Everything posted by CaptainHindsight

  1. Good guess: Ransomware Protection is what seems to cause the slowdown. Below is a fairly complete suite of measurements with a simple tar/gz command. The only reduction in execution time was when Ransomware Protection is absent (either by being turned off, or because MBAM was uninstalled). Each measurement below was for the command

        time tar -czvf /cygdrive/c/captnH/test.tar.gz /cygdrive/e/aLargeDirectoryOfMine && rm /cygdrive/c/captnH/test.tar.gz

     Update: the command above is a bad choice to show the impact of MBAM, see the end of this post.

     Each condition was measured twice, to ensure consistency. (There were a couple of times that I got a weird measurement, maybe 6 seconds higher or lower than the 2 times reported below, but those results were not repeatable.) In general, the command took 37-38 seconds to execute unless Ransomware Protection is absent, in which case it took ~32 seconds.

     Results:

     #1: all Real-Time Protections on
        a: real 0m37.770s  user 0m29.529s  sys 0m3.561s
        b: real 0m37.782s  user 0m27.529s  sys 0m4.233s
     #2: Web Protection OFF
        a: real 0m37.420s  user 0m28.999s  sys 0m4.388s
        b: real 0m37.727s  user 0m29.232s  sys 0m3.530s
     #3: Malware Protection OFF
        a: real 0m37.111s  user 0m28.826s  sys 0m4.202s
        b: real 0m36.985s  user 0m30.139s  sys 0m3.093s
     #4: Ransomware Protection OFF
        a: real 0m32.349s  user 0m31.811s  sys 0m2.670s
        b: real 0m32.275s  user 0m31.468s  sys 0m2.717s
     #5: Exploit Protection OFF
        a: real 0m37.404s  user 0m28.670s  sys 0m5.203s
        b: real 0m37.365s  user 0m29.530s  sys 0m2.951s
     #6: MBAM installed, but ALL Real-Time Protections OFF
        a: real 0m32.553s  user 0m31.999s  sys 0m2.889s
        b: real 0m32.328s  user 0m31.624s  sys 0m3.279s
     #7: MBAM deep clean uninstalled (Malwarebytes Support Tool CLEAN)
        a: real 0m32.566s  user 0m31.999s  sys 0m2.982s
        b: real 0m32.436s  user 0m31.796s  sys 0m1.873s

     Above I noted that the tar/gz command was a poor choice to show the impact of MBAM. Reason: it uses the -z option to compress the tar contents, which uses a lot of CPU and causes delays which mask the effect on disk I/O caused by MBAM. If I ever run the benchmarks above again, I will instead use the command

        time tar -cvf /cygdrive/c/captnH/test.tar /cygdrive/e/aLargeDirectoryOfMine && rm /cygdrive/c/captnH/test.tar

     Using the above tar-only command, I found that with MBAM Ransomware Protection ON the execution time is ~6 seconds and with it OFF it takes ~1.78 seconds, which is a huge (> 3X) impact.

     I also very quickly benchmarked the impact of MBAM's Ransomware Protection on my Java code if it attempts to tar the same directory as the code above does (which uses the tar command in a cygwin bash shell). The impact of MBAM on Java is vastly more detrimental: with Ransomware Protection on, my Java code takes a staggering 180 seconds; with it off it drops to 7 seconds...
  2. By "exclusions" do you mean MBAM's "Allow List"? I did a brief web search just now, and the most relevant links that I found were:
        1. Malwarebytes for Windows antivirus exclusions list, which is about excluding MBAM from OTHER antivirus programs
        2. Exclude detections in Malwarebytes for Windows (and its associated video), which is about configuring MBAM's Allow List
     2. is clearly the more relevant link. But as I said in my original post: "I know that MBAM has an Allow List. But for programs, all that it seems to do is to allow programs that you trust to be guaranteed to make network connections. Is there any way to tell MBAM to not inspect the local disk I/O of trusted programs?"

     OK, screw the documentation, try an experiment. In my initial post, I mentioned one of my tests was that I opened a cygwin bash shell and executed the command

        tar -czvf test.tar.gz ./aLargeDirectoryOfMine

     I executed that command twice just now. Actually, I prefixed the above with the linux time command so as to measure its execution time. I consistently got ~38 seconds. Then I added these 2 executables to MBAM's Allow List

        C:\cygwin64\bin\gzip.exe
        C:\cygwin64\bin\tar.exe

     since in those 2 measurements above, those 2 executables showed up in Task Manager as using the most CPU, as expected (and MBAM was another top CPU user). I then executed the command twice more, and found about the same execution times. And MBAM was again a top CPU user. So it does not seem that MBAM's Allow List caused it to ignore the disk activity of these executables. This is what I expected from my reading of the MBAM docs.
  3. I have long been vaguely aware that if MBAM is running on my computer--and especially if I am using the Premium version, with Real-Time Protection enabled--there might be an impact on performance. For example, others have observed slowdowns (see link1 and link2).

     One process that I do all the time (every night, before I go to bed) is a complicated backup process which backs up all my data to both local drives as well as the critical data to a network drive. This process is governed by a Java program that I wrote. On 2021-07-22 I started this nightly backup, and when I opened Task Manager, I saw that MBAM was using about the same amount of CPU as my Java process! In fact, sometimes it even used more CPU, as shown in the 1st attached screen shot file. (In that screen shot, Zulu is my Java process, Zulu being the version of the JDK offered by Azul.)

     I looked into this more on 2021-07-23. Could it be a peculiarity of Java, or Zulu, or my backup code which triggered this? So I opened a cygwin bash shell and executed the command

        tar -czvf test.tar.gz ./aLargeDirectoryOfMine

     I found once again that MBAM used a lot of CPU, as shown in the 2nd attached screen shot. Conclusion: it looks like any program which writes lots of new disk data triggers MBAM into doing lots of processing.

     MBAM's performance impact does not seem to be too bad during my normal computer usage, but I have to wonder how much it slows down my backup process, which has been taking 6-8 hours, which is a long time. So, I decided to experiment: measure the execution times of various parts of my backup process with MBAM installed and running and with it totally uninstalled.

     Results:

     #1, 2021-07-24, MBAM Premium installed and running as usual (e.g. with Real-Time Protection enabled)
        a) backup local SATA drive directory (EG) to a different local SSD drive as a .tgz archive: 133 minutes
        b) backup local SATA drive directory (PH) to a different local SSD drive as a .tar archive: 70 minutes
        c) backup local SATA drive directories (OT) to a different local SSD drive as a .tar archive: 102 minutes
        d) backup local .tgz archive to a network drive: 66 minutes
        Total time across all steps: 413 minutes
     #2, 2021-07-25, MBAM uninstalled
        a) backup local SATA drive directory (EG) to a different local SSD drive as a .tgz archive: 56 minutes
        b) backup local SATA drive directory (PH) to a different local SSD drive as a .tar archive: 17 minutes
        c) backup local SATA drive directories (OT) to a different local SSD drive as a .tar archive: 21 minutes
        d) backup local .tgz archive to a network drive: 62 minutes
        Total time across all steps: 167 minutes

     The local disk to local disk I/O slowdown stunned me: MBAM is having a massive impact (~2-5X slowdown) on any process that involves lots of local disk I/O.

     MBAM's impact on a process that involves lots of network I/O is less clear. My backup to a remote drive was slightly faster with MBAM removed, but that result is actually within the margin of error (e.g. the network conditions may have been different). My guess as to why MBAM impacts the speed of network I/O less is that my network bandwidth is < 10% of my local drive to local drive bandwidth. Someone with better upload bandwidth than me might see more impact. (Yeah, I am stuck for now on crappy Comcast cable with its pathetic upload bandwidth 20X less than its download. Pity me. Fiber unavailable...)

     This local disk I/O impact is so bad that I need to reconsider if I can have MBAM installed at all, or at least running, when I am doing anything intensive, like my backup process. I know that MBAM has an Allow List. But for programs, all that it seems to do is to allow programs that you trust to be guaranteed to make network connections. Is there any way to tell MBAM to not inspect the local disk I/O of trusted programs?

     Update: I did a web search, and this link claims that Malwarebytes Premium 4.3 has a very low impact on file archiving and unarchiving. That exactly contradicts my results--unless their results are relative to other antivirus programs, which have even worse impact than MBAM...
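     An added example (not code from CaptainHindsight's posts or from Malwarebytes) showing how the A/B timing experiment in posts 1 and 3 above can be scripted: time one command several times under each real-time protection setting, compare the median wall time of each condition against a baseline, and check how CPU-bound the workload is, since a CPU-heavy step such as `tar -z` hides filter-driver overhead on disk I/O. The function names and the sample figures below are mine; the figures are constructed from the numbers quoted in post 1.

```python
"""Benchmark harness for measuring the overhead of a real-time protection
feature on an I/O-heavy command. Added example; names are the author's own
and the embedded sample data is constructed from the forum post's figures."""
import statistics
import subprocess
import sys
import time
from typing import Dict, List, Sequence

# Exposed so a caller can time a trivially cheap command without guessing
# what the interpreter is called on this system.
PYTHON = sys.executable


def run_trials(argv: Sequence[str], trials: int = 2) -> List[float]:
    """Run argv `trials` times and return wall-clock seconds for each run.

    A process timer is used instead of the bash `time` keyword so the same
    measurement works from cygwin bash, cmd.exe or PowerShell. The caller is
    expected to toggle the protection setting between calls and label each
    result set accordingly.
    """
    samples: List[float] = []
    for _ in range(trials):
        start = time.perf_counter()
        subprocess.run(list(argv), check=True)
        samples.append(time.perf_counter() - start)
    return samples


def slowdown_table(results: Dict[str, List[float]], baseline: str) -> Dict[str, float]:
    """Median wall time of every condition divided by the baseline's median.

    Medians are used rather than means so that a single outlier run (the
    post mentions occasional ~6 s swings) does not distort the comparison.
    """
    base = statistics.median(results[baseline])
    return {label: statistics.median(samples) / base for label, samples in results.items()}


def cpu_fraction(user_s: float, sys_s: float, real_s: float) -> float:
    """(user + sys) / real for one run, taken from `time` output.

    Close to or above 1.0 means the command is CPU-bound (it can exceed 1.0
    when tar and gzip run on two cores), so extra I/O latency added by a
    filesystem filter is largely masked; well below 1.0 means the run spent
    most of its wall time waiting, which is where I/O overhead shows up.
    """
    return (user_s + sys_s) / real_s


# Constructed sample data: the real-time figures quoted in post 1 for the
# compressing command (tar -czvf), two runs per condition.
TAR_GZ_RUNS: Dict[str, List[float]] = {
    "all protections on": [37.770, 37.782],
    "ransomware protection off": [32.349, 32.275],
    "mbam uninstalled": [32.566, 32.436],
}

# Constructed sample data: the single figures quoted for the tar-only command.
TAR_ONLY_RUNS: Dict[str, List[float]] = {
    "ransomware protection on": [6.0],
    "ransomware protection off": [1.78],
}


def main() -> None:
    for name, runs in (("tar -czvf", TAR_GZ_RUNS), ("tar -cvf", TAR_ONLY_RUNS)):
        table = slowdown_table(runs, "ransomware protection off")
        print(f"{name}:")
        for label, ratio in table.items():
            print(f"  {label:28s} {ratio:5.2f}x")
    # user/sys/real for run 1a of the compressing command: mostly CPU time,
    # which is why the 6 s I/O penalty seen with plain tar barely shows.
    print(f"tar -czvf run 1a CPU fraction: {cpu_fraction(29.529, 3.561, 37.770):.2f}")
    # To measure a real command instead of the constructed data, e.g.:
    # run_trials(["tar", "-cvf", "/tmp/test.tar", "/path/to/dir"], trials=3)


if __name__ == "__main__":
    main()
```

     The design point worth keeping from the posts is the choice of workload: compare the ratios for the compressing and non-compressing commands, and the same protection feature looks like a ~1.2x cost in one case and a >3x cost in the other, so an I/O-bound command with a low CPU fraction is the one to benchmark when the question is filter-driver overhead.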
  4. AdvancedSetup: thanks for your response. I actually knew that, it turned out to be in my MBAM notes, but I forgot to set it in my haste in the reinstall. Thanks much again.
  5. AdvancedSetup: thanks for your response. I followed your instructions. The deinstall and then reinstall seemed to go fine.

     Issue #1: I was NOT prompted to restart my computer. I went ahead and did so manually anyway.

     Issue #2: after restart, in Windows Explorer, the right click context menu was now missing the choice "Scan with Microsoft Defender..." I always scan all downloaded files both with MBAM and Microsoft Defender. I have never found an issue in any downloaded files with either program, but I take security seriously. My guess: the MBAM deinstall removed some registry keys which that context menu option was using. Or maybe when I reinstalled MBAM, it overwrote some of those registry keys. I did a brief web search, found this link, and executed its .reg file. That added the "Scan with Microsoft Defender..." context menu back. But after I tried executing it, I was brought to Windows Settings with a dialog in front of it that started with the text "Page not available". I attached a screen shot to this post. I then rebooted my computer, and the first time I tried, that "Scan with Microsoft Defender..." context menu was back and seemed to work. The next time that I tried, it was once more missing. I had to double click on that .reg file which brought back the context menu option, but now I get that "Page not available" error. During this time, in Windows Settings, in "Virus & threat protection", I noticed that Microsoft Defender's Periodic scanning option was off, so I re-enabled it. Actually, I have had to re-enable it twice now, since the setting does not seem to persist... Oh the joys of Windows...

     Coming back to the main purpose here, the 2nd file attached is the MBAM logs that you requested. mbst-grab-results.zip
  6. MBAM got stuck on updating once again this morning, and once again the MBAM app's "Pause" and "Cancel" buttons were greyed out, so the only solution was to reboot my computer. See the attached screenshot. I am using MBAM Premium 4.4.3
  7. Yes I am still with you! Sorry for the tardy response. I cannot run Driver Verifier right now because I have so much real work to get done. I am going to try to force time later on tonight. Hmm, I am disturbed about those bad disk block errors. How come Windows never notified me? I am going to have to look into this.
  8. 11 days ago I posted about this issue here. Since that post was marked as "resolved" I had to start a new post.

     I tried to use my computer this morning around 06:00. It was unbelievably unresponsive. For example, I double clicked on a .txt file, and it took several minutes for the file to open. Similarly, using Paint to slightly edit (crop) the screen shots attached to this post took many minutes. Even Task Manager at times warned me that it was Not Responding.

     I soon opened Task Manager, and I saw that the MalwareBytes Service was the #1 CPU user, using 26.5%. See the first attached screen shot. Sometimes appearing as the #2 CPU user was a Java process, at maybe 15% or so of the CPU. What I saw in Task Manager did not surprise me, since:
        - before I go to bed at ~23:00, I start a Java backup program that does a fairly complicated sequence of local and remote file backups. It can take many hours to run, so no surprise that it still was running at 06:00
        - every morning a scheduled MBAM Threat Scan runs. It normally takes ~3 minutes or so to complete--if it manages to not get stuck on "Checking for updates". Following Porthos's advice, I have turned off Rootkit Scanning during this scan. Although I do not think that it makes a difference--it should have nothing to do with getting stuck on updating, and if I ever get past updating, it does not cause long scan times.

     I then watched Task Manager for several minutes, and the MalwareBytes Service remained the #1 CPU user for many minutes. That was unexpected; it should have finished after maybe 3 minutes. So, I opened the MBAM client program to see what was happening. It took a couple of minutes for the GUI to fully populate. What I saw at that point was what you see in the 2nd screen shot attached to this post: MBAM was stuck on "Checking for updates". I waited for a lot longer, > 30 minutes, and MBAM never updated.

     Also bad: as you can see in that 2nd screen shot, the MBAM client has a huge defect: the "Cancel" button (as well as "Pause") is greyed out when it is "Checking for updates". The only way that I could stop MBAM was to shut down every user program (including my still running Java backup program) and then restart Windows. I should not have to do this--the GUI should let me kill just the MBAM Update.

     So, this issue is not resolved: MBAM Premium 4.4.2 can get stuck seemingly forever on the "Checking for updates" stage and the only remedy is a Windows restart. Not good.

     I note that after I restarted Windows, I soon did a couple of manual scans of some downloaded files, and each time MBAM fairly quickly got past the "Checking for updates" stage and completed these scans quickly enough. mbst-grab-results.zip
  9. I had another crash at ~11:05 this morning. I did a windbg analysis of the MEMORY.DMP file and it reports exactly the same information as what I first reported above ("KERNEL_SECURITY_CHECK_FAILURE (139) A kernel component has corrupted a critical data structure..."). Since I did that first post above, I went ahead and turned off the Malwarebytes Real Time Web Protection. Yet a crash still happened this morning. Maybe Malwarebytes is not involved in the crash, or else some other part of MBAM besides the Real Time Web Protection? Attached is a SysnativeFileCollectionApp output zip. This one should be more useful to analyse, since the MEMORY.DMP file is still in its default location. I would be grateful if anyone could analyse this and give me any insight into the cause of my crashes. They are driving me nuts! SysnativeFileCollectionApp.zip
  10. I wanted to keep my initial post as readable as possible, and it was already getting complex. So I am using this follow up post to satisfy the BSOD posting guidelines. SysnativeFileCollectionApp output zip is attached. Not sure how useful this is, since my last crash was ~4 days ago, and I moved the MEMORY.DMP file from its default location to another drive. The windbg result in my initial post might be better diagnostic information.

      Questions:
        · OS - Windows 10 for Workstations
        · x86 - x64
        · What was original installed OS on system - Windows 10
        · Is the OS an OEM version (came pre-installed on system) - Yes, my Windows 10 started off with whatever Dell installed on it
        · Age of system (hardware) - about 2.5 years
        · Age of OS installation - have you re-installed the OS - I have never re-installed the OS, but have continuously applied all Windows 10 updates as they come out
        · CPU - Intel Core Xeon E-2176M (Six Core Xeon 2.70GHz, 4.40GHz Turbo, 12MB 45W)
        · Video Card - AMD Radeon Pro WX 4150 w/4GB GDDR5
        · MotherBoard - (if NOT a laptop) - is a laptop
        · Power Supply - brand & wattage (skip if laptop) - is a laptop
        · System Manufacturer - Dell
        · Exact model number (if laptop, check label on bottom) - Dell Mobile Precision 7530 (bought on 2018-12-13)
        · Laptop or Desktop? - laptop workstation

      SysnativeFileCollectionApp.zip
  11. My computer sometimes totally crashes. Not even a blue screen, I get a no screen: the screen is black, the power is off. The last 3 times this happened were on 2021-03-20, 2021-07-02, and 2021-07-03. I have configured my computer to try to generate a memory dump (C:\Windows\MEMORY.DMP) file so that maybe the problem can be traced down. Unfortunately, that memory dump file is not always created, nor do I really know how to do Windows debugging. So, I am posting this thread seeking insight from anyone who is a Windows expert.

      Below are highlights from using windbg to analyse the MEMORY.DMP file from the last (2021-07-03) crash:

        KERNEL_SECURITY_CHECK_FAILURE (139)
        A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine.
        ...
        BUGCHECK_CODE: 139
        ...
        BLACKBOXWINLOGON: 1
        PROCESS_NAME: System
        ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
        EXCEPTION_CODE_STR: c0000409
        EXCEPTION_PARAMETER1: 000000000000001d
        EXCEPTION_STR: 0xc0000409
        ...
        SYMBOL_NAME: nt!KiFastFailDispatch+d0
        MODULE_NAME: nt
        IMAGE_NAME: ntkrnlmp.exe
        STACK_COMMAND: .thread ; .cxr ; kb
        BUCKET_ID_FUNC_OFFSET: d0
        FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch

      Attached as a text file is the full windbg result of analysing that MEMORY.DMP file. The results above are exactly what I also saw on 2021-03-20, while the 2021-07-02 crash failed to produce a MEMORY.DMP file.

      Does anyone have an insight into what is going on here?

      I note this previous post which reported a KERNEL_SECURITY_CHECK_FAILURE; however, its details seem to be different than mine. That previous post did have an intriguing reply by Porthos who suggested that other security software can interfere with MBAM. He gave a link which specifically mentions several VPNs. I use Torguard VPN's Windows client, which is not mentioned. So, does anyone see any indication in the windbg result that MBAM and Torguard may be conflicting? I will not hesitate to turn off MBAM's Web Protection if it is problematic.

      I have had a couple of other strange MBAM issues recently (link1, link2), and in the second one Porthos and I had some discussion about MBAM, Torguard, OpenVPN, and Wireguard. 2021-07-03_windbg_analysis.txt
  12. Sorry, I failed to notice your reply. Yes, MBAM is running now, as it has continuously been. I almost never operate my computer without it being on.
  13. This morning's is typical, and is attached here. MBAM threat scan_2021-07-04.txt
  14. It used to. And Torguard still offers OpenVPN as an option. But the preferred protocol for Torguard is to use Wireguard, which is vastly simpler code, much faster, and likely far less buggy and more secure. I switched to Wireguard the moment it was available on Torguard.
  15. Yes: my main drive is a 2TB PCIe NVMe SSD (Samsung 970 EVO, was reasonably fast when it came out, still not bad). I have another 2TB SSD, a SanDisk SATA model, that is a little slower and which I use for bulk storage. Yes: this scheduled scan is a threat scan. I have attached 2 more screen shots which show this scan's config. No, the rootkit scan does not seem to lead to long scan times. Looking at my Reports, this scheduled scan completes in ~3 minutes, when it completes (which is most of the time).
  16. Just now I was rebooting my computer as part of the process to get the Malwarebytes Support Tool logs requested by Porthos in this thread that I started this morning. The first time that I rebooted my computer, before I did anything, I very soon saw an error message in my taskbar with the text "Malwarebytes Tray Application (Not Re...". The first attachment to this post is a screen shot. Soon after, I saw an error dialog pop up with the text "Malwarebytes Tray Application is not responding". The second attachment to this post is a screen shot. I tried clicking on "Wait for the program to respond", but that did nothing, so after 30+ seconds I rebooted my computer yet again. On this next reboot, which is the Windows 10 session that I am currently on, none of those errors happened.

      In the last couple of months I have seen this happen a couple of times after rebooting. Each time, I do the same thing: reboot a second time, and usually the error does not appear that next time. Anyone else see this? Is it a known bug? Is there a cure?

      I have been running 4.4.2 Premium (the latest release) for several days now. My computer is running Windows 10 Workstation and is fully patched. My first sentence above ends in a link regarding another issue that I recently saw, no idea if there is any relationship, and that other post now contains the Malwarebytes Support Tool logs.

      One other thing that I should mention: I use Torguard VPN's Windows client. It is set to start running and connect to a VPN server almost immediately after reboot. It was running at the time that I saw these 2 error messages. I am not sure yet if MBAM and Torguard conflict or not, but I intend to do another post today regarding a Windows crash that I had yesterday which may be an indication of a problem.
  17. Porthos: thanks for your rapid reply. I have followed your instructions, log file is attached. mbst-grab-results.zip
  18. Several times in the last month, I tried to use MBAM to manually scan recently downloaded files, but the scan did not start because the previous scheduled scan was still running. I found that this scheduled scan was always stuck on the "Checking for updates" stage, which is why it never finished. I saved a screen shot of this the last time that I noticed that it happened, on June 24. I have attached that screen shot to this post. Does anyone know what is going on? I have never had this problem before. I note that I was using MBAM 4.4.0 Premium when that screen shot was taken, but I was recently prompted to upgrade to 4.4.2 which I have done. I have not seen this problem yet on 4.4.2, so maybe this was a known bug that got fixed? I found the 4.4.2 Release Notes, and they cite a seemingly different issue that got fixed: MBAM-4485: Fixed the issue of missing Checking for updates message when the check is triggered from the taskbar.
  19. I think that high DPI scaling is only complex when the OS is trying to accommodate apps that were written in old GUI frameworks which assumed bitmapped graphics with a fixed or small range DPI (e.g. near 72 DPI). If you use a modern graphics API, you should get perfect scaling behavior (for text and vector graphic images) with no effort because the graphics framework will know what your current hardware is and will auto scale everything so that it comes out at the physical size that you want while using the full pixel resolution to be crisp. For example, all modern smartphone APIs are like this, right? My Android smartphone has a resolution > 300 DPI I think, but I never need to set any kind of scale factor; all text and icons are rendered at the right size and look perfect. This is known as "pixel density independence" in the Android docs:
  20. I just checked, and under MBAM's Settings --> Display, hardware acceleration is disabled for me. I think that it was that way by default.
  21. My MBAM GUI under my current settings definitely is sharp, it is just way too small. If I do the Override high DPI scaling behavior --> System (Enhanced) hack, the GUI gets bigger but fuzzier. In terms of bigness, it becomes 25.5 cm diagonal, which is a perfectly good size and is what your GUI image displays at on my box. But the text is fuzzy, no good!
  22. Staff: thanks again for your reply. I have a Dell Precision 7530 workstation laptop. Its video card is an AMD Radeon Pro WX 4150 w/4GB GDDR5. Its built in monitor is a 15" 4K. But I mainly use a much bigger external monitor, a Dell U2718Q, which is a 27 inch diagonal 16:9 aspect ratio fake 4K (3840 x 2160) monitor. My Win 10 Display settings are the same as yours except that I scale my monitor to 150% (otherwise the default text size is tiny). This is the same Display settings as Pluto.

      On my external monitor, your MBAM Reports image measures ~25.5 cm diagonal (I held up a ruler against my screen!). What diagonal do you measure? In contrast, on my external monitor, my analogous MBAM Reports image only measures ~17 cm diagonal. So, the content of that window is much more compressed than yours. I have attached a PNG file that is a screen shot of my MBAM Reports image. What diagonal do you measure?

      The only relevant differences that I see between your system and mine are:
        1) you scale your monitor to 100%; I would have thought that this would cause your GUI to be even smaller than mine, although we observe the reverse
        2) your monitor is 32 inches diagonal whereas mine is only 27 inches; this will indeed cause your GUI to be a bit bigger than mine, but not as big of a difference as we see
  23. Staff: thanks for answering me. I was aware of your post #2. My point is that whatever you are doing, it is not working for me! At least, not from a default install nor if I do the Override high DPI scaling behavior --> System (Enhanced) hack. If there is another way to configure this that I have overlooked, by all means enlighten me. Do you yourself have a 4K monitor, especially one about 27-32 inches diagonal? If not, you definitely deserve one! And once you try one, trust me, you will never go back. It makes that big of a difference. If you have one, does your default installation of MBAM actually look correctly sized to you? By the way, it is not just IntelliJ that has perfect high DPI behavior. Both Chrome and Brave browsers also look great on my 4K display, and like IntelliJ, both let you grow/shrink the text size with your scroll wheel. MBAM ought to have perfect high DPI behavior out of the box, without complex configuration. If that means using a new GUI toolkit which supports modern Win 10 APIs, then I strongly urge you to update as soon as possible.
  24. I logged in just to comment on this issue. Like the original post, I too find Malwarebytes's text and icons to be ridiculously small on my 4K monitor. It is almost unusable. I hate having to use MBAM now, and I think that MBAM 4 is even worse than I recall 3 being... Like him, I also run my system scale at 150%. Why is it that some Win 10 apps behave absolutely perfectly, having fabulously sharp and normal sized text and icons, but MBAM does not? One (of many) examples of perfect behavior is JetBrains' IDEs (e.g. their Java one jetbrains IntelliJ or their Python one jetbrains PyCharm). In JetBrains' programs, you can even do awesome things with text, like hold the ctrl key and then use your scroll wheel to change size. Super slick. So, what are they doing correctly that MBAM is not? Note that JetBrains' IDEs are written in Java no less. Staff: on June 19 you wrote "Without a full GUI update to support user customizable form size...". What Windows toolkit are you using to develop MBAM? Some horrible old one that was written assuming a fixed or limited bitmap/DPI? Because I cannot imagine that modern Windows GUI toolkits fail to have perfect DPI scaling behavior. I hope that you prioritize fixing this. I have tried the hack of opening MBAM's Properties and Override high DPI scaling behavior --> System (Enhanced). That succeeds in making MBAM's text and icons bigger, but now they are annoyingly fuzzy.