Jump to content

RAM usage for mbamservice.exe seems high


Recommended Posts

Hi there,

My system has 6Gb RAM (4 usable as SSD turbocache takes 2Gb) and I was using Firefox, IE, Word and Outlook and noticed that my system was becoming a bit sluggish.  Looking at Process Hacker I wanted to see what was going on and saw my RAM was up to 70% usage.  Digging deeper I could see that (of course) FF was the biggest consumer by far (10 tabs) but I also noticed that mbamservice.exe was consuming 420Mb RAM.  I thought this was a bit high (I am on the latest release). 

Is this normal/within the acceptable range?

 

 

I already removed MBAM using the mbam-clean and reinstalled but it seems to be making no difference.  I also have Avast 2016 "Free".

 

Thanks

Paul

 

 

 

Link to post
Share on other sites

Hey, @smipx013.

I looked at your image - and the first thing I want to point out is that what you're looking at is not what is being used by the applications.  For a much better explanation, please see this link:

http://stackoverflow.com/questions/1984186/what-is-private-bytes-virtual-bytes-working-set

However, when your system started to grind to a halt, it may have been more so because of paging due to such heavy hitters open than anything else.

Question:  If you do the exact same thing but not run Outlook, how is the system?

Link to post
Share on other sites

Hi John,  Thanks for the reply.

Agreed.  I think it the Firefox causing the major issue and exacerbated by Outlook and everything else - including the 2Gb turbocache on the SSD.  I just upped my RAM to 8Gb :-)

I was aware of the "private bytes" not being a total reflection and the nightmare of working out the actual usage for a process. As there is no other "easy" way to know the actual allocation of memory from the RAM only its the best I have for now though.  I would be keen to know of another way though (one that does not include the memory that may be paged out). 

Here is the detailed view of the memory allocs for the service.  I just really need to know if it is "normal" or if there is something else going on:-

http://imgur.com/4bKYqqI

Cheers,

Paul

 

Link to post
Share on other sites

Hey, Paul.

Taking a look at that image and the previous one, It is not even double what I have on my system, running Windows 10 Pro.  Based upon different hardware configurations, different settings, and different software installed, I can easily see this being a normal value and not something out of the ordinary.

The system I'm referring to is a Desktop that I built myself.  My current specs are as listed in my signature, the last link, except that now I am running build 14316 of Windows 10 Pro x64 Insider Preview.  The software that I have running in the background is minimal, and I do not use Outlook, and I have a bit more RAM than you do, so those factors alone could easily account for why I have a smaller usage showing, around 190 MB for MBService for me.

Link to post
Share on other sites

hi,

 

No I've not excluded MBAM from Avast and Vice versa but I wasn't sure that was strictly necessary.  I will try that though and report back if it makes any difference.

As for the selections:

in "detection and Protection" I have all 3 selected (Advanced Heur., rootkits and scan within archives (although I thought this was only applicable to a scan as opposed to RT protection). PUP treat as Malware, PUM treat as Malware, Malware protection enabled + Website protection enabled.

I also have "reduce priority of scans to imporve multitasking selected under Advanced.  The rest is stock.

 

Link to post
Share on other sites

Ok so I added the mutual exclusions and did a cold restart. Ran chrome for 5 minutes browsing various sites and then opened Outlook and read a few mails and did a send/receive.  The RAM is sitting at 305Mb just now.  Not sure if the mutual exclusions made a difference or if that is just a coincidence and something else in a few hours / days will/might trigger and increase so I will keep my eye on it and report back. I will also so a "sleep" and resume to see if that makes a difference...

Link to post
Share on other sites

6 minutes ago, smipx013 said:

Sleep/resume made no difference. Still at 305Mb.  I will report back in 24 hours when MBAM does an automatic update and avast has the chance to do a few updates too.

Hi:

I hope @Porthos and @John L. Galt will pardon my intrusion on their excellent advice thus far...

If I may, a couple of things strike my eye:

  1. First and foremost, we really don't have much in the way of solid data about the system (i.e. logs), just a few screen caps.  It's hard to know for sure what's going on, as every computer is unique.  We can really only speculate and render educated guesses, without a bit more data.
  2. You mention that you have not yet tried setting mutual "trust" settings/exclusions between Avast and MBAM.  This is usually not strictly necessary, but it might help.
  3. Your post just now suggests that MBAM is configured to check for database updates only once a day?  MBAM specializes in certain types of zero-hour and zero-day threats. There are often 5 to 10 (sometimes more) database updates per 24 hours.  To stay abreast of emerging threats, an automatic update check schedule of every 1 to 4 hours is recommended. (This is unrelated to resource consumption issue, but is a security vulnerability issue.)

So, I respectfully suggest the following (but it's certainly up to you, of course):

  1. Please follow the steps in this pinned topic and then ATTACH to your next reply all 3 (FRST.txt, Addition.txt and CheckResults.txt): Diagnostic Logs
  2. If you wish to set mutual exclusions, the screen shot below shows how (with a different example) to exclude the Avast folder in MBAM, and the instructions below list the MBAM files to exclude in Avast.
  3. You might want to edit your automated update check schedule to HOURLY with a recurrence of 1 to 4 hours (unrelated to resource consumption issue, per se).

Please let us know how it goes.

Thanks,

-----------------

Please exclude the following files from your Antivirus Software for your version of Windows:


For 32-bit versions of Windows XP, Windows Vista, Windows 7 & Windows 8 & Windows 10:

  • C:\Program Files\Malwarebytes Anti-Malware\mbam.exe

  • C:\Program Files\Malwarebytes Anti-Malware\mbamdor.exe

  • C:\Program Files\Malwarebytes Anti-Malware\mbampt.exe

  • C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe

  • C:\Program Files\Malwarebytes Anti-Malware\mbamresearch.exe

  • C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe


 
For 64-bit versions of Windows Vista, Windows 7 & Windows 8 & Windows 10:

  • C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

  • C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamdor.exe

  • C:\Program Files (x86)\Malwarebytes Anti-Malware\mbampt.exe

  • C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamresearch.exe

  • C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe

  • C:\Program Files (x86)\Malwarebytes Anti-Malware \mbamscheduler.exe


Note: If you are using a software firewall besides the built in Windows Firewall, you'll need to exclude MBAM.EXE, MBAMSERVICE.EXE and MBAMRESEARCH.EXE from it, as well.
 
Note: Once that's done, please make sure that if either of those programs has any sort of web filter, that you add the following as a trusted site:

data-cdn.mbamupdates.com

221-Exclusions-2016-03-31_6-14-39.png

Link to post
Share on other sites

4 hours ago, smipx013 said:

Ok so I added the mutual exclusions and did a cold restart. Ran chrome for 5 minutes browsing various sites and then opened Outlook and read a few mails and did a send/receive.  The RAM is sitting at 305Mb just now.  Not sure if the mutual exclusions made a difference or if that is just a coincidence and something else in a few hours / days will/might trigger and increase so I will keep my eye on it and report back. I will also so a "sleep" and resume to see if that makes a difference...

Since you added the exclusions, the RAM usage has gone down a bit - roughly close to 20%.  That is not a bad scenario, and I'm inclined to believe that you're in a slightly better place.  The fact that you have the exclusions, however, may be more pertinent to the fact that your system is not slowing down nearly as badly as you noticed before.

If you can, try to get back to the same situation you had running before and see if it makes a difference.  Of course that will still not be a complete answer, as you have already bumped your RAM by another 2 GB, which should help immensely in terms of still being able to set the 2 GB cache limit for the SSD and still have over 4 GB free to be used by the system.  It could be a combination of several factors, but since it went down, that is a good thing.

If you can, like I said, try to duplicate the exact scenario (as closely as you can) and see if there is still a significant slowdown.  If so, I think the next step would be to analyze the programs themselves using some diagnostic logs that we will have you generate so we can make sure all is running well.

NOTE: If you haven't added the exclusions as Daledoc1 listed in her post above me, please do so exactly as she has laid out - that will go a long way to helping prevent file scanning conflicts, which may have been the root cause of the slowdown, particularly with email scanning.

Edited by John L. Galt
Added note
Link to post
Share on other sites

Hi,

Thanks both for the replies.  

Just to be clear - I should have said "leave it for 24 hours to let Avast and MBAM so several updates etc."  
My update schedule is hourly.  

I didn't have the following in my exclusions so have amended them......


        C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamdor.exe

        C:\Program Files (x86)\Malwarebytes Anti-Malware\mbampt.exe
        


C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamresearch.exe


Im going to do a reboot now to see what the stats look like.  I will then remove all of the exclusions, reboot and see if it makes any difference and report back.

In the meantime, attached are my logs:

 

 

CheckResults.txt

FRST.txt

Addition.txt

Link to post
Share on other sites

Hi, 

Results from testing removing all of the mutual exclusions.  I rebooted after taking them all back out and the memory used is still ~305Mb (exactly 309Mb in fact) so I think that might be a red herring.  I will put them all back in though as it will ensure no interference going forwards.

Thanks

Paul

 

Link to post
Share on other sites

Hi:

Several things jump out from your logs:

  1. Although you said that you have recently "cleanly" reinstalled, the CheckResults.txt log suggests otherwise.  It suggests that the last CLEAN install/upgrade was back in Jan 2015.  The last install/upgrade, back on March 23, 2016, was NOT a clean install.
  2. You have some PUP remnants in MBAM quarantine.  It's possible that there are traces/leftovers of other PUPs/malware on the system might be contributing to your problem.
  3. There are some other log entries that appear to be abnormal, though I am not 100% certain:

 

Quote

 

Terminal Services Status for (null) entries in PM logs and GetUserToken errors:

  1. ===============================================================================

    --------------TERMService:--------------
    Type:                   32
    State:                  1 (The service is not running.) (State is stopped)
    WIN32_EXIT_CODE:        1077
    SERVICE_EXIT_CODE:      0
    CHECKPOINT:             0
    WAIT_HINT:              0


    TermService Start is set to: 3 (Manual Startup)

 

Until a forum staff member has a chance to formally review your logs and information, I suggest the following:

  1. Please carefully follow ALL the steps in this pinned topic to CLEANLY reinstall the current build.  Be sure to follow the advice to "deactivate" your account and to have available your license info before you begin. A proper clean reinstall often resolves many minor performance issues.  Be sure to reboot when prompted by the removal tool; it's not a bad idea to reboot again AFTER reinstalling. Here is the link: MBAM Clean Removal Process 2x
  2. If that does not resolve your issue, you may wish to head over to the malware removal section for a deeper look at the system by a trained malware expert.  The help is free and will only cost you a bit of your time. To do that, I suggest starting with the advice in this pinned topic -- I'm not saying that you *are* infected; it's just that the tools needed for deeper diagnosis must be run in that other forum area. Here is the link: Available Assistance for Possibly Infected Computers.
  3. Please wait for a forum staff member to review your case to make further recommendations.

Thank you,

 

 

 

Link to post
Share on other sites

Hi,  thanks for that.  I don't think I have a malware infection - I clean other peoples machines of malware as part of my job (as well as troubleshoot windows installation and repair hardware).,  (I thought) I did an mbam-clean on March 23rd this year but I will do one more today for sure.  

The malware remnants may have been picked up from a few hard drives I plugged into my righ (in order to back them up) prior to a full clean of their computer with the hard drives in situ on their computers.  I also had hiren tools and Falcon4 UBCD tools locally as well as a few remote SSH and telnet tools. I  know some of them can produce false positives (like key finders etc.).  99% sure my rig is clean though but if not then I am here to learn what I missed so I can add it to my own knowlegebase,  There may well be some more obscure tools on the machine that are causing an incomparability though for sure.  Things like Winpcap10 and process hacker, some obscure data recovery tools etc. 

There are a couple of quarantined opencandy's and passsword revealers from when I was installing some video editing tools and from the copy of Hirens tools I copied en-masse from a the Hiren boot CD but I have since cleaned everything up fully using MBAM, HRT, ADW, RogueKiller, TDSS Killer and a couple of online scanners (Trend Housecall and ESET if I recall).

Please note: I do not use this machine or my licensed copy of Malwarebytes to clean other poeples hard drives.  I just want that to be ultra clear - If I did I realise I would be looking at a technicians licence :-)

cheers,

Paul

 

 

 

 

Link to post
Share on other sites

Hi:

The proper clean reinstall will clear out accumulated logs and junk. The whole process will take less than 5 minutes.  And it -- combined with a fresh set of mutual exclusions after reinstalling -- may resolve your issue.  It most often does fix a host of minor MBAM performance problems.

If it does not, then a deeper look at the system in the appropriate forum area may reveal a root cause and a solution.

But it's certainly up to you how to proceed. :)

Cheers,

Link to post
Share on other sites

Hi,

 

MBAM clean removal and reinstall now down (properly this time) so its all fresh and the exclusions for Avast re-added.

The RAM is hovering around the 313Mb mark.  The only other thing I have done is move over from FF to Chrome as my daily browser.  I wonder if FF could have been having an impact (more so than Chrome).

New MBAM log attached..

thanks

Paul

 

CheckResults.txt

Link to post
Share on other sites

Thanks, @daledoc1, for stepping in - @smipx013 - I told ya someone would help you out :)

Now, as to Firefox versus Chrome - I know that Firefox seems to take a lot of RAM up, but I also value the ultra-customizability of Firefox versus Chrome.  Chrome has come a long way, but I am a Firefox guy hard core.  But, I also test apps in various websites, so I have Chrome (developer channel) plus Chrome Canary (runs side by side with regular Chrome installs, is ultra-bleeding edge, and uses its own profile), and I run the (daily updated)Nightly builds of Firefox as well - again, ultra-bleeding edge, with a couple of profiles, one main and a backup in case things go wonky or for testing when I need a clean profile to test with.  in addition, there is IE, Edge, and I have Vivaldi and all three versions of Opera installed, as well.

My system specs are below (in my signature, last link) - I'm currently running Windows 10 Professional x64 (Insider Preview build 14328).  Below is the screenshot of the RAM usage for all three of the main browsers I use:

  1. Chrome (dev) with 9 tabs open (only 1 currently active, as they loaded from my last session and I have not done anything else in Chrome other than open it)
  2. Chrome (canary) with 11 tabs open (same thing as above)
  3. Firefox (Nightly v48.0a1) with 55 tabs open (but in different groups, so the only currently active tabs is probably closer to 10):

Firefox is handling memory allocation and usage a lot better than Chrome.  But it is not just memory usage you have to look at.  I used a free app similar to Process explorer called process hacker and customized the columns that you see across the top - so many factors will affect your system's responsiveness, and I've highlighted a few o the columns to illustrate that:

Browsers RAM usage.PNG

The thing to note- Firefox has 5 times as many tabs open as either Chrome profile, but is not using 5 time as much memory.  In  addition, Firefox has 10 times as many active tabs (tabs that I've actually clicked on, reloaded, and tabs that I have set to automatically reload in the background even if I haven't touched them in a while) versus Chrome (both versions have a GMail tab open, so that one tab is active every time the browser loads, but all others are not).

Another thing to note - I've only got a little over half of my installed RAM in actual use.

Final note:  Even though I'm using the Firefox Nightly browser to type this response, when I captured that screenshot, it was Chrome that actually showed Input/Output activity, and it showed an even high I/O write activity than Firefox - just from sitting there open.  That was probably because GMail was updating in the background....

One of the things that makes my system so much more usable, other than the amount of RAM, of course, it also the fact that I have 2 SSDs running on my SATA III channels - my main system SSD (960 MB) and my User data SSD (256 MB), so not only am I not using a mechanical drive for storing any of these browser profiles, applications ,etc, I've got it split up so that a program loads off the System SSD (say, for instance, Firefox) and then loads the data that the program needs (the profile that Firefox wants to access) from the second SSD, freeing up the activity from the first SSD so that it can start making use of the pagefile system for applications without being interrupted by data load calls from the same drive.

it is a lot to take in, but I'm trying to illustrate that I have a highly customized system, so the comparison of my system stats and such to yours (or anyone else's, for that matter) will never give any sort of a true comparison.  That is why I was saying that your values did not look too out of whack - in my mind, you probably did not have all this customization that I have going on, so it makes sense that MBAMService was using more RAM on your system than it is on mine.

Now, on to the good stuff - here is a screenshot (using the same columns) for mbamservice (notice the capitalization - I also highlighted the correct one, although the color coding scheme may make it a bit hard to see, but it is the one with mbam in lowercase, which related to Anti-malware, versus the one in uppercase, which is the one that related to Anti-Ransomware):

MBAM Service RAM usage.PNG

Start looking at those values - and you'll get quite a treat.  Today, my mbamservice is using more RAM (under Private bytes column) than yours - 351 MB.  But the peak private bytes usages is over half a GB, and peak virtual bytes (pagefile) is over 1 GB....

However, in regular old Windows 10 Task Manager, it shows a 'whopping' 100 MB:

MBAM Service RAM usage 2.PNG

So....in conclusion, after looking at all that, I'd have to say that, in my opinion, your mbamservice RAM usage of ~300 MB seems perfectly normal to me.

One last thing - if at any time I seem like I am simplifying any of the above, or if it seems like I'm trying to treat you like an idiot, please do not take it that way.

This post is not just for you, who I have a feeling does understand some of this, but also for future readers, and particularly a very novice computer user who would have no idea what half of the stuff I wrote about above is.  Therefore, for future users, I had to keep the writing at the lowest common denominator, that being the ultra-novice user.  And yet I still think I got too technical lol.

At any rate - I sincerely hope this helps clear up a lot of your concern about the RAM usage of Anti-Malware and all of its components.

As always, if you have any questions, please feel free to post back.

Link to post
Share on other sites

Thanks for that detailed, comprehensive explanation, @John L. Galt.

Alas, it's largely over my gray head.

Having said that, RAM is there to be used. 
And some programs will tcertainly take what they "need" when it's available, to improve performance. 
As I understand it, that's what Firefox and presumably other browsers do. 

But I don't know if that's also the case for MBAM/MBAE/MBARW-beta. We probably need to wait for a member of the product/dev/QA teams to weigh in.

AFAIK, though, there is no major issue with any sort of memory leak for any of the current release versions of MBAM or MBAE.

Staff will correct me if I am wrong, and can likely provide more insight...:)

Cheers,

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.