Downloading signature databases

spotify · 2025-03-30T13:38:14+00:00

There was an error rendering this rich post.

Hi
I don't know if I'm writing in the right topic. If not, please move it to the right place.

Question. Do Bitdefender developers plan to finally reduce the signature database in terms of weight in MB? Downloading dozens of MB (sometimes even 500MB) each time doesn't make sense, does it? First, it's a lot of data constantly being written to the disk (SSD has limitations due to TBW) and second, it extends the update time. I don't think any AV on the market updates for that long! During the update, you can go make a coffee or replace the stopwatch with a calendar.

Why does all your competition download the signature database in a few seconds and it weighs at most a few MB - for example Kaspersky, Eset, Norton, etc.
Is Bitdefender really unable to change this for so many years? Do you at least plan to change it? When?

Find more posts tagged with

Comments

Gjoksi

Hello.

This is something that should be addressed to @camarie, who works as Principal Software Developer at Bitdefender and @Alexandru_BD, who also works for Bitdefender.

Please, wait for their reply.

Regards.

Flexx

https://community.bitdefender.com/en/discussion/103708/downloading-signature-databases

In the past, I have also contacted the Bitdefender Malware Research Team through Bitdefender Support regarding the same issue, requesting the development of generic detections for specific types of malware. Specifically, I proposed detecting a common file associated with a particular malware type so that if a similar file appears with a different hash, it can still be identified by the same generic detection.

The response I received from the Bitdefender Malware Research Team via Bitdefender Support was that they have currently created a detection for that specific malicious file and may work on a generic detection in the future.

However, in my experience, such features never actually get implemented. Bitdefender signature-based detections have now become similar to Norton signatures from the 1990s.

This query can be answered by @Bogdan BOTEZATU, the Director of Threat Research and Reporting at Bitdefender, if @Alexandru_BD can get him to visit the forum once again.

Additionally, I have reached out to Bitdefender Support, and they have escalated the query to the Bitdefender Malware Research Department on a high priority basis. I will provide updates here as soon as I receive any further information.

Regards

spotify

Bitdefender is one of the best, if not the best AV package on the market today. Behavioral protection is very good and a world leader. Bitdefender is a pioneer in many solutions that increase security. So I don't understand how for so many years they haven't been able to rebuild the SDK and, for example, be on the same or similar to what Eset has. Why? Why does the user have to download a huge signature package of hundreds of MB every day? Bitdefender developers don't want to or can't rewrite or change it? It's not possible? The costs are too huge? Well, you can probably afford this expensive Bitdefender to finally get rid of this problem like these updates, which are one big misunderstanding.

spotify

Can any answers be expected to the questions asked?

Flexx

https://community.bitdefender.com/en/discussion/comment/352082#Comment_352082

https://community.bitdefender.com/en/discussion/comment/352245#Comment_352245

The responsibility of compacting signatures lies with Bitdefender malware researchers, not Bitdefender product developers. Since Bitdefender Support has already escalated the issue to the Bitdefender malware research team, the response time may exceed the usual 72 hours. In most cases, it may take up to a week, as these inquiries are a lower priority for the Bitdefender malware researchers, who handle thousands of malware samples daily. Customer queries are addressed as time permits.

As the ticket has already been created, we appreciate your patience while awaiting a response from the Bitdefender malware research team. This post will be updated as soon as new information becomes available.

@Alexandru_BD

Regards

Alexandru_BD

@Flexx I'll leave it to you to follow up here, once you receive a response from the security researchers on your ticket. And I'll keep this thread open and share my personal thoughts as well.

@spotify first of all, thank you for your appreciation. Obviously, we as forum moderators cannot really answer this question, so I think this needs to be answered by the teams who are responsible for this process. I say we wait for them to reply to Flexx, and he'll post back here.

Considering that there's a massive threat landscape out there, and there are millions of unique malware strains, including polymorphic variants, the signature databases have to cover all of them, so yes, I think their update size is justified. And as you probably know, the security solution uses multiple layers, traditional signatures, heuristic rules, AI components, behavioral patterns, etc, and these all need updating. I think compressing them may have side effects when it comes to optimization, and the developers must prioritize reliability over size, because large updates are known to be less prone to corruption or failures, than many tiny ones pushed one after another. Naturally, the signature updates should also include legacy support for old threats, in case users encounter older malware, so this may also bring more weight.

While better ways exist, such as cloud, AI (and Bitdefender also uses both cloud-based scanning and machine learning), I think signature-based detection is still foundational and very dependable, because it offers offline protection as well, it's predictable and reliable, and it's a proven detection method, especially for known malware.
Furthermore, I think this method could actually improve performance as well, since local signature scans are usually fast and don’t require server round-trips.
I speak for myself here, but I personally can live with this trade-off of having a bigger signature package, since I didn't notice any decrease in performance, or anything that could affect my daily work on the device when these updates take place. I guess it's just the way they prefer to do it, but I'm sure they have their legitimate reasons for doing it this way.

spotify

Take it easy. I'm in no hurry.

I just hope someone comes back with an answer and explanation sooner or later.

Everyone understands the threats. And signatures are important. But the Bitdefender solution is a disaster. I don't know of any other solution on the market that downloads such a large amount of data when updating signature databases. I don't know of any other solution that takes so long to update. All of Bitdefender's competition doesn't have such problems, it doesn't download 0.5GB or more of signature databases with each update. And all of the competition doesn't lose security because of it. Just look at the AV-Comparatives or Av-Test tests. Downloading such data to an SSD drive day after day is killing it and reducing its lifespan (TBW).

If you use the cloud, why aren't the old ones from Windows XP or even older sitting there? With all due respect, all of the competition has it solved better and you can go on and on - from Eset, through Kaspersky, Norton, AVG, Avast, Fsecure and many, many others.
There is no drop in performance, since Bitdefender takes up so much RAM. And how does the hardware not feel it and doesn't affect the operation of the system? After all, the SSD drive gets a kick of data every day.

Eset, which also relies heavily on signature databases in its protection, has almost none with Bitdefender updates. Sarcasm. :)

But seriously, in the example Eset signature updates are kb, not MB or GB.

By the way - how does cloud scanning work? I'm curious. If a given file/document looks like a threat, does Bitdefender send such a file to your cloud? Or how does it happen?

Flexx

https://community.bitdefender.com/en/discussion/comment/352271#Comment_352271

Everyone understands the threats. And signatures are important. But the Bitdefender solution is a disaster. I don't know of any other solution on the market that downloads such a large amount of data when updating signature databases. I don't know of any other solution that takes so long to update. All of Bitdefender's competition doesn't have such problems, it doesn't download 0.5GB or more of signature databases with each update.

It appears that you may be experiencing issues with either your Bitdefender product or the software you are using to monitor its data usage. If your concern is specifically about Bitdefender signature database updates, I would like to highlight that several well-known security solutions, such as Emsisoft, eScan, and others, utilize the Bitdefender signature database. Additionally, many corporate anti-malware solutions also rely on Bitdefender's signature-based detection.

A fresh installation of Emsisoft Anti-Malware and eScan Anti-Malware typically results in a Bitdefender signature database download of around 30 MB. Subsequent daily updates for the Bitdefender signature database are generally small, averaging between 5 MB and 10 MB over a 24-hour period. If your Bitdefender product is downloading significantly larger amounts—such as 500 MB or more—this suggests a potential issue with the software installation or the integrity of the signature database.

To verify this, I recommend downloading and running the Emsisoft Emergency Kit, which is a portable scanner rather than a full anti-malware suite. After installing it, update the database and check the actual download size for the Bitdefender signatures. In my own testing, Bitdefender’s signature folder size remained under 15 MB, even after multiple update intervals.

If your Bitdefender product continues to download excessive amounts of data, I strongly suggest uninstalling and reinstalling the software to ensure a clean installation. Additionally, reaching out to Bitdefender's support team may help identify the root cause of the issue. Please let us know if you require further assistance.

Eset, through Kaspersky, Norton, AVG, Avast, Fsecure and many, many others.

Now, without going into deep details, I'm going to provide information at a surface level. ESET, followed by Kaspersky, has its own malware detection engine. AVG and Norton use Avast's malware detection engine. F-Secure is based on Avira's malware detection engine, and there are others as well. Below, I've shared two links where you can explore the third-party vendors that various antimalware products use in their software.

https://www.av-comparatives.org/list-of-consumer-av-vendors-pc/

https://www.av-comparatives.org/list-of-enterprise-av-vendors-pc/

Eset, which also relies heavily on signature databases in its protection, has almost none with Bitdefender updates. Sarcasm. :)


But seriously, in the example Eset signature updates are kb, not MB or GB.

Furthermore, I have installed ESET on another PC, and the reason its signature updates appear in KB-sized increments is that ESET has significantly reduced the creation of traditional static signatures (those manually crafted by malware researchers). Instead, ESET primarily relies on machine learning (ML), the Host-based Intrusion Prevention System (HIPS), and cloud-based detection mechanisms. This information was confirmed by Marcos, an administrator on the ESET forum.

You can check the following link to see how ESET updates are released, as stated in the support article provided by ESET Support:

https://support.eset.com/en/kb6053-types-of-updates

Therefore, before comparing two security products, it is essential to understand how each solution functions, as not all anti-malware products operate in the same manner. A thorough technical analysis is required before drawing conclusions.

By the way - how does cloud scanning work? I'm curious. If a given file/document looks like a threat, does Bitdefender send such a file to your cloud? Or how does it happen?

Now, regarding the operation of cloud scanning (which is generally similar across most antimalware solutions), we'll focus specifically on Bitdefender's implementation.

Combines Local & Cloud: Analyzes suspicious files using both local scanning and cloud-based threat intelligence.

Initial Local Scan: When a file is accessed or run, Bitdefender first scans it locally.
- Uses signature detection (matching known threats).
- Uses heuristic analysis (checking for suspicious code or behavior).

Safe Files: If the local scan confirms the file is safe, nothing more happens.

Suspicious Files: If a file looks suspicious but isn't definitively malware:
- A hash (unique file fingerprint) may be sent to Bitdefender's cloud servers.

Cloud Check (Known Files): If the cloud has seen this hash before, it quickly returns a verdict (safe/malicious).

Cloud Analysis (Unknown Files): If the file is unknown to the cloud:
- Part or all of the file may be uploaded for deeper analysis.
- Cloud analysis uses AI, behavioral detection, and sandboxing (running the file safely in isolation).

Malware Confirmation: If the cloud determines the file is malicious:
- The global threat intelligence database is updated.
- This protects all Bitdefender users from the newly identified threat.

Privacy Defaults:
- By default, only metadata and file hashes are sent.
- Personal files (like documents or images) are not uploaded unless you explicitly permit it in the settings.

Regards

Flexx

I have received a response from the Bitdefender Malware Research team via Bitdefender Support. According to Bitdefender Support, the Bitdefender Malware Researchers have already reviewed the Bitdefender Community post, as I had shared the Bitdefender Community post link with them.

Below is the reply from the Bitdefender Malware Researchers, provided via Bitdefender Support. Kindly review the attached image.

Regards

Flexx

https://community.bitdefender.com/en/discussion/comment/352353#Comment_352353

Another response from Bitdefender support today.

There is nothing more to add here.

Regards

spotify

https://community.bitdefender.com/en/discussion/comment/352275#Comment_352275

Thank you very much for answering my questions.

It's hard to quote, so I'll try this:

"A fresh installation of Emsisoft Anti-Malware and eScan Anti-Malware typically results in a Bitdefender signature database download of around 30 MB. Subsequent daily updates for the Bitdefender signature database are generally small, averaging between 5 MB and 10 MB over a 24-hour period. If your Bitdefender product is downloading significantly larger amounts—such as 500 MB or more—this suggests a potential issue with the software installation or the integrity of the signature database"

Small amounts of data are downloaded. True. But what about the signatures on the disk? Each update downloads new signatures, verifies them, etc., and then overwrites what is already on the disk. In the process, a new file is created with new overwritten signatures, refreshed, the old file is deleted, etc. Has anyone checked how much data is with each update and how much the disk has to overwrite? If not, check it yourself. It's not a few kb or a few MB.

Today I checked it. I have WizTree installed. Bitdefender downloaded the update. A few MB. And the size of the Bitdefender disk increased by about 500MB due to this operation - update, overwriting. And probably after restarting the computer, it will return to the appropriate size. And so every time with each update we have 300-500MB of transferred data and SSD has more thick data written. And that's why I wrote about TBW. It's not good for SSD drives. Unfortunately.

EDIT

Turning the computer off and on again - 500MB of free space returned. Bitdefender has converted its signature database.

Yes, I know. But Bitdefender also has machine learning, cloud, and cloud detection.

Cloud Analysis (Unknown Files): If the file is unknown to the cloud:

Part or all of the file may be uploaded for deeper analysis.

Privacy Defaults:

By default, only metadata and file hashes are sent.

Thanks for the explanation. Finally we know how it works. And that's really cool.

But a question. Part or all of the file may be uploaded for deeper analysis. And then you wrote - By default, only metadata and file hashes are sent.

So is it the file or only metadata that is sent to the cloud?

Personal files (like documents or images) are not uploaded unless you explicitly permit it in the settings.

Where are these settings in home solutions?

Thank you for the information you pasted. I am glad that Bitdefender is still working on solutions. It looks good that you have reduced the database by 10%. And hopefully more.

In the future, please paste the text. Not everyone knows English well and you cannot copy text from a photo to translation tools such as Google Translate.

Best regards ;)

RedsFan

Maybe with the mods forcing things to fix :-) Whiiii

Flexx

https://community.bitdefender.com/en/discussion/comment/352378#Comment_352378

Small amounts of data are downloaded. True. But what about the signatures on the disk? Each update downloads new signatures, verifies them, etc., and then overwrites what is already on the disk. In the process, a new file is created with new overwritten signatures, refreshed, the old file is deleted, etc. Has anyone checked how much data is with each update and how much the disk has to overwrite? If not, check it yourself. It's not a few kb or a few MB.

Today I checked it. I have WizTree installed. Bitdefender downloaded the update. A few MB. And the size of the Bitdefender disk increased by about 500MB due to this operation - update, overwriting. And probably after restarting the computer, it will return to the appropriate size. And so every time with each update we have 300-500MB of transferred data and SSD has more thick data written. And that's why I wrote about TBW. It's not good for SSD drives. Unfortunately.

Well, I’m not sure what’s happening on your end, but on my system, Bitdefender does not replace the old signature files entirely. Instead, it goes through the list of already-downloaded signatures stored in the system folder and updates them incrementally with new data. It does not re-download the entire signature database from scratch.

On my system, there's no overwriting of the entire database. The signature files are updated in real time as new definitions are applied. Occasionally, some older or incorrect entries might be deleted to remove false positives, but this is part of the normal update process.

Bitdefender’s update mechanism is designed to be efficient—it uses differential (incremental) updates to reduce bandwidth and disk usage. So if you're seeing the full 500MB of disk space being consumed repeatedly or full downloads each time, something may not be working as expected on your Bitdefender installation.

@Alexandru_BD, @Gjoksi, @Scott, @Nunzio77, are you able to reproduce this issue? Because I am unable to.

Yes, I know. But Bitdefender also has machine learning, cloud, and cloud detection.

Thanks for the explanation. Finally we know how it works. And that's really cool.


But a question. Part or all of the file may be uploaded for deeper analysis. And then you wrote - By default, only metadata and file hashes are sent.


So is it the file or only metadata that is sent to the cloud?

What I described earlier reflects the general behavior of most modern cloud-based antivirus engines. However, it's important to understand that no antimalware vendor—including Bitdefender—fully discloses the inner workings of their detection and cloud analysis systems. These mechanisms are proprietary, known only to the vendor’s internal development and malware research teams, and are not shared publicly.

Typically—as a general rule of thumb—only metadata, file hashes, and behavioral data are sent to the cloud for analysis by default. However, if a file appears highly suspicious or cannot be confidently classified through metadata alone, part or even the entire file may be uploaded to the cloud for deeper inspection.

Again, this explanation is based on widely observed industry practices. The specific methods used by Bitdefender are not publicly documented. So yes, a file can be uploaded—but it’s conditional and not the default behaviour for every detection.

In simple terms: while a general explanation of how cloud scanning works is available, the exact implementation details are not publicly disclosed. That information remains proprietary and is limited to the vendor’s internal development and malware research teams.

In the future, please paste the text. Not everyone knows English well and you cannot copy text from a photo to translation tools such as Google Translate.

That is a known feature—Google Translate can convert images to text for translation. However, it's not done here because authenticity and confirmation are important. Replies need to be clearly identified as coming from Bitdefender Support.

In some cases, translations from images to text have been provided within dedicated language forums to help users who don’t understand English. But posting in the English forum is not intended for translation purposes. Users should post in their respective language forums to receive proper assistance in their own language.

I will rest my case here and leave it to the forum admin, @Alexandru_BD, to get back in touch with you. Thank you for your understanding.

Regards

Flexx

https://community.bitdefender.com/en/discussion/comment/352385#Comment_352385

😂

spotify

"Well, I’m not sure what’s happening on your end, but on my system, Bitdefender does not replace the old signature files entirely. Instead, it goes through the list of already-downloaded signatures stored in the system folder and updates them incrementally with new data. It does not re-download the entire signature database from scratch.

I don't intend to argue. This file is even hidden somewhere in Bitdefender files on the disk.

As I wrote. I've been following it.For example, I have a program called WizTree for this (you can also check it with another program).

Normally, all Bitdefender Total Security files take up about 2.3GB on the system disk. When there is just an update, which by the way takes a very long time, Bitdefender immediately takes up about 2.8GB on the disk.

Just restart the computer or turn it off/on and we have 2.3GB back.

That's why I'm bringing this up.

Why does the amount of disk space change so much from the Bitdefender website? Above I wrote how it looks from my side. And how I think.
Why do updates take so long? I don't know of any other product that would update for so long. Maybe the update of signatures and creation of a new file is causing this? I don't know.

I am seeking an explanation for these phenomena

Typically—as a general rule of thumb—only metadata, file hashes, and behavioral data are sent to the cloud for analysis by default. However, if a file appears highly suspicious or cannot be confidently classified through metadata alone, part or even the entire file may be uploaded to the cloud for deeper inspection.

I understand that solutions and patents are not disclosed. It's normal for me.

Thanks for the explanation. I understand how the cloud works, but I would like to have an influence on what, if BD considers a malicious file, is sent to the cloud. I have no intention of sending documents and photos to the cloud, since they are my private things. There should be an option in the settings to "prohibit" sending such files to the cloud.

For example, Eset has such an option in the case of its LiveGuard

I understand the intentions and it is clear to me. And it is very good that you provide the original.

But it was also nice in the form of text under the photo.

I would like to but there is no Polish forum.

spotify

I would like to refresh the topic. I am still waiting for an answer in this topic ;)

Flexx

https://community.bitdefender.com/en/discussion/comment/352815#Comment_352815

@camarie, @dvsls, can you look into this?

Regards

camarie

I don't know details about how the signatures' database works internally, but the difference between 2.8GB and 2.3GB between restarts should consider also the fact that, for certain components, both the previous and the updated database are kept until the restart. This is, AFAIK, a failsafe mechanism; in case something in the updated components shows signs of incorrect behaviour - let's say it clear, bugs can happen, updates from version N to N+1 is not the same as from N-10 to N+1, pending Windows updates, specific conditions on the local machine and so on and so on. If this happens, those components have the possibility to revert back to the previous versions.

I can't speak for every component, but in very simplistic terms, it is like this:

component xyz is at xyz_001_002
update should bring to xyz_002_003
both are kept
a test is run after the update locally in order to make sure xyz_002_003 is behaving correctly
some of the files from xyz_001_002 are kept in memory (normally an unload of 001_002 is attempted followed by a reload of 002_003, but this is not always possible, especially if there are components - and they are - already loaded by the OS, as device drivers, or other antimalware components loaded in external processes such as browsers
xyz_001_002 is marked as deletable and xyz_002_003 is promoted to the "current" status
therefore, until the restart, those two might coexist
after the restart, only xyz_002_003 will remain.

Again, this is (1) based on splinters of informations I heard every now and then, I worked with some of those components, but I am not involved in the update team and (2) the exact approach might vary from component to component (or not at all applicable), so take this as a generic explanation on why the size might differ across restarts. Similar behavior occurs, for example, on Windows update, Chrome etc.

spotify

This is all logically clear to me.

But Windows Update or Chrome or other software do not have updates 3-4 times a day, day after day. Each Bitdefender update is about 500MB of new data. During the day, assuming 4 updates, we have 2GB per day. That's about 14GB of data during the week. That's about 56GB per month. SSD disk has a limited amount of TBW. Such downloads shorten the life of the SSD disk.

Are you able to finally change it so that there is not so much to save each time? Reduce the signature database? Base it more on the cloud? Does Bitdefender have any plans in this matter?

And why do these updates take so long? I don't know of any other AV that took so long to update?

camarie

The daily signature updates I don't think uses the same logic I wrote in the previous message. I'm afraid I can't speak intelligently about all the points you raised (not being involved in any of them), it is better that someone from the antimalware/engines to take it from here and perhaps offer the details.

Flexx

@spotify, as @camarie mentioned, this question will need to be addressed by Bitdefender malware researchers. Currently, there are no Bitdefender malware researchers active on the Bitdefender Community Forum. Therefore, you’ll need to contact Bitdefender Support regarding your query so they can escalate it to the Bitdefender malware researchers.

Based on this post and my personal communication with Bitdefender malware researchers via Bitdefender Support, the process for you may typically involve some back-and-forth communication between you, Bitdefender Support, and the Bitdefender malware research team. Each response may take up to a week from Bitdefender malware researchers (but again, this is an assumption).

While Bitdefender Support can forward your query, kindly note that the Bitdefender malware researchers may take time to respond, as they are often engaged in high-priority tasks—such as creating malware signatures and reviewing false positives and false negatives—on a daily basis. Given that thousands of new malware samples emerge every day, extended response times from the Bitdefender malware research team are to be expected.

Ultimately, the decision to contact Bitdefender Support is yours.

Kindly contact Bitdefender support by visiting https://www.bitdefender.com/consumer/support/help/

Select, How to's & Troubleshooting Bitdefender products→Troubleshooting→I don't know→Contact Support→ You will get the option of chat, call or email.

To get immediate update, make use of the chat option. Bitdefender support may require logs and will assist you in generating them.

Also, ensure you do not have any ad-blocker or privacy-blocker extensions enabled, as they might prevent the chat window from appearing.

Regards

spotify

Thanks for your answers.

So it turns out that this problem does exist.

I'll write to Bitdefender support when I have a free moment. In any case, I hope that Bitdefender knows about it and is working on changing it.

Best regards ;)