I can confirm that putting the malwarebytes exe paths into the exclusions on our SCCM antimalware policies did work for us.

However, due to the fact all of our machines lock up after booting because of the conflict, we are having to boot into safe mode, then set the MBAMService to manual (this is the only service that is causing the issues for us), then rebooting and forcing a machine policy sync through Configuration Manager in control panel on the end device. Set the MBAMService to auto and reboot and all is fine (assuming the machine pulls down the updated antimalware policy from SCCM).

We also set the Malwarebytes exes as excluded processes using just the file name, as the path has invalid characters.

Appears to start affecting our clients some short time after receiving a definitions update for endpoint protection.

Link to post
Share on other sites
What threw us was running just the MBAMService on its own (disabling everything else from starting) still locked machines up. Apparently MS endpoint still runs! Looks like a problem with the definitions on the MS front identifying MBAMService. Luckily implemented this "fix" this morning but had no reply to my support ticket to be able to update your team with this info.

I was concerned it might be a virus trying to disable Malwarebytes so had taken precautionary measures and disconnected the whole affected network. Would have been nice to have a major issue more publicly advertised.

Link to post
Share on other sites

If you're not having success with the exclusions, here's what worked for us within MBAM 1.80:

1 - Boot into safe mode with networking

2 - Open MSE – Go to Settings -> Excluded Processes and add the following:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamapi.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamdor.exe
C:\Windows\System32\drivers\mbam.sys

3 - Save Changes

4 - Shutdown and Boot into Normal Mode

Also, we're working on MBAE and we'll have more to share on that shortly. 

Link to post
Share on other sites
23 minutes ago, msherwood said:

If you're not having success with the exclusions, here's what worked for us within MBAM 1.80:

1 - Boot into safe mode with networking

2 - Open MSE – Go to Settings -> Excluded Processes and add the following:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamapi.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamdor.exe
C:\Windows\System32\drivers\mbam.sys

3 - Save Changes

4 - Shutdown and Boot into Normal Mode

Also, we're working on MBAE and we'll have more to share on that shortly. 

Wouldn't it be Program Files (x86) for 64-bit installations?

Link to post
Share on other sites
10 minutes ago, msherwood said:

Yes, for those with x64. My message was a quick copy/paste to get it posted. I'll come back and edit here in a bit.

No problem. Just wanted to make sure since the exclusions are not working for us.

Link to post
Share on other sites

We've completed thorough testing on the following setups with file and process exclusions in place: 

  • Windows 7 x64 Sp1 Pro – 1.7 Managed Client (MBAM and MBAE) and MSE
  • Windows 7 x86 Sp1 Pro – 1.80.2.1012 standalone MBAM + 1.09.1.1161 standalone MBAE and MSE

We were able to successfully scan and use the machines as you normally would.

Please add the following files as both Excluded Files and Excluded Processes inside of MSE.

Managed client:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamdor.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe
  • C:\Program Files\Malwarebytes' Managed Client\SCComm.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamdor.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe
  • C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe

Standalone Malwarebytes Anti-Malware client:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamdor.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamdor.exe

Standalone Malwarebytes Anti-Exploit client:

  • C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe

We really appreciate your patience and understanding on this. Please continue to share your findings with us.

Edited by msherwood
Link to post
Share on other sites
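
An added example, not written by any poster or by Malwarebytes: a Python check that compares the Excluded Files and Excluded Processes entries noted from a machine against the paths listed in the post above, for a given product and architecture. The function names and sample inputs are constructed, and treating a folder exclusion as covering the files beneath it is an assumption.

```python
import ntpath

PF = "C:\\Program Files\\"
AM = PF + "Malwarebytes' Anti-Malware\\"
AE = PF + "Malwarebytes Anti-Exploit\\"
# Paths as given in the post above (32-bit form).
MBAM = [AM + n for n in ("mbam.exe", "mbamgui.exe", "mbamservice.exe",
                         "mbamscheduler.exe", "mbamapi.exe", "mbamdor.exe")]
MBAE = [AE + n for n in ("mbae.exe", "mbae-svc.exe", "mbae-cli.exe")]
LISTS = {
    "managed": MBAM + MBAE + [PF + "Malwarebytes' Managed Client\\SCComm.exe"],
    "mbam": MBAM,
    "mbae": MBAE,
}


def norm(path):
    """Case-insensitive, separator-normalised form for comparison."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def expected_paths(product, x64):
    """Paths from the post, moved under Program Files (x86) for x64."""
    root = "C:\\Program Files (x86)\\" if x64 else PF
    return [root + p[len(PF):] for p in LISTS[product]]


def audit(product, x64, excluded_files, excluded_processes):
    """Report which recommended entries are absent from each list."""
    files = {norm(p) for p in excluded_files}
    procs = {norm(p) for p in excluded_processes}
    # Bare names (the workaround for the apostrophe in the path) are not
    # tied to the install folder, so they are listed for review.
    bare = {p for p in procs if "\\" not in p}
    report = {"missing_files": [], "missing_processes": [],
              "name_only": sorted(bare)}
    for path in expected_paths(product, x64):
        n = norm(path)
        parents, d = set(), ntpath.dirname(n)
        while d and d != ntpath.dirname(d):   # stop at the drive root
            parents.add(d)
            d = ntpath.dirname(d)
        # Assumption: an excluded folder covers the files beneath it.
        if n not in files and not (parents & files):
            report["missing_files"].append(path)
        if n not in procs and ntpath.basename(n) not in bare:
            report["missing_processes"].append(path)
    return report


# Constructed sample: an x64 machine where the 32-bit paths were pasted
# into Excluded Files and only three bare names into Excluded Processes.
SAMPLE_FILES = list(MBAM)
SAMPLE_PROCESSES = ["mbam.exe", "MBAMService.exe", "mbamgui.exe"]


def demo():
    return audit("mbam", True, SAMPLE_FILES, SAMPLE_PROCESSES)


if __name__ == "__main__":
    for key, values in demo().items():
        print(key)
        for v in values:
            print("   ", v)
```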

OK, results in: MBAM Home Premium (licensed on Desktop, Free on laptop). Version 2.2.1.1043. Both machines Win 7 SP1, 64 bit. Both now have the November Security-Only patches installed.

   On MSE, I've excluded C:\Program Files (x86)\mbam.exe, mbamdor.exe, mbampt.exe, mbamresearch.exe, mbamscheduler.exe and mbamservice.exe. MSE will not let me exclude the driver in System32 as a process. I don't have mbamapi or mbamgui

On MBAM, I've excluded C:\Program Files\Microsoft Security Client

On the desktop, threat scans are the normal speed. (Normally 17 minutes, today ran 16 minutes.)  Doing a custom scan with rootkit check (was 2.5 hours) is now 3 hours, 16 minutes. 

On the laptop, haven't tried a threat scan yet, was 3 hours for custom, tonight's run was 4 hours, 42 minutes.

It seems to take an extraordinary time for MBAM to get through the winsxs directories, especially the manifests. A casual look implied that the other areas were running more or less at the normal speeds.

I'm not seeing slowdowns beyond the scans now, and an apparent slowdown in Pale Moon (my main browser) is gone.

Right now, the issues are "merely annoying", in that I can get work done while it's scanning. I can live with it. I don't expect to do any more testing for the while.

 

Link to post
Share on other sites
16 hours ago, msherwood said:

We've completed thorough testing on the following setups with file and process exclusions in place: 

  • Windows 7 x64 Sp1 Pro – 1.7 Managed Client (MBAM and MBAE) and MSE
  • Windows 7 x86 Sp1 Pro – 1.80.2.1012 standalone MBAM + 1.09.1.1161 standalone MBAE and MSE

We were able to successfully scan and use the machines as you normally would.

Please add the following files as both Excluded Files and Excluded Processes inside of MSE.

Managed client:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamdor.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe
  • C:\Program Files\Malwarebytes' Managed Client\SCComm.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamdor.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe
  • C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe

Standalone Malwarebytes Anti-Malware client:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamdor.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamdor.exe

Standalone Malwarebytes Anti-Exploit client:

  • C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe

We really appreciate your patience and understanding on this. Please continue to share your findings with us.

Further to this, some of our machines freeze before we can apply the exclusions or before they can pull down the updated antimalware policy from SCCM. Also on some machines booting into safe mode, then disabling the MBAMService from starting and rebooting to try and get around this does not work and MBAMService still starts.

As a workaround to this issue we have booted into safe mode, renamed the MBAMService.exe, restarted normally, updated the antimalware policy with exclusions and then renamed the exe back and restarted. Otherwise it is seemingly impossible to get it updated without the computers completely freezing.

On another note, I have taken this opportunity to push out the latest version of MBAM, using SCCM to detect when the exclusion is in place on MSCEP, which therefore automatically fixes the renamed exe workaround we have implemented and starts the MBAMService, meaning we don't have to wait around for it to update and can get through more computers in that time.

Link to post
Share on other sites

I think I've seen a similar issue here intermittently for the past few days on Windows 7 x64 Ultimate SP1 (with current November updates), Anti-Malware Home Premium 2.2.1.1043, Anti-Exploit Free 1.09.1.1261 and Microsoft Security Essentials (1.233.202.0 definitions). On boot, any application I tried to launch would hang for a long time (minutes) before responding. I was able to eventually shutdown, but the process also took extra minutes for each menu selection (to shutdown). I saw MsMpEng.exe and mbam.exe using the majority of CPU% on startup. The Event manager showed MsMpSvc timeouts as well as other Service timeouts.

Finding this thread here, I have added the mutual exclusions to both MSE and MBAM and the persistent hangs at startup seem to have stopped. Both programs still claim the most CPU for a while after startup, but they calm down after their initial scans and other programs launch normally without the previous extreme delays I was seeing.

Link to post
Share on other sites

We are still having issues after SCEP is uninstalled. I had to disable anti-exploit across our organization.

What's odd is that SCEP shows as uninstalled, but there is an add/remove program entry for "Microsoft Antimalware". I'm not sure if this is Security Essentials, SCEP, Windows Defender, or something else. When I try and uninstall it, it says the product is not installed.

Link to post
Share on other sites

@RedCountyPete, @CoxGreen and @Stave - thanks for sharing more details around this and your specific situation.

 

9 minutes ago, kmsheehan said:

So glad to find this thread--our organization is having this same issue--it's hitting our Service Desk hard, and we're losing productivity across our organization. Will you be releasing an update to address this?

We are still investigating the root cause. We'll update this thread when we know more.

Link to post
Share on other sites

We use MalwareBytes Enterprise Edition, and so far, excluding those files has NOT worked for us.  We've disabled the MalwareBytes services using GPO in the time being, as it was getting quite chaotic trying to handle 100s of users sporadically having their computers freeze up.

Link to post
Share on other sites

Our initial testing is indicating that adding the exclusions did work for us. We're still having trouble with computers that haven't been turned on since we applied the fix, but once we get them signed in to receive the exclusions, I expect their issues will be resolved as well.

4 minutes ago, MPoirier said:

We use MalwareBytes Enterprise Edition, and so far, excluding those files has NOT worked for us.  We've disabled the MalwareBytes services using GPO in the time being, as it was getting quite chaotic trying to handle 100s of users sporadically having their computers freeze up.

Did you add the exclusion to both the files and the processes?

Link to post
Share on other sites
2 minutes ago, kmsheehan said:

Our initial testing is indicating that adding the exclusions did work for us. We're still having trouble with computers that haven't been turned on since we applied the fix, but once we get them signed in to receive the exclusions, I expect their issues will be resolved as well.

Did you add the exclusion to both the files and the processes?

You have to add them to the process list if you are using SCCM/SCEP.

After the exclusions are added, it will look something like this. We had to go up to "~4" because of the "'" in the Program Files name.

Screenshot_112116_091407_AM.jpg

Link to post
Share on other sites

I run a Network Administration company out here in Las Vegas, NV and use the combination of MB Corporate and MSE across nearly 90% of all my clients. My heartache started Friday before I saw this thread, luckily with only a few clients (I confirmed it only happens after restart, so most of my businesses only restart once a week or so, so the real trouble has been all day today). So I pulled a computer that was having what seemed like hard drive failure issues to me, and brought it to my office to work on. I thought it was related to an update, but it took me hours worth of work to realize it was MSE. Once I narrowed it down to MSE I ran a Google search and had to use search tools to narrow it down to results in the last week and found this thread. I can confirm that your fix of adding all MB's executables as exclusions in MSE solves the problem. I found it best to login remotely and immediately disable real-time protection, then add the exclusions, to both processes and files, then restart, then turn back on real-time, then restart again. This process has proven to be the least amount of hassle, you just have to be patient, and tell your clients to be patient with the original start time, give it about 10 minutes, and it will come up. Otherwise if you can go on site and have access to the computer, the fastest way is just starting up the workstation in safe mode, adding the exclusions there and restarting.

 

Microsoft really messed up here! The one thing I am yet to confirm is whether the same problem is happening with the regular non-corporate version of MB and MSE. I have a handful of home-based clients who use that version, and I have logged in and added the exclusions as a precaution, but haven't heard of any actual problems from those users prior. I am wondering if I am wasting my time on those workstations, or if there is actually a confirmed issue with MSE and the home version of MB.

My partner is in the hospital and 2 employees are on other calls, so it's up to me to get about another 150 computers excluded before they restart. I feel for the rest of the admins on here, what a day! 

 

Anyways thanks for the post, will check back later! 

 

Matt

Link to post
Share on other sites

Forgot to mention, all clients reporting the issue have been running Win 7. I have been adding the exclusions to the new Windows Defender for my Win10 clients as a precaution, but am unsure if they have been affected by this as I have yet to run across a Win10 machine that has restarted since the update on Friday. Can anyone confirm that this problem is also happening on Windows 10 with Defender and MB, or is it just a Win 7 problem?

Link to post
Share on other sites

oreonutz - " I thought it was related to an update, but it took me hours worth of work to realize it was MSE. Once I narrowed it down to MSE I ran a Google search and had to use search tools to narrow it down to results in the last week and found this thread. I can confirm that your fix of adding all MB's executables as exclusion in MSE solves the problem"

I am curious, Which thread did you find?

 

Link to post
Share on other sites

Have been having the issue at my company as well.  Saw a spattering of issues on Friday, flagged it as a possible issue that could spread, so we got a plan into place (before we knew SCEP was involved).  The plan was if we heard more reports, we would disable the protection module in our Malwarebytes enterprise policy.  We believe this did mitigate a fair number of machines from having the issue.  However, some machines still presented the problem before the Malwarebytes policy could take effect.  Once we found this forum thread with the SCEP exclusions, we made that change in our SCCM SCEP policies, which seemed to further reduce the incident rate.  We also began to see machines "self heal" as they got policy updates.

Premier support call to Microsoft confirmed a SCEP definition update caused this to begin happening.  Interesting note, Microsoft says they don't support two agents running Real Time Protection on a single machine. Malwarebytes, on the other hand, does support it.  Microsoft indicated that, despite this lack of support for the config, they are working with Malwarebytes on the issue.  Microsoft recommended the Malwarebytes exclusions in the SCEP policy, but indicated that the policy updates may not happen on machines experiencing the issue already.  To address those machines, instead of removing Malwarebytes or disabling the services, they suggest:

  1. Export the SCEP policy in SCCM to an XML file
  2. If the machine is not performant enough to run a command prompt in normal mode, boot to Safe Mode
  3. Copy the exported XML to the affected machine
  4. Open a cmd prompt as administrator
  5. In cmd, run the command:  "C:\program files\microsoft security client\Configsecuritypolicy.exe" "c:\<path>\<policy>.xml"

The above steps will manually configure all policy settings, including the new exceptions.  Perhaps it's possible for the non-SCCM managed MS clients to export a policy as well, not sure.  We have both managed SCEP and Malwarebytes in our environment which I believe was an advantage in our case (along with quick escalations from our IT Support team).

On the whole, we've seen about 6% or less of our Windows machines affected between Friday evening and today.  We're a global company so we were able to make additional configs based on feedback from our APAC offices once we determined this would be a widespread issue.  On the whole getting the config changes for both Malwarebytes (disable protection) and SCEP (exclusions) has been the most effective large-scale prevention for us, but we were able to catch many machines before they got the offending definition updates. 

I also contacted Malwarebytes support via phone.  They have also recommended the SCEP exceptions and are actively working with Microsoft on the issue (no ETA available).  

Hopefully some of the info above may be helpful to someone here.

As of now, I have a support call open with both vendors, although I believe Microsoft intends to close my premier case tomorrow.  They did explicitly acknowledge that it was related to their def update, however the acceptance of blame won't happen since it is an "unsupported configuration."  If I'm feeling motivated I may try to find where/if that is mentioned in any documentation for SCEP. 

Link to post
Share on other sites
13 minutes ago, mchammer99923 said:

Can you just type in the .exe name to exclude in SCEP processes? I'm getting errors when typing in the full path for the managed client due to the ' in the name.

yes.

 

 

Link to post
Share on other sites
30 minutes ago, beckermi said:

I am curious, Which thread did you find?

 

Actually I found this thread:

which then linked to this thread. But like I said, it didn't come up until after I narrowed the search down to posts in the last week. I didn't know at the time that it was conflicting with MB or it might have been easier to find this thread. 

Link to post
Share on other sites
