Posts posted by pal1000
-
-
cfglobalcdn.com is the CDN of netu.tv video hosting website. As an extra problem netu.tv always uses subdomains of cfglobalcdn.com so allowing cfglobalcdn.com doesn't seem to help. I find it odd the inability to include subdomains when allowing websites on such a long term developed security software like Malwarebytes.
-
Detection: Malware.AI.1032332009
This is not the first time I saw this FP. It disappeared last year before I could report it, but now it's back. I could always reproduce if enabling expert systems algorithms.
-
14 hours ago, AdvancedSetup said:
Okay, we're in different time zones but let me know when you're available to look into this further.
8-11 UTC, 13-16 UTC, 19-21 UTC daily.
-
Okay, I am willing to run some checks and I am aware this is a common problem for many regardless of anti-malware product used. Also system reboot doesn't help and if I reactivate Windows Defender, its integration with security center works properly.
-
No. It stays on premium and protection modules seem to stay active per UI.
-
4.5.9.198 CP 1.0.1672 may also be affected but I didn't get to test it and now it's too late as CP 1.0.1672 was only available in beta and never made it to stable.
Issue only starts manifesting when re-installing so upgrading from an unaffected product version and CP hides the problem.
4.5.9.198 CP 1.0.1683 beta is still affected.
Snippet from Addition.txt
```
==================== Event log errors: ========================

Application errors:
==================
Error: (05/13/2022 10:39:53 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.

Error: (05/13/2022 10:39:48 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.

Error: (05/13/2022 10:39:43 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.

Error: (05/13/2022 10:39:38 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.

Error: (05/13/2022 10:39:33 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.

Error: (05/13/2022 10:39:28 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.

Error: (05/13/2022 10:39:23 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.

Error: (05/13/2022 10:39:18 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating status to SECURITY_PRODUCT_STATE_ON.
```
I have good explanations for the other errors reported by FRST and I can provide them if necessary.
-
Solved in 4.5.4.168 CU 1.0.1957 somehow. Activating by login failed 2 times with `Unable to access license server` error, but activating with product key was successful. This could very well be just a temporary server side glitch.
-
3 hours ago, RTL434 said:
@pal1000 @1PW Well I don't think I will be in this situation but since I will be removing Malwarebytes temporarily to use my Win 10 for another test, I was curious as to what would happen. I was currently on the 4.5.3.162 beta and deactivated it to free. Restarted the PC and then activated the license. No problem---back as 4.5.3.162. Only thing I can see that happens is that the Enable Beta option has been reset.
That's normal because you can only enable beta updates when premium is activated.
3 hours ago, RTL434 said:
I was going to zip up the pictures and post them as a zip file but don't know if that leaves them accessible to "ordinary members" or only Staff/Moderators can view them. Maybe someone could enlighten me as regards that for the future. Have temporarily stored them here in my BT Cloud.
Those pictures don't help much. Nothing stood out to me there. Also judging by the fact you couldn't reproduce following the alternative steps which comply with Malwarebytes supported usage, it means the hang may only happen when activating from Malwarebytes `Getting started` screen. If so the upgrade process itself hides the issue so the alternative and supported steps fail to reproduce the issue. However this issue may surface to supported usage when/if Malwarebytes v4.5.3.162 CU 1.0.1579 gets promoted to stable.
-
Thanks @1PW for highlighting the supported way of installing beta updates. With that being said, these alternative steps might also reproduce the problem but I haven't tested them:
- upgrade to v4.5.3.162 CU 1.0.1579 then restart the system if prompted;
- disable premium then restart;
- try activating premium again.
-
Prerequisite
- Malwarebytes online installer v4.5.3.263 or newer. Note that this is only available by enrolling in beta at the moment I am writing this. It gets downloaded in "C:\ProgramData\Malwarebytes\MBAMService" under a folder which name begins with "In". Copy it somewhere readily available.
Steps
- Uninstall Malwarebytes normally or via Support Tool;
- Run Malwarebytes online installer with undocumented command line option to install beta program directly*;
- Try activating license either via providing the key or by logging in, both activation means reproduce the problem.
Note (*)
I am aware this is unsupported and probably only Malwarebytes developers are supposed to know how to do this step, but this will become a real issue if/when Malwarebytes v4.5.3.162 CU 1.0.1579 hits general availability.
-
I decided to try this experimental MBAE build linked here out of curiosity, but it didn't take me long to discover why it wasn't announced here: it crashes Command prompt no matter what shields or protection settings I disable. Reverting to MBAE 1.13.4.345 built into Malwarebytes premium makes issue go away.
-
Issue came back. Apparently issue occurs after the following steps:
- remove all scheduled scans;
- create a quick scan schedule and don't change anything, just go ahead and confirm the scheduled scan.
Outcomes
- because scheduled scan date and time matches system date and time down to minutes, scan won't run and its scheduled time gets delayed by 5 mins over and over for about half a day;
- During this half day check for updates button doesn't work and background intelligence updates don't trigger either.
Issue goes away temporarily
- on restart;
- after a few hours.
Issue returns on its own
- on logout / switch user;
- on next boot if fast startup is enabled;
- after a few hours.
Restoring proper functionality
This is tricky. Sometimes support tool succeeds in curing the problem, sometimes it fails. Same for normal uninstaller. Running both with reboots for each maximizes chances of success.
-
This can't be reproduced no matter what after clean installing from Oct 16. I think Support tool eliminated whatever persistent glitch occurred during components 1.0.1053-1.0.1070 beta cycle.
-
Clean installed with support tool and the issue seems fixed. One thing I need to test is if the problem returns if I do a standard uninstall, reboot and reinstall. If it does come back then the culprit is the uninstaller.
-
I was already on MB 4.2.1.89 Component 1.0.1070 stable as I did a clean install before opening this thread. Issue manifested shortly after install.
-
This issue seems to be triggered by threat intelligence updates. Also when issue is in effect threat intelligence updates, component updates and scheduled scans don't trigger. Issue fixes on its own after a day and a half at most and can reoccur after another threat intelligence update. Issue can be triggered silently in the background, so if you don't check Settings About page the only clue hinting at something being wrong are the times when scheduled scans run. They'll run shortly after issue fixes on its own.
This problem started around component 1.0.1045 or 1.0.1053. Clean installing doesn't help at all and issue can manifest immediately after a fresh install.
-
Scenario A, just like B is also caused by disabling these services:
- iphlpsvc
- dmwappushservice
- SSDPSRV
- fdPHost
- LanmanWorkstation
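
A read-only check of the five services named above, as an added example that is not part of the original post or any Malwarebytes tooling. It reports each service's start mode and state through the standard `Win32_Service` CIM class and flags the ones that are disabled or absent; the report column names are this example's own choice.

```powershell
# Added example: report start mode and state of the five services named in the post.
# Read-only: nothing is changed on the system.
$names = 'iphlpsvc', 'dmwappushservice', 'SSDPSRV', 'fdPHost', 'LanmanWorkstation'

$report = foreach ($name in $names) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"

    if ($null -eq $svc) {
        # Service is not registered on this Windows edition/version.
        [pscustomobject]@{
            Name        = $name
            DisplayName = '(not installed)'
            StartMode   = 'n/a'
            State       = 'n/a'
            Flag        = 'MISSING'
        }
        continue
    }

    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        StartMode   = $svc.StartMode
        State       = $svc.State
        Flag        = if ($svc.StartMode -eq 'Disabled') { 'DISABLED' } else { '' }
    }
}

$report | Format-Table -AutoSize

# Summarise anything that matches the condition described in the post.
$disabled = @($report | Where-Object Flag -eq 'DISABLED')
if ($disabled.Count -gt 0) {
    Write-Warning ('Disabled services: ' + ($disabled.Name -join ', '))
} else {
    Write-Output 'None of the five services is disabled.'
}
```

The script only reports; restoring a start mode is left to the operator, using the default startup type for the installed Windows version.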
-
These same five services being disabled is the root cause for these issues as well:
-
The only one running is SSDPSRV (SSDP Discovery).
-
If those aren't the cause then maybe one or more of these is:
- dmwappushservice
- SSDPSRV
- fdPHost
I still disable SMB via Windows Firewall, blocking ports 137-139, 445 outbound TCP and UDP.
-
On 8/4/2020 at 5:45 PM, pal1000 said:
2. If I allow Support tool to install MBAM after cleanup, it installs the very old MBAM legacy 3.5.1 for XP. I saw this even with MBST 1.6.2 and now version 1.7.0.
And finally this was also caused by those services being disabled. MB 4.2.0.82 Component 1.0.1025 hitting general availability gave me the opportunity to test this.
This thread can be closed as all issues reported have been dealt with at my end with the exception of incomplete cleanup issue, which was known to Malwarebytes before this topic started. I wonder if Support tool should have a fix for LanmanWorkstation service. I am inclined to believe Malwarebytes relies on some SMB loopback communication. IP Helper may also be involved, but I don't see how.
-
@exile360, as I found the root cause of this issue and neutralized it at my end, I think this topic can be closed.
-
On 8/4/2020 at 5:45 PM, pal1000 said:
1. It doesn't autostart after reboot to perform post-reboot cleanup despite being logged on as admin both before and after reboot and UAC being already set to defaults since the very beginning. I was able to manually start post reboot cleanup using Autoruns tool. There I saw MBST autostart entry is in a Run key under HKCU. I don't remember exactly when and where but I read somewhere that Windows refuses to autostart programs that have admin rights flag set, especially if they try to run from HKCU. This is the case for support tool. Both downloaded executable and unpacked executable to admin user temp folder have admin rights flag set. Still reproducible with release 1.7.0.
This was also caused by certain services being disabled.
-
On 7/30/2020 at 12:43 PM, pal1000 said:
Scenario B - Disable start with Windows is reproducible without fast startup too.
Tests I made clearly indicate that one of the tweaks I made to my system was responsible for this one. See https://github.com/pal1000/pal1000.github.io/commit/9ba400c0521a949ece3da93cfea9f0bb26832363
I then found batcmd.com website which has a very comprehensive catalog with information about Windows services all the way from XP to Windows 10 Version 2004, including default startup type, the exact kind of information to recover from this kind of problem.
cfglobalcdn.com and subdomains is blocked
in Website Blocking