
Malwarebytes and Microsoft Security Essentials conflicts



7 minutes ago, BryanWright said:

Our problem is we have 400+ machines, managed through System Center, which won't allow us to paste in the whole list at once and doesn't allow 's in the process name.

I've updated the short names with the correct ~numbers, hoping this works so I don't have to manually update 400 computers.

And I didn't realize you couldn't add the ' even when pasting directly into it. That means you need to take the list, break it up into as big of sections as it will let you, and then convert it to the correct short names. It will be time consuming, but not as time consuming as doing it one by one. Although, because my clients have 240+ computers across over 50+ businesses, very few of our clients are managed from a central policy. So I had to log in to each remotely and do it one by one. It was a bitch, mainly because of systems being unresponsive, but in that case all I had to do was paste that exact list above into MSE or SCEP, save and reboot, then turn back on realtime protection and reboot, then it was done, then on to the next. I did over 200 computers in under 4 hours, and did the last almost 50 on Tuesday in under an hour and a half. It is BS, and annoying, but incredibly easy, and you will eventually be done, and whichever tech draws the short straw, at least they get paid for it. If it takes too long to figure out how to get it done correctly from your System Center, this may be the best way to make sure they all get done correctly and no more problems in the future, at least from Microsoft pushing updates that are actively trying to harm MB Users.

Link to post
Share on other sites


Just letting everyone know that we have created a KB article for this and updated the original post with the most recent instructions posted earlier today.

If you continue to experience issues, please continue to post about it.

Link to post
Share on other sites

I'm fairly certain I have all the exceptions entered with the correct short form now. We didn't figure it out until reading the prior posts, but our lockups were occurring at the 12:00 Malwarebytes scheduled scans too.

I pushed the updated policy out, but with the holiday and so many leaving early I think it only got to about 50 percent of the computers. Everyone should get the policy Monday morning.

Link to post
Share on other sites

On 11/28/2016 at 11:21 AM, ulrich07 said:

What is the best way to push out all these exclusions for MSE? I don't want to work around and do it manually on 100+ computers. 

Has the latest MWB database and MSE update resolved the conflict? Or are we still having to manually add all these exemptions to each system? 

Link to post
Share on other sites

  • Administrators
52 minutes ago, acgomez said:

Has the latest MWB database and MSE update resolved the conflict? Or are we still having to manually add all these exemptions to each system? 

Our testing is showing that this is no longer happening. However, we do recommend adding the exclusions to MSE.

Link to post
Share on other sites

As a test, I re-enabled MSE Real-time protection after the Tuesday (11/29) update from Microsoft. After a couple days without issue, I had the same system slowdown hang again today (12/1). I have had all the exclusions in place since last week, but the exclusions alone do not seem to be a 100% effective solution. I have now disabled MSE Real-time protection again and will keep it off until there is some official diagnosis and solution from Malwarebytes and Microsoft.

Until this recent problem I had both MSE Real-time protection running alongside Malwarebytes Premium for at least a few years without the need for any exclusions and without conflicts. Earlier in this discussion, I read that Microsoft doesn't intend to support two simultaneous real-time scanners, but I can't help wonder what has changed to break the previous compatibility.

Link to post
Share on other sites

19 minutes ago, Stave said:

As a test, I re-enabled MSE Real-time protection after the Tuesday (11/29) update from Microsoft. After a couple days without issue, I had the same system slowdown hang again today (12/1). I have had all the exclusions in place since last week, but the exclusions alone do not seem to be a 100% effective solution. I have now disabled MSE Real-time protection again and will keep it off until there is some official diagnosis and solution from Malwarebytes and Microsoft.

Until this recent problem I had both MSE Real-time protection running alongside Malwarebytes Premium for at least a few years without the need for any exclusions and without conflicts. Earlier in this discussion, I read that Microsoft doesn't intend to support two simultaneous real-time scanners, but I can't help wonder what has changed to break the previous compatibility.

For us, with real-time protection on in both we are not having issues (with the exclusions for each in place in the opposite product). However we still have an issue when the scheduled scans go off in Malwarebytes that slows things down/freezes the computers. We've disabled the scheduled scans for now until we find a solution.

Link to post
Share on other sites

1 hour ago, BryanWright said:

For us, with real-time protection on in both we are not having issues (with the exclusions for each in place in the opposite product). However we still have an issue when the scheduled scans go off in Malwarebytes that slows things down/freezes the computers. We've disabled the scheduled scans for now until we find a solution.

I wonder what differences are in everyone's machines? I still am not having any issues whatsoever, and all I have done is keep the exclusions in place. However, I personally do recommend to keep the exclusions in place, while I have not done any specific testing, I continue to have clients who have been on vacation the last few weeks show up and turn on their computers, only to have the computer become unresponsive anywhere between an hour later to a day later. From what I can gather, it is an update from MSE and then either a scheduled MSE Scan or a restart that causes the hanging problems to occur, and these are only with clients who have not been around to receive the exclusions yet, and have not returned my phone calls.

But in every single case, for me, once the exclusions are added in both MSE and Malwarebytes, I no longer have a SINGLE issue. And this is across a wide range of workstations. Everything from a Dual Core AMD that's years old, to a brand new generation 7 i7, and everything in between. So I am not sure what the difference is between the people on here who are still having issues, and the people who aren't having issues, but I would be very interested to find out. 

Link to post
Share on other sites

For us, we are using the Malwarebytes enterprise console and Microsoft System Center Endpoint protection.  Neither is running as a stand alone product.  Perhaps that is the difference.  We are also running Malwarebytes Anti-Exploit, which you can't really add exclusions to in the same way, but I don't think anti-exploit is the issue.

Link to post
Share on other sites

26 minutes ago, oreonutz said:

Anti exploit is DEFINITELY AN ISSUE. I run that as well in certain clients. Obviously you can't add exclusions in it, but you can add exclusions to MSE for MBAE, I would do it right away, that caused me problems as well. 

Right.  I have the exclusions entered for it.  It's just the scheduled scans in Malwarebytes that are still causing issues.  As soon as the scan kicks off the computer freezes.  The rest of the time it works fine.

Link to post
Share on other sites

34 minutes ago, BryanWright said:

Right.  I have the exclusions entered for it.  It's just the scheduled scans in Malwarebytes that are still causing issues.  As soon as the scan kicks off the computer freezes.  The rest of the time it works fine.

 

1 hour ago, BryanWright said:

For us, we are using the Malwarebytes enterprise console and Microsoft System Center Endpoint protection.  Neither is running as a stand alone product.  Perhaps that is the difference.  We are also running Malwarebytes Anti-Exploit, which you can't really add exclusions to in the same way, but I don't think anti-exploit is the issue.

So I just re-read your post before last, and realized that must be the difference. Going through all the posts I have read on this thread of people still having problems, it looks like what you all have in common is you all run MSCE or another managed version of Microsoft's Security Essentials. That has to be it. I use the Managed and Unmanaged Enterprise Malwarebytes depending on the client, but every single one of my clients uses the regular unmanaged version of MSE. From my understanding the managed versions of MSE won't allow you to add the ' in the exclusion list so you have to use the short name, I am willing to bet that the problem is with that short name. I wonder if you could test on a single computer that is still having the issue to go on that computer and manually add the exclusions, turn back on real-time protection in both MSE and MB, and see if the problem is fixed. As I do not use MSCE I am not familiar with it, so I am not sure if you can add exclusions to a single computer, but if you can, I would try it, and see if the problems persist.

If they are fixed after that, maybe it's possible to create a policy based on that machine. I know from your prior post a few days back that you believe you had gotten the short form right, but I would be willing to bet it's still somehow the problem. Either with the short name being wrong on some machines but not others, or just an error with using short names altogether. I could be wrong and it could just be that MSCE can't be fixed with exclusions, but something tells me it can.

From what I can gather the reason the lockups happen is because MSE is now targeting MB's chameleon, and because chameleon won't allow changes to it, the computer locks up. So if that's true, when a scheduled MBAM scan starts, chameleon or another MB process is again targeted by Microsoft's Real Time Protection, and the lock up starts. So if this is all true, then I would place money on the fact that for whatever reason in the case of those still having issues, MSCE's exclusions aren't doing their job. If possible I would pull one machine that is still having issues, and add the exclusions manually and see if it makes a difference. And if it does work, find a way to make your policy reflect the changes. Remember you can add paths in the exclusions list that don't exist. So if you have to add multiple short name versions, one with ~1, ~2, and so on, in your policy it won't hurt, it will simply only apply the exclusion for the short name that applies to the path the machine recognizes. I would be willing to bet that the short name changes per computer, so it might be best to make a list of all possible short names, and add all the processes to your exclusions list.

I hope my train of thought helps you on this and isn't completely useless to you. Good Luck. 

Link to post
Share on other sites

1 minute ago, oreonutz said:

 

So I just re-read your post before last, and realized that must be the difference. Going through all the posts I have read on this thread of people still having problems, it looks like what you all have in common is you all run MSCE or another managed version of Microsoft's Security Essentials. That has to be it. I use the Managed and Unmanaged Enterprise Malwarebytes depending on the client, but every single one of my clients uses the regular unmanaged version of MSE. From my understanding the managed versions of MSE won't allow you to add the ' in the exclusion list so you have to use the short name, I am willing to bet that the problem is with that short name. I wonder if you could test on a single computer that is still having the issue to go on that computer and manually add the exclusions, turn back on real-time protection in both MSE and MB, and see if the problem is fixed. As I do not use MSCE I am not familiar with it, so I am not sure if you can add exclusions to a single computer, but if you can, I would try it, and see if the problems persist.

If they are fixed after that, maybe it's possible to create a policy based on that machine. I know from your prior post a few days back that you believe you had gotten the short form right, but I would be willing to bet it's still somehow the problem. Either with the short name being wrong on some machines but not others, or just an error with using short names altogether. I could be wrong and it could just be that MSCE can't be fixed with exclusions, but something tells me it can.

From what I can gather the reason the lockups happen is because MSE is now targeting MB's chameleon, and because chameleon won't allow changes to it, the computer locks up. So if that's true, when a scheduled MBAM scan starts, chameleon or another MB process is again targeted by Microsoft's Real Time Protection, and the lock up starts. So if this is all true, then I would place money on the fact that for whatever reason in the case of those still having issues, MSCE's exclusions aren't doing their job. If possible I would pull one machine that is still having issues, and add the exclusions manually and see if it makes a difference. And if it does work, find a way to make your policy reflect the changes. Remember you can add paths in the exclusions list that don't exist. So if you have to add multiple short name versions, one with ~1, ~2, and so on, in your policy it won't hurt, it will simply only apply the exclusion for the short name that applies to the path the machine recognizes. I would be willing to bet that the short name changes per computer, so it might be best to make a list of all possible short names, and add all the processes to your exclusions list.

I hope my train of thought helps you on this and isn't completely useless to you. Good Luck. 

I hadn't thought about that.  I need to see what processes are starting up with the scheduled scans and make sure they are excluded in MSE.  Now some more research to go do.

Link to post
Share on other sites

3 minutes ago, BryanWright said:

I hadn't thought about that.  I need to see what processes are starting up with the scheduled scans and make sure they are excluded in MSE.  Now some more research to go do.

Good Luck My Friend. And also remember it won't hurt to add multiple paths for the same process. So for instance if we are talking about MBAM.exe, I don't know the short name for that process off the top of my head but for a minute let's presume it's "c:\Program~1\Mbam.exe". Then since that ~1 might not work for another computer, another computer's short name might be "c:\Program~2\Mbam.exe". So to save yourself the trouble you should add both paths to your exclusions list, and do this for all possible short names on all of MBAM and MBAE's processes. This will be a long exclusion list, but it will only apply to the path that the individual computer recognizes, so all the extra exclusions won't hurt, it just makes it so you can have one policy for all workstations on your networks, no matter what short name MB's might use. I am not always good at explaining things, but I hope that makes sense and helps. Let us know how it works out.

Link to post
Share on other sites

23 hours ago, BryanWright said:

Right.  I have the exclusions entered for it.  It's just the scheduled scans in Malwarebytes that are still causing issues.  As soon as the scan kicks off the computer freezes.  The rest of the time it works fine.

My users are having this issue too.  SCEP exemptions have been added and real-time scanning turned back on, but during MBAM scans their computer locks up on them.  It's been like two weeks now, hasn't it?  What's the latest on a permanent fix?

Link to post
Share on other sites

We have about 30 workstations in total.  The week of Thanksgiving we had this issue on five workstations and the exclusions fixed the issue.  We had hoped that this issue would be fixed so we didn't exclude the processes on all workstations, but it appears that the issue is not yet resolved.  This morning we had two different workstations that were locked up before the login screen and excluding the processes in safe mode appears to have fixed the issue.  Where can we get legitimate updates on how or when this conflict will be fixed permanently? Thanks.

Link to post
Share on other sites

As an update, I haven't had time to troubleshoot the scheduled scan still causing the computers to freeze, but I had one remote user who was having freezing issues and discovered a few things on investigation.

1.  He had a stand-alone version of Malwarebytes installed, probably an older version, but I didn't note the version.  What I did notice was that the program files directory did not have the ' in the path name for the Malwarebytes directory.  So it wasn't honoring the exclusions set.

2.  I completely uninstalled Malwarebytes, but the computer continued to have issues with random freezing.  I had to remove and reinstall system center endpoint protection to completely fix the issue with freezing.  As he was a remote user I did not reinstall Malwarebytes, we'll do that after I get to the bottom of the issue with scheduled scans causing the computer to freeze.

Link to post
Share on other sites

I have implemented the ultimate Enterprise Wide resolution for this issue (SCEP vs MBAM) as it relates to GPClient.exe timeouts at startup hangs (Applying Computer Settings) along with Application Hangs and OS lockups (explorer.exe) associated with Scheduled Scans. After weeks of following this forum and implementing published KB resolutions, toying with exclusions and workarounds, we have implemented a fix that is 100% successful. Albeit, we thought this issue could be put to rest until this morning, when it was Deja vu all over again. Please see resolution below.

1.  Deploy SCCM Package Uninstalling MB Managed Client

2.  Reboot the computer.

3.  Shutdown MBAM Management Server

 

 

 

Link to post
Share on other sites

19 minutes ago, BOwens said:

I have implemented the ultimate Enterprise Wide resolution for this issue (SCEP vs MBAM) as it relates to GPClient.exe timeouts at startup hangs (Applying Computer Settings) along with Application Hangs and OS lockups (explorer.exe) associated with Scheduled Scans. After weeks of following this forum and implementing published KB resolutions, toying with exclusions and workarounds, we have implemented a fix that is 100% successful. Albeit, we thought this issue could be put to rest until this morning, when it was Deja vu all over again. Please see resolution below.

1.  Deploy SCCM Package Uninstalling MB Managed Client

2.  Reboot the computer.

3.  Shutdown MBAM Management Server


 

That may work, but it's not really a solution, most of us use Malwarebytes because we see the other Anti Virus just isn't enough. It's messed up that Microsoft is trying to force us, and in some cases succeeding, to get rid of Malwarebytes altogether. Let's not forget it was a Microsoft Definition update that caused this problem to begin with. I guess if temporarily lowering your security is ok with you, then this solution would work, I would opt for getting rid of Microsoft's anti virus, but I know MB doesn't catch everything on its own either, so we are left in a tough position.

At the end of the day, as IT Administrators it's up to us to come up with a solution our environments can work with, but if security must be lowered, I strongly believe it is Microsoft who should take the hit, not Malwarebytes, and we should be letting Microsoft know it. 

Link to post
Share on other sites

On 11/23/2016 at 0:12 PM, djacobson said:

Hi everyone, I noticed some people using shortname exclusions in Microsoft's product because of our apostrophe. Keep in mind there's a possibility these exclusions as is may not be referring to the right area, depending on how you installed the Malwarebytes software. It could be a different integer listed in the short name, these short names assume you have installed the program(s) in a certain order, resulting in one path being a malwar~1 or malwar~2. If this is wrong, the exclusions you entered will not work!


 

It is best to copy/paste the exclusions when adding them. We have seen issues when using the short filename convention and/or environment variables (%programfiles% mapping to “C:\Program Files\” instead of “C:\Program Files (x86)\” or vice versa).

Solution Steps:

· If your computer is responsive, complete steps 1-8
· If your computer is unresponsive, wait 10-15 minutes for it to become responsive and then complete steps 1-8
    · If after waiting 10-15 minutes and your computer is still unresponsive, boot to Safe Mode and complete steps 1, 3-6 and then 8

Alternatively, you can immediately boot into Safe Mode and complete steps 1, 3-6 and then 8.

1. Open MSE/SCEP
2. Disable Real-Time Protection: Settings -> Real-Time Protection
3. Exclude files: Settings -> Excluded files and locations and add all the files below
   a. Note: make sure to use the full path to the file
4. Click Save Changes
5. Exclude processes: Settings -> Excluded processes and add all the files below
   a. Note: make sure to use the full path to the file
6. Click Save Changes
7. Re-Enable Real-Time Protection: Settings -> Real-Time Protection
8. Reboot computer into Normal Mode

If you’re copying all exclusions at once, be sure to include the required semicolon after each entry.

 

Managed client:

·         C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamdor.exe

·         C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe

·         C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe

·         C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe

·         C:\Program Files\Malwarebytes' Managed Client\SCComm.exe

 

For x64 installations:

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamdor.exe

·         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe

·         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe

·         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe

·         C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe

 

Standalone Malwarebytes Anti-Malware client:                  

·         C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe

·         C:\Program Files\Malwarebytes' Anti-Malware\mbamdor.exe

 

For x64 installations:

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe

·         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamdor.exe

 

Standalone Malwarebytes Anti-Exploit client:

·         C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe

·         C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe

·         C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe

 

For x64 installations:

·         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe

·         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe

·         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe

What's with the apostrophe after Malwarebytes on most of the file names above?

 

Link to post
Share on other sites
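
The short-name mismatch raised in this thread (a policy entry using malwar~1 where a given machine actually has malwar~2) can be checked on one machine before a policy goes out to all of them. The PowerShell below is an added example, not part of any post here and not a Malwarebytes or Microsoft tool: it reports the real 8.3 folder name for each listed executable it finds and checks policy entries against them. The function names and the `$PolicyEntries` values are assumptions made up for illustration.

```powershell
# Added example, not from the thread. Folder and file names are the ones in the
# quoted exclusion list; function names and $PolicyEntries are hypothetical.
# Requires PowerShell 3.0 or later.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

$Products = [ordered]@{
    "Malwarebytes' Anti-Malware"   = @('mbam.exe','mbamgui.exe','mbamservice.exe',
                                       'mbamscheduler.exe','mbamapi.exe','mbamdor.exe')
    'Malwarebytes Anti-Exploit'    = @('mbae.exe','mbae-svc.exe','mbae-cli.exe')
    "Malwarebytes' Managed Client" = @('SCComm.exe')
}

function Get-MbInstalledExecutable {
    # Scripting.FileSystemObject exposes the 8.3 names Windows actually assigned
    $fso = New-Object -ComObject Scripting.FileSystemObject
    foreach ($root in $Roots) {
        foreach ($dir in $Products.Keys) {
            $folder = Join-Path $root $dir
            if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }
            $shortDir = $fso.GetFolder($folder).ShortName
            foreach ($exe in $Products[$dir]) {
                $long = Join-Path $folder $exe
                if (-not (Test-Path -LiteralPath $long -PathType Leaf)) { continue }
                [pscustomobject]@{
                    LongPath     = $long
                    ShortPath    = $fso.GetFile($long).ShortPath
                    ShortDir     = $shortDir
                    # With 8.3 generation disabled on the volume, Windows hands
                    # back the long folder name, so no short-name entry can match
                    DirHas83Name = ($shortDir -ne $dir)
                }
            }
        }
    }
}

function Test-MbPolicyEntry {
    param([string[]]$PolicyEntries, [object[]]$Installed)
    # An entry only helps if it equals a path this machine really has
    # (-contains compares strings case-insensitively)
    $known = @($Installed.ShortPath) + @($Installed.LongPath)
    foreach ($entry in $PolicyEntries) {
        [pscustomobject]@{
            PolicyEntry        = $entry
            MatchesThisMachine = ($known -contains $entry)
        }
    }
}

$installed = @(Get-MbInstalledExecutable)
$installed | Format-Table ShortDir, DirHas83Name, LongPath -AutoSize

# Constructed sample of short-name entries as they might sit in a managed policy
$PolicyEntries = @(
    'C:\PROGRA~1\MALWAR~1\mbam.exe',
    'C:\PROGRA~1\MALWAR~2\mbam.exe',
    'C:\PROGRA~2\MALWAR~1\mbae.exe'
)
Test-MbPolicyEntry -PolicyEntries $PolicyEntries -Installed $installed |
    Format-Table -AutoSize

# Paste-ready strings, with the semicolon after every entry
if ($installed.Count) {
    ($installed.LongPath  -join ';') + ';'
    ($installed.ShortPath -join ';') + ';'
}
```

A policy entry that shows `MatchesThisMachine = False` on a machine where the product is installed is not covering that machine, whatever the console reports.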
