Don't get tired. It's just getting interesting!
All right, why not, I agree...
Yes it is loaded as a kernel driver. The associated service shown in task manager shows 460K (VM). The question is, does this service reflect the true memory usage of the kernel driver? That is, if the service is stopped does the kernel driver get unloaded and the memory freed?
No way. Anyway, these are two questions (with possibly different answers).
Does task manager show memory allocated from a driver? --> No.
Does the AVG driver get unloaded when the service is stopped? --> No.
Otherwise, how does one determine how much memory is being used by this (and other) drivers?
Not easy, really. You can try the driver verifier. Go to the Start menu, click Run, type verifier and hit enter. Depending on your OS, a couple of things can show up. The GUI of the verifier in Win2K is totally different from the one found in XP. Anyway, the interface is a little quirky but it shouldn't take you more than a couple of minutes to find out how to enable the verifier for the 2 AVG drivers (these are avgcore and avgfs, I believe (I may not recall the names exactly)). Then you'll be prompted to reboot the machine.
After the reboot, fire verifier again and go to monitoring. Here you can see the number of paged and nonpaged bytes the drivers have allocated.
What are the advantages/disadvantages of loading as a kernel driver?
That's a difficult question. Each approach has its pros and cons. However, the trend now is to move (everything that can be moved) to user mode. The reason is that every single bug in a driver usually results in a BSOD - and people hate BSODs. This is why e.g. McAfee, whose VirusScan engine was traditionally in a driver, moved it to a DLL...
Resource usage and how efficiently the code is written is. Inefficient memory usage may be one indicator of how well the code is written.
Absolutely.
But as I already said, when designing the avast 4 engine, we faced a dilemma whether to employ some advanced, new data structures that will require extra memory but will let us work faster, or use the conservative low-memory-usage approach. We chose the new approach, and I'm happy we did.
Vlk