading large files into memory (like when you load up your favorite PC game and it has to load all those pretty textures, models and map assets into VRAM, or when you launch your favorite photo editor, video editor or office application and it loads up all of its various plugins, assets, templates, filters and other components) which can be a huge time saver.  
Not only that, but because of this reduced resource usage, your battery life will also be impacted in a positive way since each time you see a process cranking on a percentage of your CPU, that chip is drawing more power from your battery, reducing your overall available uptime in the process.

This lightness on resources is something that doesn't get as much attention as other aspects of the software, but having been a Malwarebytes user since the days of Windows XP, and having previously used nearly every AV/AM app under the sun at one point or another (partially because I'm so darn paranoid, and in part because I liked to test them and see what they had to offer), I have to say that it is one of the biggest benefits to users when it comes to their everyday computing experience.

A part of how this 'lightness' on resources is accomplished is actually through a heavier use of system RAM; a resource which is generally available in much more abundance, especially these days in most modern systems, by enabling Malwarebytes to keep most if not all of its threat databases loaded into memory so that it doesn't have to halt the execution of a process or other in-memory operation to load up its signatures to check and determine whether a process or activity is malicious (a trick many modern AVs use to make their resource usage/RAM usage seem lower, but hitting the CPU and disk much harder; a poor trade off, at least in my opinion, especially since most PCs have far fewer cores/threads than they do megabytes of RAM and you don't 'feel' when an application is using a lot of RAM unless you run out, but you can definitely feel it when your CPU is being taxed, as everything you try to do becomes more sluggish, especially if you're doing anything CPU intensive like gaming or encoding video).  Given the direction PC hardware has gone in, with a cap of around 5GHz for CPU clock speeds, the number of available cores increasing at a fairly slow pace (the first consumer level dual-core CPUs became available around 2004~2005 and we are just now at the point where most systems have at least 4 cores and 8 threads (thanks to SMT/Hyperthreading) while the amount of RAM shipped in even low-end PCs averages around 8GB or more).  A faster CPU also costs a LOT more than adding more system RAM, and it's much harder to swap them out (assuming it's even possible on your current platform/motherboard, as many recent chipsets top out at 4 core CPUs for compatibility and many laptops use soldered mobile CPUs that can't be upgraded at all).  
That doesn't even account for cost, since getting a faster CPU is going to cost you anywhere from $150~$800 depending on the platform and chip you're upgrading to, yet doubling the RAM in an 8GB system to 16GB or even quadrupling it to 32GB is much cheaper, so RAM is both cheaper and more readily available, and I believe this is at least in part why the Developers made the choices they did when it came to implementing Malwarebytes' engine (compatibility with third party AVs was another reason, but the performance benefits are undeniable, at least in my opinion).

Malwarebytes' approach also makes a lot of sense from a marketing perspective.  They have always engineered the software with not only normal humans in mind, but also enthusiasts like PC techs and gamers; a crowd that's hard to please if you start consuming all their CPU cycles whilst they're about the serious business of gaming and tweaking (and sometimes breaking 🤪) their PCs (seriously, if you haven't tweaked your system to the point of breaking your OS at least once, you're doing it wrong 😜).  I'm both, and I love the fact that, while I did have to disable Defender to get my drives' full performance back, I was able to leave Malwarebytes running active in the background the entire time without a hitch.

So, for the TL;DR version: Malwarebytes real-time protection runs light on CPU so that you can get the performance out of your hardware that you paid for rather than making it feel sluggish like a PC from the days of Windows 98 and I'm glad that it does.  Thanks to Malwarebytes, when asked of my PC "But can it run Crysis?" I can honestly respond: "Why yes, yes it can!"


There's another point I thought I should add about how Malwarebytes does things differently from most other entities in the PC security industry.  While many major AV vendors keep massive databases of threats, often going as far back as the early days of Windows 95 and/or 98, Malwarebytes instead focuses on relevant threats that can actually infect your system today on the net, also known as 'in-the-wild' threats.  This difference in threat targeting means that those databases I referred to that are stored in memory to optimize performance and reduce CPU cycles are much smaller than the typical databases/signatures in use by most other security products (which often reach sizes of hundreds of megabytes or more on disk; a major reason they typically don't adopt Malwarebytes' approach to keeping their databases in memory).  Malwarebytes' Research team will also periodically cull out older threat signatures that haven't detected anything for a while (a clear indication that a signature is no longer needed since it is no longer getting any hits against the threats being faced by Malwarebytes' users/customers) which reduces database size and has the added benefit of reducing the amount of RAM used by Malwarebytes' primary process in memory.  It also typically reduces scan times, making those scheduled scans and manual scans faster, again potentially saving battery life and freeing up more resources, and most importantly time for the user to do the things with their PC that they want and need to such as working, streaming videos or playing games.

Malwarebytes strikes a good balance between providing top tier protection without sacrificing performance.  In an age where so many apps want to run in the background constantly to collect that all important telemetry data and display alerts and notifications, and where games and other applications are more resource hungry than ever, it is a breath of fresh air to have a security app that runs so light that you often don't even notice when it's running, quietly protecting your PC in the background.

Protecting their customers from the latest threats is obviously Malwarebytes' first priority as a company, but doing so without hindering the system's performance seems to be a close second, and I'm glad that it is.

Edited by exile360
