Anti-ransomware layer bogs down formatting

[gman68w]

I was formatting a MicroSD card, and it was taking an awful lot longer than usual. I opened up the thing I use to track resource hogs, and sure enough, MBAM.exe was bobbing up and down to and from about 6% of total core usage. One by one, I disabled each layer of protection. The highlighted area is where I disabled the Anti-Ransomware layer. The formatting picked up speed after that. Now, since that was the last layer to be disabled, I don't know if it was that layer of realtime protection specifically, or just that any of them at all were running. 

[Aura]

Just by curiosity, was Process Lasso running at the same time? If so, can you exit it, re-enable the Anti-Ransomware module and format your MicroSD card again? See if it's faster that way.

[gman68w]

That's not the way Process Lasso works. And I did say that the boost came after disabling the protection layer. That would point more towards MBAM than PL.

Edited February 1, 2017 by gman68w

[bitsum]

The compatibility issue with Process Lasso and MB Anti-Ransomware (the only known problem) was fixed many months ago and will not return. We also do no hooking at this file-system or device layer, so are doing nothing in that area.

Analysis of the issue did show that MB Anti-Ransomware has a relatively 'heavy' footprint on some of it's low-level hooks.

Now, Process Lasso (again, this is no longer the case), was calling OpenThread with an unusually high frequency, but not an absurd frequency, the CPU should have been able to handle it. Still, that was fixed. We literally do not call that API anymore, gathering the thread status from prior enumerated information we have.

What I am saying is that if Process Lasso had this issue, then other software might. I mean, if an app performs great in a virgin system, a developer passes it on... but then if MBARW is installed and the performance changes, then, well, surprise!

Again, Process Lasso's issue was resolved months ago, and if any evidence exist of an issue with it an MBARW, I would love to hear more (because we test with it now).

I am saying this so nobody assumes this user's use of Process Lasso is the issue. As he shows, the issue goes away with Process Lasso continuing to run. 

p.s. Thanks for being a Process Lasso user

Edited February 1, 2017 by bitsum

[Aura]

I was just wondering. I don't know how Proccess Lasso works, so if it had some kind of real-time monitoring, it could have been another issue with the Anti-Ransomware module, but it looks like it isn't.

[AdvancedSetup]

Actually, if you would be so kind @gman68w and run the following, then restart the computer and retest formatting the card and let me know if that helped any or not.

 

 

1. Open a CMD Window as an Administrator on the target server and enter the following commands:

 

• cd %windir%\system32\
• lodctr /R
• cd %windir%\sysWOW64\
• lodctr /R

 

    Note: This should not affect performance on the machine. This command resyncs the counter values.

 

2. Open up Regedit and navigate to the following registry key:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfProc\Performance

 

3. Make sure that the value (if it exists) for the Disable Performance Counters is not 1.  If the entry does exist and the entry is 1, change it to 0 or delete that entry within the key.  ** PLEASE NOTE ** make sure you contact your system administrator before making changes to the registry, and make sure that you back it up before you delete it.

 

4. Restart the Windows Management service.

 

Note: After completing the Microsoft instructions, a reboot is required.

 

 

[bitsum]

18 hours ago, Aura said:

I was just wondering. I don't know how Proccess Lasso works, so if it had some kind of real-time monitoring, it could have been another issue with the Anti-Ransomware module, but it looks like it isn't.

It is no problem, and since there was a former incompatibility, it was prudent to ask about. Certainly the user should try w/o Process Lasso, to be safe. It just doesn't operate near any of this disk-level or file-system stuff, and the prior GUI (only) bug was fixed in absoluteness, so I'm pretty confident on it - but to be 100% would be arrogance, so don't take anything off the table.