CaptainHindsight
Honorary Members, 55 posts
  1. Good guess: Ransomware Protection is what seems to cause the slowdown. Below is a fairly complete suite of measurements with a simple tar/gz command. The only reduction in execution time was when Ransomware Protection was absent (either by being turned off, or because MBAM was uninstalled). Each measurement below was for the command

         time tar -czvf /cygdrive/c/captnH/test.tar.gz /cygdrive/e/aLargeDirectoryOfMine && rm /cygdrive/c/captnH/test.tar.gz

     Update: the command above is a bad choice to show the impact of MBAM, see the end of this post.

     Each condition was measured twice, to ensure consistency. (There were a couple of times that I got a weird measurement, maybe 6 seconds higher or lower than the 2 times reported below, but those results were not repeatable.) In general, the command took 37-38 seconds to execute unless Ransomware Protection was absent, in which case it took ~32 seconds.

     Results:

     #1: all Real-Time Protections on
         a: real 0m37.770s  user 0m29.529s  sys 0m3.561s
         b: real 0m37.782s  user 0m27.529s  sys 0m4.233s
     #2: Web Protection OFF
         a: real 0m37.420s  user 0m28.999s  sys 0m4.388s
         b: real 0m37.727s  user 0m29.232s  sys 0m3.530s
     #3: Malware Protection OFF
         a: real 0m37.111s  user 0m28.826s  sys 0m4.202s
         b: real 0m36.985s  user 0m30.139s  sys 0m3.093s
     #4: Ransomware Protection OFF
         a: real 0m32.349s  user 0m31.811s  sys 0m2.670s
         b: real 0m32.275s  user 0m31.468s  sys 0m2.717s
     #5: Exploit Protection OFF
         a: real 0m37.404s  user 0m28.670s  sys 0m5.203s
         b: real 0m37.365s  user 0m29.530s  sys 0m2.951s
     #6: MBAM installed, but ALL Real-Time Protections OFF
         a: real 0m32.553s  user 0m31.999s  sys 0m2.889s
         b: real 0m32.328s  user 0m31.624s  sys 0m3.279s
     #7: MBAM deep clean uninstalled (Malwarebytes Support Tool CLEAN)
         a: real 0m32.566s  user 0m31.999s  sys 0m2.982s
         b: real 0m32.436s  user 0m31.796s  sys 0m1.873s

     Above I noted that the tar/gz command was a poor choice to show the impact of MBAM. Reason: it uses the -z option to compress the tar contents, which uses a lot of CPU and causes delays which mask the effect on disk I/O caused by MBAM. If I ever run the benchmarks above again, I should instead use the command

         time tar -cvf /cygdrive/c/captnH/test.tar /cygdrive/e/aLargeDirectoryOfMine && rm /cygdrive/c/captnH/test.tar

     Using the above tar-only command, I found that with MBAM Ransomware Protection ON the execution time is ~6 seconds and with it OFF it takes ~1.78 seconds, which is a huge (> 3X) impact. I also very quickly benchmarked the impact of MBAM's Ransomware Protection on my Java code if it attempts to tar the same directory as the command above does (which uses the tar command in a cygwin bash shell). The impact of MBAM on Java is vastly more detrimental: with Ransomware Protection on, my Java code takes a staggering 180 seconds; with it off it drops to 7 seconds...
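As an added example (my own harness, not code from the post above), here is a small shell script that makes the kind of before/after measurement described in the post more repeatable: each condition is run N times, the wall-clock time of every run is recorded, and min/median/max are reported instead of two hand-timed runs. It also computes the percentage slowdown between two medians. It reuses the post's tar-only command (no -z, so gzip's CPU cost does not mask the I/O filter's overhead); the run count, labels and the assumption of GNU date (which Cygwin provides) are mine.

```shell
#!/bin/sh
# Added example: repeatable benchmark harness for measuring the overhead that a
# real-time file protection feature adds to a disk-heavy command.
# Assumptions: GNU date (for %N), POSIX sh; SRC/OUT default to the paths used
# in the post and can be overridden from the environment.
set -u

# now_ms: wall-clock time in milliseconds (GNU date prints nanoseconds with %N).
now_ms() {
  echo $(( $(date +%s%N) / 1000000 ))
}

# bench_ms LABEL N CMD...: run CMD N times and print "LABEL min median max"
# (milliseconds of wall-clock time per run). Output of CMD is discarded.
bench_ms() {
  label=$1; n=$2; shift 2
  samples=""
  i=0
  while [ "$i" -lt "$n" ]; do
    start=$(now_ms)
    "$@" >/dev/null 2>&1
    end=$(now_ms)
    samples="$samples$((end - start))
"
    i=$((i + 1))
  done
  # Order statistics: sort the samples numerically and pick first/middle/last.
  sorted=$(printf '%s' "$samples" | sort -n)
  min=$(printf '%s\n' "$sorted" | head -n 1)
  max=$(printf '%s\n' "$sorted" | tail -n 1)
  median=$(printf '%s\n' "$sorted" | sed -n "$(( (n + 1) / 2 ))p")
  printf '%s %s %s %s\n' "$label" "$min" "$median" "$max"
}

# slowdown_pct ON_MS OFF_MS: integer percentage of the "on" median relative to
# the "off" median, e.g. 6000 vs 1780 -> 337 (i.e. ~3.4x slower).
slowdown_pct() {
  echo $(( $1 * 100 / $2 ))
}

# tar_only: the post's tar-only command, without -z, so the measurement is
# dominated by file I/O rather than by gzip's CPU time.
SRC=${SRC:-/cygdrive/e/aLargeDirectoryOfMine}
OUT=${OUT:-/cygdrive/c/captnH/test.tar}
tar_only() {
  tar -cf "$OUT" "$SRC" && rm -f "$OUT"
}

# Typical use (toggle Ransomware Protection in the MBAM UI between the calls,
# then compare medians with slowdown_pct):
#   bench_ms ransomware_on  5 tar_only
#   bench_ms ransomware_off 5 tar_only
```

Run each condition with the same N back to back, and use the median rather than a single run: page-cache state and background scans make individual runs noisy, which is exactly the "weird measurement 6 seconds higher or lower" the post mentions.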
  2. By "exclusions" do you mean MBAM's "Allow List"? I did a brief web search just now, and the most relevant links that I found were:
     1. Malwarebytes for Windows antivirus exclusions list, which is about excluding MBAM from OTHER antivirus programs
     2. Exclude detections in Malwarebytes for Windows (and its associated video), which is about configuring MBAM's Allow List
     2. is clearly the more relevant link. But as I said in my original post: "I know that MBAM has an Allow List. But for programs, all that it seems to do is to allow programs that you trust to be guaranteed to make network connections. Is there any way to tell MBAM to not inspect the local disk I/O of trusted programs?"

     OK, screw the documentation, try an experiment. In my initial post, I mentioned one of my tests was that I opened a cygwin bash shell and executed the command

         tar -czvf test.tar.gz ./aLargeDirectoryOfMine

     I executed that command twice just now. Actually, I prefixed the above with the Linux time command so as to measure its execution time. I consistently got ~38 seconds. Then I added these 2 executables to MBAM's Allow List:

         C:\cygwin64\bin\gzip.exe
         C:\cygwin64\bin\tar.exe

     since in those 2 measurements above, those 2 executables showed up in Task Manager as using the most CPU, as expected (and MBAM was another top CPU user). I then executed the command twice more, and found about the same execution times. And MBAM was again a top CPU user. So it does not seem that MBAM's Allow List caused it to ignore the disk activity of these executables. This is what I expected from my reading of the MBAM docs.
  3. I have long been vaguely aware that if MBAM is running on my computer--and especially if I am using the Premium version, with Real-Time Protection enabled--there might be an impact on performance. For example, others have observed slowdowns (see link1 and link2).

     One process that I do all the time (every night, before I go to bed) is a complicated backup process which backs up all my data to local drives as well as the critical data to a network drive. This process is governed by a Java program that I wrote. On 2021-07-22 I started this nightly backup, and when I opened Task Manager, I saw that MBAM was using about the same amount of CPU as my Java process! In fact, sometimes it even used more CPU, as shown in the 1st attached screen shot file. (In that screen shot, Zulu is my Java process, Zulu being the version of the JDK offered by Azul.)

     I looked into this more on 2021-07-23. Could it be a peculiarity of Java, or Zulu, or my backup code which triggered this? So I opened a cygwin bash shell and executed the command

         tar -czvf test.tar.gz ./aLargeDirectoryOfMine

     I found once again that MBAM used a lot of CPU, as shown in the 2nd attached screen shot. Conclusion: it looks like any program which writes lots of new disk data triggers MBAM into doing lots of processing.

     MBAM's performance impact does not seem to be too bad during my normal computer usage, but I have to wonder how much it slows down my backup process, which has been taking 6-8 hours, which is a long time. So, I decided to experiment: measure the execution times of various parts of my backup process with MBAM installed and running and with it totally uninstalled.

     Results:

     #1, 2021-07-24, MBAM Premium installed and running as usual (e.g. with Real-Time Protection enabled)
         a) backup local SATA drive directory (EG) to a different local SSD drive as a .tgz archive: 133 minutes
         b) backup local SATA drive directory (PH) to a different local SSD drive as a .tar archive: 70 minutes
         c) backup local SATA drive directories (OT) to a different local SSD drive as a .tar archive: 102 minutes
         d) backup local .tgz archive to a network drive: 66 minutes
         Total time across all steps: 413 minutes
     #2, 2021-07-25, MBAM uninstalled
         a) backup local SATA drive directory (EG) to a different local SSD drive as a .tgz archive: 56 minutes
         b) backup local SATA drive directory (PH) to a different local SSD drive as a .tar archive: 17 minutes
         c) backup local SATA drive directories (OT) to a different local SSD drive as a .tar archive: 21 minutes
         d) backup local .tgz archive to a network drive: 62 minutes
         Total time across all steps: 167 minutes

     The local disk to local disk I/O slowdown stunned me: MBAM is having a massive impact (~2-5X slowdown) on any process that involves lots of local disk I/O.

     MBAM's impact on a process that involves lots of network I/O is less clear. My backup to a remote drive was slightly faster with MBAM removed, but that result is actually within the margin of error (e.g. the network conditions may have been different). My guess as to why MBAM impacts the speed of network I/O less is that my network bandwidth is < 10% of my local drive to local drive bandwidth. Someone with better upload bandwidth than me might see more impact. (Yeah, I am stuck for now on crappy Comcast cable with its pathetic upload bandwidth, 20X less than its download. Pity me. Fiber unavailable...)

     This local disk I/O impact is so bad that I need to reconsider if I can have MBAM installed at all, or at least running, when I am doing anything intensive, like my backup process. I know that MBAM has an Allow List. But for programs, all that it seems to do is to allow programs that you trust to be guaranteed to make network connections. Is there any way to tell MBAM to not inspect the local disk I/O of trusted programs?

     Update: I did a web search, and this link claims that Malwarebytes Premium 4.3 has a very low impact on file archiving and unarchiving. That exactly contradicts my results--unless their results are relative to other antivirus programs, which have even worse impact than MBAM...
  4. AdvancedSetup: thanks for your response. I actually knew that, it turned out to be in my MBAM notes, but I forgot to set it in my haste in the reinstall. Thanks much again.
  5. AdvancedSetup: thanks for your response. I followed your instructions. The deinstall and then reinstall seemed to go fine.

     Issue #1: I was NOT prompted to restart my computer. I went ahead and did so manually anyway.

     Issue #2: after restart, in Windows Explorer, the right-click context menu was now missing the choice "Scan with Microsoft Defender...". I always scan all downloaded files with both MBAM and Microsoft Defender. I have never found an issue in any downloaded files with either program, but I take security seriously. My guess: the MBAM deinstall removed some registry keys which that context menu option was using. Or maybe when I reinstalled MBAM, it overwrote some of those registry keys. I did a brief web search, found this link, and executed its .reg file. That added the "Scan with Microsoft Defender..." context menu back. But after I tried executing it, I was brought to Windows Settings with a dialog in front of it that started with the text "Page not available". I attached a screen shot to this post. I then rebooted my computer, and the first time I tried, that "Scan with Microsoft Defender..." context menu was back and seemed to work. The next time that I tried, it was once more missing. I had to double click on that .reg file, which brought back the context menu option, but now I get that "Page not available" error. During this time, in Windows Settings, in "Virus & threat protection", I noticed that Microsoft Defender's Periodic scanning option was off, so I re-enabled it. Actually, I have had to re-enable it twice now, since the setting does not seem to persist... Oh the joys of Windows...

     Coming back to the main purpose here, the 2nd file attached is the MBAM logs that you requested. mbst-grab-results.zip
  6. MBAM got stuck on updating once again this morning, and once again the MBAM app's "Pause" and "Cancel" buttons were greyed out, so only solution was to reboot my computer. See the attached screenshot. Am using MBAM Premium 4.4.3
  7. Yes I am still with you! Sorry for the tardy response. I cannot run Driver Verifier right now because I have so much real work to get done. I am going to try to force time later on tonight. Hmm, I am disturbed about those bad disk block errors. How come Windows never notified me? I am going to have to look into this.
  8. 11 days ago I posted about this issue here. Since that post was marked as "resolved" I had to start a new post.

     I tried to use my computer this morning around 06:00. It was unbelievably unresponsive. For example, I double clicked on a .txt file, and it took several minutes for the file to open. Similarly, using Paint to slightly edit (crop) the screen shots attached to this post took many minutes. Even Task Manager at times warned me that it was Not Responding.

     I soon opened Task Manager, and I saw that the Malwarebytes Service was the #1 CPU user, using 26.5%. See the first attached screen shot. Sometimes appearing as the #2 CPU user was a Java process, at maybe 15% or so of the CPU. What I saw in Task Manager did not surprise me, since:
     - before I go to bed at ~23:00, I start a Java backup program that does a fairly complicated sequence of local and remote file backups. It can take many hours to run, so it is no surprise that it was still running at 06:00
     - every morning at 06:00 a scheduled MBAM Threat Scan runs. It normally takes ~3 minutes or so to complete--if it manages to not get stuck on "Checking for updates". Following Porthos's advice, I have turned off Rootkit Scanning during this scan. Although I do not think that it makes a difference--it should have nothing to do with getting stuck on updating, and if I ever get past updating, it does not cause long scan times.

     I then watched Task Manager for several minutes, and the Malwarebytes Service remained the #1 CPU user for many minutes. That was unexpected; it should have finished after maybe 3 minutes. So, I opened the MBAM client program to see what was happening. It took a couple of minutes for the GUI to fully populate. What I saw at that point was what you see in the 2nd screen shot attached to this post: MBAM was stuck on "Checking for updates". I waited for a lot longer, > 30 minutes, and MBAM never updated.

     Also bad: as you can see in that 2nd screen shot, the MBAM client has a huge defect: the "Cancel" button (as well as "Pause") is greyed out when it is "Checking for updates". The only way that I could stop MBAM was to shut down every user program (including my still running Java backup program) and then restart Windows. I should not have to do this--the GUI should let me kill just the MBAM update.

     So, this issue is not resolved: MBAM Premium 4.4.2 can get stuck seemingly forever on the "Checking for updates" stage and the only remedy is a Windows restart. Not good.

     I note that after I restarted Windows, I soon did a couple of manual scans of some downloaded files, and each time MBAM fairly quickly got past the "Checking for updates" stage and completed these scans quickly enough. mbst-grab-results.zip
  9. I had another crash at ~11:05 this morning. I did a windbg analysis of the MEMORY.DMP file and it reports exactly the same information as what I first reported above ("KERNEL_SECURITY_CHECK_FAILURE (139) A kernel component has corrupted a critical data structure..."). Since I did that first post above, I went ahead and turned off the Malwarebytes Real-Time Web Protection. Yet a crash still happened this morning. Maybe Malwarebytes is not involved in the crash, or else some other part of MBAM besides the Real-Time Web Protection? Attached is a SysnativeFileCollectionApp output zip. This one should be more useful to analyse, since the MEMORY.DMP file is still in its default location. I would be grateful if anyone could analyse this and give me any insight into the cause of my crashes. They are driving me nuts! SysnativeFileCollectionApp.zip
  10. I wanted to keep my initial post as readable as possible, and it was already getting complex. So I am using this follow-up post to satisfy the BSOD posting guidelines. SysnativeFileCollectionApp output zip is attached. Not sure how useful this is, since my last crash was ~4 days ago, and I moved the MEMORY.DMP file from its default location to another drive. The windbg result in my initial post might be better diagnostic information.

      Questions:
      · OS - Windows 10 for Workstations
      · x86 - x64
      · What was original installed OS on system - Windows 10
      · Is the OS an OEM version (came pre-installed on system) - Yes, my Windows 10 started off with whatever Dell installed on it
      · Age of system (hardware) - about 2.5 years
      · Age of OS installation - have you re-installed the OS - I have never re-installed the OS, but have continuously applied all Windows 10 updates as they come out
      · CPU - Intel Xeon E-2176M (Six Core Xeon 2.70GHz, 4.40GHz Turbo, 12MB 45W)
      · Video Card - AMD Radeon Pro WX 4150 w/4GB GDDR5
      · MotherBoard - (if NOT a laptop) - is a laptop
      · Power Supply - brand & wattage (skip if laptop) - is a laptop
      · System Manufacturer - Dell
      · Exact model number (if laptop, check label on bottom) - Dell Mobile Precision 7530 (bought on 2018-12-13)
      · Laptop or Desktop? - laptop workstation

      SysnativeFileCollectionApp.zip
  11. My computer sometimes totally crashes. Not even a blue screen; I get a no screen: the screen is black, the power is off. The last 3 times this happened were on 2021-03-20, 2021-07-02, and 2021-07-03. I have configured my computer to try to generate a memory dump (C:\Windows\MEMORY.DMP) file so that maybe the problem can be traced down. Unfortunately, that memory dump file is not always created, nor do I really know how to do Windows debugging. So, I am posting this thread seeking insight from anyone who is a Windows expert.

      Below are highlights from using windbg to analyse the MEMORY.DMP file from the last (2021-07-03) crash:

          KERNEL_SECURITY_CHECK_FAILURE (139)
          A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine.
          ...
          BUGCHECK_CODE: 139
          ...
          BLACKBOXWINLOGON: 1
          PROCESS_NAME: System
          ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
          EXCEPTION_CODE_STR: c0000409
          EXCEPTION_PARAMETER1: 000000000000001d
          EXCEPTION_STR: 0xc0000409
          ...
          SYMBOL_NAME: nt!KiFastFailDispatch+d0
          MODULE_NAME: nt
          IMAGE_NAME: ntkrnlmp.exe
          STACK_COMMAND: .thread ; .cxr ; kb
          BUCKET_ID_FUNC_OFFSET: d0
          FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch

      Attached as a text file is the full windbg result of analysing that MEMORY.DMP file. The results above are exactly what I also saw on 2021-03-20, while the 2021-07-02 crash failed to produce a MEMORY.DMP file.

      Does anyone have an insight into what is going on here? I note this previous post which reported a KERNEL_SECURITY_CHECK_FAILURE; however, its details seem to be different than mine. That previous post did have an intriguing reply by Porthos who suggested that other security software can interfere with MBAM. He gave a link which specifically mentions several VPNs. I use Torguard VPN's Windows client, which is not mentioned. So, does anyone see any indication in the windbg result that MBAM and Torguard may be conflicting? I will not hesitate to turn off MBAM's Web Protection if it is problematic. I have had a couple of other strange MBAM issues recently (link1, link2), and in the second one Porthos and I had some discussion about MBAM, Torguard, OpenVPN, and Wireguard. 2021-07-03_windbg_analysis.txt
  12. Sorry, I failed to notice your reply. Yes, MBAM is running now, as it has continuously been. I almost never operate my computer without it being on.
  13. This morning's is typical, and is attached here. MBAM threat scan_2021-07-04.txt
  14. It used to. And Torguard still offers OpenVPN as an option. But the preferred protocol for Torguard is to use Wireguard, which is vastly simpler code, much faster, and likely far less buggy and more secure. I switched to Wireguard the moment it was available on Torguard.
  15. Yes: my main drive is a 2TB PCIe NVMe SSD (Samsung 970 EVO, was reasonably fast when it came out, still not bad). I have another 2TB SSD, a SanDisk SATA model, that is a little slower and which I use for bulk storage. Yes: this scheduled scan is a threat scan. I have attached 2 more screen shots which show this scan's config. No, the rootkit scan does not seem to lead to long scan times. Looking at my Reports, this scheduled scan completes in ~3 minutes, when it completes (which is most of the time).