Malicious Website Protection problem, any status update ?


  • Root Admin

Please provide more details on this issue and links to other topics where you're reasonably certain it is the exact same issue you're experiencing.

 

I'm not saying it's not happening to you but I also asked in support and they're not aware of it being a wide spread issue.

 

Let me please get a copy of a weeks worth of your MBAM protection logs as well as the logs below.

 

Please read the following and post back the 3 requested logs.
 
Diagnostic Logs
 
Thank you
 

Link to post
Share on other sites

Ron, as David has responded, his Daily Protection Logs won't do much good as he's reverted back to the previous version of mbam; so, I've attached mine, but since I used the mbam clnr and did an mbam reinstall all I have is 5 days' logs. Several frst and mbam check scans are attached to my topics that David linked in the previous post (#3). I've observed that an AKA Domain Database update fails when I'm logged in to a limited user account from startup. That results in an "unable to access the database server" message when trying to do a manual update and also results in Malicious Website Protection being turned off and not turned back on if a malware database update is processed at the same time as the AKA Domain Database update.

 

The successful updates of the AKA Domain Database only occurred when I was logged in to an admin account or when logged in to a limited account after I had exited Malwarebytes from the taskbar icon and restarted it as an administrator from the desktop icon. I learned this afternoon that mbam continues to function properly once I've done an administrator restart within a limited user account for the remainder of the session.

 

It's possible this issue is more widespread than you know. It's not flagged on the taskbar (mbam icon & right click pop up) or on the mbam Dashboard unless the "update now" button is clicked. You have to look at the Daily Protection Logs to see the errors.

 

David, thanks for linking my Topics.

07_19_15 DPL.txt

07_20_15 DPL.txt

07_21_15 DPL.txt

07_22_15 DPL.txt

07_23_15 DPL.txt

Link to post
Share on other sites

  • Root Admin

I am unable to duplicate the AKA Domain database issue once the program has updated. Will wait some time and see if I can verify but it also looks like my limited user account is not updating the protection log to show that I've even checked or not.

 

Please try another MBAM CLEAN removal and reinstall of the program. Install using an Admin level account. Check for updates with the Admin level account (the logs should show the AKA Domain error) then when done shut down the computer and wait 30 seconds and restart the computer. Then log back in with the Admin level account and again check for updates. Then export the log out to a text file. Then select it and delete the protection log. Then restart the computer one more time. Then log back on with the Admin level account and review the scheduled updates. Delete all schedules. Then log off of the Admin level account and log on as the Limited User account and wait at least 4 hours and then check for updates again. Then let me know what it says or does and if indicated with any error get a screen shot please. Then export the Protection log again and post back that log.

 

Then log off of the Limited User account and log back on with the Admin level account and go to scheduled tasks and set a database update task to check for updates once every hour. Then restart the computer again.

 

Wait at least 4 to 6 hours for updates to happen and go back in again to the protection logs and export and post back both logs from the Limited and from the Admin level.

 

The interface lets me check for updates using the Limited User Account but I need to wait myself until there is an update so that I can have the limited check and see if it either updates or fails, then I'll report back my findings.

Link to post
Share on other sites

  • Root Admin

Well that's what I don't understand yet. Originally after the program install there are a couple of missing database files so the AKA Domain Database error is normal the first time. Once you have a successful update from an Admin level account that error should not show up again. So far in my testing I get the same error on install and check for updates but at the moment any future update checks are not giving any errors. I have to wait myself for program database updates before I can complete my testing but AKA Domain Database should not come back as you have it shown. It also looks like a LUA can do just about anything they want with the program and in my opinion is not a good thing. A limited user should not be able to disable the protection modules but they can. Will post back more later on.

Link to post
Share on other sites

Ok, I'm awake now. You can see from my 07_19_15 DPL.txt file (attached to post #4), which is the initial DPL after I did a mbam clean and re-install procedure while logged in as an admin, that it looks like all the databases (including both AKA databases) loaded manually as they should have then. The other point is that mbam performs flawlessly updating all databases as expected when the user is logged in as an administrator or has started mbam using "run as administrator" from a LUA.

 

The DPL doesn't give any indication of an mbam exit or what mode mbam is being run in (admin or LUA). Yesterday (07_23_15 DPL.txt) I exited mbam at 11:30 AM (because of an AKA update failure that started at 10:42 AM) and used "run as administrator" to restart it. All you see in the logs at 11:30 AM is the AKADomain error, the successful AKA Domain update and the restarting of the services.

 

I'm convinced that something has changed in the software either on purpose or inadvertently. Mbam worked perfectly when being used as both admin and LUA before 07_08_15.

 

Thank you for getting involved in this. It's obvious that you are trying to work out what is going on. You should look at my Topic on the Malware Removal Help forum (https://forums.malwarebytes.org/index.php?/topic/170715-malwarebytes-misbehaving-possible-infection/) if you haven't already. There is lots of info there especially from Post #7 on (after it was determined my computer wasn't infected).

 

I'll go ahead now and do the procedure you requested last night. It will take a while.

Link to post
Share on other sites

The requested test process is finally underway (at the beginning of the 4 hour do nothing part).

 

I do have some observations regarding your comments about the Daily Protection Log (DPL). It appears to be one continuous list for a 24 hour period. Whoever or however people are logged on just adds to the one DPL. A log off as one type of user and log on as another type doesn't register (the programs must keep running during those events). I haven't tried to test whether the permissions change when a user logs out of an admin account and into a LUA. An "update now" request doesn't register in the DPL if there are no updates available.

Link to post
Share on other sites

1 DPL 1_22 PM 07_24_15.txt - Daily Protection Log (DPL) requested after mbam clean & re-install in admin account, update now, computer shut down, 30 second wait, computer start, admin login, update now.

 

2 DPL 5_55 PM 07_24_15.txt - Daily Protection Log requested after DPL delete, computer restart, admin login, delete update schedule(s), log off admin, login LUA, wait 4 hours, update now. There is strangeness in the log. It shows an IP Database update along with Domain Database and Malware Database updates. The log shows that Malicious Website protection was turned off during that process. It was not turned back on. I ran a CheckResults scan (CheckResults 6_05 PM 07_24_15.txt - attached) which confirms that Malicious Website Protection is not running. Neither the Dashboard or the taskbar flag the issue.

 

Next, as Ron requested, I logged off the LUA and logged in as an administrator, set a mbam database update task to check for updates once an hour, restarted the computer, logged in to an LUA (Ron didn't specify whether to log in to an LUA or admin account). The DPL didn't indicate that Malicious Website Protection had started. A new mbam-check (CheckResults 6_45 PM 07_24_15 - attached) showed that Malicious Website Protection still isn't running.

 

As I was preparing this report an AKA Domain Database update failed (3 DPL 7_25 PM 07_24_15.txt - attached).

 

I'm now in a wait 4 to 6 hours to let updates happen. I'm expecting additional failures.

 

Today is the first time I've seen an IP Database update since I started paying attention to the DPL's on 07/19.

1 DPL 1_22 PM 07_24_15.txt

2 DPL 5_55 PM 07_24_15.txt

CheckResults 6_05 PM 07_24_15.txt

CheckResults 6_45 PM 07_24_15.txt

3 DPL 7_25 PM 07_24_15.txt

Link to post
Share on other sites

  • Root Admin

Yes you're correct in that the PM Log is one log for 24 hours regardless of who is logged on but it does list the account used for the operation. I thought I was able to confirm that LUA was not updating (it checks for updates then fails and logs it) but now something is preventing access to update servers even when I'm logged on as an Admin. As you can see from your last log 3 DPL 7_25 your computer also had a failure trying to contact the update server from what appears to be a scheduled task.

 

Update, 7/24/2015 7:25 PM, SYSTEM, 1_GENE, Scheduler, AKA Domain Database, Failed, Unable to access update server, 2015.7.24.1, 2015.7.25.1,

 

So my testing is not done however those that can assist me in testing confirmation with server issues for the most part are now gone and won't be back until Monday so I may not be able to complete all the testing I'd like to do until Monday or Tuesday perhaps.

Link to post
Share on other sites

  • Root Admin

Well that was less than satisfying. Logged on using my Admin account on Windows 8.1 and updates under an Admin account were not able to access the update server. Going to command prompt and tracing the update server I'm able to ping and trace route to it so I know we can talk to it. Then I rebooted the Windows 8.1 computer and logged back on as an Administrator and this time it was able to update without an issue.

 

So at this point not certain of the cause. Will work with our QA and Development team next week to see if we can duplicate and track down the real cause here.

Link to post
Share on other sites

If you get in that situation again, try your own technique from your Malicious Website Protection disabled sticky:

  • Right click the Malwarebytes tray icon and click "Exit"
  • Restart the Malwarebytes application from the programs menu or desktop shortcut.

I use "run as administrator" when I'm in an LUA. It shouldn't matter when you're in an admin account.

Link to post
Share on other sites

My guess is that this info is no longer needed, but just in case; You'll recall from post #10, I was waiting 4 to 6 hours logged in to an LUA for updates to happen. Ron asked that I then " go back in again to the protection logs and export and post back both logs from the Limited and from the Admin level". It's since been determined that the limited and admin logs are the same log (4 DPL 11_27 PM 07_24_15.txt - attached). That ends the actions and reporting that Ron requested in Post #5.

 

At approximately 12:15 AM today still in an LUA, I exited mbam from the taskbar (tray) and then used "run as administrator" (mbam desktop icon right click menu) to restart mbam. I've left the computer on since then. Mbam appears to have resolved the errors, updated multiple times, and even ran the default scheduled scan. 5 DPL 2_19 PM 07_25_15.txt (attached) documents those actions. I ran a mbam check (CheckResults 2_24 PM 07_25_15.txt - attached) within a few minutes of 5 DPL to allow verification of mbam status at the time.

 

One more thing: I'd noticed it previously, but had other fish to fry at those times. It seems that when I'm in an LUA and have used the mbam tray icon exit & restarted mbam with "run as administrator", a new mbam tray icon is added when I open the mbam dashboard. It's possible that it does it every time, but maybe not. Right now I've got 5 mbam icons in the tray. The screen capture I've attached from a bit earlier shows 3. The icons are all right clickable and show the same (correct) current status info. Weird. I haven't tried an mbam "exit" to see what happens.

 

4 DPL 11_27 PM 07_24_15.txt

5 DPL 2_19 PM 07_25_15.txt

CheckResults 2_24 PM 07_25_15.txt

post-7145-0-13123200-1437864757_thumb.jp

Link to post
Share on other sites

I think I found a workaround for this issue on MBAM 2.1.8 that survives multiple IP/Domain database updates. The workaround of running the GUI as admin only works once and the issue is back on the next IP/Domain database update, so we need a different approach. Since there were a few such updates in the last 24/48 hours it gave me some test opportunities.

 

So here is the workaround that worked for me on Windows 8.1 x64:

- if self-defense is enabled disable it (requires switch to admin account);

- If you have a premium license, back it up; it's going to vanish;

- Exit MBAM from tray then delete %ALLUSERSPROFILE%\Malwarebytes\Malwarebytes Anti-Malware (this will brick MBAM for a while);

- Download and run the installer;

- at the end of the installation uncheck the option that tells MBAM to run right away (very important);

- switch to limited user account then run MBAM;

- during the initial update MBAM will try to elevate half-way during the update. Don't let it elevate (very important, the update succeeds despite this);

- restore the rest of MBAM settings.

 

Potential cause

Because MBAM 2.1.8 unlike its previous versions unexpectedly elevates during initial update and IP and Domain databases are not included in the installer, these database components get created with wrong permissions.

 

Extra

Regarding AdvancedSetup's post from 24 July 2015 - 07:47 AM, it appears that non-admin users cannot turn off protection, but there is no access denied related alert and this causes the GUI to end in an inconsistent state. Though this is another issue that affects the protection module and self defense mechanism present in all MBAM 2.x versions.

Link to post
Share on other sites

pal1000, it appears to me that you've done some very good analysis work (well beyond my knowledge level). What you have found may well be the key to the issue several of us are having provided of course that we have a common cause. Thank you for the effort. It will be interesting to see how AdvancedSetup (Ron) responds.

 

I think we have an appropriate level of attention at Malwarebytes now. I'm going to limp along as I have been (only doing changes Ron might request) until the company has a solution.

Link to post
Share on other sites

As best as I can determine, MBAM seems to have issued a "bad" database on 24 July --- specifically, 2015.7.24.7 [and later] --- which interfered with Malicious Website Protection on some systems.

 

To be more specific: Based on the User Interface, everything appeared to be normal so far as Malicious Website Protection was concerned... the UI alleged that Website Protection was enabled. But:

 

1) the MBAM diagnostic program MBAM-check https://support.malwarebytes.org/customer/portal/articles/1835316-what-is-mbam-check-and-how-do-i-use-it-?b_id=6400 noted that the Malicious Website Protection service was NOT running,

 

2) when I went to the MBAM online IP-Protection-test website http://block.malwarebytes.org/ , it indicated I was NOT protected, and

 

3) when I sifted through the MBAM Protection Logs (History / Application Logs), I noticed that there were no references to Malicious Website Protection starting [which should have been there].

 

This happened on two separate systems, Win7x64 and (32-bit) Win8.1. I doubt that could be just a coincidence.

 

My solution was to (download and) reinstall a copy of MBAM 2.1.8.1057 (over itself). That seems to have corrected the problem [at least for now... we'll have to see whether or not the issue recurs].

Link to post
Share on other sites

Can you all please update to database 072605 and see if there are any changes.

 

Ok, when I saw your request, I was in a LUA and running mbam as an administrator. Everything looked ok with both Malware Protection and Malicious Website Protection running (verified by mbam-check). I verified that 072605 was the current malware database per the dashboard and Daily Protection Log (DPL) and then restarted the computer, logged in to the LUA letting mbam start with windows. The DPL and tray icon indicated that both Malware Protection and Malicious Website Protection were running. Another mbam-check (CheckResults all LUA restart after 07_26_05 .txt - attached) confirmed, but oddly all the database information was zeroed out. I'll watch mbam for a while and let you know. I've only really had issues during and after AKA Domain Database and IP Database update failures. It doesn't seem to me that changes to the malware database would solve issues with updating other databases (but what do I know?). It might help if you could tell us what you are trying to accomplish.

 

Thank you for your attention to this issue.

CheckResults all LUA restart after 07_26_05 .txt

Link to post
Share on other sites

Request from shadowwar:

Can you all please update to database 072605 and see if there are any changes.

 

First Response:

Ok, when I saw your request, I was in a LUA and running mbam as an administrator. Everything looked ok with both Malware Protection and Malicious Website Protection running (verified by mbam-check). I verified that 072605 was the current malware database per the dashboard and Daily Protection Log (DPL) and then restarted the computer, logged in to the LUA letting mbam start with windows. The DPL and tray icon indicated that both Malware Protection and Malicious Website Protection were running. Another mbam-check (CheckResults all LUA restart after 07_26_05 .txt - attached) confirmed, but oddly all the database information was zeroed out. I'll watch mbam for a while and let you know. I've only really had issues during and after AKA Domain Database and IP Database update failures. It doesn't seem to me that changes to the malware database would solve issues with updating other databases (but what do I know?). It might help if you could tell us what you are trying to accomplish.

 

Thank you for your attention to this issue.

 

Follow Up:

It's several hours later. There have been so few updates today that I don't know that I can say that there is any difference. DPL 8_20 PM 07_26_15.txt (attached) shows the LUA computer restart at 12:20 PM. The only other events are an error and "Malware Database, Failed, Unable to access update server, 2015.7.26.5, 2015.7.26.6," line items at 2:11 PM. The DPL still hadn't logged any additional events as of 10:45 PM. This is the first time I can recall seeing a Malware Database Update failure since the current set of problems began. Oddly, the Dashboard indicates the current malware database is 2015.7.26.6. The "update now" button still functions as expected. Dashboard screen shots are attached. I've attached CheckResults (CheckResults all LUA 8_31 PM 07_26_15 .txt - attached) from just after the attached DPL was captured. It still has all the databases zeroed out. I was curious about the databases and logged out of the LUA and logged in to an admin account and ran another mbam-check (CheckResults all admin 10_26 PM 07_26_15 .txt - attached) which does list the databases.

 


 

DPL 8_20 PM 07_26_15.txt

CheckResults all LUA 8_31 PM 07_26_15.txt

CheckResults all admin 10_26 PM 07_26_15.txt

post-7145-0-09401900-1437971209_thumb.jp

post-7145-0-03174300-1437971223_thumb.jp

Link to post
Share on other sites

I just (4:43 PM CDT) got an "unable to access database server" message from the Dashboard on using the "update now" button. It then reverted back to showing that v2015.07.27.06 is the installed database. The DPL (DPL 4_43 PM 07_27_15 LUA mbam-RAA.txt - attached) confirms the failure, but mbam-check (CheckResults 4_44 PM 07_27_15 LUA mbam-RAA.txt - attached) shows 2015.07.27.07 as the installed Malware Database. I'm logged in to an LUA and running mbam as an administrator.

 

I tried "update now" again about 20 minutes later and got a "No Updates Available" message. The Dashboard displayed the updated v2015.07.27.07 when the dashboard reverted to displaying the current installed database version. The DPL hasn't updated.

DPL 4_43 PM 07_27_15 LUA mbam-RAA.txt

CheckResults 4_44 PM 07_27_15 LUA mbam-RAA.txt

post-7145-0-79090700-1438035543_thumb.jp

Link to post
Share on other sites

My workaround plan until Malwarebytes determines what has gone wrong and fixes it was to log in as an admin from computer startup, check out that mbam was working as expected, "update now", log out of the admin account, log in to LUA, exit mbam, restart mbam using "run as administrator", check out that everything looks ok, minimize the mbam taskbar window (to prevent creating additional mbam tray icons when I open the window). That's what I did this morning, and it all worked fine after an initial error including Malicious Website Protection being off was resolved with a database update at 8:48 AM until errors started popping up at 4:43 PM that weren't resolved until 6:19 PM. Also, at 6:19 PM, Malicious Website Protection stopped and wasn't turned back on (DPL 10_48 PM 07_27_15 LUA mbam-RAA.txt - attached) which was verified by CheckResults 6_35 PM 07_27_15 LUA mbam-RAA.txt (attached). I tried some steps to turn Malicious Website Protection back on at 6:23 PM but was unsuccessful. I decided to wait it out and see if a later successful database update would turn Malicious Website Protection on as had happened at 8:48 AM this morning, which did happen at 10:48 PM (see attached DPL). CheckResults 10_51 PM 07_27_15 LUA mbam-RAA.txt (attached) confirms that Malicious Website Protection is back on.

 

DPL note: The failure to access the database server at 1:26 PM was due to a temporary Internet outage. You'll notice it was just a listed event in the log and not labeled as an error.

DPL 10_48 PM 07_27_15 LUA mbam-RAA.txt

CheckResults 6_35 PM 07_27_15 LUA mbam-RAA.txt

CheckResults 10_51 PM 07_27_15 LUA mbam-RAA.txt

Link to post
Share on other sites

  • Root Admin

Hi Calintexas, sorry for the delay but I wanted to verify and make certain the program was functioning as I thought. I've posted as well in a couple of similar topics.

 

https://forums.malwarebytes.org/index.php?/topic/170417-unable-to-access-update-server/

 

 

I have confirmed that a Limited User Account cannot update the database. Though they can do pretty much just about anything else with the program.

I cannot duplicate yet this issue of the Web protection module being broken by a LUA or Admin account stopping or updating, etc. so if in fact it is an issue I'll have to review that further to see if I can duplicate the issue or not.

 

At this time version 2.18 cannot update the rules database using a Limited User Account. It must either be run by the internal scheduled task (highly recommended method) or by an Admin level account if running an update check manually. Limited User accounts will try and fail with the AKA Domain error.

 

However initial testing under 2.16 seemed to operate in the same fashion but I was not specifically testing for LUA database updates in 2.16 - I will install and test on a system and try to verify if 2.16 has changed in this capacity or not.

Link to post
Share on other sites

Ron,

 

I have MBAM v 2.1.8 on Win 10.
I logged in with a Limited Account.
MBAM did a SCHEDULED update, and the AKA Domain Database update failed.
I did not click on Update.
Malicious Website Protection stopped working, with no alert or warning.
The Notification Area icon shows Malicious Website Protection is enabled.
The GUI doesn't show there are any errors.

The only way I know of to know there is a problem:
- Open the MBAM IP block test site, and see that the site is not blocked
- Look in the Protection Log, and hopefully understand what the AKA Domain Database failed message really means

How many users with this issue will use the IP block test site, or look at and know how to interpret the log?

No matter what the reason, when Malicious Website Protection stops working with no alert or warning, I don't know if/when I can trust MBAM protection.
Hopefully the same thing will not happen to Malware Protection.

Is there a way to test that Malware Protection is working, similar to the MBAM IP block test site?
 

ProtectionLog_2015_07_28.txt

Link to post
Share on other sites
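Several posters in this thread (the Root Admin's quoted "AKA Domain Database, Failed" line, Calintexas's reports of Malicious Website Protection stopping without being restarted, and the last post's point that the only way to notice the problem is to read the Protection Log) are all doing the same thing by hand: scanning an exported Daily Protection Log for failed updates and for a protection stop with no later start. The script below is an added example written for this thread; it is not Malwarebytes code. It parses the comma-separated line shape quoted in the thread (event kind, time, account, host, source, component, status, then details). The failed-update sample line is copied from the thread; the "Protection ... Starting/Stopping" lines, the "Updated" status and the host name are constructed and their layout is an assumption, so adjust the field positions if your export differs.

```python
"""Flag failed database updates and an unrestored Malicious Website Protection
stop in an exported Malwarebytes Daily Protection Log (DPL).

Added example for the forum thread, not Malwarebytes code.  The column
layout below is assumed from the log line quoted in the thread.
"""
import csv
import io
import sys
from datetime import datetime

LOG_TIME_FORMAT = "%m/%d/%Y %I:%M %p"      # e.g. "7/24/2015 7:25 PM"
WEB_PROTECTION = "Malicious Website Protection"

# Constructed sample log.  Line 4 copies the failure quoted in the thread;
# the other lines are an ASSUMED layout for protection start/stop and a
# successful update, not a documented format.
SAMPLE_DPL = """\
Protection, 7/24/2015 5:40 PM, SYSTEM, 1_GENE, Protection, Malicious Website Protection, Starting,
Update, 7/24/2015 5:55 PM, SYSTEM, 1_GENE, Scheduler, Malware Database, Updated, 2015.7.24.6, 2015.7.24.7,
Protection, 7/24/2015 5:55 PM, SYSTEM, 1_GENE, Protection, Malicious Website Protection, Stopping,
Update, 7/24/2015 7:25 PM, SYSTEM, 1_GENE, Scheduler, AKA Domain Database, Failed, Unable to access update server, 2015.7.24.1, 2015.7.25.1,
"""


def parse_dpl(text):
    """Turn DPL export text into a time-ordered list of event dicts.

    Assumed columns: kind, time, account, host, source, component, status,
    followed by any detail fields (reason, installed version, offered version).
    Lines with fewer than seven fields are skipped as non-events.
    """
    records = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        while row and row[-1] == "":        # every DPL line ends with a comma
            row.pop()
        if len(row) < 7:
            continue
        records.append({
            "kind": row[0],
            "time": datetime.strptime(row[1], LOG_TIME_FORMAT),
            "account": row[2],
            "host": row[3],
            "source": row[4],
            "component": row[5],
            "status": row[6],
            "extra": row[7:],
        })
    records.sort(key=lambda r: r["time"])
    return records


def failed_updates(records):
    """Return one dict per update event whose status is 'Failed'."""
    failures = []
    for r in records:
        if r["kind"] == "Update" and r["status"] == "Failed":
            extra = r["extra"]
            failures.append({
                "time": r["time"],
                "component": r["component"],
                "source": r["source"],
                "reason": extra[0] if len(extra) > 0 else "",
                "installed": extra[1] if len(extra) > 1 else "",
                "available": extra[2] if len(extra) > 2 else "",
            })
    return failures


def website_protection_state(records):
    """Last known state of Malicious Website Protection: the final
    start/stop event in the log wins; 'unknown' if the log has none."""
    state = "unknown"
    for r in records:
        if r["kind"] == "Protection" and r["component"] == WEB_PROTECTION:
            if r["status"] in ("Starting", "Started"):
                state = "running"
            elif r["status"] in ("Stopping", "Stopped"):
                state = "stopped"
    return state


def check_dpl(text):
    """Summarise a DPL export; 'alert' is True when a practitioner should
    look closer (any failed update, or web protection left stopped)."""
    records = parse_dpl(text)
    failures = failed_updates(records)
    state = website_protection_state(records)
    return {
        "events": len(records),
        "failed_updates": failures,
        "website_protection": state,
        "alert": bool(failures) or state == "stopped",
    }


if __name__ == "__main__":
    # Usage: python dpl_check.py exported_log.txt   (no argument: sample log)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DPL
    summary = check_dpl(text)
    for f in summary["failed_updates"]:
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['component']}: {f['reason']} "
              f"(installed {f['installed']}, offered {f['available']})")
    print(f"{WEB_PROTECTION}: {summary['website_protection']}; alert={summary['alert']}")
```

Run it against an exported log after the "wait 4 to 6 hours" step and it answers the two questions the thread keeps asking by hand: which database updates failed, and whether the last web-protection event in the log was a stop. Because the DPL is one file per day regardless of who is logged on, the account column is kept in each record so failures can be attributed to the scheduler, a LUA, or an admin session.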
