Computer security never comes free of a performance cost, but some mainstream anti-virus software has now lost that balance and gone too far. Here I will introduce some useful techniques and tools.
I have found that many companies' computers suffer terrible delays at startup because a security defense suite is installed on them. This is no small matter: I have boot records of over 8 minutes and over 10 minutes, and that number drops to 1.5 minutes without the firewall or anti-virus software in the way. The problem affects not only Windows but also Linux/BSD, whatever system you use. It shows up mainly during login, but it usually also hits the user again when a browser window or email program is started.
I think everyone wants to balance the performance and the security defense capabilities of their computers. But I cannot accept the delays that popular security products introduce. Worse, many administrators and users have become accustomed to this situation.
They should not give up like that. You can sacrifice some performance for higher security, but security products should not demand performance at any cost.
So what can you do?
Measure Performance
First, establish a measurement baseline before troubleshooting. Time the computer with a stopwatch or watch, in seconds, from cold start to a fully available desktop. "Available" means the user can begin normal work without noticeable latency and CPU usage has settled to within 5%. I also usually divide the startup process into two phases: from cold start to the logon prompt, and from successful login to the available desktop. If possible, set the computer to automatic logon during measurement so that your own logon time does not distort the figures. Cold-boot at least three times until you get consistent start times, agreeing within 5 or 10 seconds.
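The "available desktop" criterion above is easy to apply by eye but easier to apply consistently with a small sampler. The following is an added example, not code from the original article: it reads CPU busy percentage once per second from /proc/stat on Linux (the sampler is my assumption; the article itself uses a stopwatch), finds the first second at which usage has settled to 5% or below and stayed there, and checks that three cold-boot timings agree within the 5 to 10 second window the article recommends. The ten-second "stays there" requirement and the 900-second ceiling are my choices.

```python
"""Added example (not from the original article): timing the moment the
desktop becomes 'available', defined as CPU usage settling to <= 5%.

Assumptions (mine): samples are taken once per second from /proc/stat on
Linux; on other systems pass your own list of per-second busy percentages.
"""
import time
from typing import List, Optional, Tuple

CPU_BUSY_THRESHOLD = 5.0   # article: CPU usage should be within 5%
STABLE_SECONDS = 10        # assumed: how long it must stay that low
AGREEMENT_WINDOW = 10.0    # article: three cold boots agree within 5-10 s


def read_proc_stat() -> Tuple[int, int]:
    """Return (idle, total) jiffies from the aggregate 'cpu' line (Linux only)."""
    with open("/proc/stat") as f:
        values = [int(x) for x in f.readline().split()[1:]]
    idle = values[3] + values[4]          # idle + iowait
    return idle, sum(values)


def cpu_busy_percent(prev: Tuple[int, int], cur: Tuple[int, int]) -> float:
    """Busy percentage over the interval between two /proc/stat readings."""
    d_idle = cur[0] - prev[0]
    d_total = cur[1] - prev[1]
    if d_total <= 0:
        return 0.0
    return 100.0 * (1.0 - d_idle / d_total)


def time_to_available(samples: List[float],
                      threshold: float = CPU_BUSY_THRESHOLD,
                      stable: int = STABLE_SECONDS) -> Optional[int]:
    """samples[i] is CPU busy % during second i after logon.

    Returns the first second from which the next `stable` samples are all
    at or below `threshold`, or None if the machine never settled.
    """
    run = 0
    for i, busy in enumerate(samples):
        if busy <= threshold:
            run += 1
            if run == stable:
                return i - stable + 1
        else:
            run = 0                       # a spike restarts the count
    return None


def boots_agree(times: List[float], window: float = AGREEMENT_WINDOW) -> bool:
    """True when at least three boot timings fall within `window` seconds."""
    return len(times) >= 3 and max(times) - min(times) <= window


def sample_until_available(max_seconds: int = 900) -> Optional[int]:
    """Live version: start this right after logon and poll once per second."""
    samples: List[float] = []
    prev = read_proc_stat()
    start = time.monotonic()
    while time.monotonic() - start < max_seconds:
        time.sleep(1)
        cur = read_proc_stat()
        samples.append(cpu_busy_percent(prev, cur))
        prev = cur
        settled = time_to_available(samples)
        if settled is not None:
            return settled
    return None


if __name__ == "__main__":
    # Constructed data: 20 s of heavy post-logon activity, then quiet.
    constructed = [60.0] * 20 + [2.0] * 15
    print("desktop available after", time_to_available(constructed), "s")
    print("three boots agree:", boots_agree([92, 95, 99]))
```

Run the live sampler as the last item in the auto-logon sequence and add its result to the time you measured from cold start to the logon prompt; the two phases together give the figure the article asks for.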
If the startup time is terrible, try temporarily disabling your host firewall or anti-virus product and repeat the timing test. I have found that many popular firewall and anti-virus products cause significant delays. I have seen a host firewall slow network packets to a sixth of their normal rate, or even worse. Sometimes only the first packet is delayed, but that is enough to make local resources respond slowly.
Some security software can be tuned to improve performance; in that case you may need help from the vendor.
If disabling the host firewall or anti-virus software does not significantly improve performance, re-enable them and try other things. I often disable non-critical services or daemons one by one, rebooting after each, until I find the culprit.
If the services and auto-started daemons are not the problem, I look at user-mode programs next. After logon, many different programs can be used to determine what is loaded automatically. In Linux/BSD, auto-started programs can be launched from many different places; if you are not sure which folders and text files to check, you had better look them up on the Internet.
In Windows, I use the investigation and analysis tool Autoruns to find automatically loaded programs; it can show the dozens or hundreds of automatically started programs on your machine. It is easy to use and can also disable any program you suspect. Bkjia.com has previously published a detailed introduction to the Autoruns tool, and some experts have even used it to find the driver-level protection of rogue software.
Try again
After Autoruns lists the suspects, you still need to do the legwork: disable only one suspicious program at a time, reboot, re-measure the time, and re-enable the program if it turns out not to be the problem. For Windows users, Autoruns is also a good way to identify malware, spyware and adware. Process Explorer and Process Monitor are good analysis tools as well.
Other common headaches include low physical memory, persistent drive mappings to network shares that no longer exist, login scripts that hang abnormally, and corrupted configuration files. This week I ran into a popular script that adds a program and caused a startup delay of one and a half minutes, where under normal circumstances it would take only a few milliseconds.
I often use a network sniffer such as Microsoft Network Monitor or Wireshark to capture all inbound and outbound traffic in promiscuous mode and look for problems such as too small an MTU (Maximum Transmission Unit, the largest packet size), an abnormal transmission rate, and high packet latency. Using packet sniffing a few weeks ago, I found that a client's computer was randomly connecting to a domain controller on the other side of the planet instead of the ones a few meters away.
In Windows, the Windows Performance Toolkit and xperf.exe are good technical troubleshooting tools. They can measure every running program while the host boots, sleeps or is suspended, and display the details graphically, telling you at which moment a program is consuming the computer's resources. It is an advanced troubleshooting tool and a gold mine of information about the computer.
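A first pass over a capture can be automated once it has been exported to fields. The following is an added example, not code from the original article or from either sniffer: it reads a constructed CSV in the style of a tshark field export (time, source, source port, destination, destination port, frame length, TCP flags), and reports the three symptoms the paragraph names: slow connection set-up (SYN to SYN/ACK time), flows whose largest frame is suspiciously small (an MTU hint), and domain-controller traffic (Kerberos 88, LDAP 389, SMB 445) going to an address outside the site's subnet. The sample rows, the 10.1.0.0/16 "local" subnet, the 600-byte frame hint and the 0.2 s handshake limit are all my assumptions.

```python
"""Added example (not from the original article): scanning exported capture
fields for slow handshakes, undersized frames, and far-away domain controllers.

Assumptions (mine): CSV columns as in SAMPLE_CAPTURE; LOCAL_NETS, DC_PORTS and
the two thresholds are illustrative values to adjust per site.
"""
import csv
import io
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]   # assumed site subnet
DC_PORTS = {88, 389, 445}                             # Kerberos, LDAP, SMB
SMALL_FRAME_HINT = 600      # assumed: flows never exceeding this look MTU-limited
SLOW_HANDSHAKE_S = 0.2      # assumed: SYN -> SYN/ACK slower than this is "slow"

# Constructed sample capture, not real traffic.  One local LDAP session and
# one Kerberos session to a remote address with a 0.95 s handshake.
SAMPLE_CAPTURE = """time,src,sport,dst,dport,len,flags
0.000,10.1.2.50,52000,10.1.0.10,389,74,S
0.001,10.1.0.10,389,10.1.2.50,52000,74,SA
0.002,10.1.2.50,52000,10.1.0.10,389,66,A
0.010,10.1.2.50,52000,10.1.0.10,389,1514,PA
0.020,10.1.2.50,52000,10.1.0.10,389,1514,PA
0.500,10.1.2.50,52001,198.51.100.7,88,74,S
1.450,198.51.100.7,88,10.1.2.50,52001,74,SA
1.460,10.1.2.50,52001,198.51.100.7,88,66,A
1.470,10.1.2.50,52001,198.51.100.7,88,576,PA
1.480,10.1.2.50,52001,198.51.100.7,88,576,PA
"""


def parse_capture(text):
    """Turn the CSV export into a list of typed row dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"time": float(r["time"]), "src": r["src"], "sport": int(r["sport"]),
                     "dst": r["dst"], "dport": int(r["dport"]), "len": int(r["len"]),
                     "flags": r["flags"]})
    return rows


def connections(rows):
    """Flow key (client, cport, server, sport) -> SYN timestamp, one per SYN."""
    return {(r["src"], r["sport"], r["dst"], r["dport"]): r["time"]
            for r in rows if r["flags"] == "S"}


def flow_key(row, syns):
    """Attribute a frame to the flow whose SYN we saw, in either direction."""
    fwd = (row["src"], row["sport"], row["dst"], row["dport"])
    if fwd in syns:
        return fwd
    rev = (row["dst"], row["dport"], row["src"], row["sport"])
    return rev if rev in syns else None


def handshake_rtts(rows):
    """Seconds from each SYN to the first matching SYN/ACK."""
    syns = connections(rows)
    rtts = {}
    for r in rows:
        if r["flags"] == "SA":
            key = flow_key(r, syns)
            if key is not None and key not in rtts:
                rtts[key] = round(r["time"] - syns[key], 3)
    return rtts


def slow_handshakes(rows, limit=SLOW_HANDSHAKE_S):
    return {k: v for k, v in handshake_rtts(rows).items() if v > limit}


def remote_dc_connections(rows, local_nets=LOCAL_NETS):
    """(client, server, port) for DC-style ports reached outside the site subnet."""
    hits = []
    for client, _, server, port in connections(rows):
        addr = ipaddress.ip_address(server)
        if port in DC_PORTS and not any(addr in net for net in local_nets):
            hits.append((client, server, port))
    return hits


def small_frame_flows(rows, hint=SMALL_FRAME_HINT):
    """Flows with at least two data frames none of which exceed `hint` bytes."""
    syns = connections(rows)
    biggest, count = defaultdict(int), defaultdict(int)
    for r in rows:
        if "P" in r["flags"]:             # PSH marks a frame carrying data
            key = flow_key(r, syns)
            if key is None:
                continue
            biggest[key] = max(biggest[key], r["len"])
            count[key] += 1
    return [k for k in biggest if count[k] >= 2 and biggest[k] < hint]


def analyze(text):
    rows = parse_capture(text)
    return {"slow_handshakes": slow_handshakes(rows),
            "remote_dc": remote_dc_connections(rows),
            "small_frames": small_frame_flows(rows)}


if __name__ == "__main__":
    for finding, value in analyze(SAMPLE_CAPTURE).items():
        print(finding, value)
```

A flow that never sends a frame larger than a few hundred bytes is only a hint, not proof, of an MTU problem; confirm it against the interface configuration before changing anything, and treat a remote domain controller finding as a site or subnet mapping question for whoever runs the directory.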
Good security always comes at the cost of some performance. The question is how much is acceptable. Environments differ, but a startup time of 3 minutes is definitely out of the normal range. If you have got used to a longer start time, I encourage you to spend a day or two finding out where the problem is, because a good security administrator should be able to find the proper balance between security and performance and adjust policy to the needs of the business and the environment.