Conflict: Windows Defender and Malwarebytes 3.0


Glad to help!  No hurry, I'm certainly looking forward to having this issue resolved, but I know in the meantime I'm pretty well protected.  This is my 'fun' machine (oh boy is it ever!), and I'm doing file history, system restore points, and Macrium Reflect to cover the bases if anything breaks like my incident that started this thread.

I'll be here when you're ready. :)

~Winter

 


  • 2 weeks later...
  • Staff

Hey Winter,

 

Sorry for the long wait. We recently pushed out something through mb3 that should help with this issue. Can you try starting it up again and see if it will start up? If not, you may need to do a re-install of MB3, but we will test that after you confirm if it is fixed now or not.


Hi Rsullinger:

Just saw this--sorry for the delay.  I can tell you that the update did not resolve the problem.  I will do a re-install of MB3.  Do I need to run a specific MB3 uninstaller utility or is this as simple as Add/Remove Programs from the Control Panel?

Thanks,

~Winter


20 minutes ago, Winter said:

Hi Rsullinger:

Just saw this--sorry for the delay.  I can tell you that the update did not resolve the problem.  I will do a re-install of MB3.  Do I need to run a specific MB3 uninstaller utility or is this as simple as Add/Remove Programs from the Control Panel?

Thanks,

~Winter

While @Rsullinger returns....

There is no uninstaller for version 3 at this time, all you should have to do is uninstall from the Add/Remove Programs from the Control Panel.

Edited by Firefox

11 minutes ago, Firefox said:

While @Rsullinger returns....

There is no uninstaller for version 3 at this time, all you should have to do is uninstall from the Add/Remove Programs from the Control Panel.

Okay, that makes things easier.  Thanks Firefox!  When I get home this evening I'll do exactly this, and with luck I'll have an answer for Rsullinger when he's online again. :)

~Winter


Well this isn't good...uninstalled, rebooted, ran re-install, got this:

C:\WINDOWS\system32\drivers\mbae64.sys

An error occurred while trying to replace the existing file:

DeleteFile failed; code 5

Access is denied.

Click Retry to try again, Ignore to skip this file (not recommended), or Abort to cancel installation.

Retry doesn't work.  Not gonna ignore, time to Abort....and then what?  Manually delete mbae64.sys?  Anything else I need to clean up?

Thanks,

~Winter

 


  • Staff

Hello Winter,

 

Yea, you will have to manually remove that file.

 

Close all open applications and browsers.
Navigate to C:\Windows\system32\drivers
 Locate mbae.sys or mbae64.sys, right-click the file and select Rename. Rename it to mbae.old or mbae64.old

Now MBAM3 will install without any issues.

If the issue persists, boot your system to safe mode and navigate to C:\Windows\system32\drivers.
Locate and delete the file named mbae.sys or mbae64.sys.

Reboot your PC normally and try the installation again.

 

Let me know if you have any issues after doing this! 
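
The pre-install check and rename from the staff reply above, as an added PowerShell example that is not part of the original thread or Malwarebytes' own tooling. It assumes an elevated 64-bit prompt; the helper name `Test-LeftoverDriver` is hypothetical, and finding the driver service by file name is an assumption because the thread never names the service.

```powershell
# Added example (not from the thread): check for a leftover anti-exploit driver
# before reinstalling, then try the rename the staff reply describes.
# Run from an elevated 64-bit PowerShell prompt.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

function Test-LeftoverDriver([string]$FileName) {   # hypothetical helper name
    $path = Join-Path $driversDir $FileName
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ File = $FileName; Present = $false }
    }
    # Assumption: the owning driver service is located by file name, because
    # the thread does not give the service name.
    $drv = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like ('*\' + $FileName) }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File      = $FileName
        Present   = $true
        Service   = $drv.Name        # empty if no driver service references the file
        State     = $drv.State       # 'Running' means the driver is still loaded
        StartMode = $drv.StartMode
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}

$report = 'mbae.sys', 'mbae64.sys' | ForEach-Object { Test-LeftoverDriver $_ }
$report | Format-List

foreach ($r in ($report | Where-Object Present)) {
    $old = $r.File -replace '\.sys$', '.old'      # mbae64.sys -> mbae64.old
    try {
        Rename-Item -LiteralPath (Join-Path $driversDir $r.File) -NewName $old -ErrorAction Stop
        "Renamed $($r.File) to $old; the installer can now write a fresh copy."
    } catch {
        # Same failure the thread reports (Access is denied): use the Safe Mode step.
        "Could not rename $($r.File): $($_.Exception.Message)"
        "Boot to Safe Mode and delete it from $driversDir, then reinstall."
    }
}
```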


Okay!  From a normal start-up, actually moved the .dll then ran the installer.

Activated license

Set up exclusion for Windows Defender (because we don't want THAT happening again)

Just to make super double-dog certain I did get your latest & greatest from the server, told the program to check for updates--none needed

Turned on Settings-->Protection-->Exploit Protection and it let me, activating immediately and no red flag on the MB tray icon.

Ran the typical "recommended" scan to get rid of any nag/warnings - scan completed, nothing found.

Rebooted.

Logged in and all was running fine - no prompts/pop-ups, all protections running including Exploit protection.  Decided to kick off a custom scan with all the things and found I could easily scan for rootkits and select drives with the mouse (a different issue that I'd seen on my Surface Pro 2).

So for now I think I'm good to go!

I get to play on my gaming machine Sunday, so I'll be able to log some hours, keep an eye on it, and if anything changes I'll come back here and update the thread.

Thanks!  Tell your dev team they did a good job. :)

~Winter

 


  • 1 month later...

Ouch.  Sorry, team:  it happened again.  One of the updates in the last couple of weeks did two things:

1) Blew away my license keys and made me re-enter them (and on some machines it tells me they're expired)--I just put in a Support ticket for that

2) Reverted the desktop I talk about here to "You're not protected", which once again hangs when trying to turn Exploit Protection on, and leaves the 'Protection Disabled' red flag on the system icon.

Rather than just remove and re-install, I wanted to notify you in case it would help to collect any information before I do anything.


Okay, the manual re-install worked (and thankfully didn't have the other issue of the key deciding it's expired--been working through that one with Oscar and Kenyan via e-mail based Support).

I gave it a couple of reboots to make sure, and it appears the settings stuck.  All protections are enabled.

Which, for now, leaves me in the spot of knowing that if I have this happen again on an update, I should do an uninstall and re-install.

For your team, I'll throw in these bits...I can put them in a separate thread if need be, but for me this is resolved right now.  Stuff about that uninstall/reinstall.

1) The uninstaller might not delete mbae64.sys...and a re-install will conk out because the installer can't overwrite it. ("DeleteFile failed; code 5 Access is denied.")

2) The mb-clean.exe might not delete mbae64.sys either

3) Trying to rename/delete mbae64.sys can fail because access denied...and you can't take ownership of the file.

I lied to the computer - tried to rename the file to mbae64.sys.bak, when it popped up Access Denied, I ignored all of that and rebooted the machine with that prompt still open.  The machine came back up with the rename complete and I was able to delete the file.

Hope this helps,

~Winter


I registered on this forum just to comment on this thread. I have the exact same problem and have been going crazy reinstalling windows. This is my 3rd 'reset' after a clean install last week after wiping my entire system, and it didn't occur to me that the problem could be malwarebytes, I was sure I had some type of hardware or driver conflict. I guess I was lucky that I didn't spend another $2000 on a new system before seeing this:).

The most recent reset (yesterday 2/27/17), I stopped loading anything else and only installed Office 365 and mbam. I thought it was the nvidia drivers, then Office. Page after page of red errors in Event Viewer, blue screens for no reason and the system crawls (i7) with nothing loaded.
Finally when googling one of the blue screens, someone mentioned uninstalling mbam in a forum. I've used mbam for years so it never occurred to me that a conflict was even possible! I then googled malwarebytes 3 and Windows Defender and found this thread. 

The 3 recurring blue screen messages (could not keep the newly reset computer on for more than an hour before it would bluescreen to one of the below):

Driver Page Fault in Freed Special Pool (failed tcpip.sys)
Kernel Security Check Failure 
IRQ Not Less or Equal 

I have since excluded both Defender folders in Malwarebytes (in Programs).

I have excluded this list of Malwarebytes files from Defender:

C:\Program Files\Malwarebytes\Anti-malware\mbamservice.exe

C:\Windows\System32\Drivers\mbam.sys

C:\Windows\System32\Drivers\mwac.sys

C:\Windows\System32\Drivers\mbamchameleon.sys

C:\Windows\System32\Drivers\mbamswissarmy.sys

C:\Windows\System32\Drivers\mbae64.sys

C:\Windows\System32\Drivers\farflt.sys

Below were suggestions from a different forum:

 C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe

 C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe

 C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe

 C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe

 C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

 

I really hope I can keep using Malwarebytes, but I too can't keep reinstalling Windows 10 twice a week, so any further help would be appreciated.  I'm an end user, and the list of things I've altered in Windows, chasing crashes around, numbers in the dozens, and I have no clue what I'm doing. As soon as I shut down the 'Real Time Protection' and Anti-Exploit in Malwarebytes, the Event Viewer came back with no errors. After excluding, I turned them back on, but is that a permanent fix?
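
An audit of the exclusion list posted above against what Windows Defender actually has configured, as an added PowerShell example that is not part of the original post. It uses only the file paths quoted in the thread, assumes an elevated prompt with the Defender cmdlets available, and the variable names are illustrative.

```powershell
# Added example (not from the thread): compare the posted file list with
# Defender's configured path exclusions. Run elevated; a non-admin session
# cannot read the exclusion list.
$mbDir = 'C:\Program Files\Malwarebytes\Anti-Malware'
$drv   = 'C:\Windows\System32\Drivers'
$wanted = @(
    "$mbDir\mbamservice.exe", "$mbDir\MbamPt.exe", "$mbDir\mbam.exe",
    "$mbDir\assistant.exe", "$mbDir\MBAMWsc.exe", "$mbDir\mbamtray.exe",
    "$drv\mbam.sys", "$drv\mwac.sys", "$drv\mbamchameleon.sys",
    "$drv\mbamswissarmy.sys", "$drv\mbae64.sys", "$drv\farflt.sys"
)
$configured = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ }

$audit = foreach ($p in $wanted) {
    [pscustomobject]@{
        Path     = $p
        OnDisk   = Test-Path -LiteralPath $p
        # Exact-path match, case-insensitive. A folder-level exclusion that
        # covers the file still shows False here.
        Excluded = $configured -contains $p
    }
}
$audit | Format-Table -AutoSize

# Add only exclusions whose target file exists, so no exclusion is left
# pointing at a path that nothing legitimate occupies.
$audit | Where-Object { $_.OnDisk -and -not $_.Excluded } |
    ForEach-Object { Add-MpPreference -ExclusionPath $_.Path }

# Report configured exclusions whose target is missing (or uses wildcards);
# after an uninstall these can be dropped with Remove-MpPreference -ExclusionPath.
$configured | Where-Object { -not (Test-Path -LiteralPath $_) } |
    ForEach-Object { "Stale exclusion: $_" }
```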


@happypuppy  Good luck!  I'm really glad to see @firefox to the rescue too - thanks for that!

I'm really sorry to hear you had to go through so much rebuild work.  I'm just going to share a couple of observations thus far.

- On a new build, when I install MBAM, I go ahead and tell Windows Defender to exclude MB 3's folder before I do anything else.  I then reboot and tell MB 3 to ignore Windows Defender's folder(s)...then reboot to make 100% sure those changes stick

- If an update brings my particular problem back, the first thing I do is uninstall and reboot.  Next I check C:\Windows\System32\drivers\ for mbae64.sys; if it's there, I try to delete it.  Then I run the MB-clean tool here and reboot.  If mbae64.sys was in that folder, and it's still there after the reboot, then I try to delete it again.  This is where it gets a bit of a mess...if I can't delete this file, I let the 'Try Again' / 'Cancel' message stay up and reboot the computer.  That apparently caused my machine to kill the file, last time.  Once mbae64.sys is gone, I can install the latest MB 3 normally.

- If the update blows away my license key (which also happened recently), I don't mess around with troubleshooting or trying to re-apply because I got the 'license key is expired' message.  I just repeat the above uninstall/reboot/delete/clean/reboot/reinstall process again.

Hopefully none of this will be a problem in the next few releases...'til then, I hope this helps.


Thank you both for your comments:). I'm going to post here because I didn't get any comments on my separate thread. I installed the full Malwarebytes 3 on my mom's reinstalled Win 7 system, and it works flawlessly. No conflicts, no issues. She doesn't have Office 365 tho, she still uses Office 2010, which is a standalone system. This tells me that the problem is definitely in Windows 10 or Msft Office 365. 

After tons of further research into my very varied bluescreens, I think I solved the entire problem. I found it here:
https://answers.microsoft.com/en-us/windows/forum/windows8_1-hardware/cryptographic-services-failed-while-processing-the/c4274af3-79fb-4412-8ca5-cee721bda112 

The 2nd post outlines the solution, and while this solution appears in many different articles and forums, this one explains exactly why it works and how to make it work. Essentially, it's taking YOUR OWN numerical descriptor for NT Authority/Service and adding it to the MSLLDP descriptor (via sc sdset MSLLDP).

This, and shutting down the Verifier that I forgot I had turned on last week, completely and utterly fixed all my issues in Event Manager. 

So my 'fix' was
1. add exclusions for all of Malwarebytes processes to Defender. Added exclusions for Defender in Malwarebytes. 
2. Make sure Verifier is off if you turned it on.
3. added NT Authority/Service to the MSLLDP descriptor


This allowed Win 10, Office, Malwarebytes to work together. 

I am so curious why Windows 10 did not automatically include this setting, and I can't seem to find the answer to it. I thought perhaps it may be a dangerous setting but then why wouldn't they 'fix' the issues that omitting it creates? 

I decided to do it because NT Authority\System and NT Authority\Interactive already have ownership of the MSLLDP, just no access to Service, which makes the system error and bluescreen repeatedly.

I did not install the Malwarebytes beta for the DCOM, the above already fixed the DCOM. Unless Malwarebytes released a fix in an update I didn't know about. Either way, it's all working! 

Winter,
I checked my windows\system32\drivers and not only is mbae64.sys there, so is mbam.sys, MBAMChameleon.sys, MBAMSwissArmy.sys. Why don't I want these files in my System32? I don't understand where they should be if not there? 
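
A way to review a service DACL before and after an `sc sdset` change like the one described in the post above, as an added PowerShell example that is not from the thread or the linked Microsoft post. The SDDL string in it is constructed for illustration and is not the real MSLLDP descriptor, and the function names are hypothetical.

```powershell
# Added example (not from the thread): list what each ACE in a service DACL
# grants, so an `sc sdset` edit can be reviewed and rolled back.
$ServiceRights = [ordered]@{
    0x00001 = 'QUERY_CONFIG';   0x00002 = 'CHANGE_CONFIG'
    0x00004 = 'QUERY_STATUS';   0x00008 = 'ENUMERATE_DEPENDENTS'
    0x00010 = 'START';          0x00020 = 'STOP'
    0x00040 = 'PAUSE_CONTINUE'; 0x00080 = 'INTERROGATE'
    0x00100 = 'USER_DEFINED_CONTROL'
    0x10000 = 'DELETE';         0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC';      0x80000 = 'WRITE_OWNER'
}

function ConvertTo-ServiceRightName([int]$Mask) {   # hypothetical helper
    ($ServiceRights.GetEnumerator() |
        Where-Object { $Mask -band $_.Key } |
        ForEach-Object { $_.Value }) -join ','
}

function Get-ServiceAce([string]$Sddl) {            # hypothetical helper
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Type   = $ace.AceType
            Sid    = $ace.SecurityIdentifier.Value
            Rights = ConvertTo-ServiceRightName $ace.AccessMask
            # CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER let the holder reconfigure the service
            Risky  = [bool]($ace.AccessMask -band 0xC0002)
        }
    }
}

# Constructed SDDL for illustration only; it is NOT the real MSLLDP descriptor.
$sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;LCRP;;;SU)'
# On a live system, read the current value and keep a copy for rollback:
#   $sddl = (sc.exe sdshow MSLLDP | Where-Object { $_.Trim() }) -join ''
#   Set-Content -Path .\MSLLDP.sddl.bak -Value $sddl

$aces = Get-ServiceAce $sddl
$aces | Format-Table -AutoSize

# S-1-5-6 is the well-known SID of NT AUTHORITY\SERVICE (SDDL alias SU).
$svc = $aces | Where-Object Sid -eq 'S-1-5-6'
if ($svc) { "SERVICE ACE present: $($svc.Rights)" } else { 'No ACE for NT AUTHORITY\SERVICE' }
if ($aces | Where-Object { $_.Risky -and $_.Sid -ne 'S-1-5-18' }) {
    'Review: a non-SYSTEM ACE grants CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER'
}
```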


Wow!  That solution is a deep-down clean - I'm impressed. (I'm Microsoft Certified, a former developer, and just spent last year rolling O365 out to 3,000+ people and training folks on it--so that's an expert endorsement!).

Let me clarify my statement about mbae64.sys, because that *could* really confuse people--sorry about that!

What I was referring to is that if I have to uninstall MB3 and reinstall it, sometimes the installer doesn't delete mbae64.sys.  Then when I go to reinstall, the installer chokes because it can't overwrite the file that's there.  Some people delete or rename the file, but sometimes you can't do that either because Access Denied (and crazy amounts of problems trying to change that or take ownership).

So, the ONLY circumstance in which I wanted mbae64.sys out of the folder, is when I'm trying to install MB 3 anew, and the installer is trying to put its own mbae64.sys in there...because apparently the old one wasn't tidied up.

Hope that clarifies!  Glad to hear you were able to solve the problem.

~Winter


So far so good, no more errors or issues:)! I'm going to copy my 'solution' over to the new thread so I'm not saying the same things on both, and also addressing your very good question about 32 vs 64 bit install... because I think that actually may have been part of the problem!! 

Thank you for the kind words. I'm just a housewife with no computer training at all. The difference is, I simply don't give up on problems til they are solved. By now however, I think I can fix any computer issue, hardware or software, even if I don't always understand the reasons for the problems:). Rawr! 
