I have collected data which suggest that SEP takes the same time to scan files, regardless of their size. How can this be?
I have been working to time the antivirus software. I have a script that generates human-readable files by randomly selecting words from the system dictionary (/usr/share/dict/words). Each line in the file is ten words long. I then time how long it takes to run cat on each file, directing stdout to /dev/null. For the experiment in this post, I am generating 500 files, and varying the length to see how it affects the run time, first with the SEP cache disabled, and ensuring that the files are not in the system cache (echo 3 > /proc/sys/vm/drop_caches). Then, it is tested with only the SEP cache disabled. Finally, the SEP cache is enabled, the test is run a few times to ensure that the files are cached, and then timings are taken.
As I understand it, if a file is in the SEP cache, SEP will not scan it. Therefore, the time to read the files when they aren't in cache minus the time to read the files when they are should equal the time it takes to scan the files. In the attached PNG, it can be seen that the graphs of the times with and without SEP cache are basically parallel, thus the difference between the two is constant. This implies that SEP requires a constant time to scan files, regardless of how big they are. This seems absurd.
How can this be possible unless SEP is not scanning the entire file?
For those who want a rough estimate of disk space, remove a 0 from the number of lines; that's about how many kB each file is.
These tests were also run on binary files and returned the same results.
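The measurement and subtraction described in the post, as an added example that is not part of the original post: it writes ten-word-per-line files, times reading them, and fits a line to each timing curve so the uncached-minus-cached difference splits into a fixed per-file cost and a per-line cost. The function names, the timing values in `SIZES`, `CACHED` and `UNCACHED`, and the use of Python instead of `cat` are assumptions made for illustration; dropping the page cache and toggling the SEP cache happen outside the script.

```python
import os, random, tempfile, time

WORDS_PER_LINE = 10  # as in the post

def make_file(path, n_lines, words, rng):
    """Write n_lines lines of ten randomly chosen dictionary words."""
    with open(path, "w") as f:
        for _ in range(n_lines):
            f.write(" ".join(rng.choice(words) for _ in range(WORDS_PER_LINE)) + "\n")

def time_reads(paths):
    """Mean seconds to read each file fully and discard it (like cat > /dev/null)."""
    start = time.perf_counter()
    for p in paths:
        with open(p, "rb") as f:
            while f.read(1 << 20):
                pass
    return (time.perf_counter() - start) / len(paths)

def measure(sizes, words, n_files=5, seed=0):
    """Generate n_files per size in a temp dir; return mean read time per size."""
    rng = random.Random(seed)
    out = []
    with tempfile.TemporaryDirectory() as d:
        for n in sizes:
            paths = [os.path.join(d, f"{n}_{i}.txt") for i in range(n_files)]
            for p in paths:
                make_file(p, n, words, rng)
            out.append(time_reads(paths))
    return out

def fit_line(xs, ys):
    """Ordinary least squares: (intercept, slope) of y = a + b*x."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return my - b * mx, b

def scan_cost(sizes, t_uncached, t_cached):
    """Split (uncached - cached) into fixed per-file and per-line components."""
    a0, b0 = fit_line(sizes, t_cached)
    a1, b1 = fit_line(sizes, t_uncached)
    return a1 - a0, b1 - b0

# Constructed timings in ms per file (NOT measurements): two parallel lines.
SIZES = [1000, 10000, 100000]        # lines per file
CACHED = [0.11, 0.20, 1.10]          # 0.10 + 1e-5 * lines
UNCACHED = [0.61, 0.70, 1.60]        # same slope, shifted up by 0.50
```

For parallel curves the per-line component comes out as zero and the whole difference lands in the fixed per-file term, which is the pattern the post reports.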