Posts posted by CHall

  1. I have recently implemented a fix/workaround for this a few weeks ago which has resolved every single MBEP issue I've ever had since purchasing the product last September.  This includes endpoints randomly dropping off the cloud console and also causing interference with our regular AV and other unrelated house software applications (which were white-listed).  None of the suggestions from the support staff has ever worked for us, including those listed above. Since implementing my own workaround, our MBEP struggles have completely stopped.

    The issue apparently is caused by a persistent memory leak in the MBAMService.exe process.  Upon endpoint startup, the memory used (in Task Manager) on all our PCs starts at around 250,000 K.  When left unattended, that memory usage will slowly creep higher and higher.  After a few days to a week, that memory rises on our endpoints to 400,000 K to 500,000 K at which point we start having issues with our other software.  Also, at this point, we start to see our first set of endpoints disappear from the cloud console.  More and more endpoints begin to disappear as the hours & days pass.  If continued to be left unattended, the memory rises to between 500,000 K and 1,000,000 K.  At this level, MBAMService.exe CPU usage rises and gets stuck well above zero.  On our fastest machines, the MBAMService.exe CPU will run steady at 13%, just enough for our users to notice performance hesitations. On our slowest machines, it will run steady at 50% in which the machines become basically crippled.  To stop this, the endpoint must either A) be restarted, or B) the MBAMService.exe process must be manually killed and restarted.  After doing this, everything calms down and starts working again.  Everything.

    So after months of endless frustration, I ended up writing a .cmd script which stops the cloud service (MBCloudEA.exe), forcibly kills the MBAMService.exe process, restarts MBAMService.exe and finally restarts the MBCloudEA.exe service.  I put a copy of this .cmd script on the endpoints and set Task Scheduler to execute it (as Local System) at 6:00AM every morning.  Ever since implementing this workaround, all our MBEP problems have completely vanished and I haven't looked back since.

    If interested, here's the script I'm using:

     

    :: Reset Malwarebytes Endpoint Protection Services

    ECHO OFF

    NET STOP MBEndpointAgent
    TASKKILL /IM MBAMService.exe /F

    TIMEOUT /t 10 /nobreak

    NET START MBAMService
    NET START MBEndpointAgent

     

    It's incredibly simple. I chose to "kill" the MBAMService.exe process rather than stop the service because if the high CPU usage gets stuck, it has a problem simply stopping the service.  Upon killing the process, MBAMService.exe re-executes itself, but I manually start it again in case it doesn't.  Restarting with it already running doesn't harm anything.  Also, if the issue is allowed to get bad, the Cloud Service has problems and sometimes stops on its own when MBAMService.exe restarts. That's why I stop and restart the Cloud Service at the beginning and end of the script.
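Added example, not part of the original post: one way to deploy the reset script above and register the 6:00 AM Local System task so that the script file cannot be edited by non-administrators, since anything the task runs executes with SYSTEM rights. The folder, file name and task name are assumptions chosen for illustration.

```batch
@ECHO OFF
:: Added example: deploy the reset script and schedule it as Local System.
:: ASSUMPTIONS (not from the original post): DEST folder, Reset-MBEP.cmd file
:: name and the task name. Run from an elevated prompt with the reset script
:: saved next to this file.
SETLOCAL
SET "DEST=%ProgramData%\MBReset"
SET "SCRIPT=%DEST%\Reset-MBEP.cmd"
SET "TASK=Reset MBEP Services"

IF NOT EXIST "%DEST%" MKDIR "%DEST%" || EXIT /B 1

:: Lock the folder down BEFORE copying the script into it.
:: /inheritance:r removes the ACEs inherited from ProgramData, which by
:: default let ordinary users create files there.
:: *S-1-5-18 = Local System, *S-1-5-32-544 = BUILTIN\Administrators.
icacls "%DEST%" /inheritance:r /grant:r *S-1-5-18:(OI)(CI)F *S-1-5-32-544:(OI)(CI)F || EXIT /B 1

:: The copied file inherits the restricted ACL from the folder.
COPY /Y "%~dp0Reset-MBEP.cmd" "%SCRIPT%" >NUL || EXIT /B 1

:: Daily at 06:00, running as Local System; /F overwrites an existing task.
schtasks /Create /TN "%TASK%" /TR "\"%SCRIPT%\"" /SC DAILY /ST 06:00 /RU SYSTEM /F || EXIT /B 1

:: Show the resulting ACL and task definition for review.
icacls "%SCRIPT%"
schtasks /Query /TN "%TASK%" /V /FO LIST
ENDLOCAL
```

The final `icacls` output should list only SYSTEM and Administrators; any entry for Users or Authenticated Users with write or modify rights means a standard user could change what the SYSTEM task runs.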

     

  2. On 12/6/2017 at 2:43 PM, Roadrunner562 said:

    I miss being able to run a scan on a single file or folder. I'm asked to check a cd/usb drive before it's put onto the network. Is this something that might be added to EP in the future?

    @Roadrunner562, me too! I use MB3 at home and this is the single most important feature I miss in the business EP version of the product. I use it as you mentioned, and also to check attachments on emails before opening them. We use another AV alongside MBEP and it has its own context menu item (right-click on the file) to run a quick check on a single file. I use this feature all the time and am frustrated I can't do it with EP. I'm not a fan of polluting a product with a boatload of unnecessary features, but that one's a must-have for me.

  3. @djacobson, that was a wonderful explanation of your product and its components. I have a better understanding of the software now than I ever had before. Thank you.

    Regarding working with other AV products, I brought up in another thread topic that MBEP was interfering with our ControlNow AV and was informed that they both use something in Windows that can't be shared when running Web Protection, and that one or the other has to be turned off for Web Protection. I accept that, however, the interference with ControlNow has to do with the endpoint not being able to update ControlNow's virus definitions, which is part of their AV product, not their Web Protection product. As I said in that other topic, I have to restart the Malwarebytes Service to stop and reset its "memory leak" to get the endpoint to resume virus definition updates with ControlNow AV. If you have any input or help with that issue, working alongside our other AV, I'd appreciate it.

  4. Gotta be honest, I don't know what I'd do without this forum and all you, the community, communicating here. When my phone started ringing from users reporting in, this is the first place I came to and was immediately relieved that we weren't under attack or something.

    Thanks all.  Keep it going.

  5. Regarding this morning's symcd.com false positive web blocks, it was announced that the issue has been resolved and to "update to the latest DB version". This is easy on my home version of MB, but I can't figure out how to do this on Endpoint Protection cloud version. The endpoints have no user interface, so I assume it's somewhere on the cloud console but I can't find it. So I'd like to ask:

    1) How do I update each endpoint to the latest DB version?

    2) How do I know what version each endpoint currently has installed?

    3) How do I go about finding out what the current version is so I know whether or not an endpoint is up to date?

    Thanks.

     

  6. Started getting phone calls this morning of Malwarebytes notifications going crazy. Turns out it's blocking symcd.com website. After a little research, it seems that this has happened in the past. symcd.com is owned by Symantec and has to do with ad certificates or something. It's possible that something changed on that site that's triggering MB to block the site. For now, I've added it as an Exclusion as it appears to be benign.

    Anyone else getting this or care to add some input here?  Thanks.

  7. 1 hour ago, TonyCummins said:

    CHall,

    I too am a loyal "home" user who was so happy they had produced a cloud based product and convinced my IT manager to move from controlnow/solarwinds endpoint protection and am now really starting to regret my decision. I really wish I had stumbled upon these forums before I pulled the trigger on purchase as it really seems like I'm being used to beta test a product in a production environment.

    Exactly. I went through weeks of technical hell right from the original purchase with no useful help from their "support" people before I finally found this forum and discovered I was not alone with these issues. I wouldn't have purchased had I read this forum beforehand. I too feel like a beta tester for this product.

    Also, we too are a user of ControlNow (Solarwinds), however I made the decision to keep that subscription and run it alongside MB for the first year, which was a fortunate move. Btw, that's one of the applications that MB starts interfering with when the memory leak is left to grow. Upon a fresh boot, the MBAMService.exe memory starts at about 250,000 K.  Over a few days, it will climb on some PCs to 400,000 K - 500,000 K and at that point, those PCs stop updating ControlNow's virus definitions and appear with critical alerts on the ControlNow Dashboard. If I kill the MBAMService.exe process and restart it fresh, the ControlNow critical alerts go away and everything resumes normal operation. Left unattended, one-by-one our PCs will collect on the ControlNow dashboard with critical notifications. We've used ControlNow for years (since it was GFI) and never had issues until MB was installed.

    There are other applications on our network that also start breaking when the memory leak reaches that level. Back after the original installations, before I was aware of all the MB issues, the memory leak would grow to well over a gigabyte and CPU usage would spin-out and slow everything down.

  8. Out of curiosity, I checked my own Event Viewer and was shocked to see that I have over 2000 Errors from source "Malwarebytes Endpoint Agent", numerous events per day going back to October 4, which was the day it was installed (re-installed) on my PC.  Not the same error either, too many different ones to be able to list here.

    I am loyal to Malwarebytes as both I and others have said in other posts, due to the fact that they always saved me from infected PCs in the past, for free, but my faith in this Endpoint Protection cloud-based product is utterly destroyed. My biggest complaint is a memory leak of some kind that requires me to restart all our PCs on at least a weekly basis, otherwise things start to break, lose contact with the cloud console (go offline), start high CPU usage on its service, and/or interfere with other applications on our PCs and network.  At this point, I just live with it, frustrated with the choice I made for our company's AV/AM/AR protection until the annual subscription is up.

  9. No, that's actually what causes the message to re-appear.  Our users log off their PCs at the end of the day and log back on in the morning.  Every morning upon logging in, users that previously had run a Threat Scan from the tray icon would get a repeat "Scan Complete" popup message upon sign in.  The only way to stop it from continuing at each log in was to restart the PC.

     

  10. When Threat Scans are enabled in the UI on the endpoint and a user-initiated scan is run, the "Scan Complete" message-box keeps re-appearing each time the user logs onto the endpoint.  The only way to get it to stop is to restart the computer.

    Not exactly the biggest issue given everything else being experienced, but I thought I should at least report it.  The issue is consistent across different endpoints.  All endpoints are running Windows 7.

  11. I see from reading DOC-2192 that the new UI is "reflecting direct user feedback", but I personally like (and now miss) the look of the previous one.  I liked the old color scheme and also the way the screens slid in and out from the side when selected.  The new UI being almost all white now looks washed-out and hard on the eyes, missing the contrast that the previous one presented.  (Not a real fan of that particular shade of blue on the left either.)  Oh well, UI "appearance" is really a subjective thing -- some will like it, others won't.  You'll never be able to design one that everyone agrees on aesthetically.

    Moving forward, it would be nice to have the ability to "name" the endpoints rather than having them referenced via their pre-assigned FQDN computer names.  Many PCs have cryptic FQDN computer names meaningful for other purposes which don't necessarily make good recognizable names on the console.  Our other antivirus cloud console allows for this.  For space on the console display, let go of the useless "Operating System" column, sliding the FQDN in its position, and the user-assignable Endpoint Name as the first column.  Thoughts?

  12. Thanks IT_Guy.  I had read your posts earlier regarding this and believe me, went right to that.  However, this doesn't seem to be the issue in my case.  My logs were quiet and fine.  I did go ahead and switch the Self-Protection switches OFF in my Test Policy though.  I've been testing scenarios in a Test Policy with a couple of endpoints I've placed in a Test Group.  Trust me, these issues have really bitten off a chunk of my IT support time and because of the unstable and unpredictable nature of the problems, they're very time-consuming to test and troubleshoot.  Sometimes it takes days for a particular policy test to prove no-good and I have to try something else.  This is why I have a carefully established test system in place.  Now that I've found this forum, I can gather info from others, as well as share my own findings, hopefully helping the developers find solutions.

  13. WOW!  I'm so glad I found this forum.  I thought I was alone and have been dealing with all the same issues that everyone else here seems to be dealing with as well.  Had twice opened a ticket with the basic, low-end Tech Support service which was a complete fail (try this, try that, etc... over days with hours between replies that got me nowhere).  I ended up discovering the "mb-clean" tool and after days of trial and error, fixed the issue myself of all endpoints going offline with no way to get them back.

    Anyway, as others have also said, I don't want to rant on and on about that and other issues I'm having, as Malwarebytes has bailed me out of virus and malware catastrophes for years.  For free.  I like what they have here and I want to support them, but man, they really need to focus on getting this handful of issues resolved already.  Biggest ones being endpoints going offline and mbamservice getting stuck in some state using high CPU.  This one is the issue I keep battling and just can't figure out.  Everything will be fine, then one-by-one, I get complaints about slow PCs and upon troubleshooting, see that mbamservice.exe is stuck running and causing high CPU, slowing everything else down.  There's no rhyme or reason, or detectable pattern I can see, as to which PCs this happens to.  It's completely random.  But it continues to happen and I have to continually deal with it.  It's gotten to the point now where I have to just accept it as part of my job responsibility and wait patiently for the day they figure out why this is happening and fix it.

    Btw, I think these couple of issues that seem to be happening to everyone should be development's top priority, rather than unimportant things like changing the console appearance/theme which, in my opinion, is now unpleasant to look at.  I miss the color and screen action of the old cloud console.  Now it's all white and washed-out looking; and that shade of blue on the left......  sigh.

    Lastly, I want to express my appreciation for KDawg who seems to be involved and communicates well here in the community.  It's so important as a user/customer to have staff/representatives listening to feedback and participating in the ongoing conversations.  Thanks.
