
MBAM 3.0.4 Hangs on Heuristics Analysis



I have written previously on this issue.  The update issue was resolved, but on one of my two computers, both running BDTS2017 as an anti-virus solution, the MBAM scan hangs on Heuristics Analysis and won't complete.  Both computers, different makes, run on Windows 10 Pro x64, Build 1607, fully updated.

MBAM shows the last scan time correctly of the cancelled scan, but clicking on that time does not take me to any log.  When I cancel the scan, it just keeps running, so I have to "X" out of the program.  When I relaunch it, the scan is still running.  I have to reboot to stop the scan.

Please advise what logs you need.

Thank you and have a great day.

Regards,
-Phil


Hello garioch7:

The Dev team and staffers may wish to analyze the following:

If for no other reason than to see what MB3's newest "Heuristics Analysis" phase of scanning may/may not react to, if the system's Windows partition has the slightest amount of corruption/damage, please consider running the Windows 10 full 5 stage Check Disk utility w/Repair.  e.g. $ chkdsk <system volume> /R

Then, for the simplicity of everyone, please use Shawn Brink's procedure, and please capture those Windows 10 Event Viewer chkdsk results to a "CHKDSKResults.txt" file as per https://www.tenforums.com/tutorials/40822-chkdsk-log-event-viewer-read-windows-10-a.html#option2 and attach that text file to your next reply.  It is highly likely you already know/have experienced the seemingly never-ending periods of so-called stalls/hanging while the 5 stage chkdsk is running.

Thank you.


SMART.PNG

1PW:

Thank you for your reply.  The drive in question is a Samsung 850 Pro 1TB drive.  As such, I used the "/f" switch rather than the "/r" switch.

I have attached the chkdsk report, the Samsung Magician S.M.A.R.T. status report, and an image of the MBAM Heuristics Analysis scan.  I ran another scan after the chkdsk /f run (attached MBAMHang.png).  Yesterday it hung on item 395,767.  The two times previous to this (nine days ago), MBAM hung at items 394,179, and then 394,214.

Let me know what else you need.  MBAM runs fine on my laptop.

Thank you and have a great day.

Regards,
-Phil

chkdsk.txt

MBAMHang.PNG


Hello Garioch7:

Thank you kindly for the posted data.  I too run Samsung 850s and although the system in question you show is running an older version of Magician, you should not be averse to running the 5 stage Check Disk utility on infrequent occasions.  And although the SSD's raw S.M.A.R.T. values are quite ideal, the entire system itself will always be the final arbiter.

Thank you.

 


  • Staff

Hi garioch7,

STEP 1:

1. Open Malwarebytes, click Settings > Application
2. Look for 'Event Log Data' and slide the toggle switch to 'ON'
3. Run a threat scan.
4. See if you reproduce the scan hang.

Then please attach the MBAMSERVICE.log that is in the following folder: C:\ProgramData\Malwarebytes\MBAMService\logs  <-- You'll need to be able to View Hidden folders to locate this.

This will give us more detailed logging about what is happening during the scan.

STEP 2:

Please download Farbar Recovery Scan Tool from here http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to your desktop.

Note: You need to run the version compatible with your system.

After you click the Download Now 64-bit, or the Download Now 32-bit, another page will open — DO NOT CLICK ANY ADDITIONAL 'download now' buttons, just wait and look toward the bottom of your browser for the option to Run or Save. Click Save.

• Double-click to run it. When the tool opens click Yes to the disclaimer.

Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway.

• Click the Scan button.

• When the scan has finished, it will save 2 logs in the same directory the tool was run from.  Please attach the following logs:

Addition.txt

FRST.txt 

 


Ried:

I reproduced the hang with logging enabled.  When I rebooted to cancel the hung scan, I noted that the MBAM AE module was off.  I turned it to "On" and it just hung on "Starting...".  I turned off Event logging, rebooted and all was well again in terms of MBAE protection.  I have attached the requested files and a screen shot of the MBAE module hang.

I have also included a MBAMService.Log.bk1 file, that I had to append ".log" to the filename for it to upload.

Thank you and have a great day.

Regards,
-Phil

Addition.txt

FRST.txt

MBAE_Starting.PNG

MBAMSERVICE.LOG

MBAMSERVICE.LOG.bk1.log


dcollins:

Do you require any more scans or log files from me?  Is there an update on what is causing the heuristics analysis "stall"?

Have a great day, and thank you for your assistance to date.

Regards,
-Phil


  • Staff

Sorry for the delay, we've been researching this heavily and going through some logs to try and narrow it down. One other thing that might be helpful is a memory dump of one of our services. Can you follow the instructions outlined below to create a memory dump and then upload the file?

  1. Open Malwarebytes and go to Settings -> Protection
  2. Disable the Self Protection option
  3. Download the following Procdump.zip file: Procdump.zip
  4. Place procdump.zip in C:\
  5. Right click on procdump.zip and then choose properties
  6. In the window that pops up, click the unblock button near the bottom and then click ok
    Screen Shot 2016-12-21 at 11.06.23 AM.png
  7. Extract procdump.zip.
  8. Check that the extracted files are in the directory "C:\Procdump"
  9. Right click "mbamservice_procdump.bat" and select Run as administrator.
    • If you did the steps correctly you will see the following:
      procdump_running.png
  10. Run a threat scan with MBAM 3.0.
  11. When MBAMSERVICE.exe crashes it should close that command window and generate a memory dump file in "C:\Procdump".

Procdump.zip

Edited by dcollins

dcollins:

I did as you requested, but when I "Run as Administrator" the .bat file, the first time a "Sysinternals" consent prompt came up, I clicked "Yes" or "OK", the black command console window appeared, and then disappeared.  I tried it a second time and did not get the "Sysinternals" prompt.  The screen just flashed and there was no command console window.

I have attached a screenshot of the C:\Procdump folder contents.

Not sure what I am doing wrong.  Your instructions were very clear.

Any advice?  Thank you and have a great day.

Regards,
-Phil

procdump.PNG


dcollins:

Thank you for your reply.  I rebooted my computer.  I ran services.msc and confirmed that the Mbamservice was running.  The MBAM application opened just fine.

I ran the batch file as administrator again.  I just got a couple of black flashes on the screen and then it returned to normal.  No command console window was open.

Any other ideas?  Thank you and have a great day.

Regards,
-Phil


  • Staff

OH! Please go into Malwarebytes and go to Settings -> Protection and disable the Self Protection option. Then try running the file as admin. If that doesn't work, this new zip will add an extra pause at the end so we can see any error messages being displayed. You'll need to delete the C:\Procdump folder and then follow the steps above, just using this zip file.

procdump.zip


dcollins:

OK, turning off MBAM Self-Protection permitted the Procdump program to work; however, it did not generate any log file because MBAM does not crash.  It just hangs on an item number being scanned, as per my image in this post.

What I did was cut and paste the contents of the log file to the point where it too stopped recording any more events, simultaneous to the MBAM Heuristics Analysis scan hanging.  I have attached that file.

Hope it reveals something.  Thank you and have a great day.

Regards,
-Phil

procdump.txt


  • Staff

How long did you wait to see if it crashed? Sometimes it may take anywhere from 5-10 minutes. If nothing happens after that amount of time, can you follow these instructions below to grab a memory dump while the process is running?

Can you please follow the instructions below to grab an in-memory dump of the issue.

  1. Open Malwarebytes and go to Settings -> Protection
  2. Turn off Self-Protection
  3. Download ProcessExplorer from Sysinternals using the following link: https://live.sysinternals.com/procexp.exe
  4. Run ProcessExplorer.exe
  5. Click on File -> Show Processes for All Users and choose Yes on the UAC prompt
    Note: This step may not be necessary. If you don't see the "Show Processes for All Users" option in the file menu, you can skip to step 4
  6. Start a scan with Malwarebytes
  7. Once the scan sticks, wait for 5-10 minutes
  8. With the scan still stuck, go back to ProcessExplorer and look for MBAMService.exe in the list
  9. Right click MBAMService.exe and choose Create Dump -> Create Full Dump...
  10. Save the file to your desktop
    Note: The dump file will most likely be very large. You won't see too much happening, but wait about 30 seconds and then you can close Process Explorer
  11. Upload dump file
Edited by dcollins

dcollins:

Thank you for your email.  I tried it the first time, but I was denied access to the MBAMService, so I could not export the full dump file.  I rebooted, turned off MBAM self-protection, ran both MBAM and Process Explorer as Administrator, and tried again.  This time it was successful at exporting.  You might want to update your "canned."

You are right.  The dump file was huge and took about 45 minutes for me to upload, due to the slow Internet speeds (0.5 Mb/sec. upload speed) here in rural Cape Breton, Nova Scotia, Canada. The upload link is here.

I sure hope that you find something in the dump file that can help you to resolve the issue.

Thank you and have a great day.

Regards,
-Phil


FYI

I have been having the same issue since upgrading from v.2 and AntiExploit.  Removed the software several times with Revo and mbam-clean, deleted files/folders and went through the registry but nothing worked. I eventually stopped the service after attempting to scan again, then started it and ran another scan. This time the scan completed (493,599 files in 00:03:14). I reproduced this by rebooting and running another scan, which locked during Heuristics Analysis - stopped and started the service again - scan completed.

Note: I am running Norton Security but did stop real time protection while installing. I also tried scanning in safe mode but Malwarebytes did not register itself as a licensed product.

Hope this helps!


pcupgr:

:welcome: to the Malwarebytes Forums!

Amazing!  Your "work-around" worked! :rolleyes:  I opened a command prompt as Administrator, executed "services.msc", successfully stopped and started the MBAMservice, even though the "Self-Protection" module was "on", after a Threat Scan hung again at Heuristics Analysis. I then relaunched MBAM after your little "trick" and the MBAM scan finished successfully.  Threat scan log attached.

Hopefully, between your "trick" and that huge process dump file I submitted earlier this morning, the pros here will be able to figure what is causing the "stalls" in Heuristics Analysis scanning on some computer platforms.

Thank you for sharing your solution with me, and the rest of us!  Welcome aboard.  Have a great weekend and Christmas season.

Regards,
-Phil

mbamscan.txt


dcollins:

Just a bit more information.  I wondered if the MBAMservice might be getting "jammed" with the quick start-up of my tower's SSD (C: drive).  My computer is set not to use "Fast Start" but the Samsung 850 Pro 1 TB drive does load Windows 10 Pro x64 in a big hurry, compared to a mechanical drive, which is in my laptop, and which does not have any MBAM issues.

So, I rebooted the tower computer and waited until all was stable and the CPU and drives had gone to idle.  Then I stopped the MBAMservice and restarted it, via services.msc.  I ran an MBAM scan and it again hung on Heuristics Analysis, very close to completion.

So I followed pcupgr's advice, launched services.msc again, stopped and then started the MBAMservice and ran another scan.  It ran to completion successfully.  See attached log.

So there is some kind of consistent pattern of MBAM "misbehavior" affecting some computers.  I hope this is of some help.

If there are any other logs or testing you want me to do, please advise.

Thank you and have a great weekend.

Regards,
-Phil

mbamscan2log.txt


dcollins:

Thank you for your response.

No apologies necessary for the upload time - that is unfortunately my "rural" reality, BUT, if I want to assist in resolving the issue, I need to contribute what I can, since obviously my tower computer platform has some "peculiarity" that is triggering this MBAM "misbehaviour".  "If you are not a part of the solution, you are part of the problem."

@pcupgr deserves credit for having discovered the MBAMservice, stop-start solution after a "stall."  I can't take credit for that insight, but it did work for me, so obviously my tower computer platform is not totally unique, just in the very small minority that are affected by whatever is going on.  By the way, how do I do that member "quote thing?"  I would like pcupgr to know that I am talking about him/her.

I hope that you have good holidays.  There is no emergency here - we do have a "work-around", although I suspect you would like to isolate the critter that is causing this "misbehavior" because it might be causing other mayhem.

Anything you need from me, since obviously my platform is a little different from your test computers, just ask.  I WILL get you what you need.

Thanks again for your assistance.  You have my sympathies, seeing all of the sudden demand for MBAM Tech Support in this Forum.  Where do you start?

Have a great weekend.

Regards,
-Phil


dcollins:

I just upgraded to MBAM 3.0.5. because MBAM prompted me to do so.  The scan continues to hang in Heuristics Analysis.  Stopping and starting the MBAMservice, via services.msc, allows the scan to complete successfully, as it did for pcupgr, when a new scan is initiated without reboot.

Just thought that I would pass that along.

Have a great day.

Regards,
-Phil
