Cannot open programs


Hi there,

It seems like a coincidence. But, I have 2 users who have the same issue whereby they cannot open any programs on their machines and they're having to hard reset the computer because it gets stuck shutting down/restarting.

Event logs show that there is no virtual memory available, which I suspect is causing problems with opening programs.

This has only started appearing since the rollout of MBIS.

Is this something you're aware of?

I will be uninstalling MBAM from these 2 PCs shortly.

Are scan locations, child process and sonar all set to ignore our processes? The interference is most likely happening to mbamservice.exe, which runs the real time engine. You can also isolate which portion of the real time is involved by either turning off the web blocker or the malicious file portions in your policy and see how the machine reacts.

I'm curious though, even with SEP, could you check the task-manager of an affected machine and see if msmpeng.exe is running?

Several of our users are experiencing the same issues.  Users first notice it when they go into File Explorer to access their network drives, then see a green bar loading at the top of the window and no drives show up.  If they try to use a program such as command prompt, the program won't load; and when users try to restart their computers, it gets stuck in the restart screen with a spinning circle.

Several users are experiencing this and have to force shut down their computers to fix the issue.  I was able to target the issue down to Malwarebytes by uninstalling the Malwarebytes software on one of our Windows 10 computers and leaving it on another (both were having the issues above).  The computer without Malwarebytes stopped having the issues while the other continued to have the issues.  I just recently reinstalled the software after the Windows 10 Creator's update, but the computer started having issues again the next day.

We use Symantec Endpoint Protection along with our Malwarebytes Endpoint Protection (Malwarebytes Anti-Malware + Malwarebytes Anti-Exploit for Business)

kieferschild - Users have local administrator rights on the computers that are having issues.  I'll be curious to see if adding those two folders to your exclusion list helps.

djacobson - Computers with and without user logon scripts are both having issues.  Do you want me to try disabling the web blocker on Symantec after the computer is affected or before?  I prefer to keep the web blocker on and try to disable it after the computer has the issue.

djacobson - Should I try adding mbamservice.exe to our list of exclusions within our SEP policy?

I tried turning off the Website Blocking on a computer while it was having the issues but the issues remained.  I went into Task Manager and tried force closing mbamservice.exe, but that made the issues much worse and froze up the computer.  I’ll try adding mbamservice.exe to my list of exclusions within Symantec.

Also to answer a question you asked earlier:

On 4/11/2017 at 4:45 PM, djacobson said:

I'm curious though, even with SEP, could you check the task-manager of an affected machine and see if msmpeng.exe is running?

On an affected computer and a non-affected computer, msmpeng.exe was not listed within Task Manager under the Details tab.

Thanks for checking, I just wanted to make sure you guys weren't getting hit with the MS product conflict. Defender is a difficult program to disable, there's a chance it is running under an svchost.exe entry instead of on its own. One can check services.msc for the Windows Defender service state as well.
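
The check described in the post above, as an added example that is not part of the original thread: a PowerShell script that reports whether the processes named in this thread are running and which process hosts the Windows Defender service. It assumes the standard service name `WinDefend`; the variable names are illustrative.

```powershell
# Added example: run in an elevated PowerShell prompt on the affected machine.
# Process names are taken from the thread (written without the .exe suffix).
$processNames = 'MsMpEng', 'mbamservice'

$procReport = foreach ($name in $processNames) {
    $p = Get-Process -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Process = "$name.exe"
        Running = [bool]$p
        PIDs    = ($p.Id -join ',')
    }
}
$procReport | Format-Table -AutoSize

# Assumption: WinDefend is the service behind the Windows Defender entry
# shown in services.msc.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'"

if ($null -eq $svc) {
    'WinDefend service is not registered on this machine.'
}
else {
    # Win32_Service exposes the PID of the hosting process, so the service
    # can be found even when it does not appear under its own image name.
    $hostProc = if ($svc.ProcessId -gt 0) {
        Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Service    = $svc.Name
        State      = $svc.State
        StartMode  = $svc.StartMode
        HostPID    = $svc.ProcessId
        HostImage  = if ($hostProc) { "$($hostProc.ProcessName).exe" } else { '(not running)' }
        BinaryPath = $svc.PathName
    } | Format-List
}
```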

 

Adding mbamservice.exe to the exclusion list didn't help as one of the affected computers had issues this morning.  Another user reached out today and said they were having the green bar loading bug in File Explorer, resulting in another hard shutdown to fix the issue.

 

@kieferschild @BenCunn can I have you guys run these tools?

Step A – Malwarebytes Client Log Set
On the client go to C:\Program Files (x86)\Malwarebytes' Managed Client and run the tool CollectClientLog.exe. Attach the folder it generates.

Step B – Malwarebytes Check Log
Please download and save our diagnostic tool, mbam-check.exe, to your desktop from this link.

Malwarebytes Check Tool

Double-click mbam-check.exe to launch the tool. A black command prompt window will briefly appear, and then a log file will open. The log which opens will be saved to your desktop as CheckResults.txt.

Step C – frst Log
In addition to the check logs, I would like to have you run a tool known as frst. frst will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run frst.

1.) Please download frst and frst64 from the link below and save it to your desktop:

frst 32 Bit
frst 64 Bit

Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
3.) Click the Scan button
4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt.

Please attach MBMC Client log, CheckResults.txt, frst.txt and Addition.txt in your reply.

 

@djacobson

I got on the PC and started the log collect but Explorer crashed. I then started a restart and it hung.

I disabled all Malwarebytes protection via the console and it got a little further but ultimately the PC had to be hard reset.

Logs should be in your inbox.

I'm reinstalling Malwarebytes and Symantec now as I did with the previous PC.

I've had a call from another customer who cannot open Outlook.

It started in safe mode with no problems and it also starts up when I disable the Symantec add-on.

They've only recently just had Malwarebytes installed too.

I tried to log collect and explorer crashed. I tried restarting the process but the PC has hung.

It's starting to get annoying now.

Try going in to the Malwarebytes AntiExploit Software

Not sure on Business Version but try to find Settings\Protection and click on Manage Protected Applications and turn OFF protection for any applications you cannot run.

This is the only thing that worked for me on a system with Symantec Endpoint Protection (Version 14 and 14 MP1).

We could not get Chrome, Firefox, or Adobe Acrobat Reader to run.

This change is the workaround until they release an update.

@djacobson

The PCs which had MBAM Protection disabled have so far not had any problems.

I've had a call from someone who has it enabled and they're unable to open Microsoft Dynamics NACV 2016 (process name is Microsoft.Dynamics.Nav.Client.exe).

I've set this PC to disable protection and it still won't open. I've tried to do some troubleshooting but as always, Explorer and Task Manager are not responding.

My only option is going to be to reboot this PC.

Could I have you test if it is possibly the anti-exploit side? There's been a blow up on the mbae product that IE is not able to be used, I'm wondering if this is more of what you're experiencing since disabling mbam is not working in your recent tests.

We could watch what's happening with Procmon but in order to save the recording, the machines have to be able to recover without a hard reboot.

Hi Dyllon,

The computers which have got MBAM disabled have not had the issue with opening programs. The PC I reported had it enabled and I've had to hard reboot the computer to get it working again. Today I have an issue with a different PC where Internet Explorer will not load correctly but Firefox will. I have tried to run Procmon but it won't load. I assume Malwarebytes is stopping this too. I just disabled MBAM on this PC and saw Task Manager activity increase a lot then stop. Now Windows Explorer has stopped responding so I've had to kill the process and bring it back up. I enabled MBAM again and I reset IE via IE Options. I also deleted temp files etc. and IE opens properly now. Not sure if it was Malwarebytes or just IE.

You mentioned that MBAE had "blown up" - do I need to disable this for my customers?

Can you tell me if the issues I'm having are solely Malwarebytes or is it because it's clashing with Symantec?

Reason I ask is, we're moving our customers to ESET and if it's a clash then I can move them to ESET right away.

I may have spoken too soon. The user is unable to browse "This PC" to show network drives or local drives. I've tried to log in as administrator but it just hangs "loading windows".

Unable to do anything on this machine really so I've had to reboot it. And guess what happened when I told it to reboot? It hung. Had to force reboot the PC.

Can we resolve this? Client getting frustrated, I'm too busy to keep dealing with this with no resolve. Disabling MBAM is not an option. Only other option is to remove Malwarebytes and discontinue using it elsewhere.

 
