After doing some more digging it seems there were some miscalculations and a misunderstanding of Avast/AVG's disk writes.
I was counting both FASTIO_WRITE and IRP_MJ_WRITE.
Apparently, FASTIO_WRITE = Written on Windows cache manager/RAM while IRP_MJ_WRITE is the actual writes that are happening on the disk.
The explanation below should help:
If the question is, does FASTIO_WRITES to a file always eventually ends up being a IRP_MJ_WRITE?
The answer according to Gemini:
The short answer is: **No, not always.**
While "data must be saved" is generally true for standard files, Windows architecture allows for scenarios where a `FASTIO_WRITE` never results in an `IRP_MJ_WRITE` (physical disk write).
Here are the three specific ways `FASTIO` avoids becoming an `IRP`:
### 1. File Deletion (The "Race" Scenario)
This is the most common scenario with antivirus temp files.
* **How it works:** An app writes 10MB to the RAM cache via `FASTIO_WRITE`. The "Lazy Writer" (the thread that creates IRPs) is scheduled to flush that data in 5 seconds.
* **The Bypass:** If the antivirus finishes its scan and **deletes** the file within 2 seconds, the Windows Cache Manager simply discards those memory pages.
* **The Result:** The data existed in RAM, was read from RAM, and was destroyed in RAM. No `IRP_MJ_WRITE` was ever generated, and the SSD remained untouched.
So as per the explanation, not all Avast writes are being written on the disk. My initial test of about 60 MB written was inaccurate. About 15 MB of disk writes were caused by Avast. So 1/4th of the supposed amount. So, still not 0 MB but lower than what I initially thought.
I also said above that for ESET 21 MB was written. Which in fact, is the correct number for ESET. With ESET, I said that I watched more than 20 MB worth of a football match. So maybe in the case of ESET, the ratio is also something like 1/4th of the streamed content size. Some scanning is probably done on the Ram while some has to be written on the disk.
I also tested Kaspersky and Kaspersky caused zero disk writes similar to Bitdefender but their method is different from Bitdefender. More similar to Avast and ESET, but 100% more efficient. Kaspersky doesn't use Windows temp files, it uses its own temp folder and files but this data (while streaming) never touches the disk. It stays in Ram. They use memory-mapped files. This is like a placeholder file for the Ram.
The explanation by Gemini is:
### Memory-Mapped Files
This is another method that can be used to avoid disk writes.
Programs like **Kaspersky** use this heavily.
* **How it works:** The program tells Windows to treat a block of RAM as a file.
* **The Bypass:** Writes happen directly to the memory section. Unless the system runs out of RAM (memory pressure) or the program explicitly calls a "Flush" command, the Cache Manager doesn't feel the need to create an IRP to push that data to the disk.
So because of the above reason, I saw no write activities from Kaspersky while watching a streamed content, no matter which sites I tried. BTW, Gemini is not making anything up. Logs captured by Process Monitor were given to it for analysis.
Bitdefender as I said, also doesn't cause disk writes in these scenarios. Kaspersky uses memory-mapped file but Bitdefender doesn't even do that. It processes everything internally in its own memory space.
There is a way to prevent these particular disk writes by Avast and ESET whithout disabling HTTPS scanning, which I will share in a different comment.
