LiquidTension

Staff
Posts posted by LiquidTension


  1. Thanks for the file.

    Testing shows that Symantec Desktop Encryption 10.4.2 MP2 registers an LSP/Winsock DLL which is causing MBAMService to crash. This is a known issue with Malwarebytes version 3.7 on Windows 10 due to the introduction of an Early Launch Anti-Malware (ELAM) driver.

    We're currently working on a fix for this issue. I'll provide an update once it's released.

    Support have informed me that you also have a help desk ticket, so you will get a response to that as well.

     


  2. Hi hexaae,

    Just to clarify, the "I want to continue to this site anyway" string of text is not intended to be a clickable link that brings you to the blocked website.

    Clicking it or the blue circle to the right is only intended to reveal a message box explaining the implications of visiting the website and providing a link to instructions on how to set up an exclusion should you wish to circumvent the block. For reference, the message box is depicted below.

    [Image: image.png]

    The "Go Back" button is not intended to bring you to the blocked website either. Clicking the button performs an operation that is intended to return you to the previous page that was loaded prior to the block occurring and not the actual website that was blocked. Depending on how you access the website or how you have your browser configured, there may be nothing to return to.

    If you trust the website and wish to circumvent the block, you will need to add an exclusion for it in Malwarebytes.

    With that said, our Research team have reviewed the block on the website in question (the one referenced in the URL found in post #2) and determined it is no longer required. As a result, the block is being removed. This change will be included in a database update released shortly. Later today, you should find that Malwarebytes no longer blocks the website (with or without an exclusion).


  3. That's not a problem. Thanks for the update.

    As you don't intend on using the Changed Block Tracking feature, there's no need to use the updated mrcbt.sys driver file. For completeness, you might want to uninstall that feature from Macrium Reflect as the driver is still loaded at boot even with the option unchecked. To do so: Open Programs and Features -> Right-click Macrium Reflect and click Change -> Click Next followed by Modify -> Uncheck Install CBT and click Next -> Click Install -> Reboot the computer.

    We haven't seen any issues specifically between Macrium Reflect and the Ransomware Protection component, so it's possible it was the reboot that solved the issue (following on from the earlier unexpected shut down).

    Please continue to monitor the computer and let us know if you encounter any further issues.


  4. Malwarebytes version 3 has never officially been supported on Windows XP SP2. The legacy Malwarebytes Anti-Malware version 2 was supported on Windows XP SP2, but please note that this product reached end of maintenance nearly 2 years ago. It does still receive definition database updates, but it is severely lacking in detection capabilities and other areas when compared to Malwarebytes version 3 (in Free mode).

    My advice would be to strongly consider moving away from XP in favour of a supported Operating System.

    If this truly isn't possible, the legacy Malwarebytes Anti-Malware version 2 can be downloaded using the following link: https://malwarebytes.box.com/s/4usptr0ghcqoer1z07o1br2yk9g2cbtd
     

    Quote

    Also, I noticed the deactivation instructions say that the free version has limitations, which is of course expected, but it did get me to thinking that I should ask: You can still at least pick specific files/dirs to scan, correct? 

    Yes. For Malwarebytes version 3 and Malwarebytes Anti-Malware version 2, Free mode includes the ability to run scans on specific files/folders.
     

    12 hours ago, agxp said:

    Beyond the questions in my previous reply, I should also ask: Since it installs in premium mode to start with, is there more stuff that is installed to run in the background while premium mode is on (Internet Explorer or other browser add-in's, startup scan processes, etc.)?  If that's the case, will deactivating premium mode get rid of those completely, or do they remain installed (but in a deactivated state)? 

    Real-Time Protection drivers are installed dynamically in Premium/Trial mode. Once reverted to Free, those drivers are automatically uninstalled. There are no leftover running elements from the Premium/Trial mode.


  5. Hello,

    Thanks for reporting the issue.

    The system freeze you originally experienced was likely caused by the mrcbt.sys driver belonging to your installed Macrium Reflect product (specifically related to the "Changed Block Tracking" feature). We've had a few reports from other users experiencing similar freezes and analysis of dump files obtained from the users revealed the source to be operations performed by Macrium Reflect's mrcbt.sys driver.

    I suspect the subsequent issues you encountered with the Anti-Rootkit module not starting are related to the machine's forced/ungraceful shut down.

    I recommend starting by addressing the system freeze. From your logs, I can see that the Changed Block Tracking feature is enabled in Macrium Reflect. Macrium have provided an updated version of their mrcbt.sys driver file that is intended to help address the issue. It can be downloaded from here: https://updates.macrium.com/mrcbt/64/mrcbt.sys

    Replace the mrcbt.sys file in C:\Windows\System32\drivers with the updated version from the download link above and then reboot your computer (this is important).

    Afterwards, please let us know if you encounter any further issues with system freezes and/or Rootkit scanning within Malwarebytes.
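
Added example (not part of the original post, and not Malwarebytes or Macrium code): a PowerShell check to run before copying a downloaded kernel driver over the installed one, comparing version, hash and Authenticode signer, then listing the driver's registration. The download location in `$Candidate` is an assumption.

```powershell
# Added example, not from the original post. $Candidate is an assumed download location.
$Candidate = Join-Path $env:USERPROFILE 'Downloads\mrcbt.sys'
$Installed = Join-Path $env:SystemRoot 'System32\drivers\mrcbt.sys'

function Get-DriverFileInfo {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        FileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$new = Get-DriverFileInfo -Path $Candidate
$old = Get-DriverFileInfo -Path $Installed
$new, $old | Format-List

# Refuse a file whose Authenticode signature does not validate.
if ($new.SigStatus -ne 'Valid') {
    throw "Downloaded driver signature status is '$($new.SigStatus)'; do not install it."
}
# A signer change between the installed and downloaded driver deserves a manual look.
if ($new.Signer -ne $old.Signer) {
    Write-Warning "Signer differs: installed '$($old.Signer)' vs downloaded '$($new.Signer)'"
}

# Show whether a driver backed by mrcbt.sys is registered, its start mode and current state.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*mrcbt.sys' } |
    Select-Object Name, StartMode, State, PathName
```

Running the last pipeline again after the reboot shows whether the driver is still registered to load at boot.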


  6. Hello,

    When changing settings within Malwarebytes, are you dragging the toggle across as depicted below? This will sometimes result in the setting not being saved. We have a defect filed for the issue.

    [Image: Drag.gif]

    To guarantee the setting is saved, tap/click the different setting position as depicted below.

    [Image: Click.gif]

    If the above does not apply to what you are seeing, please provide the requested troubleshooting information mentioned in post #2 along with additional details on what settings you are changing.


  7. Hello,

    We have a defect filed for the erroneous creation of a duplicate/additional scheduled scan in a certain scenario (involving license state changes). Ultimately, we would need the logs requested in the post above to confirm if the cause of your issue is the same or not. However, I do understand if you would prefer not to provide them.


  8. Hi @JustRay,

    Does the block occur with all CNN.com pages or just certain pages?
    Can you provide the URL of a CNN page that you experience the block on please?

    To help us better understand why you're experiencing this block on the CNN.com website, capturing a trace with a program called Fiddler will help.
    Here are steps on how to do so:

    • Close your browser.
    • Download and install Fiddler: https://www.telerik.com/download/fiddler/fiddler2
    • Launch the program once installed.
    • Open Google Chrome and navigate to a CNN webpage that you experience the Malwarebytes website block on.
    • When the Malwarebytes block occurs, return to the Fiddler window and save the trace by clicking File followed by Save followed by All Sessions.
    • Once saved, open the folder containing the .saz file. Right-click the file and click Send to followed by Compressed (Zipped) folder.
    • Please send a Private Message to me (hover over my name and click Message) with the Zip file attached.


    Thank you!


  9. Hi @DSperber,

    Thanks very much for keeping us up-to-date with the contact you've had with Macrium. Our analysis of the dumps you recently provided shows the same set of conditions and deadlock cause.

    Please do let us know how you get on with the updated version of mrcbt.sys that Macrium provided you.

     

    Quote

    So in passing, I wonder if there's any connection here, in possibly explaining not only the freeze story but also why this particular machine also produces 36887 errors regularly?

    The Malwarebytes service logging indicates a correlation between the Self-Protection module and those events being logged to the Windows System Event Log. If you find they still persist, we can certainly continue looking into this. I don't believe they are associated with the freeze/deadlock, but it would certainly be worth verifying if they still persist after the deadlock no longer occurs.
     

    Quote

    So if the underlying problem was a defect solely in MRCBT.SYS completely unrelated to MBAM, and I hadn't touched Macrium Reflect three weeks ago, how is it that the freeze disappeared on M910t...

    Your deadlock occurs between a RegUnloadKey operation performed by MBAMService (the main Malwarebytes service) and a RtlQueryRegistryValues operation performed by mrcbt.sys (in which it tries to acquire a CmpRegistryLock resource). Taking Malwarebytes out of the equation changes the scenario.


  10. Hi @Winjama,

    Thanks for reporting the issue.

    Please could you provide the following information:

    Export Event Logs

    • Press the Windows Key + R on your keyboard at the same time. Type eventvwr.msc and click OK.
    • Expand Windows Logs.
    • Right-click Application and click Save All Events As.... Name the file application and click OK.
    • Repeat for Security and System.
    • Navigate to the location of the files. Highlight the three files, right-click one and click Send to followed by Compressed (zipped) folder.
    • Name the Zip file EventLogs.zip and attach the file in your next reply.
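
Added example (not part of the original post): the same three-log export done from an elevated PowerShell prompt with `wevtutil`, producing `EventLogs.zip`. The working folder in `$OutDir` and the Desktop destination are assumptions.

```powershell
# Added example, not from the original post. $OutDir and the Desktop target are assumed paths.
$OutDir = Join-Path $env:TEMP 'EventLogs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The Security log can only be exported from an elevated session, so check first.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt: the Security log cannot be exported otherwise.'
}

# Export each log to <name>.evtx, overwriting any earlier export.
foreach ($log in 'Application', 'Security', 'System') {
    $target = Join-Path $OutDir ("{0}.evtx" -f $log.ToLower())
    wevtutil.exe epl $log $target /ow:true
    if ($LASTEXITCODE -ne 0) { throw "Export of the $log log failed (exit code $LASTEXITCODE)." }
}

# Bundle the three files and record a hash of the archive that is being handed over.
$zip = Join-Path ([Environment]::GetFolderPath('Desktop')) 'EventLogs.zip'
Compress-Archive -Path (Join-Path $OutDir '*.evtx') -DestinationPath $zip -Force
Get-FileHash -LiteralPath $zip -Algorithm SHA256
```

The Security log records account and logon activity, so treat the archive as sensitive when deciding where to attach it.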

  11. Thanks for the information and files.

    The dump is consistent with other blue screens we see when McAfee is installed and an email client (Outlook, Thunderbird, etc) is opened. This is typically fixed with a reinstallation of McAfee.

    As you have McAfee Total Protection installed, please uninstall the program and verify the blue screens stop.
    Afterwards, you can reinstall the McAfee product if desired and should find no further issues encountered.


  12. That's understandable. We appreciate your efforts with assisting the troubleshooting of the issue.

    Please note that the freeze has still been observed by some users even after Malwarebytes is no longer installed. With that said, investigation is still on-going and we are actively looking into whether a change on our side can help alleviate this issue for users with Macrium Reflect and Malwarebytes installed.


  13. Hello,

    Thanks for your patience.

    Analysis of the dump explicitly implicates mrcbt.sys; a driver file belonging to Macrium Reflect. This is consistent with our internal testing of the freeze, along with reports from other users experiencing the same issue. In your case, the freeze is caused by Macrium Reflect's (specifically, the mrcbt.sys driver) attempt to acquire a lock on a registry resource which Malwarebytes has already called the RegUnloadKey function on.

    The mrcbt.sys driver is associated with Macrium Reflect's "Changed Block Tracking" feature (Other Tasks -> Edit Defaults -> Advanced -> Advanced Incrementals). We've found the following steps mitigate the freeze whilst still allowing full image backups to be performed.

    • Open Programs and Features.
    • Right-click Macrium Reflect and click Change.
    • Click Next followed by Modify.
    • Uncheck Install CBT and click Next.
    • Click Install.
    • Reboot the computer <- Important!
       

    We're still investigating whether there is anything we can do on our side to help mitigate this issue. However, do keep in mind that it is the Changed Block Tracking feature in Macrium Reflect that is triggering the freeze.


  14. Hello,

    We sometimes see users report experiencing a blue screen with email client use when McAfee is installed alongside Malwarebytes. This is typically fixed with a reinstallation of McAfee.

    As you have McAfee Total Protection installed, please uninstall the program and verify the blue screens stop (ensuring you re-enable all Malwarebytes Real-Time Protection).
    Afterwards, you can reinstall the McAfee product if desired and should find no further issues encountered.


  15. Hello,

    Thank you for reporting the issue.

    To help us investigate the issue, please provide a full memory dump (%systemdrive%\MEMORY.dmp) along with further details on the issue.

    • When did the blue screens start occurring?
    • How often do they occur and is there any particular action that triggers them?
    • Which version of Malwarebytes did you have installed?
       

    The dump file can be uploaded to a file hosting service (Google Drive, OneDrive, WeTransfer.com, etc).

    In addition, please carry out steps 4 and 5 in the topic linked:
    https://forums.malwarebytes.com/topic/190532-having-problems-using-malwarebytes-please-follow-these-steps/

    Thank you!
