How is a missed scheduled scan handled?


Last week (2015-05-21) I re-installed MBAM as I was running 2.0.4.1028.  Elected to install from scratch, so did the MBAM Clean Removal Process and installed 2.1.6.1022.  Accepted all the default suggestions and, on completion, let it update and scan.  Noted that the installer had set the time of the next scheduled scan to 2015-05-22  03:13:35 and that it should run again within 23 hours if it failed. 
 
To me, 'Run again within xx hours' means 'If the first attempt isn't possible, I'll try again until it succeeds, until xx hours have elapsed'.  But it seems I've misunderstood, as this doesn't happen. Since installation, no scans have been scheduled (see attachment) even when I've (twice) left the PC running actively for over 14 hours.  The chances of my computer being active at three in the morning are slim, but it can be turned off or in 'sleep' whatever time is set.
 
So what are the principles for handling missed scheduled events? 
 
Or is there something I've missed (though remember - I accepted all the installer's suggestions and haven't, as yet, changed anything).
 
Regards Alan_S
 
 
Environment:
 
Win 7 Pro updated as of April Patch Tuesday
MBAM 2.1.6.1022 (EAM excluded)
MBAE 1.6.1.1019
Emsisoft Anti-Malware (MBAM excluded)
 
 
Attached:
 
Screenshots of MBAM settings
Results of MBAM Check
 

 


Hello alan_s:

Your attachment actions above were not successful. If you require detailed instructions, please advise.

 

Your post reads as if you did everything well. However it would be best if various system parameters could be verified before continuing.

  • Please read the topic Diagnostic Logs and then individually ATTACH the 3 requested logs in your next reply to this thread only.
  • The 3 files, from Step 1, to be individually ATTACHED from your desktop are: CheckResults.txt, FRST.txt and Addition.txt. Please do not Zip or Copy and Paste them into a reply. Please do not alter any FRST categories as they are pre-configured for this forum.
Thank You. :)

Check your update settings as well.  Make sure that you have it set to check no more often than once an hour.  If it is set like that now, set it for two hours.  The Update=realtime setting would cause what you describe, and sometimes settings get a bit tweaked if your program version updated.

 

Here's a link to the guide (if you didn't already know about it):

 

http://www.malwarebytes.org/support/guides/mbam/

 

It describes the realtime settings part.  The other part just comes from experience.


And sorry about the double post.  Got 'Failed, try again later' first time and foolishly didn't check if it was a false alarm or not - it was.

Not to worry. I too have seen significant delays in server replies this morning.

We will request that a Moderator/Administrator combine your two posts.

Thank you. :)


Many thanks for your speedy reply!  

 

The default setting for updates was hourly, repeating every hour.  So I've  set it to repeat at 2 hour intervals as you suggest.  See what happens!  

 

And sorry about the double post.  Got 'Failed, try again later' first time and foolishly didn't check if it was a false alarm or not - it was.

Hello alan_s:

Despite your adherence to a sound install procedure, please delete any copies of mbam-setup-2.1.6.1022.exe or mbam-setup-consumer-2.1.6.1022.exe from your system.
 
Please download a fresh copy of the MBAM2 installer from: https://downloads.malwarebytes.org/file/mbam/.

Please restart Windows 7 and perform one more Clean Removal, system restart (and Re-install) MBAM Clean Removal Process 2.x. When installing from mbam-setup-2.1.6.1022.exe, please use the one from the step above.
 
After running the post-install database update and scan, please attach a new copy of CheckResults.txt using mbam-check-2.1.1.1001.exe only.

Thank You. :)


Hi:

 

You wrote:

 

 

Last week (2015-05-21) I re-installed MBAM as I was running 2.0.4.1028.  Elected to install from scratch, so did the MBAM Clean Removal Process and installed 2.1.6.1022.  Accepted all the default suggestions and, on completion, let it update and scan.  Noted that the installer had set the time of the next scheduled scan to 2015-05-22  03:13:35 and that it should run again within 23 hours if it failed. 
 

 

As you already have 2 threads with multiple helpers for the same issue, I don't wish to confuse things.

 

However, some users don't realize that one can edit the tasks in the scheduler, to set the desired time, not just the interval.

 

For the scheduled scan task, a daily Threat scan (as per defaults) is sufficient for most users.

NOTE: if you want the scan to run at the exact scheduled time, then be sure to disable the setting to "check for updates before scanning" -- see screen shot.

Otherwise, the update check and subsequent scan will be randomized to +/- 15 minutes of the scheduled time.

 

I don't personally use the "recover if missed by" setting, but one way to reduce potential scheduler clashes between UPDATE CHECKS and SCANS is to set a schedule like this:

  • Update checks: hourly, recurrence every 1 hour, on the half-hour (e.g. 12:30 AM) (these will be randomized +/- 15 minutes)
  • Scan: daily, recurrence every 1 day, on the hour (e.g. 5:00 PM), with the setting to "check for updates before scanning" disabled

So, my update checks occur sometime between XX:15 and XX:45, while my scan occurs at exactly 5:00 PM. No chance of a clash.

 

Also, unless the advanced scheduler setting to "show notification after successful update" is enabled, database updates will be "silent" (no popup notification).  No matter what, update checks performed when there is no available update will not be logged -- only update checks for which there *is* a database update are logged in the protection log.

 

And clean scheduled scans are also "silent" -- they will be logged, but there is no notification or popup or log popup on the desktop (as there was in version 1.x).

 

And now, back to your regularly scheduled thread.... :D


Many thanks for your input, daledoc.  

 

I didn't change the scan time setting to avoid any suspicion of a ham-fisted edit, the problem being that recovery from a missed scan was not working. Actually, I suspect that this has been happening for some time as, prior to the re-install (when using 2.0.4.1028) I had it set to 12:45 and if the PC was not live at that time then no re-attempt seemed to occur.

 

Your tip of disabling 'Check for updates before...' was interesting.  Not only because of the clash potential (I never thought of that) but also since it surely explains why the old 12:45 schedule used to slowly creep forward day by day in practice.

 

Anyway, for now I'll see how the fresh re-install requested by 1PW goes but certainly try your suggestion later. And if the worst comes to the worst I can always do a manual scan now and then.  After all, that's what I've always done with the AV program. Then I know that the PC is active!

Hi:
 
Yes, the computer needs to be "awake" to scan (and to update).
So it helps to schedule the daily scan for a time that the computer is likely to be awake.
Some users prefer a time slot when the system is "idle" but, to be honest, on a reasonably robust system I have never, ever found scanning to negatively impact resource use (your mileage may vary).
A threat scan -- the recommended scan type -- should only take a few minutes.
There's no need to keep the 3 AM scheduled scan time for that task, if it's not convenient.
 
Likewise, I personally find the "recover if missed by" setting to be more of a pain than it's worth.
First of all, the critical protection component of MBAM Premium is the real-time protection.
A scan is just a "second opinion" that will only pick up cooties that have already made it onto the system.
Moreover, if the computer is powered off, it can't really catch a bug. :D
And the "catch up" scan can run at an inconvenient time, e.g. in the final phase of Windows Updates installs or other tasks.
So, I don't bother with a "recovery" setting -- as you mentioned, a manual scan can be run any time.
But it's entirely up to you, of course.
 
Yes, a clean reinstall often solves many minor issues.
Yes, both the pre-scan update check AND the subsequent scheduled scan will be randomized if that setting is enabled.
 
So, you ought to be "good to go".  You might want to monitor the daily PROTECTION LOGS for a few days, to make sure.
 
Feel free to post back if you need more help.

More info about v2.1.6 HERE  User Guide ONLINE  User Guide PDF  FAQ: Common Questions, Issues, and their Solutions

 
Cheers (and apologies to 1PW for hijacking the thread),


For 1PW:

 

OK, I've done as you requested: removed everything, then mbam-clean and a new install. Again, I accepted all the installer's default suggestions and I've left the settings as installed - except for setting the repeat time for updates to 2 hours, as recommended by Gonzo. The mbam-check results are attached.

 

Just for the record this is the 'diary' of what I did:

 

Preparation:

 

* Deleted  mbam-setup-2.1.6.1022.exe,   mbam-clean-2.1.1.1001.exe  and  mbam-clean-2.1.1.1001.exe

 

* Downloaded  mbam-check-2.1.1.1001.exe  via link in https://forums.malwarebytes.org/index.php?/topic/146024-diagnostic-logs

 


 

* Downloaded  mbam-setup-2.1.6.1022.exe  via https://downloads.malwarebytes.org/file/mbam

 

 


 

* Checked that Self Protection Mode under 'Advanced Settings'  wasn't on 

 

* Closed down real-time protection in Emsisoft EAM (AV)

 

* Closed down MBAM (right click icon and select 'Exit') and all other applications.

 

* Ran  mbam-clean.exe and allowed the computer to be re-started

 

 

Installed the new version 

 

* Ran the installer. 

 

* At the end of the installation, unticked 'Enable Free Trial' and allowed MBAM to launch. 

  It updated the database. 

 

* Added the directories needed (EAM etc.) under Settings -> Malware Exclusions

  

* Activated it

 

* Changed the scheduled update repeat frequency from 1 to 2 hours as recommended by 'Gonzo'

  

* Let it do the scan offered on the dashboard.  No problems found. 

 

* Re-instated real-time protection in Emsisoft EAM (AV)

 

CheckResults.txt


Hi:

 

The latest log (and your excellent, detailed narrative) suggest that the system needs to be rebooted to complete the MBAM clean reinstall:

 

 

Pending File Rename Operations:
================================
If any Malwarebytes Anti-Malware items are listed below, the user must reboot to complete a Malwarebytes Anti-Malware upgrade installation.
Pending File Rename Operations:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
    PendingFileRenameOperations    REG_MULTI_SZ    \??\C:\Program Files\Malwarebytes Anti-Malware\mbamext.dll.old

 

Also, the log shows that you have the following settings enabled - you might want to check to see if that's the case and if you really want those settings configured that way:

  • Check for updates before scanning (in the advanced settings of the scheduler task for update checks)
  • Delay protection for 15 seconds at start-up (dashboard > settings > advanced settings) -- this is usually neither necessary nor recommended (unless system specs "require" it), as it can decrease protection

Just a thought...

 

Cheers,
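
The mbam-check section quoted in the post above reports the `PendingFileRenameOperations` value; as an added example (not part of the original post and not Malwarebytes code), this PowerShell function parses that REG_MULTI_SZ value into source/destination pairs and filters for Malwarebytes paths to show whether a reboot is still pending. The function name `ConvertFrom-PendingRename`, the `*Malwarebytes*` filter and the second sample entry are assumptions made for illustration.

```powershell
# Added example. PendingFileRenameOperations is a REG_MULTI_SZ holding pairs:
# source path, then destination path. An empty destination means the source
# is deleted at next boot; a leading '!' on the destination means "replace".
function ConvertFrom-PendingRename {
    param([string[]]$Entries)
    $ops = @()
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        # Strip the NT object-namespace prefix \??\ for readability.
        $src = $Entries[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        $replace = $dst.StartsWith('!')
        $dst = $dst -replace '^!?\\\?\?\\', ''
        $action = if ($dst -eq '') { 'Delete' } elseif ($replace) { 'Replace' } else { 'Rename' }
        $ops += New-Object PSObject -Property @{
            Action      = $action
            Source      = $src
            Destination = $dst
        }
    }
    return $ops
}

# Constructed sample input: the first pair is the entry shown in the log
# above (empty destination assumed), the second pair is made up.
$sample = @(
    '\??\C:\Program Files\Malwarebytes Anti-Malware\mbamext.dll.old', '',
    '\??\C:\Windows\Temp\example.tmp', '!\??\C:\Windows\System32\example.dll'
)

# Read the live value when it exists; fall back to the sample otherwise.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$live = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
$entries = if ($live) { $live } else { $sample }

$mbam = @(ConvertFrom-PendingRename -Entries $entries | Where-Object {
    $_.Source -like '*Malwarebytes*' -or $_.Destination -like '*Malwarebytes*'
})

if ($mbam.Count -gt 0) {
    Write-Output 'Reboot still pending for Malwarebytes files:'
    $mbam | Format-Table Action, Source, Destination -AutoSize
} else {
    Write-Output 'No pending Malwarebytes file operations.'
}
```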


Oh dear!  I certainly meant to re-boot but it seems like it stopped at 'meant to'!  Anyway, it's done now.  As is disabling 'Check for updates before scanning'.  How could I have forgotten that after the earlier discussion?  Probably Anno Domini...  But 'Delay protection at startup' wasn't set. 

 

Thank you for taking care of me!  

 


LOL.

No problem.

The nuances of the many settings and scheduler settings can be a bit daunting, even for those of us who spend a lot of time here. :D

 

For the record, it looks as if your scheduled scan is set for ~2 AM with a 23-hour recovery period.

So, if your computer is not awake then, we would expect that a make-up scan should run automatically and (if clean) silently soon after the system has its morning coffee.

 

>>If that's your preferred setting, then you might want to monitor the protection logs for a few days to see if the scan runs as planned.

>>If that's NOT your preferred setting, feel free to edit the scan time to something more convenient.

(FWIW, it's one of the first settings I change after a fresh install, and I've never had a problem with it**. You can even "test" it by changing the scheduled scan time to something a few hours from now > check your logs a little while thereafter > if all is good, set it back to your preferred time.)

 

Cheers!

 

 

**There is a minor, known bug with the scheduler not honoring Daylight Saving Time. With any luck that should be fixed by the next time it becomes an issue, in November.


So, if your computer is not awake then, we would expect that a make-up scan should run automatically and (if clean) silently soon after the system has its morning coffee.

 

Exactly!  That's what I had expected.  But it seems that the scheduler is not quite that clever.  If the computer is not awake at the scheduled time, the scheduler doesn't make a new attempt when it's turned on.
 
I did a couple of experiments today: 
 
At 08:30, I scheduled a daily 'Threat' scan for 09:00 and, 'if missed', run again within 23 hrs.  Put the computer into 'sleep'.  09:00 passed uneventfully. 'Woke up' the computer at 11:15 and, hallelujah, it started a scan!  It recovered!  Working as I feel it should.  For some reason, it attempted an update too and this failed 'Couldn't contact the server'.  But this feels a minor issue.  A manual update was OK and I'm sure the next scheduled update would have succeeded.
Incidentally, the update frequency is set to start at 2 hour intervals (even hours) and 'check for updates before scanning' was not set.
 
At 13:30, I changed the scan type to a daily 'Custom' scan of a USB stick, starting today at 14:30 and, 'if missed', run again within 23 hrs.  I 'safely removed' the USB and expected the missing scan target would cause the scan to fail. Then I could re-insert the USB and see if a recovery would be run later. But no, the scan ran at 14:30 and classed as a success: No malicious data encountered.  Well I suppose that's true in a sense - the data it was to scan wasn't available so it didn't find anything malicious.  Not what I expected, but best not to start a semantics discussion!
 
So, if the computer is turned off at primary scan time then, when it becomes active, the scheduler appears to assume that the scan was done and that everything went well.  There doesn't seem to be any check on whether it in fact was done at all. 
 
I don't think this is going to be fixed by tweaking settings.  And I don't expect it's going to be very high on Malwarebytes' 'to do' list. Indeed, it might even be the intended behaviour. I think the most realistic course is for me to set the scheduling parameters to more suitable values and live with it.  Or do as with my AV and just run a manual scan now and then. 
 
So 1PW, Gonzo and daledoc1, sorry to have lured you into what seems to be a bit of a wild goose chase but I've learned a lot and now have a much better understanding of how it behaves.  Thank you for your patience and suggestions.  Of course, if anyone should get a good idea...
 
Regards Alan_S

Hi:

 

Thanks for the follow-up. :)

 

For the record, the recommended/default scan type is a Threat scan (daily).

Routine "Custom" scanning of other volumes and drives is neither necessary nor recommended.  It's a task better suited to your antivirus.

And, TBH, if you're trying to schedule a custom scan of an external USB stick that is not mounted all the time, I'm not sure whether or how that would/should work, as it's not standard use of the automated scheduler. (A manual, on-demand scan of that USB pen drive would probably work better, if you really want to scan it.)

 

If you search the forum, you just won't see any other reports of the issue you report. :(

 

So it does sound as if something might be amiss with your settings, perhaps duplicate or overlapping scheduled tasks (Threat and Custom scans, and update checks), clashing between the many "recovery" settings, and/or your computer's power management settings.

 

We'd be happy to help you with this, but I will likely need to escalate this to the forum staff.

It would help to have a fresh set of all 3 Diagnostic Logs, please.

If you run FRST again, please place a check-mark in the "Addition.txt" option before running it.

Then please post back with all 3 logs attached to your reply.

 

Alternatively, you might wish instead to open a ticket at the help desk >>here<<, for one-on-one email support.

If you opt for that, please include the following link when you complete the web form, so that your help desk team member can get up to speed:

https://forums.malwarebytes.org/index.php?/topic/168719-how-is-a-missed-scheduled-scan-handled/

Thanks again,


The USB thing was just an attempt to provoke a case of 'failed scan' so I could see how it was handled, not for 'proper' use.

 

For now, I'll see how things go using the settings I have had for the last year or so.  If there's a problem then I'll certainly take you up on your offer!  

 

Again, thanks for your help.
