
Deep_Security_9.0_Performance_Test_for_Scan_Enhancement.doc
31 pages

Deep Security 9.0 Performance Test for Scan Enhancement (Cache, Concurrent Scan and Quick Scan Features)
(Increase performance and efficiency around on-demand scan)
Version 0.2
Trend Micro Confidential – For Internal Use Only

Revision History

Revision no.   Author        Revision Description   Date
0.1            Seiko Chang   First Draft            2013/01/04
0.2            Seiko Chang   Review by Mason Lee    2013/01/09

Contents

- Summary
- Test Environment
- File Traverse Time
- On-Demand Scan Time
- Integrity Scan
- Quick Scan Time and On-Demand Scan Time for DSA
- Appendix A – CPU resource usage among different concurrent scan settings
- Appendix B – File List in the Guest Operating System

Anti-Malware Performance

Summary

This report presents our performance test results for Deep Security 9.0 in an ESX 5.1 environment. To reduce scanning time, Deep Security 9.0 introduced three new features: Scan Caching, Concurrent Scan and Quick Scan. This report aims to determine how effective these features are.

Scan Caching is used by the Virtual Appliance to maximize the efficiency of Malware and Integrity Monitoring Scans of virtual machines. Scan Caching improves the efficiency of on-demand scans by eliminating the unnecessary scanning of identical content across multiple VMs in large VMware deployments. A Scan Cache contains lists of files and other scan targets that have been scanned by a Deep Security protection module. If a scan target on a virtual machine is determined to be identical to a target that has already been scanned, the Virtual Appliance will not scan the target a second time. Attributes used to determine whether entities are identical are creation time, modification time, file size, and file name. In the case of Real-time Scan Caching, Deep Security will read partial content of files to determine if two files are identical. There is an option setting to use a file's Update Sequence Number (USN, Windows only), but its use should be limited to cloned virtual machines.

Scan Caching benefits Integrity Monitoring by sharing Integrity Monitoring scan results among cloned or similar virtual machines. Scan Caching benefits Manual (on-demand) Malware Scans of cloned or similar virtual machines by speeding up subsequent scans. Scan Caching benefits Real-Time Malware Scanning by speeding up boot process scans and application access scans on cloned or similar virtual machines. These improvements in efficiency further improve overall scan performance by allowing the Virtual Appliance to perform concurrent scans of multiple virtual machines at the same time.

Concurrent Scans determines the number of scans that the Virtual Appliance will perform at the same time. The recommended number is four. If you increase this number beyond eight, scan performance may begin to degrade. Scan requests are queued by the Virtual Appliance and carried out in the order in which they arrive.

A Quick Scan only scans a computer's critical system areas for currently active threats. A Quick Scan will look for currently active malware, but it will not perform deep file scans to look for dormant or stored infected files. On larger drives it is significantly faster than a Full Scan. Quick Scan is only available on-demand. You cannot schedule a Quick Scan as part of a Scheduled Task.

The performance metrics are as follows:

- File Traverse Time
- (Schedule) On-Demand Scan Time
- (Schedule) Integrity Scan Time
- Quick Scan Time and On-Demand Scan Time for DSA

Test Environment

- Dell PowerEdge R710
- Processor Type: Intel Xeon E5645 @ 2.40GHz
- Processor Sockets: 2
- Cores Per Socket: 6
- Memory: 48 GB
- Storage: Dell MD3620i
- Host
  o Hypervisor: ESXi 5.1.0 799733
  o Filter Driver: 9.0.0.844
  o Epsec Host Driver: 5.1.0-707233
  o Guest Virtual Machine(s):
    - OS: Windows 2003 (32 bit)
    - CPU: 1 vCPU
    - Memory: 512 MB
    - Endpoint Thin Agent: 5.1.0-780214
    - Number of files in System: ~=20841
  o Deep Security Virtual Appliance (DSVA):
    - VCPU: 2
    - Memory: 2048
    - Version: 9.0.0.844
  o vShield Manager: 5.1.0.707232
  o Deep Security Agent
    - OS: Windows 2003 (32 bit)
    - CPU: 1 vCPU
    - Memory: 512 MB
    - Agent version: 9.0.0.846

File Traverse Time

This case measures the effectiveness of the scan cache for real-time scan. According to the current design, the Scan Cache is beneficial only for file open operations, not file write operations, so I wrote a tool to traverse all files in the operating system that causes only file open and file close events.

Scenario                      Traverse Time (sec.)
1st VM without scan cache     506.983
1st VM with scan cache        501.431
2nd VM with scan cache        171.094
3rd VM with scan cache        166.666
4th VM with scan cache        171.697
5th VM with scan cache        174.769
6th VM with scan cache        171.778

Note: Without DSVA activated/protected/power on, the file traverse time is about 29.05 sec. It seems the operating system and the EPsec thin agent have their own cache.
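
An added example of a traversal tool of the kind described under File Traverse Time, not the tool used for these measurements: it opens and immediately closes every regular file under a root directory, with no read or write, and reports the elapsed time per pass. The names traverse and TraverseResult and the script name in the usage comment are assumptions made for this example.

```python
# Added example, not the original test tool: open/close every file under a root.
import os
import stat
import sys
import time
from dataclasses import dataclass


@dataclass
class TraverseResult:
    opened: int         # files successfully opened and closed
    failed: int         # files that could not be opened (locked, access denied)
    skipped: int        # non-regular entries (symlinks, FIFOs, devices)
    elapsed_sec: float  # wall-clock time for the whole pass


def traverse(root):
    """Open read-only and immediately close each regular file under root.

    No data is read or written, so the only events generated per file are
    file open and file close.
    """
    flags = os.O_RDONLY | getattr(os, "O_BINARY", 0)  # O_BINARY exists on Windows only
    opened = failed = skipped = 0
    start = time.perf_counter()
    for dirpath, _dirs, filenames in os.walk(root):  # directory symlinks are not followed
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    skipped += 1  # opening a FIFO or device could block the pass
                    continue
                os.close(os.open(path, flags))
                opened += 1
            except OSError:
                failed += 1  # count it and keep going so one locked file cannot end the run
    return TraverseResult(opened, failed, skipped, time.perf_counter() - start)


if __name__ == "__main__":
    # Usage (hypothetical script name): python traverse.py <root> [passes]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    passes = int(sys.argv[2]) if len(sys.argv) > 2 else 3
    for n in range(1, passes + 1):
        r = traverse(root)
        print(f"pass {n}: {r.opened} opened, {r.failed} failed, "
              f"{r.skipped} skipped, {r.elapsed_sec:.3f} s")
```

Running several passes on the same machine separates operating-system caching from scan-cache effects: only the first pass after boot is comparable across VMs.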
