Performance tips for anti-malware

To improve system resource utilization on the Deep Security Agent, you can optimize these performance-related settings according to best practices.

Minimize disk usage

Reserve an appropriate amount of disk space for storing identified malware files. The space that you reserve applies globally to all computers: physical machines, virtual machines, and Deep Security Virtual Appliances. The setting can be overridden at the policy level and at the computer level.

Alerts are raised when there is not enough disk space to store an identified file.
  1. Open the policy or computer editor that you want to configure.
  2. Click Anti-Malware > Advanced.
  3. Under Identified Files, clear Default.
  4. Specify the disk space to use in the Maximum disk space used to store identified files box.
  5. Click Save.

If you are using a Deep Security Virtual Appliance to protect virtual machines, all identified files from the protected VMs will be stored on the virtual appliance. As a result, you should increase the amount of disk space for identified files on the virtual appliance.

See also Virtual Appliance Scan Caching

Optimize CPU usage

  • Exclude files from real-time scans if they are normally safe but have high I/O, such as databases, Microsoft Exchange quarantines, and network shares (on Windows, you can use procmon to find files with high I/O). See Exclusions.
  • Do not scan network directories. See Scan a network directory (real-time scan only).
  • Do not use Smart Scan if the computer doesn't have reliable network connectivity to the Trend Micro Smart Protection Network or your Smart Protection Server. See Smart Protection in Deep Security.
  • Reduce the CPU impact of malware scans by setting CPU Usage to Medium (Recommended; pauses between scanning files) or Low (pauses between scanning files for a longer interval than the medium setting).
    1. Open the properties of the malware scan configuration.
    2. On the Advanced tab, select the CPU Usage level at which scans run.
    3. Click OK.
  • Create a scheduled task to run scans at a time when CPU resources are more readily available. See Schedule Deep Security to perform tasks.
  • In VM Scan Cache, select a Real-Time Scan Cache Configuration. If scans are not frequent, increase the Expiry Time to avoid repeated scans. See Virtual Appliance Scan Caching.
  • Use agentless deployments so that CPU usage is in one centralized virtual appliance, not on every computer. See Choose agentless vs. combined mode protection.
  • Reduce or keep small default values for the maximum file size to scan, maximum levels of compression from which to extract files, maximum size of individual extracted files, maximum number of files to extract, and OLE Layers to scan. See Scan for specific types of malware.

    Most malware is small, and nested compression indicates malware. But if you don't scan large files, there is a small risk that anti-malware won't detect some malware. You can mitigate this risk with other features such as integrity monitoring. See
  • Enable multi-threaded processing

    Use multi-threaded processing for manual and scheduled scans (by default, real-time scans use multi-threaded processing). Multi-threaded processing is effective only on systems that support this capability. To apply the setting, enable it and then restart the computer.

    Do not enable multi-threaded processing if:
    • Resources are limited (for example, CPU-bound tasks)
    • Resources must be held by only one operator at a time (for example, IO-bound tasks)
    To enable multi-threaded processing:
    1. Go to Policies.
    2. Double-click to open the policy where you want to enable multi-threaded processing.
    3. Go to Anti-Malware > Advanced.
    4. In the Resource Allocation for Malware Scans section, select Yes.
    5. Restart the computers on which you enabled multi-threaded processing for the setting to take effect.
    Enabling multi-threaded processing may impact CPU usage:
    • Multi-threaded processing can reduce the number of CPU cores available at a given time to the computer's other processes.
    • On Linux, when Resource Allocation for Malware Scans is enabled, the CPU usage setting is ignored even if set to Medium or Low.

Optimize RAM usage

  • Reduce or keep small default values for the maximum file size to scan, maximum levels of compression from which to extract files, maximum size of individual extracted files, maximum number of files to extract, and OLE Layers to scan. See Scan for specific types of malware.
    Most malware is small, and nested compression indicates malware. But if you don't scan large files, there is a small risk that anti-malware won't detect some malware. You can mitigate this risk with other features such as integrity monitoring. See Set up Integrity Monitoring
  • Use agentless deployments (RAM usage is in one centralized virtual appliance, not every computer). See Choose agentless vs. combined mode protection.
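
The scan limits described under Optimize CPU usage and Optimize RAM usage (maximum file size, maximum compression levels, maximum number of files to extract) can be illustrated with a small archive walker. This is an added example, not Deep Security code: the function names, the ZIP-only handling, the limit values, and the constructed sample archive are all assumptions. It shows both what the limits save and what they leave unscanned.

```python
import io
import zipfile

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: one large member and three levels of nested archives.
SAMPLE = make_zip({
    "readme.txt": b"hello",
    "big.bin": b"\0" * 5000,
    "inner2.zip": make_zip({
        "inner3.zip": make_zip({"deep.bin": b"D" * 10}),
        "mid.txt": b"mid",
    }),
})

def walk_archive(data, max_levels, max_file_size, max_files):
    """Return (scanned, skipped): member paths that would be inspected, and
    (path, reason) pairs for content a limit left unscanned."""
    scanned, skipped = [], []

    def visit(blob, prefix, level):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                path = prefix + info.filename
                if len(scanned) >= max_files:
                    skipped.append((path, "max files"))
                elif info.file_size > max_file_size:
                    # Declared size is checked before extraction, so an
                    # oversized member costs no RAM or CPU (a production
                    # scanner would also cap the bytes actually inflated).
                    skipped.append((path, "max extracted size"))
                else:
                    body = zf.read(info)
                    scanned.append(path)
                    if zipfile.is_zipfile(io.BytesIO(body)):
                        if level >= max_levels:
                            skipped.append((path + "/*", "max levels"))
                        else:
                            visit(body, path + "/", level + 1)

    visit(data, "", 1)
    return scanned, skipped

if __name__ == "__main__":
    print(walk_archive(SAMPLE, max_levels=2, max_file_size=1000, max_files=10))
```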