Loc2262

Yes I just verified in the service log. I had not booted my Windows installation for a day. Today MWB definitions file was 1.0.6535 upon boot, and before it had a chance to update, Services.exe tried to download Windows updates and got blocked on the IP 8.248.97.254. Half a minute later it updated to 1.0.6547 and the block was gone. Thanks again!

Hello blender! Yes, seems to be fixed. I tried telnet connect to port 80 on the IP and host, no blocking by MWB. Many thanks! Kind regards, Frank

Protection Event Date: 8/29/18 Protection Event Time: 10:02 AM Log File: e2432946-ab61-11e8-88dd-408d5c5489c8.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.365 Update Package Version: 1.0.6535 License: Premium -System Information- OS: Windows 10 (Build 16299.611) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0 -Website Data- Category: RiskWare Domain: 3.tlu.dl.delivery.mp.microsoft.com IP Address: 8.248.97.254 Port: [49765] Type: Outbound File: C:\Windows\System32\svchost.exe

It almost seems like it's a beta (or developer) version that was incorrectly released to the public. I don't have the Beta option active but got .421 last night. In MBAMSERVICE.LOG I found those lines: 08/14/18 " 23:25:57.986" 11055703 0000 1ea4 INFO mbupdatr.exe e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp "wmain" 476 "Updated module: AEControllerImpl.dll" 08/14/18 " 23:25:57.986" 11055703 0000 1ea4 INFO mbupdatr.exe e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp "wmain" 476 "Updated module: ArwControllerImpl.dll" 08/14/18 " 23:25:57.986" 11055703 0000 1ea4 INFO mbupdatr.exe e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp "wmain" 476 "Updated module: CleanControllerImpl.dll" 08/14/18 " 23:25:57.986" 11055703 0000 1ea4 INFO mbupdatr.exe e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp "wmain" 476 "Updated module: CloudControllerImpl.dll" [...] Those lines usually occur during a CP update, but only name "mbupdatr.cpp" without the jenkins path. Also in the folder "Program Files\Malwarebytes\Anti-Malware\sdk" I found additional files named "mbam.tmf", "mbamchameleon.tmf", "mbamswissarmy.tmf" and "mwac.tmf" were installed. Those are ASCII files "trace message format" and seem to contain information for a debugger / windows function call trace utility. They are clearly from a development environment. The first few lines of "mbamswissarmy.tmf" e.g. read: // PDB: d:\Jenkins\workspace\N_Swissarmy_Kernel\src\..\bin\x64\Win7_Release\mbamswissarmy.pdb // PDB: Last Updated :2018-07-24:01:34:08:964 (UTC) [tracepdb] The MBAMSERVICE.LOG also refers to the TMF files in one line: 08/14/18 " 23:26:00.300" 11058015 0ef8 08c4 INFO SPSDK SetGpIfeoProtection "selfprotectionuser.cpp" 929 "Starting Wpp logging - path = C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\MbamChameleon.tmf" Also the INF files for the drivers contain "incorrect" (old) version information. Except for the version line, they're identical to version .391. The version info in the driver SYS files themselves is okay. Catalog files and driver files are correctly signed. Maybe someone can provide some clarification why a regular update version contains such development related data?

Yeah that's very true. No, thank you and @vbarytskyy for the fast response! You're doing an awesome job here, also and especially during the "memory flood crisis" last week.

I downloaded the update 1.0.3875 and can confirm the file is no longer flagged. Thanks for the very fast response!

Great, many thanks for the fast reply!

Damnit, it was all my fault! I had set my system time one day into the future yesterday to test the behavior of some automatically running process. And I forgot to set it back. I corrected the date and all is okay again. Interesting though that MWB says "Updates are not current" when the system clock is wrong. So at least we learned something from this.

Hello! I believe a recent definition update has some issues. I just did a Threat Scan, and it reported one file as "Malware: Trojan.Agent". That file is "C:\USERS\FRANK\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\TEMPLATES.LNK". That file was not changed since its creation in November 2017. I verified that from a backup. The file was never before flagged by MWB. I'm attaching the file. I uploaded the file to VirusTotal too: https://www.virustotal.com/#/file/3d8193359b08bf73506c11410d26718caf8d4758a3470ff6bc20db201cc6f72d/detection templates.lnk.zip fp-report-templates.lnk.txt

Yeah, Porthos, my system reports the version numbers you listed. Still the dashboard says "Updates are not current". When I restart MWB, it says "Updates are current" for a few minutes, then a popup appears asking me to update definitions.

Sorry, I uploaded the wrong mb-check-results. Here's the one with FRST logs included. mb-check-results.zip

Here's the requested MWB check log. mb-check-results.zip

Thank you for the fast reply! I'll upload logs shortly. Also, I believe a recent definition update has some issues. I just did a Threat Scan, and it reported one file as "Malware: Trojan.Agent". That file is "C:\USERS\FRANK\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\TEMPLATES.LNK". That file was not changed since its creation in November 2017. I verified that from a backup. The file was never before flagged by MWB. I'm attaching the file. I uploaded the file to VirusTotal too: https://www.virustotal.com/#/file/3d8193359b08bf73506c11410d26718caf8d4758a3470ff6bc20db201cc6f72d/detection templates.lnk.zip

I just noticed that my MWB 3.3.1 Premium dashboard says "Updates are not current". I click on "Check for updates", no new updates are found. It started doing that just now. Log excerpt: 02/06/18 " 16:38:47.265" 9419968 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::ValidateDBManifest "UpdateControllerImplHelper.cpp" 4117 "Signature successfully validated" 02/06/18 " 16:38:48.265" 9420968 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::ValidateDBManifest "UpdateControllerImplHelper.cpp" 4121 "DB manifest successfully validated" 02/06/18 " 16:38:48.265" 9420968 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::CheckDbManifest "UpdateControllerImplHelper.cpp" 4437 "Validated DB manifest - success" 02/06/18 " 16:38:48.265" 9420968 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 537 "DoUpdate - Starting check for updates (manual)" 02/06/18 " 16:38:48.265" 9420968 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 545 "Checking for: Installer=[No], SDK/Ctlr=[No], DB/CLS=[Yes]" 02/06/18 " 16:38:48.267" 9420968 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::GetInstalledPkgVersions "UpdateControllerImplHelper.cpp" 1177 "DB/ClsEng package --> [mbam-c.dbcls.64bit], current version: [1.0.3874]" 02/06/18 " 16:38:49.013" 9421718 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 576 "Checked for updates - no updates available" 02/06/18 " 16:38:49.013" 9421718 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 589 "Update check is complete." 02/06/18 " 16:39:02.673" 9435375 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::ValidateDBManifest "UpdateControllerImplHelper.cpp" 4117 "Signature successfully validated" 02/06/18 " 16:39:03.773" 9436468 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::ValidateDBManifest "UpdateControllerImplHelper.cpp" 4121 "DB manifest successfully validated" 02/06/18 " 16:39:03.773" 9436468 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::CheckDbManifest "UpdateControllerImplHelper.cpp" 4437 "Validated DB manifest - success" 02/06/18 " 16:39:03.773" 9436468 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 537 "DoUpdate - Starting check for updates (manual)" 02/06/18 " 16:39:03.773" 9436468 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 545 "Checking for: Installer=[Yes], SDK/Ctlr=[Yes], DB/CLS=[No]" 02/06/18 " 16:39:03.774" 9436468 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::GetInstalledPkgVersions "UpdateControllerImplHelper.cpp" 1119 "Installer package --> [mbam-c.installer.consumer], current version: [3.3.1]" 02/06/18 " 16:39:03.774" 9436468 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::GetInstalledPkgVersions "UpdateControllerImplHelper.cpp" 1146 "SDK/Controller package --> [mbam-c.ctlr.64bit], current version: [1.0.262]" 02/06/18 " 16:39:04.455" 9437156 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 576 "Checked for updates - no updates available" 02/06/18 " 16:39:04.455" 9437156 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 589 "Update check is complete." 02/06/18 " 16:39:05.397" 9438093 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::ValidateDBManifest "UpdateControllerImplHelper.cpp" 4117 "Signature successfully validated" 02/06/18 " 16:39:06.483" 9439187 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::ValidateDBManifest "UpdateControllerImplHelper.cpp" 4121 "DB manifest successfully validated" 02/06/18 " 16:39:06.483" 9439187 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::CheckDbManifest "UpdateControllerImplHelper.cpp" 4437 "Validated DB manifest - success" 02/06/18 " 16:39:06.483" 9439187 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 537 "DoUpdate - Starting check for updates (manual)" 02/06/18 " 16:39:06.483" 9439187 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 545 "Checking for: Installer=[Yes], SDK/Ctlr=[Yes], DB/CLS=[No]" 02/06/18 " 16:39:06.484" 9439187 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::GetInstalledPkgVersions "UpdateControllerImplHelper.cpp" 1119 "Installer package --> [mbam-c.installer.consumer], current version: [3.3.1]" 02/06/18 " 16:39:06.484" 9439187 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::GetInstalledPkgVersions "UpdateControllerImplHelper.cpp" 1146 "SDK/Controller package --> [mbam-c.ctlr.64bit], current version: [1.0.262]" 02/06/18 " 16:39:07.280" 9439984 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 576 "Checked for updates - no updates available" 02/06/18 " 16:39:07.280" 9439984 1d8c 1d30 INFO UpdateControllerImpl mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate "UpdateControllerImplHelper.cpp" 589 "Update check is complete."

Hehe, something similar here. I was playing Elder Scrolls Online and noticed regular lags, stuttering graphics and the like. Noticed MBAM using 25% CPU load, figured it might be doing a scan in the background, then saw the memory usage. Note that the service is configured to auto-restart in terms of unintended termination, so you need to turn that off on the "Recovery" tab of the service settings if you wish to disable the service as a temporary fix.