Possible conflict between MBAM and RAMDisk


Hi,

Ever since I upgraded MBAM to version 2 (2.0.2.1012 specifically) I have experienced BSODs during the heuristics section of any scan. After a bit of messing around I narrowed it down to a possible conflict with RAMDisk. RAMDisk is a piece of software that will allow you to create a virtual drive that is stored in memory. I use this virtual drive as the TEMP/TMP directory for speed and to avoid unnecessary wear and tear of my SSD.

When this virtual drive is mounted and I run any type of scan in MBAM it will generate a BSOD (PAGE_FAULT_IN_NON_PAGED_AREA caused by MBAMSwissArmy.sys) when it reaches the heuristics part of the scan. If I unmount the drive the scan will run without a problem.

For good measure I also did a clean removal & reinstall as described in this topic, but this doesn't solve the problem.

Background info:
- Windows 7, 64bit fully patched
- Running MBAM 2.0.2.1012 (Paid/Premium version)
- RAMDisk 3.4.5 with a 2GB virtual RAM disk that I use as the Windows TEMP/TMP (and other applications)

I am not sure if the problem lies with MBAM or with RAMDisk. Although the BSOD mentions MBAMSwissArmy.sys I don't think that rules out that the error isn't caused by the RAMDisk drivers.

I would appreciate it if you guys could look into this. If required I can provide logs or other information.

"...unnecessary wear and tear of my SSD."

That's a physical effect. A spindle hard disk can experience "wear and tear" because of its magnetic voice-coil pickup and spindle motor.

There is no wear and tear with a Solid State Drive because data is not stored in a mechanical fashion and it is also immune to mechanical vibration and has a high tolerance for G-Force shock.

There are two types of memory. They are...

* Primary Storage - This is faster, dynamic, volatile, and more expensive storage.

* Secondary Storage - This is slower, larger, and non-volatile and less expensive storage.

If one can afford it, one can use nothing but Random Access Memory and use a battery backup so it is non-volatile and it will be very fast. Now you can envisage 8GB RAM and a .5TB of hard disk but can you envisage .5TB of RAM? It is cost prohibitive.

Thus we use slower secondary storage such as a spindle hard disk or now Flash Disk Solid State Drives. However Solid State Drives are not like their ancestor spindle drives and they are quite fast with low latency. Hell, I just eRecycled a 10GB 4800 RPM notebook drive. What a difference as compared with a 7200RPM or even a 15K RPM hard disk. Now random-read random-write silicon storage is replacing all spindle drives. It is faster than a mechanical spindle drive but not quite as fast as RAM - yet.

Thus I can not see the logic of a RAM disk. The RAM would be better used for the OS so the OS doesn't have to swap data back and forth to secondary storage. This is why a 64bit OS has an advantage. I can see that not the case of a 32bit OS. Therefore I can see going to a 64bit for that reason.

Now I can see the logic of using an alternate drive for a TEMP folder location. Especially with spindle drives, you can only read or write at a time on one media. You can't control how a multi-platter drive reads or writes data. It is a black box as far as the OS is concerned. A program can't read and write to the drive at the same time. Thus jobs are queued. If you are installing an application and it creates a TEMP file it can't read physically from a CAB file and write to a TMP file at the same time. The function is serial in nature. However you can use two disks and have the TEMP folder on a separate drive. Then data can be read or written on one drive at the same time data is read or written on a second drive. With PATA/IDE drives, hard disks worked in a Master-Slave relationship where two hard disks shared the same controller. Thus each would have to be on a different channel. One drive a Master on the Primary channel and the second drive a Master on the Secondary channel. This was overcome with SCSI as each SCSI drive has its own controller but shared a SCSI bus. That's why RAID and striping went hand in hand with SCSI.

Today hard disk I/O circuitry is so fast that we no longer need to have a Parallel data path (PATA/IDE) and now we can have great speed using a serial path (SATA). With SATA all drives have their own controller like in SCSI. Thus there is no longer a master-slave relationship that PATA had. We can use multiple disks and assign functionality to different disks to effectively increase the performance of a computer overall. However Virtual RAM disks are not physical drives and don't conform to disk I/O operations. Thus a RAM disk is shimmed into an OS and one can encounter "problems".

The idea of using multiple drives and assigning functionality to different disks to effectively increase the performance of a computer is a sound idea. The use of a RAM disk is not the best way to go. I would suggest a very fast, low capacity, SSD and use that for TEMP files pointed to by the %TMP% and %TEMP% environmental variables.

It depends on what the RAM disk is used for. I only run Einstein at Home on mine. Running a scan on a RAM disk for a system folder is not a good idea. Mine is not a freeware product if that even makes a difference.

RAM Disks are not supported. You will need to disable RAM Disks to use our program.

Thank you

Alright, I guess I will have to disable scheduled scans and unmount the RAM disks before running a manual scan.

Do you need any more information from me in case you want to investigate this further? I realize you cannot support every combination of software but perhaps this unexpected use case exposed a bug in MBAM. What if malware made a RAM disk to cause MBAM to crash the system whilst scanning, and with it preventing MBAM from removing the malware? Just a thought...

Malware does NOT make RAM disks!

Use of a RAM disk for a modern OS is just not done for reasons I have explained and I have provided alternate routes as a course of action.

I doubt Malwarebytes will ever try to support use of a RAM disk because of the non-standard use of Kernel Hooks.  They are not physical devices that conform to disk structures such as IDE, EIDE/PATA, PCMCIA, SATA, SCSI, ESDI and SAS.

  • 4 weeks later...

RamDisk is just another program that people use. Has nothing to do with conforming to hard disk specs. Even Windows itself makes and uses its own RamDisks.

I wouldn't try to guess the numbers out there in our world, but I'm relatively certain many thousand users of SSDs are offloading things to ramdisks and the numbers of SSD users are increasing very rapidly.

I'm sorry, that just is not true. A RAM disk is not "just another program people use". In fact, it isn't really a program like: MS Excel, AutoSketch, PhotoShop, VideoStudio, Quicken, et al. It is a utility. One that tries to emulate the structure of a physical disk by creating a virtual disk out of Primary Storage and make it look like Secondary Storage. It isn't even logical with a modern OS that can be 64bit and thus address a very large amount of RAM. Secondary storage is non-volatile storage whose read/write access speed is slower than Primary Storage. Taking away economic constraints, one can conceivably run a computer purely in Primary Storage and not need Secondary Storage. All one has to do is supply a constant voltage to the RAM such that it becomes non-volatile.

There are times when a RAM Disk can be quite beneficial. Such as from booting an OS from a CD (which by definition is Read Only) and creating a RAM disk because it is Random Read/Random Write. However when you are in a Windows environment under such conditions as normal use, a RAM Disk makes very little sense. As a virtual, emulated drive, there is no standard and thus how its drivers hook into the OS presents problems and challenges that only hinder operation. Thus nobody should be surprised that this is something that an anti-malware application, that must hook into the kernel of the OS, does not support.

This topic is now closed to further replies.