msherwood

Malwarebytes and Microsoft Security Essentials conflicts


22 minutes ago, Cleatus said:

cont... 

Are they needed? 

looking at my standalone laptops that are running Malwarebytes, it does NOT have that--but the managed clients do...

 

(I would have edited my above post, but it gave me like 1 min to edit before locking...)

So Malwarebytes Corporate uses the ', Malwarebytes Home doesn't. You can change it to take out the apostrophe when installing it, but the default install path inside Program Files includes the apostrophe, and once it's installed with the apostrophe, yes it is needed. However, you can uninstall it, and then reinstall it with the new path, and rename it to not have the apostrophe included, and then you will not need it.


Sorry to double post, I forgot to quote in the first one, and figured I could delete my first post, but it seems, at least at first glance, that there is no option to delete the post. 


It's just our old path name, carried over from the legacy Anti-Malware Pro, the old 1.50, 1.6x and 1.75. The business standalone and managed versions were built off of 1.75 Pro. In consumer version it has been changed to no apostrophe for Anti-Malware. It is used by us as a quick way to identify if someone has the correct build for their subscription. Easy to tell between business versions, consumer and sometimes seeing both installed on machines.

3 hours ago, oreonutz said:

Sorry to double post, I forgot to quote in the first one, and figured I could delete my first post, but it seems, at least at first glance, that there is no option to delete the post. 

No worries, I'll fix it for you.


I am concerned that we have had legitimate questions that have been left unanswered for weeks but the second a question about apostrophes is asked there's an immediate response by a moderator.


I just wanted to mention something in regards to the various people discussing the usage of the full path name with the " ' ", i.e. apostrophe character, in the folder structure versus the usage of duplicating every listed excluded process / executable in the multiple 8.3 syntax variants, i.e. ~1, ~2, ~3, ~4, and so on.  The reason that the 8.3 syntax may be necessary for some people to utilize is that the Microsoft SCCM SCEP management interfaces for controlling the SCEP Policies of their SCEP clients do not recognize the " ' " apostrophe character as a valid path character for any given exclusion.  You can quite literally use the SCCM SCEP Policy modification interfaces within SCCM to browse to the folder containing the process executable that you want to exclude, choose it, and then be returned to the SCCM dialog to click the "Add" button and it will not let you add it because of the presence of the " ' " character.  We have seen this cause issues before within other systems that for whatever reason have decided that the apostrophe is not a valid character to have in a folder structure.  So short of getting Microsoft to alter SCCM's interfaces to accommodate the usage of the apostrophe character in this instance or getting Malwarebytes to no longer use the apostrophe in their product's folder structure on the end clients, we have been relegated to working around this issue in some way.

The usage of the 8.3 syntax affords you a way around this, but also unfortunately means that you have to add all of the potential variants of this 8.3 syntax as exclusions because one client workstation's ~1 folder may just as easily be another's ~3 folder, etc. depending on the order in which any given Malwarebytes' products have been installed.

Another way could be to simply put the executable's name without any path structure and that is supposed to match that exclusion to any file matching that name pattern no matter its location on the file system.  Unfortunately this would open up for the potential of more unintended exclusions of that file name in paths you may not intend to have it excluded from being scanned within.

To compound things further there seems to be inconsistent implementation within Malwarebytes of their own folder naming syntax.  As an example my current workstation has the following three folders within its "Program Files (x86)" folder -

Malwarebytes' Anti-Malware
Malwarebytes' Managed Client
Malwarebytes Management Console

I am not sure why there is the inconsistency but as you can see there is not an apostrophe on the last product's, i.e. Management Console, folder name.

This could be easily remedied while still maintaining whatever proper possessive English syntax that someone seems intent on enforcing / implying through the usage of this fairly useless usage of the apostrophe by simply having something like the following folder structure implemented by the various Malwarebytes products.

C:
->Program Files (x86)
->->Malwarebytes
->->->Anti-Malware
->->->Managed Client
->->->Management Console

I personally don't know why Malwarebytes has even bothered to try using the apostrophe in the first place in the folder structure.  You don't see the following folder names for any of the following companies' products to enforce or imply the possessive ownership or creation of their own products -

Microsoft's Office
Microsoft's SDKs
Microsoft's Security Client
Microsoft's Silverlight
Microsoft's SQL Server
Microsoft's Visual Studio 10.0
Mozilla's Firefox
Mozilla's Maintenance Service

Sorry but this syntax issue has always annoyed me from the first day I saw it and has caused small, easily addressable issues off and on throughout the years, but knowing that it could have so easily been avoided / or since addressed by Malwarebytes causes me frustration.

In its own small way this simple apostrophe syntax choice on Malwarebytes' part has made the issue being addressed in this thread just that little bit more annoyingly tedious for their users to troubleshoot / address, and easily and effectively discuss without defining a "Rosetta Stone" of sorts for why you may or may not have to use one type of exclusion syntax or another.

Sorry for the vent.
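
Which 8.3 alias each Malwarebytes folder received on a given client, as discussed in the post above, can be read off the machine rather than guessed. The following PowerShell is an added example, not part of the original post and not code from Malwarebytes or Microsoft; `Get-MalwarebytesShortName` and `$PlannedShortNames` are hypothetical names, and the default list is a constructed sample. It avoids PowerShell 3.0-only syntax so it also runs on a stock Windows 7 / Server 2008 R2 install.

```powershell
# Added example (not from the thread): list the 8.3 short name that each
# Malwarebytes folder actually received on this machine, and flag any that
# are not in the set of ~N variants you plan to exclude.
# $PlannedShortNames is a constructed sample; replace it with your own list.
param(
    [string[]]$PlannedShortNames = @('MALWAR~1', 'MALWAR~2', 'MALWAR~3', 'MALWAR~4')
)

function Get-MalwarebytesShortName {
    param([string[]]$Planned)

    # Scripting.FileSystemObject exposes the 8.3 alias of a folder.
    $fso = New-Object -ComObject Scripting.FileSystemObject

    # Both Program Files roots; on 32-bit Windows the (x86) variable is empty.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        Select-Object -Unique

    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Filter 'Malwarebytes*' |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                $folder = $fso.GetFolder($_.FullName)

                # If 8.3 name creation is disabled on the volume, ShortName
                # equals the long name and no ~N alias exists to exclude.
                $hasAlias = ($folder.ShortName -ne $_.Name)

                New-Object PSObject -Property @{
                    Computer      = $env:COMPUTERNAME
                    LongPath      = $_.FullName
                    ShortName     = $folder.ShortName
                    ShortPath     = $folder.ShortPath
                    HasApostrophe = ($_.Name.IndexOf("'") -ge 0)
                    HasAlias      = $hasAlias
                    # True only when the alias is one of the planned variants.
                    Covered       = ($hasAlias -and ($Planned -contains $folder.ShortName))
                }
            }
    }
}

Get-MalwarebytesShortName -Planned $PlannedShortNames |
    Select-Object Computer, LongPath, ShortName, ShortPath, HasApostrophe, HasAlias, Covered |
    Format-Table -AutoSize
```

Rows with `HasApostrophe` true and `Covered` false are the folders whose short-name exclusion would not match on that client. Piping the function's output to `Export-Csv` instead of `Format-Table` lets the results from many clients be combined.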


A few quick things on this...

Firstly, our recommendation is still what's posted in the first post of this thread and the KB article (both have the same details). 

Secondly, we have extensively tested this within our environments and we are not seeing issues after applying the suggested fixes.

Lastly, we're going to have a couple of experts join this thread and further investigate the outstanding issues.

Thanks again for being patient with us as we work through this.

On 12/5/2016 at 6:39 AM, anthonyp said:

Where can we get legitimate updates on how or when this conflict will be fixed permanently? Thanks.

Anthony, I apologize this got through without an answer, thanks for pointing that out in your reply. Microsoft has fixed their conflict with the definition update, 1.233.443.0. We have seen that this issue is no longer a problem on this def version with or without the exclusions. However I would implore all of you to still add the exclusions in case a later definition breaks it again in the future.

Here is the changelog for 1.233.443.0 - http://webcache.googleusercontent.com/search?q=cache:q-ekVTef2OkJ:www.microsoft.com/security/portal/definitions/whatsnew.aspx?RequestVersion=1.233.443.0&Release=Released&Package=AM

Be aware though that the conflict and the hanging it causes may prevent your SCEP / MSE from updating to the latest available signature. In such a case, follow the steps for the unresponsive computer on my post from Nov 23rd.

15 hours ago, djacobson said:

Anthony, I apologize this got through without an answer, thanks for pointing that out in your reply. Microsoft has fixed their conflict with the definition update, 1.233.443.0. We have seen that this issue is no longer a problem on this def version with or without the exclusions. However I would implore all of you to still add the exclusions in case a later definition breaks it again in the future.

Here is the changelog for 1.233.443.0 - http://webcache.googleusercontent.com/search?q=cache:q-ekVTef2OkJ:www.microsoft.com/security/portal/definitions/whatsnew.aspx?RequestVersion=1.233.443.0&Release=Released&Package=AM

Be aware though that the conflict and the hanging it causes may prevent your SCEP / MSE from updating to the latest available signature. In such a case, follow the steps for the unresponsive computer on my post from Nov 23rd.

This is interesting as we were still having problems on computers that had the definition update.  I wonder if there was more to it, and once you had the problem getting the updated definition was not sufficient to solve the issue.  I still haven't had time to test the scheduled scanning issue.  For now, scheduled scans are disabled in Malwarebytes, and we have quit having reports of problems (with the exclusions in place).

15 hours ago, djacobson said:

Anthony, I apologize this got through without an answer, thanks for pointing that out in your reply. Microsoft has fixed their conflict with the definition update, 1.233.443.0. We have seen that this issue is no longer a problem on this def version with or without the exclusions. However I would implore all of you to still add the exclusions in case a later definition breaks it again in the future.

Here is the changelog for 1.233.443.0 - http://webcache.googleusercontent.com/search?q=cache:q-ekVTef2OkJ:www.microsoft.com/security/portal/definitions/whatsnew.aspx?RequestVersion=1.233.443.0&Release=Released&Package=AM

Be aware though that the conflict and the hanging it causes may prevent your SCEP / MSE from updating to the latest available signature. In such a case, follow the steps for the unresponsive computer on my post from Nov 23rd.

This is interesting.  Yesterday, I ran Windows updates, made sure I was on the latest MSE definition (I am on 1.233.1637.0), and restarted my computer.  Then, to test if the problem was fixed I removed the exclusions from MSE. Upon restarting I was not able to log in.  I waited ten minutes before rebooting to Safe Mode and then added the exclusions again.  

Also, bstephens, I did not intend to imply that your punctuation issue was not important.  I was alluding to the idea that the mods were not replying to questions that were more difficult for them to answer.


We have a handful of Windows 7 systems that are still experiencing this even with the exclusions added.  For now we are having to disable MSE.

1 minute ago, superaj said:

We have a handful of Windows 7 systems that are still experiencing this even with the exclusions added.  For now we are having to disable MSE.

 

Us too.  Malwarebytes support had me upgrade to the latest version of the console and managed client, but no luck.  Seems to work fine as long as we don't do scheduled scans, so I have changed those to run overnight instead of during the day.


May I ask what your guys' version numbers are for; MSE and SCEP, its new addition Microsoft Antimalware and your Malwarebytes Anti-Malware. Screenshots of your exclusions for file/folder and process in Microsoft's products as well.

Feel free to PM these to me or you can create a ticket by emailing corporate-support@malwarebytes.com. If you already have a ticket, PM me your ticket number.


While working with Anthony, I noticed an older known issue may also be contributing to logon freezing. Those of you with logon scripts that assign drive shares or start applications which run from shared drives may be experiencing an issue due to interference by our web blocker real time and not necessarily just the conflict caused by the Microsoft security products. This could contribute to not seeing complete resolution of the issue after proper implementation of the exclusions. If you feel this may be part of what you are experiencing, please PM me.

On 12/12/2016 at 6:13 PM, djacobson said:

While working with Anthony, I noticed an older known issue may also be contributing to logon freezing. Those of you with logon scripts that assign drive shares or start applications which run from shared drives may be experiencing an issue due to interference by our web blocker real time and not necessarily just the conflict caused by the Microsoft security products. This could contribute to not seeing complete resolution of the issue after proper implementation of the exclusions. If you feel this may be part of what you are experiencing, please PM me.

We seem to periodically be having issues with a few stubborn machines, even with the exclusions in place, and it sounds like this could be the issue, but it's difficult to pin down, because if that were the case you would think it would affect everyone with the same configuration and it doesn't.  It seems to just randomly choose who to affect.  We're a small department, managing over 600 users, and of course have too many other projects that I haven't been able to give this my full attention, especially since it's just an occasional computer or user now.  I'll try to get the screen shots requested above and more details regarding versions, etc. when I have some time.  Until then I'm hoping someone else solves this permanently.


Another quick update.  We have been migrating computers to a new SCCM server this past week.  The new server did not have the exclusions in place, and the freezing problems started back up with computers that were migrated to the new servers.  They weren't the complete freezes from before, but more random periodic freezes that lasted a few minutes then went away for a while but eventually returned.  So there are still some issues with the current security definitions or versions of both programs.

I've now added the exclusions to the new SCCM server and forced all the clients to check-in for the updated policy, so hopefully this resolves this issue for now and I can get back to my more important year-end projects.


We've been mostly OK for the past few weeks with the exceptions in place and the protection agent in Malwarebytes disabled by policy, however in the last day we're starting to see a number of machines with high CPU utilization for SCEP and MBAM.  Are we seeing a new, similar issue?  Previously it wasn't so much CPU spiking as it was Disk IOPS.   Anyone else seeing a recurrence of these/related problems?

On 12/22/2016 at 8:45 AM, nd1818 said:

We've been mostly OK for the past few weeks with the exceptions in place and the protection agent in Malwarebytes disabled by policy, however in the last day we're starting to see a number of machines with high CPU utilization for SCEP and MBAM.  Are we seeing a new, similar issue?  Previously it wasn't so much CPU spiking as it was Disk IOPS.   Anyone else seeing a recurrence of these/related problems?

We also have a handful of systems across different businesses that are having lockups.  Even with the exceptions in both MBAM and MSE in place, the only way to get the systems to work properly is to completely disable MSE realtime scanning and this almost always has to happen in safe mode.  This is happening with MBAM for business systems and consumer MBAM.  I've been submitting diagnostic logs to MBAM support via email but haven't gotten any replies or updates yet.

2 minutes ago, superaj said:

We also have a handful of systems across different businesses that are having lockups.  Even with the exceptions in both MBAM and MSE in place, the only way to get the systems to work properly is to completely disable MSE realtime scanning and this almost always has to happen in safe mode.  This is happening with MBAM for business systems and consumer MBAM.  I've been submitting diagnostic logs to MBAM support via email but haven't gotten any replies or updates yet.

I too have now been seeing lock ups, but only on Servers running 08 and 2012. In 3 cases MSE has had exclusions added, and Malwarebytes Corporate also had the exclusions added. In one case MB wasn't even activated, it was a client I recently took over from another IT company, and apparently they were just using MB Corporate to manually scan. Even in that case the Server would lock up each night when MSE started its scan. After a crazy amount of testing I finally disabled real time protection, and it's back to normal. Before disabling MSE real-time protection I completely uninstalled Malwarebytes and the problem still persisted even after a restart, and there is no other Anti Virus installed on that particular server, so now I am starting to believe that this may be a conflict with more than just MB.

The other reason I believe that is the final 2 servers I have been having trouble with, one 2008 and one 2012, have no MB installed on the machines whatsoever, and both have MSE installed as the only means of protection, and both of those servers are locking up when their Nightly scans kick in. I have completely disabled MSE real time protection as a temporary measure while I diagnose and find out with what MSE is conflicting with now, but this is clear to me that MSE is becoming more trouble than it is worth.

Also I have noticed several of my home based business clients who chose to run Malwarebytes Premium instead of corporate are starting to run into locking up issues now as well. I have noticed with those I need to add every process in the Chameleon Folder as an exclusion before the computer becomes responsive again. Microsoft has really messed up here, and I doubt it's going to end with just conflicts with MB... 


My norm for Servers is to just run Immunet only. It usually does a superb job of keeping servers clean. I recently, within the last 6 months, started to use MSE and MB, because I had an instance of a nasty piece of ransomware slip past Immunet on a server and distribute itself across the entire network and the only thing that saved me was MB Corporate was installed on every machine on the network and it actively killed the ransomware on the individual machines and neutralized the source on the server because of a mapped Network Drive on a workstation that I used to remote into the server and run maintenance, so it had full rights and was able to delete the file being spread, long enough for me to bring down the server and do a full clean and restore from backup. Basically, I got lucky. And that's when I decided to use the same combination on Servers that I do on workstations, but now this problem...

 

It's frustrating and I wish Microsoft would just fix their definitions not to attack legitimate software... 


We have been experiencing more lockups as well even with the exclusions in place.  Disabling real-time scanning seems to fix the issue so far but certainly isn't a long term solution.

On 11/19/2016 at 0:43 PM, Marcsel said:

We have a large client, 125 users or so, that this has taken down completely all day yesterday.  Not to mention having 3 staff onsite attempting to figure out what the problem was/is.  This really is unacceptable, we have to answer to management.  When is this going to be fixed?  How do you even begin compensating clients that have over $100,000 dollars lost in productivity?

try this times 2000 users....

On 12/25/2016 at 6:16 PM, superaj said:

We also have a handful of systems across different businesses that are having lockups.  Even with the exceptions in both MBAM and MSE in place, the only way to get the systems to work properly is to completely disable MSE realtime scanning and this almost always has to happen in safe mode.  This is happening with MBAM for business systems and consumer MBAM.  I've been submitting diagnostic logs to MBAM support via email but haven't gotten any replies or updates yet.

I too have now been seeing lock ups, but only on Servers running 08 and 2012. In 3 cases MSE has had exclusions added, and Malwarebytes Corporate also had the exclusions added. In one case MB wasn't even activated, it was a client I recently took over from another IT company, and apparently they were just using MB Corporate to manually scan. Even in that case the Server would lock up each night when MSE started its scan. After a crazy amount of testing I finally disabled real time protection, and it's back to normal. Before disabling MSE real-time protection I completely uninstalled Malwarebytes and the problem still persisted even after a restart, and there is no other Anti Virus installed on that particular server, so now I am starting to believe that this may be a conflict with more than just MB.

The other reason I believe that is the final 2 servers I have been having trouble with, one 2008 and one 2012, have no MB installed on the machines whatsoever, and both have MSE installed as the only means of protection, and both of those servers are locking up when their Nightly scans kick in. I have completely disabled MSE real time protection as a temporary measure while I diagnose and find out with what MSE is conflicting with now, but this is clear to me that MSE is becoming more trouble than it is worth.

Also I have noticed several of my home based business clients who chose to run Malwarebytes Premium instead of corporate are starting to run into locking up issues now as well. I have noticed with those I need to add every process in the Chameleon Folder as an exclusion before the computer becomes responsive again. Microsoft has really messed up here, and I doubt it's going to end with just conflicts with MB... 

