ottchris

About ottchris

  • Rank
    New Member

  1. Much appreciated. Will see if I can spot the trigger when the issue next occurs.
  2. To muddy the water, for the last few days, I have seen some occasions of ESET (not AVAST) services running at 25% CPU seemingly forever, until I quit Malwarebytes that is. Restart MB and all back to normal again. Just got around to checking here so haven't tried disabling MB web protection or any other workaround apart from quitting/restarting MB. Only offering this as an observation for the moment, i.e. not expecting any assistance as haven't uploaded any logs etc.
  3. About every 15 minutes or so MBAMService.exe sends a couple of MB to an Amazon AWS address, e.g. ec2-54-69-202-72.us-west-2.compute.amazonaws.com:443. The address varies. I'll try to organise a cumulative log but I don't have an appropriate tool to hand; once upon a time you could access detailed user-friendly logs but everything is dumbed down these days! Assuming this is the same issue, prior to the issue that is the subject of this topic, I had been able to correlate the transmissions with MBAMService log entries reporting re-transmitting whitelisted 'ransomware'. Since the 'multiple error notifications' issue appeared I am unable to locate any record of the transmissions, at least in the MB plain text logs.
  4. Great! While I'm here and this should really be under a separate topic but the evidence should be in the same logs you already have. I've recently noticed periodic outgoing transmit activity associated with MBAMservice.exe. The logs appear to suggest Malwarebytes ransomware component while detecting items that have been whitelisted (by Malwarebytes, not the user) still sends copies back to your servers. In my case, this means the same two whitelisted executables are being sent to your servers multiple times every day. It's an issue because I keep seeing significant transmit activity when there shouldn't be any.
  5. X drive is Boxcryptor. Not familiar with BitLocker apart from the name. I assume it's a product rather than an encryption standard. Boxcryptor Technical Overview: https://www.boxcryptor.com/en/technical-overview/
  6. Malwarebytes Version information
     ==================================
     "controllers_version" : "1.0.421",
     "db_version" : "2018.08.21.06",
     "dbcls_pkg_version" : "1.0.6441",
     "installer_version" : "3.5.1",

     I was about to gather information in order to query what appear to be repetitive uploads of whitelisted false positive ransomware (the subject of a future topic) when I discovered the following error messages have been filling the log files. Here is a sample:

     Begin Quote.
     08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
     08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
     08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
     08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
     08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
     08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
     08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
     08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
     End Quote.

     I traced back to their first appearance:

     Begin Quote.
     08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f3)"
     08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
     08/19/18 " 01:17:59.500" 43935996 05d8 3f70 ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f3)"
     End Quote.

     The preceding entries appear to reflect a Malwarebytes update. Suggestions?
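The post above traced the error storm back by hand. As an added example (not code from the poster or from Malwarebytes), this small parser reads MBAMProtection entries in the layout quoted in the post, groups ERROR entries by function, source file and message with first/last timestamps, and lists the distinct unmapped \Device\ names, so a changing volume id (000000f3 on 08/19 versus 000000f2 on 08/21) stands out. The field names are my own guesses for the layout; the sample lines are constructed from the entries quoted above.

```python
import re
from datetime import datetime

# Entry layout as quoted in the post (field names are assumptions, not Malwarebytes' own):
#   MM/DD/YY " HH:MM:SS.mmm" <tick> <pid> <tid> <LEVEL> <component> <function> "<file>" <line> "<message>"
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{2}) " ?(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})" '
    r'(?P<tick>\d+) (?P<pid>[0-9a-f]+) (?P<tid>[0-9a-f]+) (?P<level>\w+) '
    r'(?P<component>\w+) (?P<func>\w+) "(?P<file>[^"]+)" (?P<srcline>\d+) "(?P<msg>.*)"$')
# Pulls the NT device name out of a filter.c "Unknown volume (...)" message.
VOLUME_RE = re.compile(r'Unknown volume \((\\Device\\[0-9a-f]+)\)')

# Constructed sample input taken from the entries quoted in the post (raw strings: "\0" is not an escape here).
SAMPLE_LOG = [
    r'08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"',
    r'08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f3)"',
    r'08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"',
    r'08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"',
    r'08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"',
    r'08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"',
]

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an entry in this layout (continuation line, blank, etc.)
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%y %H:%M:%S.%f")
    return rec

def summarize_errors(lines):
    """Group ERROR entries by (function, file, message): count plus first/last timestamp."""
    groups = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        g = groups.setdefault((rec["func"], rec["file"], rec["msg"]),
                              {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], rec["ts"]), max(g["last"], rec["ts"])
    return groups

def unknown_volumes(lines):
    """Sorted distinct device names the filter could not map; more than one suggests the volume was re-mounted."""
    found = set()
    for line in lines:
        m = VOLUME_RE.search(line)
        if m:
            found.add(m.group(1))
    return sorted(found)
```

Feed it the real MBAMService log instead of `SAMPLE_LOG` to see how many entries each unknown volume produced and over what time span.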
  7. Both now scanned negative. Slightly odd as all the version numbers (Components, Update Package etc) are unchanged between the latest scan and the original "Ransomware blocked" report (timestamped 1:07 am). Anyway, many thanks again for the super fast response.
     Best Regards, Chris
     PS. It occurs to me that the whitelisting may have been the outcome of the automatic 'post-detection' upload I observed. If that is the case it begs the question of how the whitelisting mechanism is updated?
  8. Thanks for the very quick response. I made a judgement call (as one of the applications is borderline critical) to reboot a basic system, restore the items from quarantine and then temporarily close MB while I posted the report here. I will now run MB, make sure it is up to date, scan the files and report back.
     Best Regards, Chris
  9. Two unrelated executables (and two associated registry entries) suddenly quarantined in the early hours of this morning. As far as I am aware neither has recently been modified and both are run every day. Here is the report:

     -Log Details-
     Protection Event Date: 7/21/18
     Protection Event Time: 1:07 AM
     Log File: 00bd97f0-8c7a-11e8-919e-00ff21366bd3.json
     Administrator: Yes

     -Software Information-
     Version: 3.5.1.2522
     Components Version: 1.0.391
     Update Package Version: 1.0.5993
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: System

     -Ransomware Details-
     File: 2
     Malware.Ransom.Agent.Generic, C:\PROGRAM FILES (X86)\WINSTEP\WORKSHELF.EXE, Quarantined, [0], [392685],0.0.0
     Malware.Ransom.Agent.Generic, C:\Program Files (x86)\Creative\Sound Blaster E-Series\Sound Blaster E-Series Control Panel\SBE.exe, Quarantined, [0], [392685],0.0.0
     End

     Following quarantine, I observed upload activity which appeared to be from Malwarebytes so I suspect you already have the files in question but I have also included them in the attached zip file. MBReport20180721.zip
  10. Log entry:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 6/3/18
     Protection Event Time: 6:26 PM
     Log File: 32b6cfa2-6753-11e8-9fd8-00ff21366bd3.json
     Administrator: Yes

     -Software Information-
     Version: 3.5.1.2522
     Components Version: 1.0.365
     Update Package Version: 1.0.5342
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , , Blocked, [-1], [-1],0.0.0

     -Website Data-
     Category: RiskWare
     Domain: ipv4.icanhazip.com
     IP Address: 69.162.69.148
     Port: [50977]
     Type: Outbound
     File: *****\Shift.exe
     (end)

     This has been blocked/reviewed/removed before (October 23, 2017): https://forums.malwarebytes.com/topic/213216-false-positive-icanhazipcom/
     Regards, Chris
  11. I admit I didn't consider the option of disabling the service and decided to uninstall until the problem is fixed. Security-related applications are by their nature designed not to make it easy to close them down anyway. Having spent the last few days trying to pin down an SSD TRIM issue, I could have done without Malwarebytes suddenly deciding to eat up all my VM. Having said that I'm a little surprised at the reactions in this thread. If and when we know what triggered the issue, we can then decide whether it was reasonably avoidable or not.
  12. Indeed. I had tried killing it but not unexpectedly it came back to life and started committing virtual memory again. Just before that Windows (7) had stepped in and closed a few processes in order to keep running but nearly all of VM remained committed. As I run Malwarebytes as secondary protection after ESET Internet security I have just uninstalled Malwarebytes as a temporary solution in order to keep working.