Hello all:

Last week I did a brand-new, clean system build with Windows 10 Professional 64-bit. I put Malwarebytes 3.0 on it. When I ran a full scan, Malwarebytes decided there were some system components core to Windows that it felt needed quarantine. (INFO: I'm extremely proficient with Windows, having worked in IT for 25 years in a lot of areas.) After verifying these files were valid and correct, I told it to exclude those items from quarantine and went on about my business.

A couple of days later, I turned on my system and Windows Defender went nuts, saying it had been disabled and needed to be re-enabled.  Only...now I couldn't do that because the entire machine had ground to a halt.  Trying to open items might take as long as 10 minutes to respond.  If I disabled MB 3, the system was usable but slow, and I still couldn't re-enable Windows Defender - attempting to access the interface would freeze the program and it wouldn't respond at all.

I thought there might be a way to 'repair' Windows Defender, but couldn't get my hands on it to do so.

Using System Restore to roll back a day put me back into a usable state...but again with Windows Defender broken, and then everything ground to a halt again on my next reboot.  Going back 2 days, same story.

So I did a clean install of just the OS and MB 3.  Nothing got flagged in the scan, Windows Defender didn't break, but again the machine got painfully slow...unless I disabled MB 3.

I've removed MB 3 completely, from an uninstall followed by running your removal tool.

I'd like some advice on how to be able to get MB 3 to work alongside Windows' built-in security, like it used to with a cocktail of MBAM & MBAE separately.  I'm willing to work with you, just let me know what would best diagnose & fix the problem.  Windows Defender is too deeply embedded in the OS for me to put up with the potential nags and issues surrounding disabling it and just using MB 3.

Thanks,

Winter


  • Staff

Hello Winter and welcome to Malwarebytes.

My first concern is your first comment that legit files were flagged - I would have liked to have known exactly what files were flagged and what they were flagged as. Sadly, those logs would now be gone after uninstalling the software. :(  Do you recall if you had rootkit scanning enabled when you did the scan?

Try adding these files to Defender's exclusions list:

C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Restart the computer - any improvement?


Thanks Ried!

I know - about halfway through my reinstall I realized, "I didn't save any logs!"  Aigh.  So...I know my first scan had everything including Rootkits enabled in the scan--that's just a habit I have and I'm glad the new MB 3.0 lets me do all those scans in one.

So, that said, I'll try your suggestion when I get home tonight.  It'll involve me running a backup and system restore checkpoint, then installing MB 3, rebooting, crossing my fingers, and then trying the above with a restart, but I'll post back here as I get results.  This time, if I get false positives like last time, I can post that info here, now that I've got an account set up. :)

Thanks for the suggestions!  Fingers crossed.


Good question Ried!  But no, I do not.  Heck, it's been a long time since Roxio anything and I were on speaking terms. :P

At the time of the awfulness, I had:

Windows, MB 3.0, Office 365 (64-bit),

Intel's basic utils (RapidStorage, Chipset Utility) and its advanced ones (Turbo Boost, Xtreme Tuning Utility).

Various ASUS utils supporting motherboard and video cards, Razer (Synapse, Comms, Cortex), nVidia (GeForce Experience).

Steam with GTA V, Arkham Knight, and Tom Clancy's The Division

Alienware utils*

It should be noted that although some of the Intel/ASUS stuff *can* be used for overclocking, I had done no such thing.  I wanted to run with the system as vanilla as possible for a while.  This current rebuild left all the ASUS tools & crap off except GPUTweak II and Aura lighting controls.

But! So far....so good?  I did the following:

1) Install MB 3.0, put your above files in Windows Defender's exclusions list. Add C:\Program Files\Windows Defender to MB 3.0's exclusions list (yes, I did one extra and went tit for tat on the other side of this conflict).

2) Reboot

3) Run a full MB 3.0 scan. 

a) It comes up with one file that I'm used to excluding - I stash a copy of ProduKey in my OneDrive share because sometimes I gotta check which license key is on what machine for whatever product.  MBAM and MB 3.0 smartly recognize that this thing could be used to drill deep into the OS, so I tell MB 3.0 "It's okay, this guy's on the guest list." 

b) I also decided to deliberately try to trip the breaker by turning on all of the real-time protections with zero startup delay, but told it to notify me instead of quarantining.

4) Reboot

5) Run a Windows Defender Scan

So far, nobody's butted heads. 

I'm willing to go out on a limb though.  If you want me to try different settings and see if I can replicate that issue, I'll give it a go.  I've got Restore Points, a Reflect image, and some extra curiosity if it'll help avoid anyone else getting the awfulness.

*Alienware....this is not an Alienware machine.  Anymore.  I used my Area-51 ALX case and did a complete upgrade while retaining the case's MIO board that controls Active Venting, Thermal Controls, etc.  Hardware specs on p.18 of the attached PDF.


Area-51-AlienTransplant.pdf

  • Staff

Hi Winter :)

Can you enable Event Data Logging via Malwarebytes Settings > Application tab?

Restart the machine then wait for the issue with Exploit to reproduce, then kindly send me the mbamservice.log located in the following folder:

C:\ProgramData\Malwarebytes\MBAMService\logs

Many thanks for your time.


Okay, new change.  Got the same pop-up this morning, and clicking "Turn On..." does nothing.  However, clicking the "Settings" prompt in the pop-up takes me to settings and shows that only the Exploit Protection isn't started.  I click to turn it on, it goes into "Starting..." and never gets there.  But it also doesn't act like things are all green at the main screen of the dashboard anymore; now it says "You're not fully protected".

Is there a problem with the service or executable that is the Exploit Protection component?  Maybe it's butting heads with another startup item or getting stopped internally somehow?

New log attached for you.


MBAMSERVICE.LOG

  • Staff

Hi Winter,

I'd like to see the services that are loading and the paths they are using to call the needed files.

This next scanner will not make any changes to your machine on its own, nor will it divulge any personal information that may compromise your security.

Please download Farbar Recovery Scan Tool from here http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to your desktop.

Note: You need to run the version compatible with your system.

• After you click the Download Now 64-bit, or the Download Now 32-bit, another page will open — DO NOT CLICK ANY ADDITIONAL 'download now' buttons, just wait and look toward the bottom of your browser for the option to Run or Save. Click Save.

• Double-click to run it. When the tool opens click Yes to the disclaimer.

Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway.

• Click the Scan button.

• When the scan has finished, it will save 2 logs in the same directory the tool was run from. Please attach the following logs:

Addition.txt

FRST.txt



Correct! :) Most of the time if I open the Dashboard it's green and says "you're protected" even though if I drill down into Settings it tells me that Exploit Protection is off.  I can turn it on and it'll say "Starting..." and when I did that last night it didn't actually appear to get anywhere.  Then I'll still see the icon in the tray with the red warning and it'll say 'Protection Disabled'.  Reboot and we get the same yellow pop-up that says Protection is disabled.

Hope this helps!  If I get a chance to, I'll take a video of the behavior so you can see the steps.

~Winter

  • Staff

Thanks for the video. :)

Since it is clearly 'off' in the Dashboard, but I see it as Running in the FRST.txt, do you mind if we do 2 more 'checks' on this just to confirm the true state?

1. Open elevated command prompt by pressing Windows Logo key and the letter 'X'. Select Command Prompt (Admin)

Type in the following:

sc query esprotectiondriver

What does it say? Is it Running or Stopped?

2. Download and run the MBAE test tool. You'll find the download link in this post https://forums.malwarebytes.com/topic/139368-how-to-verify-that-mbae-is-working-correctly/#comment-770968

Did that perform as explained in the instructions?

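Both of Ried's checks, the Defender exclusion list suggested earlier in the thread and the `sc query esprotectiondriver` state check just above, can be scripted so that the result is recorded and can be reviewed later. The following PowerShell is an added example, not code from Malwarebytes or from anyone in this thread. It assumes Windows 10 with the built-in Defender PowerShell module (Add-MpPreference, Get-MpPreference, Get-MpComputerStatus), an elevated prompt, the default Malwarebytes install folder from Ried's list, and the `esprotectiondriver` service name used above.

```powershell
# Added example (not Malwarebytes' or the forum's own code). Applies the Defender
# exclusions from Ried's list, shows what is excluded afterwards, and reports the
# state of Defender and of the Malwarebytes anti-exploit driver after a restart.
# Assumes Windows 10 with the Defender PowerShell module and an elevated prompt.
#Requires -RunAsAdministrator

$mbDir = 'C:\Program Files\Malwarebytes\Anti-Malware'   # default install folder (assumption)
$mbExecutables = @(
    'MbamPt.exe', 'mbam.exe', 'assistant.exe',
    'MBAMWsc.exe', 'mbamtray.exe', 'MBAMService.exe'
)

# Only exclude files that actually exist; a mistyped name would otherwise leave a
# dangling exclusion that nobody remembers adding.
$paths = foreach ($exe in $mbExecutables) {
    $full = Join-Path -Path $mbDir -ChildPath $exe
    if (Test-Path -LiteralPath $full) {
        $full
    } else {
        Write-Warning "Not found, skipping: $full"
    }
}

# Defender distinguishes path exclusions (the file itself is not scanned) from process
# exclusions (files opened by that process are not scanned). Ried's advice is about the
# files, so path exclusions are used, and kept to exact paths rather than the folder.
if ($paths) {
    Add-MpPreference -ExclusionPath $paths
}

# Print the resulting list so the change is auditable.
$prefs = Get-MpPreference
'Defender path exclusions now configured:'
$prefs.ExclusionPath | Sort-Object | ForEach-Object { "  $_" }

# After the reboot: is Defender itself still enabled and running?
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AMServiceEnabled          = $status.AMServiceEnabled
}

# The anti-exploit component is a kernel driver, which Get-Service does not list.
# Win32_SystemDriver reports the same Running/Stopped state that `sc query` shows.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'esprotectiondriver'"
if ($null -eq $drv) {
    'esprotectiondriver: not installed'
} else {
    'esprotectiondriver: state={0} startMode={1} path={2}' -f $drv.State, $drv.StartMode, $drv.PathName
}
```

Each exclusion is a blind spot for Defender, which is why the script limits itself to the six named executables instead of the whole Malwarebytes folder, skips any that are missing, and prints the final list: if the slowdown or the broken Exploit Protection persists, the exclusions can be compared against that output instead of guessed at. The driver check is deliberately read-only; it reports the State that `sc query` printed as RUNNING or STOPPED, so a Dashboard that says "off" can be compared with what the kernel actually has loaded, exactly the mismatch Ried is trying to pin down.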

Okay, first the elevated command prompt (attached); next I'll run that tool and reply shortly.

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>sc query esprotectiondriver
SERVICE_NAME: esprotectiondriver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

MB3-statuscheck.jpg


Okay, step 2:  before I ran this, the MB 3 Dashboard said "Awesome! You're Protected" and Exploit Protection shows as On in Settings--> Protection, but Off in the right-click menu of the tray icon, and the tray icon still has the red flag and 'Protection Disabled' in the tooltip on hover.

1) Run MBAE-TEST as Administrator

2) Use the buttons in MBAE-TEST as directed in your link.

a) click Normal:  Calculator opens

b) click Exploit: Calculator opens, the window I launched MBAE-TEST from is closed and MBAE-TEST.exe is killed in Process Explorer.

3) At no time do I see either mbae.dll or mbae64.dll in Process Explorer, though I do see MBAE-TEST when it's running and see it disappear when (Windows?) swats it down.

4) No response from MB 3 during any of this.  Nothing in the Event Viewer that might indicate the activity was logged.  Nothing quarantined by Windows Defender.  Nothing quarantined or flagged as 'Detected' by MB 3...


  • Staff

Thanks, Winter.

In Process Explorer, run as Administrator, click the Find icon up top and click DLL or Handle, then type in mbae.dll

Does it list out anything?

If not, exit Malwarebytes via the system tray icon. Wait about a minute for the mbamservice to unload, then re-launch Malwarebytes from the desktop icon.  Does the Anti-Exploit protection start now?



Okay, running the above test twice, searching specifically for mbae.dll and then during the second run, for mbae64.dll, came up with nothing.

Exited Malwarebytes, waited 2 minutes.  Re-launched and it was in the same state:  Protection pop-up shows, this time the Dashboard says "You're not protected!" and drilldown to the Settings shows that Anti-Exploit Protection isn't started.


  • Staff

Hey Winter,


My name is Ron and I want to assist you further with the anti-exploit side of things. I want to have you collect a log for me from this location:

C:\ProgramData\Malwarebytes\MBAMService\mbae-default.log

This log gives me more information just on the anti-exploit side so it should help me figure out why your protection is not starting.

