MBAE 1.09.2.1384 is responsible for the blank IE loading. The 1.09.2.1398 build released by the MBAE program manager on this post has been shown to fix that issue - https://forums.malwarebytes.com/topic/199801-mbae-10921384-internet-explorer-11-latest-updates-random-freezes/?do=findComment&comment=1121614

The most recent conflict that caused Windows to lock up involved Defender, SCEP and MSE. If you do have one of these products in use, it will require a special ignore list to be used. That list is here if needed - https://forums.malwarebytes.com/topic/190771-malwarebytes-and-microsoft-security-essentials-conflicts/?do=findComment&comment=1100493

SEP has not shown any of that behavior, but it is always a good idea to set up mutual exclusions between security programs. The recommended SEP setup is with child process, Sonar and scan locations disabled for Malwarebytes processes. Here’s a video to follow – http://screencast.com/t/KN5dU7wPVZ11

 

Here are the file locations to copy:
C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamhelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamhelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbampt.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbampt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae64.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Windows\System32\drivers\mbam.sys
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamnet.dll
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamcore.dll
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.new
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.new.yaml

 

Edited by djacobson
spelling

Dyllon,

Your reply is great, but it fixes a different issue for one affected user. What about the original problem posted?

I've got several machines with MBAM protection disabled as per your suggestion and they have not had any issues.

What do I do now?

For reference of the thread, I have changed MBAM Protection startup to delay by 30 seconds and I've updated MBAE to version 1.09.2.1398.

I have also enabled MBAM protection on the 4 computers so all machines on the network are running the same policy of MBAM.

@djacobson Will this topic continue to be updated after converting it to a case?  I'm still having the same issues as Kieferschild and am at the point that I'm removing the live MBAM protection like Kieferschild has done on several computers, in order for the computers to work correctly.

@Bencunn I will keep you updated.

The last thing Dyllon said to me was this:

Quote

There are three pieces to Anti-Malware's real time: the file blocker, the web blocker and the whole engine itself. Each can be disabled to test which portion is causing the problem; that itself can help narrow it down greatly.

Our command line can help with the testing.

Tool location:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi

Enable / Disable web blocker:
mbamapi /protection -enable ip
mbamapi /protection -disable ip

Enable / Disable file blocker:
mbamapi /protection -enable fs
mbamapi /protection -disable fs

Enable / Disable entire realtime engine:
mbamapi /protection -start
mbamapi /protection -stop

If you have access to taskmgr still during the lock ups, you can kill the real time engine process, mbamservice.exe.

 

I have also partially replicated the problem on my own computer.

If I go to task manager and kill MBAMService.exe, the symptoms are exactly what is happening, minus the immediate lock up.

This does not happen if I stop it via CMD or services.

Do you think it could be an issue with this process starting up?

@BenCunn I'm running ESET instead of Symantec now so it's not the same test.

Could you enable protection on one of the PCs and change the startup delay from the console to say 90 seconds?

@kieferschild I appreciate the updates.

If I open task manager and stop MBAMservice.exe it locks up my computer as you mentioned.

If I stop it via CMD it does not happen.

I've created another policy that has website blocking disabled and has a 90 second delay, and added a couple computers to it for testing.

mbamservice.exe is the whole realtime engine. If killing it causes the machine to lock up, the issue may not be caused by Anti-Malware's realtime engine at all; this points heavily to some other program that is interfering with mbamservice.exe. Whatever that other process is, is what we need to find. @BenCunn do you also use Kaseya?

I loaded a clean Windows 10 64-bit virtual machine that has Windows 10 and VMware tools installed on it (no Symantec or additional 3rd party software).  I then installed Malwarebytes and restarted the computer.  After that I opened Task Manager, stopped MBAMservice.exe and it still locked up.

1 hour ago, djacobson said:

@BenCunn do you also use Kaseya?

We do not use Kaseya.

15 hours ago, djacobson said:

This is a console managed build yes? And .Net 3.5 is enabled in Windows Features?

It's pretty much a fresh copy of Windows 10 (Creator's Update) on a VMware virtual machine.  When I installed Malwarebytes, the installer asked to download .Net 3.5 so I did that during the installation and it's enabled in the Windows Features.

14 hours ago, djacobson said:

 

Use the commands for now guys, I'll investigate the mbamservice piece.

 

@djacobson I appreciate your help and time spent to look at this issue for us.

Another update:

On a computer with live MBAM protection enabled (website blocking ENABLED and no delay set) I had issues this morning.  I noticed it when I was unable to run an installer for a .exe file, then I opened File Explorer and had the "green bar bug".  A full Symantec scan was run the day before.  I looked at the task manager (Ctrl + Shift + Esc) and saw that MBAMservice.exe was still running.  I tried the command prompt, mbamapi /protection -stop, but after hitting enter it got stuck and didn't go through.  I tried restarting and it got stuck as expected so I did a hard reboot.  I started up the computer, File Explorer was working again.  I opened command prompt, ran the command mbamapi /protection -stop and that worked correctly.

@BenCunn Dyllon told me yesterday that stopping the services via CMD whilst the problem is happening will not work. See his email:

 

Quote

I've come to find out from engineering that killing mbamservice.exe on the managed Malwarebytes will crash the machine, do not use this as a process for testing anymore. Bad advice on my part, I apologize. For the commands, don't use them when you are having the issue, set the computer to have web off, file on; another with web on file off before you start and see if the lockup happens accordingly.

You can also set this via policy, this way you can test populations of machines instead of one or two, and statistically the environment is much more likely to exhibit the behavior and show which realtime setup is part of the issue. Right click your main policy and make two copies of it. These two copies, we're going to set up the different realtime setups to test for which portion is the cause. Configure one policy one way and the other copy another way, assign machines to these policies and let them run. Let me know what you find out.

 

10 hours ago, djacobson said:

[Image: webofffileon.JPG]

Due to the news of the massive ransomware attack today, I changed all computers to move to the policy above.  I'm no longer testing the startup delay as I want to make sure computers have live protection.
