Malwarebytes and Microsoft Security Essentials conflicts

We have been fighting with this since Friday... literally hundreds of hours and 1000+ affected users... a struggle.

I have a related issue... I have 50-some "remote" laptops that are not connected to our domain that will NOT get the push... and these users cannot be expected to enter these exclusions.  What are my options?  At best I could have them run a file, but even a .exe won't send through our mail server for security reasons.

This has been nothing but a struggle for all of our support staff.  A dozen tech support, and 1000+ affected users sitting around.

 

 

20 minutes ago, Cleatus said:

We have been fighting with this since Friday... literally hundreds of hours and 1000+ affected users... a struggle.

I have a related issue... I have 50-some "remote" laptops that are not connected to our domain that will NOT get the push... and these users cannot be expected to enter these exclusions.  What are my options?  At best I could have them run a file, but even a .exe won't send through our mail server for security reasons.

This has been nothing but a struggle for all of our support staff.  A dozen tech support, and 1000+ affected users sitting around.

 

 

I know this might not be helpful, but if it's just 50 and you have remote access, just remote in and do it yourself. Because all of my clients are mainly small businesses, most aren't on domain controllers, so I literally went in one by one and knocked them out remotely. It's a pain, but I think I just finished my last one, 304 today total. You should be able to knock out 50 within maybe 75 minutes or less, depending on how patient your users are.

 

Tell them to all open one thing; in my case I used Firefox or Chrome. If it opened with no problems, I went down that list first, because it meant their computers were in the responsive stage and I could connect. For the ones where it hung, I told them not to press anything else and to take a break, come back in an hour and it will be fixed, and for the most part it was. After I nailed the responsive ones I went on to the non-responsive list, and by the time I got there they were finally responsive. As long as the user doesn't press a million buttons, it will eventually wake out of its unresponsive fit; it just takes about an average of 10 minutes, some more, some less.

The first thing I did once connected was go directly into MSE, disable real-time protection and save; once that's disabled the unresponsive crap will stop. Then I add the exclusions. For this I had a list of every process in the MBAM program files folder, and MBAE. Since some of my users have both and some don't, I just had a Notepad open with all of the processes listed, separated by a semicolon and a space, and I pasted it into both the file and process exclusions, hit add, and save. Even if they don't have MBAE it doesn't matter, it will still take the exclusions, and it saves time so you don't have to check whether they have it or not.

 

Once you're done, restart. When it comes back up, turn real-time protection back on, then restart again. You're done now and the problem is solved; move on to the next computer. In my case it got to be so routine that I moved on after the first restart, and just came back to it after doing the first restart on the next, so I didn't have to wait while restarting.

Once you get it down, you can knock out 50 computers quickly. The only thing that will slow you down is that one computer that freezes before you can disable real-time protection. Just take a note of which computer that is, and come back at the end. I know it sucks, but unless someone has a way of pushing policies to MSE in an environment where 50 different computers are off on different networks, this is probably the best way, and at least you're getting paid for it.

Maybe someone can come up with a better plan, but I would just start doing them manually in the meantime. The one thing I hate is unhappy clients; I want them staying right where they are, so I don't mind going out of my way to keep them happy. And I made sure to let them know to vent their frustrations at Microsoft!
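
The exclusion procedure described in the post above (disable real-time protection, add every MBAM/MBAE executable to both the Files and Processes exclusions, reboot, re-enable, reboot), as an added PowerShell example. This is not the poster's code and not a Malwarebytes or Microsoft tool: it enumerates the executables in the Malwarebytes install folders, prints the same "; "-separated list for pasting into the MSE dialogs, and can also write them as local policy so a remote user only has to run one script instead of clicking through the UI. The policy key path under HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware, the REG_SZ "0" format of the list entries and the DisableRealtimeMonitoring value are assumptions taken from the MSE/SCEP ADMX layout; confirm them on one test machine before sending the script out.

```powershell
# Added example, not from the original poster. Builds the MBAM/MBAE exclusion
# list the post describes and, via Set-MseExclusionPolicy, stores it as local
# policy for MSE/SCEP so nobody has to paste it into the UI. The policy key
# names are an ASSUMPTION based on the MSE/SCEP/Defender ADMX layout; verify
# on one machine first. Run from an elevated PowerShell (2.0+, so Windows 7 is fine).

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'   # ASSUMPTION

function Get-MbExecutables {
    # Every .exe under the Malwarebytes install folders, in both program-files trees.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $names = 'Malwarebytes Anti-Malware', 'Malwarebytes Anti-Exploit'
    $found = foreach ($r in $roots) {
        foreach ($n in $names) {
            $dir = Join-Path $r $n
            if (Test-Path $dir) { Get-ChildItem -Path $dir -Filter *.exe -Recurse }
        }
    }
    $found | Select-Object -ExpandProperty FullName -Unique
}

function Get-MbPasteList {
    # The "; "-separated string the post pastes into Files and Processes exclusions.
    (Get-MbExecutables) -join '; '
}

function Set-MseExclusionPolicy {
    # Writes each path under Exclusions\Paths and Exclusions\Processes and turns
    # both lists on. Policy list entries are REG_SZ name=path, data="0" (ASSUMPTION).
    param([string[]]$Paths)
    $exKey = Join-Path $PolicyRoot 'Exclusions'
    foreach ($sub in 'Paths', 'Processes') {
        $key = Join-Path $exKey $sub
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($p in $Paths) {
            New-ItemProperty -Path $key -Name $p -Value '0' -PropertyType String -Force | Out-Null
        }
    }
    New-ItemProperty -Path $exKey -Name 'Exclusions_Paths'     -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $exKey -Name 'Exclusions_Processes' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Set-MseRealtimeProtection {
    # Step 1 / step 4 of the post: disable real-time protection before touching
    # exclusions, re-enable it after the first reboot. 1 = disabled (ASSUMPTION).
    param([bool]$Enabled)
    $key = Join-Path $PolicyRoot 'Real-Time Protection'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $val = if ($Enabled) { 0 } else { 1 }
    New-ItemProperty -Path $key -Name 'DisableRealtimeMonitoring' -Value $val -PropertyType DWord -Force | Out-Null
}

# --- Usage: the post's sequence, minus the reboots ---
$exes = @(Get-MbExecutables)
if (-not $exes) { throw 'No Malwarebytes executables found; nothing to exclude.' }
Write-Output "Paste list:`n$(Get-MbPasteList)"
Set-MseRealtimeProtection -Enabled $false      # stop the hang first
Set-MseExclusionPolicy -Paths $exes            # then add the exclusions
# Next: Restart-Computer -Force; after the reboot run
#   Set-MseRealtimeProtection -Enabled $true; Restart-Computer -Force
```

Exclusions written through the policy key show up greyed out in the MSE settings page and survive a user poking around in the UI, which is the point for laptops nobody can remote into. The trade-off is the usual one for excluding a security product's own processes: MSE will no longer scan anything those processes touch, so keep the list to the Malwarebytes executables themselves rather than the whole Program Files tree.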


It's still early, but I think Microsoft may have pushed down an update to Security Essentials that resolves this (definitions version 1.233.237.0). I have a test system running that and MB v.2016.11.21.16 with no issues for about an hour.  I'm expanding the number of test systems now.


Thanks for the info on how you got it done -- two problems... these are Police laptops: half the people are asleep (night shift) and/or off for three days or on vacation.  Two, I don't have any remote access software -- I requested some, but they refused to spring for it.

 

1 minute ago, Cleatus said:

Thanks for the info on how you got it done -- two problems... these are Police laptops: half the people are asleep (night shift) and/or off for three days or on vacation.  Two, I don't have any remote access software -- I requested some, but they refused to spring for it.

 

Damn, that is a problem. I am sorry. 

 

Well, MPoirier just above you says that MS pushed a new update that may fix it, so if you're lucky, all you have to do is tell them to update!

 

If not, I am sorry, I didn't realize you had no remote software. Best you can do is send out a mass email telling them how to disable real time protection. They will still have MBAM in the meantime, and hopefully an update will come soon from MS that fixes the issue. 

4 minutes ago, Cleatus said:

Thanks for the info on how you got it done -- two problems... these are Police laptops: half the people are asleep (night shift) and/or off for three days or on vacation.  Two, I don't have any remote access software -- I requested some, but they refused to spring for it.

 

As someone stated earlier, have them rename MBAMService.exe to .old and restart.  Wait until the updated definitions fix the issue.

 


Was this in fact a Microsoft change that caused the issues?  We have a premier support case open with MS since Friday.  Their initial response was a change Malwarebytes made that conflicted with their existing AV solution.

1 minute ago, cjmx said:

Was this in fact a Microsoft change that caused the issues?  We have a premier support case open with MS since Friday.  Their initial response was a change Malwarebytes made that conflicted with their existing AV solution.

This was DEFINITELY DUE to a Microsoft Security Essentials definition update (and all Microsoft antivirus that uses the definitions).  This has been admitted several times by Microsoft themselves, although they accepted no blame; they claim their AV is only to be used alone!

1 minute ago, cjmx said:

Was this in fact a Microsoft change that caused the issues?  We have a premier support case open with MS since Friday.  Their initial response was a change Malwarebytes made that conflicted with their existing AV solution.

I am tempted to believe it was MS... when we first noticed the issue, we were trying to fix it using System Restore, which had created a restore point based on the last Security Essentials update... which led us to hunting/waiting for a Security Essentials update to provide a permanent fix.  Then we noticed that System Restore was also inadvertently inactivating Malwarebytes, and it wasn't until Malwarebytes reactivated that the issue came back. Which led us to disabling Malwarebytes... now I'm back full circle: the Security Essentials update seems to have resolved this.

2 minutes ago, oreonutz said:

This was DEFINITELY DUE to a Microsoft Security Essentials definition update (and all Microsoft antivirus that uses the definitions).  This has been admitted several times by Microsoft themselves, although they accepted no blame; they claim their AV is only to be used alone!

good to know.  I know they stated several times to use their AV alone.  If only....

Edited by cjmx
spelling


 

9 minutes ago, MPoirier said:

I am tempted to believe it was MS... when we first noticed the issue, we were trying to fix it using System Restore, which had created a restore point based on the last Security Essentials update... which led us to hunting/waiting for a Security Essentials update to provide a permanent fix.  Then we noticed that System Restore was also inadvertently inactivating Malwarebytes, and it wasn't until Malwarebytes reactivated that the issue came back. Which led us to disabling Malwarebytes... now I'm back full circle: the Security Essentials update seems to have resolved this.

I hope more people can confirm this. This means the 20 clients or so I wasn't able to reach today will either not even notice the problem or have an easy fix. If you can confirm that the new definitions fixed this nightmare, please post so here. 

 

Can the Support Techs at Malwarebytes confirm this too? 

33 minutes ago, MPoirier said:

It's still early, but I think Microsoft may have pushed down an update to Security Essentials that resolves this (definitions version 1.233.237.0). I have a test system running that and MB v.2016.11.21.16 with no issues for about an hour.  I'm expanding the number of test systems now.

I'm at 15 clients now, with no issues, on those versions (or higher, Microsoft has already pushed down 1.233.245.0). We were having problems before within 10 minutes of having both programs running, so I THINK we're in the clear.  I'm going to let these guys run the rest of the day before I let the rest of the users run free though.
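
The version checking going on in this post and the one it quotes (which machines have picked up 1.233.237.0 / 1.233.245.0, and whether real-time protection is on while they run), as an added PowerShell example for triaging a fleet. This is not MPoirier's code or a Microsoft tool. It reads the installed MSE/SCEP definition version and real-time state from the registry and compares against a version you pass in; the key path HKLM\SOFTWARE\Microsoft\Microsoft Antimalware, the value names AVSignatureVersion / EngineVersion / DisableRealtimeMonitoring, and the MpCmdRun.exe location are assumptions based on how MSE stores its state, so check them on one machine first. Note that later posts in this thread report hangs on 1.233.245.0 even with exclusions, so a version at or above the threshold only tells you the update has arrived, not that the conflict is gone.

```powershell
# Added example, not from the thread's posters. Reports which MSE/SCEP definition
# build a machine has and whether real-time protection is on, against a version
# you name. Registry locations are an ASSUMPTION based on where MSE/SCEP keep
# state (HKLM\SOFTWARE\Microsoft\Microsoft Antimalware); verify on one machine.
# MpCmdRun.exe is MSE's command-line tool; its path here is also an assumption.

$AmRoot   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'
$MpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'

function Get-MseStatus {
    param([string]$MinimumVersion = '1.233.245.0', [switch]$ForceUpdate)

    if ($ForceUpdate -and (Test-Path $MpCmdRun)) {
        # Same as clicking Update in the UI; blocks until the download finishes.
        & $MpCmdRun -SignatureUpdate | Out-Null
    }

    $sig = Get-ItemProperty -Path (Join-Path $AmRoot 'Signature Updates')  -ErrorAction SilentlyContinue
    $rtp = Get-ItemProperty -Path (Join-Path $AmRoot 'Real-Time Protection') -ErrorAction SilentlyContinue

    # [version] gives a proper numeric comparison; "1.233.245.0" -ge "1.233.9.0" as strings would be wrong.
    $current = if ($sig.AVSignatureVersion) { [version]$sig.AVSignatureVersion } else { [version]'0.0.0.0' }
    # DisableRealtimeMonitoring is absent or 0 when RTP is on, 1 when it is off (ASSUMPTION).
    $rtpOn = -not ($rtp -and $rtp.DisableRealtimeMonitoring -eq 1)

    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        AVSignature      = $current.ToString()
        Engine           = $sig.EngineVersion
        AtOrAboveMinimum = ($current -ge [version]$MinimumVersion)
        RealtimeOn       = $rtpOn
    }
}

# Usage: one line per machine, e.g. from a logon script that appends to a share.
$s = Get-MseStatus -MinimumVersion '1.233.245.0'
Write-Output ('{0}: defs {1} (>= minimum: {2}), real-time on: {3}' -f `
    $s.Computer, $s.AVSignature, $s.AtOrAboveMinimum, $s.RealtimeOn)
```

Running it with -ForceUpdate before the check is the scripted equivalent of "tell them to update"; for the laptops that can only be reached by e-mail, a .ps1 or a .bat wrapping it will usually pass a mail filter that blocks .exe attachments, though that is a question for your mail admin rather than this script.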


Microsoft told me explicitly today that the definition updates they made started to target Malwarebytes protection processes as malicious.  This came from my TAM, not a premier support engineer.   Our TAM did say that MS doesn't support two realtime protection agents running at the same time, but said they are still working with Malwarebytes, as they recognized that the Malwarebytes product is better at detecting certain unwanted adware that may not be flagged by SCEP.  He said he does not foresee any real change in Microsoft's stance on multiple RTP clients though... they don't intend to do testing with 3rd-party security products prior to release of updates.

Per my TAM, there were updates in the def files that adjusted how SCEP detects malicious behavior patterns in processes.

In hindsight, the right thing to do when running multiple security agents is probably to make sure they exclude each other (although doing this of course opens up the risk of security software being exploited and going undetected as a result).

20 minutes ago, Cleatus said:

how many BILLIONS did this cost the Windows users world....

Not sure that the majority of the windows world is running the combo of Microsoft security and Malwarebytes agents necessarily. 

Yes, this sucks, but in the end, if the vendor recommends not running two realtime threat protection agents on one machine (the vendor being Microsoft in this case), then the onus is on us ultimately to have the correct procedures and protection in place to prevent the conflicts.  

Lessons Learned:

  • Make sure you have exclusions in place for the likely conflicts of security agents
  • Maybe structure SCEP policies for phased definition updates? Have a subset of machines checking more frequently so they are more likely to get the def update and experience the issue first
  • Have disaster plans in place for if any AV/malware agent goes haywire - know how to disable it, quickly and across many clients.
  • I guess be willing to accept the risk of conflicts when using the MS security tools in an unsupported configuration (I'm still looking for where MS has documented this - it was news to me when I called premier support, but I can't say I've read every piece of documentation on SCEP from MS).  Also not really realistic in a real world where often a combination of security products is needed to provide an acceptable level of protection.  Maybe time for a review of security product selections.
  • When you get a handful of reports on these issues initially, be prepared for the worst-case widespread scenario.  Not sure if everyone had a slow trickle at first, but that was what we saw.  
  • For those who didn't necessarily have the ability to manage their AV apps centrally - this may be something to reconsider from a strategy standpoint.  SCEP on our Macs isn't centrally managed... don't know what we'd have done if this had been an issue on MacOS.  May drive some changes in our environment.  We were able to keep our incident rate pretty low due to the fact that our MS and Malwarebytes security agents could be controlled centrally.
  • Tools exist that can help cut down on efforts required to detect what is causing issues like this - I'm sure time was lost for a lot of folks just determining which app was causing the issue.  We're lucky enough to have an agent for user experience/performance that was able to show that Malwarebytes was consuming high disk I/O... the sooner you know what software is causing an issue, the sooner you can work on mitigation. 
  • Complain to Microsoft about their complete exclusion of compatibility testing for their security agents.  Maybe if we make enough noise they will reconsider. 
  • Complain to Malwarebytes... if they know that certain big name security vendors don't support both things running at once, let customers know this and know what mitigating steps (exclusions) should be taken to prevent problems. 

 

6 minutes ago, cjmx said:

initial tests have been successful with 1.233.245.0 without any exclusions.

We're testing this too. We'll be back in a few with our results.

Edited by msherwood


We are seeing hanging issues with 1.233.245.0 and no exclusions. If we enable the exclusions, no hangs.

Anyone else seeing different results with 1.233.245.0?

7 hours ago, msherwood said:

We are seeing hanging issues with 1.233.245.0 and no exclusions. If we enable the exclusions, no hangs.

Anyone else seeing different results with 1.233.245.0?

I finally went home and went to bed, lol. Had been up since Saturday working on this issue, so when I did the last computer and realized I wasn't getting any more calls, I took the opportunity to head home and catch some z's. The flip side to that is now I am up! Lol! 

I do still have a few clients out there who didn't come into their business today, who will be turning their computer on for the first time since Friday tomorrow, so I will do some testing with those who have the initial hanging to see if an MSE update fixes the hang. Remember though that you won't know if it solves the problem until after a restart, so the best way, in my opinion, to test is to disable MSE Real-Time Protection (so it doesn't hang up on you while updating), then update, restart, enable Real-Time, restart. Then see if the issue is still happening. The fastest way to trigger it is to do an MSE scan. At least this is what I have been able to figure out. I will check back during the day tomorrow and let you know if the update works for me. Have a great night's sleep!


I thought I had some success with the exclusions earlier today, but I had another extended hang just now (with MSE 1.233.245.0  and MSE/MBAM/MBAE exclusions in place). After many minutes waiting to shutdown, the "Preparing to Update configuration" message was shown on the screen, despite not making any changes nor seeing any Windows update notices (and nothing is shown in Update History).

For now, I have kept the exclusions in place, but disabled MSE Real-Time Protection. I did update MSE again to find new definitions version 1.233.278.0 available, but I will keep Real-Time Protection off until there is a more concrete diagnosis and fix available. I will check for updates here from Malwarebytes and Microsoft tomorrow.


Wish there was a notification of this issue--of course it was certain software conflicting, but it would have saved us a bunch of time looking for the culprit.

1 hour ago, Cleatus said:

Wish there was a notification of this issue--of course it was certain software conflicting, but it would have saved us a bunch of time looking for the culprit.

We had some indication in our environment because the Friday morning this began some of our Windows 10 computers were popping up the error "The Malwarebytes Anti-Exploit service is taking too long to start. Please reboot your computer to restart protection." On those computers users hit OK and could proceed as normal, but Anti-Exploit was not running.

We disabled MBAM and MBAE for Windows 7 computers via GPO and then on reboot our Windows 7 computers began getting that same error message after login, as well as the error "The procedure entry point _MbaeStoreIEC@4 could not be located in the dynamic link library mbae-api.dll." In both cases users can just hit ok to proceed without MBAM or MBAE running. But at least now their machines are functioning. We did not disable SCEP or real-time scanning at all in our environment.

We are currently testing to see if the Microsoft antivirus definition updates improve the situation and, like others, we'll be watching this thread for info. Thanks to everyone here for sharing what info they have, it's been very helpful to us in our troubleshooting efforts. 

Attachments: mbam.jpg, mbam2.jpg
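
The two ways of taking Malwarebytes out of the picture that appear in this thread, renaming MBAMService.exe to .old (the earlier suggestion, which takes effect at reboot) and disabling the MBAM/MBAE services from a GPO startup script (what the post above did for its Windows 7 machines), as one added PowerShell example that is not either poster's code. Service and install-folder names are matched by display-name wildcard and Program Files lookup rather than assumed; -Undo reverses whichever route was used. If MBAM's self-protection module is switched on, the service stop may be refused, in which case the rename route is the fallback. Run elevated.

```powershell
# Added example, not from the thread's posters. Disables Malwarebytes until the
# definition conflict is resolved, by either route the thread describes:
#   Service : stop and disable every Malwarebytes service (what a GPO startup
#             script would do); reversible without a reboot.
#   Rename  : MBAMService.exe -> MBAMService.old; needs a reboot to take effect.
# Nothing here is a Malwarebytes-supplied tool; names are discovered, not hard-coded.

function Disable-Malwarebytes {
    param(
        [ValidateSet('Rename', 'Service')] [string]$Method = 'Service',
        [switch]$Undo
    )

    if ($Method -eq 'Service') {
        # Display names start with "Malwarebytes" (e.g. the Anti-Exploit service
        # named in the error message above), so avoid guessing internal names.
        $svcs = Get-Service | Where-Object { $_.DisplayName -like 'Malwarebytes*' }
        if (-not $svcs) { Write-Output 'No Malwarebytes services on this machine.'; return }
        foreach ($svc in $svcs) {
            if ($Undo) {
                Set-Service -Name $svc.Name -StartupType Automatic
                Start-Service -Name $svc.Name -ErrorAction SilentlyContinue
            } else {
                Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
                Set-Service -Name $svc.Name -StartupType Disabled
            }
            Write-Output ('{0}: {1}' -f $svc.DisplayName, (Get-Service -Name $svc.Name).Status)
        }
        return
    }

    # Rename route: the running image can be renamed on Windows; the service
    # simply fails to start on the next boot until the name is restored.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($r in $roots) {
        $dir = Join-Path $r 'Malwarebytes Anti-Malware'
        $exe = Join-Path $dir 'MBAMService.exe'
        $old = Join-Path $dir 'MBAMService.old'
        if (-not $Undo -and (Test-Path $exe)) {
            Rename-Item -Path $exe -NewName 'MBAMService.old'
            Write-Output "Renamed $exe; reboot to stop the service."
        } elseif ($Undo -and (Test-Path $old)) {
            Rename-Item -Path $old -NewName 'MBAMService.exe'
            Write-Output "Restored $exe; reboot to start the service."
        }
    }
}

# Usage. As a GPO computer startup script, the first line is all that is needed:
Disable-Malwarebytes -Method Service
# Once definitions and exclusions are confirmed good on the test group:
#   Disable-Malwarebytes -Method Service -Undo
# Fallback when the service refuses to stop:
#   Disable-Malwarebytes -Method Rename   (then reboot)
```

Either route leaves only MSE/SCEP protecting the machine, which is the same state the "disable MBAM and MBAE via GPO" post above reports; the errors that post shows on login are the expected symptom of the services being absent, not a second problem.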

8 hours ago, Stave said:

I thought I had some success with the exclusions earlier today, but I had another extended hang just now (with MSE 1.233.245.0  and MSE/MBAM/MBAE exclusions in place). After many minutes waiting to shutdown, the "Preparing to Update configuration" message was shown on the screen, despite not making any changes nor seeing any Windows update notices (and nothing is shown in Update History).

For now, I have kept the exclusions in place, but disabled MSE Real-Time Protection. I did update MSE again to find new definitions version 1.233.278.0 available, but I will keep Real-Time Protection off until there is a more concrete diagnosis and fix available. I will check for updates here from Malwarebytes and Microsoft tomorrow.

That is really interesting. I did over 200 computers yesterday, one by one (unfortunately they are all different small businesses that I acquired as clients over time, so I haven't had a chance to roll out the MB Managed Solution yet, but this is definitely making me realize I need to switch to Managed soon). I did each computer with exclusions in MSE and MB. And this worked for me on every computer; I have not had one call back yet saying it happened again.

Did you add the exclusions in MSE not only to the "Files and Folders" exclusions but ALSO TO the "Processes" exclusions as well?

 

Also did you restart after doing these exclusions, because I noticed not every computer responded to the exclusions right away, about half of them did, but the other half didn't, so I just always restarted regardless after adding exclusions. Also it may be helpful to exclude the MSE processes in MB as well. 

Hopefully this helps you. 

Also I thought I would note, I had my first casualty from this last night. My sister has an older laptop that I revived for her with a brand new Samsung 850 EVO less than 3 months ago. I was so busy working on helping my clients that I forgot to take the time to add the exclusions on her laptop. Well, she had never restarted, so she had no idea there was a problem until the scheduled Sunday 11pm scan; I found out that this too will force the problem to take effect, even if you haven't restarted.

Unfortunately at the time she was in the middle of copying files, and her computer bluescreened with a Kernel Data Inpage Error, and when she brought it to me after it wouldn't start, I started doing diagnostics and have confirmed that her almost 3-month-old Samsung 850 EVO is completely bricked. I pulled it and plugged it into my machine built specifically for recovering data from drives, and I can't even get the damn thing to power on. I am tempted to take it apart to try and find out exactly what happened internally, to see if I can temporarily fix it to get her data, but she has assured me that she ran her backup that I implemented for her earlier in the day, so I think I am going to keep it intact so I don't void the warranty and get it replaced.

I have installed at least 100 of either 850 EVOs or 850 Pros just since the beginning of the year, including on my own machines, and other than 2 DOA that I received, I have yet to have one fail, so this was an interesting casualty. I obviously can't say for sure that it was caused by the MSE problem, but I am definitely strongly inclined to believe that the sudden power shift to the drive from the blue screen had something to do with it, and so this is my first casualty of this conflict, and also my first time having to deal with Samsung. I hope they replace the drive quickly. I am used to dealing with Newegg; they are fast and efficient, and I hope Samsung is the same.

 

Anyone else have SSDs killed by this conflict? Any advice and or experiences returning Drives under Warranty to Samsung? Feedback Greatly Appreciated! Thank You Guys! 


I am still having issues reported after adding the exceptions, with both the SCEP and MBAM clients having updated. However, in my situation MBAM is only on about 150 machines and SCEP is on every machine. How can I disable all clients until this issue is resolved? I don't see anything specific in the management console.

 

Any help is appreciated.

 

Many thanks

