Intel Accelerated Memory Scanning eases anti-virus CPU load

Contemporary anti-virus products don't have the same impact on system performance that they did back in the single-core days, but they can still eat a hefty chunk of CPU time. A new technology from Intel called Accelerated Memory Scanning (AMS) could help reduce the scanning load on machines with Skylake-and-newer CPUs. The idea is that the machine can offload scanning and detection of memory-based malware to its integrated graphics processor.

Intel says that in its testing, the new tech dropped scanning CPU utilization from 20% to 2% (though it wasn't specified under what conditions). A change like that will certainly free up some speed for whatever the user is doing, especially on dual-core CPUs. Intel remarks that AMS could reduce the impact of security software on a machine's battery life as well as its performance, or enable more frequent or intensive scanning.

Accelerated Memory Scanning is one half of what Intel is calling Threat Detection Technology. The other half is called Advanced Platform Telemetry (APT). It's not completely clear whether APT is a hardware or software solution—or some combination of both—but Intel says it "combines platform telemetry with machine learning algorithms to improve the detection of advanced threats." Intel says Cisco will be the first to deploy APT in its Tetration security platform.

Alongside the new Threat Detection Technologies, Intel is also launching what it calls Intel Security Essentials. The company calls this initiative "a framework that standardizes the built-in security features across Intel processors." Going forward, Intel wants to establish a baseline for security features among all of its hardware to make it easier for developers to "build trusted applications in a consistent way." Previously, it wasn't necessarily clear which security features were supported on which platforms. That should no longer be the case.

Obviously, the thing with the most direct impact for you and me will be Accelerated Memory Scanning. If you're keen to try it out, you won't have long to wait. Microsoft is integrating the tech into Windows Defender Advanced Threat Protection later this month. If you use a different security package, don't fret: Intel says it's working with other companies so they can take advantage of the tech soon.

Comments closed
    • kuttan
    • 1 year ago

    "If you use a different security package, don't fret: Intel says it's working with other companies so they can take advantage of the tech soon."

    Great! Finally some use with unused crappy Intel IGPs

    • wownwow
    • 1 year ago

    “RSA 2018 security conference”

    The 1st session should be presented by Intel:

    Why our design engineers didn’t follow the privilege levels defined by ourselves?

    • ronch
    • 1 year ago

    I think it’s all just academic. Like worrying how much CPU utilization is eaten up by a Realtek audio codec. And of course, there’s the question of detection accuracy: Does this somehow potentially reduce detection accuracy because some shortcuts are made? Isn’t Intel more vulnerable to some recent vulnerabilities because it takes some shortcuts to speed things up?

      • Srsly_Bro
      • 1 year ago

      20% is a meaningful number. I’d rather have 2%, bro.

    • moose17145
    • 1 year ago

    Wonder if this still works if you have the integrated graphics disabled due to having a discrete card installed, or if the iGPU needs to be the active GPU.

    If this works even if the iGPU is disabled due to the system already having a better dedicated card installed, then this is definitely a win as it helps unlock otherwise dormant processing power that would just be unused and wasted die space.

      • willmore
      • 1 year ago

      I didn’t think it was done that way anymore. I thought more recent drivers allowed them both to be active. Maybe not on Vista or earlier, but on Win7 and newer, I see both GPUs listed in programs that let you do things to them.

        • moose17145
        • 1 year ago

        Guess I have been somewhat out of the loop on how these iGPUs work when you have a dedicated graphics card. Last time I dealt with integrated graphics on a desktop, you had to disable it in order to get your discrete card working, otherwise the system would ALWAYS try to default to the integrated.

        My last couple of systems have all been on the HEDT platform… so iGPUs have not been something I have had to deal with.

          • Srsly_Bro
          • 1 year ago

          I have SNB 2700K and I can have iGPU and discrete GPU both enabled.

    • Mat3
    • 1 year ago

    It’s the hard drive that slows the system to a crawl during scanning.

    • dragontamer5788
    • 1 year ago

    "Advanced Platform Telemetry"

    Backronym (https://en.wikipedia.org/wiki/Advanced_persistent_threat) anyone?

      • willmore
      • 1 year ago

      Well, Advanced Persistent Threat was already taken….

    • just brew it!
    • 1 year ago

    With core counts marching steadily upwards, I wonder if they’ll get much buy-in from the AV vendors? I’m assuming that 18% savings is for a single core; on a 6-core system you’re only saving 3% of your total CPU resources.

    On the mobile battery life side, I wonder how much power it will really save since some of those GPU resources would’ve been idle (and drawing less power) without this.

      • blastdoor
      • 1 year ago

      I’ve always thought AV seems like something an OS vendor ought to do rather than relying on third-parties.

      Is it just a historical accident that AV has been the domain of third-party vendors, or is there a good reason for it that I’m not seeing?

        • dragontamer5788
        • 1 year ago

        "Is it just a historical accident that AV has been the domain of third-party vendors, or is there a good reason for it that I'm not seeing?"

        Anti-Trust Law. Microsoft was considered a monopoly in the early 2000s. Not necessarily by the US Government either: Europe forced Windows to accept alternative web browsers, alternative 3rd party security tools, etc. etc.

          • just brew it!
          • 1 year ago

          That came later, though. IIRC Microsoft did not have their own security solution in the DOS and early Windows days.

            • srg86
            • 1 year ago

            MS-DOS 6 had DOS and Windows 3.1x versions of Microsoft Anti-Virus.

            Though that was developed by Central Point Software (later bought by Symantec).

          • blastdoor
          • 1 year ago

          Yeah, anti-trust occurred to me, too. But that didn’t stop MS from integrating other software products into the OS, some of which seem far less obviously a natural part of the OS than others (the big example being Internet Explorer, but also smaller examples like minesweeper, windows media player, etc).

          Also, even the anti-trust folks recognize that some things do make sense to bundle with an OS. I don’t recall MS ever getting into trouble for bundling a graphical file browser with the OS, even though there are third party alternatives to Explorer.

          I would think that AV is fundamental to the stability/operation of a computer and therefore rightly a part of the “operating system”.

          —- edit

          Also, anti-trust doesn’t explain why AV isn’t bundled with macOS or Linux

            • chuckula
            • 1 year ago

            "But that didn't stop MS from integrating other software products into the OS, some of which seem far less obviously a natural part of the OS than others"

            Microsoft will BURN for bundling Notepad and destroying the third-party text editor market!

            • blastdoor
            • 1 year ago

            well, yeah, exactly.

            So why not AV?

            Wouldn’t the world be a better place if AV came built-in and turned-on in all major operating systems?

            If that were the case, then new hardware features like what Intel is doing here (which seems like a great thing for them to be doing) would be more likely to make a real difference.

            • BurntMyBacon
            • 1 year ago

            Simple answer: Resources

            Maintaining a database of signature based virus definitions is an ongoing and resource intensive process. Current definitions based providers charge periodic subscriptions such that many end up paying more for two or three years of AV support than they did for the operating system itself. Granted some have used cloud technologies to reduce the burden here, but that just pushes the crossover point out a bit. Behavior based protection may work well for strictly defined and white-listed setups, but still isn’t mature enough for general computing. Furthermore, it still requires constant updating to keep up with new malware when used on setups that aren’t strictly defined and white-listed.

            Microsoft isn’t interested in a no Return On Investment money sink like anti-virus. Their efforts culminating in the current Microsoft Defender were, for all practical purposes, forced on them. Apple had been running a smear campaign on how insecure Windows was and they were gaining in popularity. Users were afforded more default privileges in Windows (due to Microsoft’s own design decisions), but weren’t taking the necessary steps to secure the system. Microsoft Defender addresses the most obvious low hanging fruit, but doesn’t (and isn’t meant to) keep up with the mainstream Antivirus vendors. This may change if Microsoft starts pushing Windows as a service, though.

            • JustAnEngineer
            • 1 year ago

            Were you an emacs guy, a vi guy or a speedscript guy?

            • chuckula
            • 1 year ago

            iVim for the win^ESC:wq

      • chuckula
      • 1 year ago

      If the IGP can do the job more efficiently than the CPU (even if it is slower) then it’s a win on mobile devices.

      This doesn’t appear to be a feature aimed at the highest-end processors for at least the reason that they don’t have IGPs anyway.

      • DavidC1
      • 1 year ago

      Nah.

      On my i3 7100 it pegs all 4 threads to 30-40%.

      • GTVic
      • 1 year ago

      Depends if an application is waiting to access a file while it is being scanned then performance can be impacted. A simple situation like copying a self-extracting file. The file is being scanned, the files inside the file are being scanned, if you have encryption or compression the CPU is encrypting and/or compressing the file to the hard disk. Then you run the file which causes it to be scanned again, plus the files inside, plus the decrypting/decompressing, plus the individual files inside the archive are being extracted, scanned, encrypted/compressed. If you have a badly written virus scanner this can bring your computer to its knees.

    • christos_thski
    • 1 year ago

    Waiting for the inevitable “don’t use antivirus programs comments” barrage in 3…2..1..

      • crystall
      • 1 year ago

      Here’s a good reason why not and why this makes something bad worse: the file parsers used by antivirus scanners have already been exploited for drive-by attacks (see below for a couple of links on this type of attack). In a nutshell the exploits work this way: you visit a web page, the browser automatically saves some files from the page in its cache, the antivirus scanner looks at them, one of the files is designed to exploit one of its vulnerabilities and in no time your antivirus scanner turned into a rogue process running with kernel privileges.

      Running the scanner on the GPU means you have just made your security perimeter even larger than it already is by exposing vulnerabilities in the GPU stack. And we know how stable and secure GPU drivers are, don’t we?

      http://www.blackhat.com/presentations/bh-europe-08/Feng-Xue/Whitepaper/bh-eu-08-xue-WP.pdf
      http://www.ieee-security.org/TC/SP2012/papers/4681a080.pdf

        • LostCat
        • 1 year ago

        Many of those exploits have been closed either by the AV vendors or with help from Google’s Project Zero. If you have knowledge of an active current exploit feel free to share, but I’m under the impression they’re far better off than that these days.

        • Beahmont
        • 1 year ago

        Yes, and if you don’t use an anti virus program the same files can just exploit much more widely known faults in everything from your browser, to your CPU to do the same thing only easier.

        Your argument is ‘Don’t use anti-virus software, it’s only X% effective.’ Well that’s still more effective than not using it.

    • chuckula
    • 1 year ago

    Intel IGPs: We can scan for viruses!

    AMD APUs: We’re powerful enough to implement the neural networks that write the viruses beyotch!

      • kuttan
      • 1 year ago

      Jump from a cliff chuck 😀
