
self protection option



In the help it says:

  • Enable self-protection module: This setting controls whether Malwarebytes creates a safe zone to prevent malicious manipulation of the program and its components. Checking this box introduces a one-time delay as the self-protection module is enabled. While not a negative, the delay may be considered undesirable by some users. When unchecked, the "early start" option which follows is disabled.

What exactly does self-protection do?  When this option is selected, what malicious manipulation of the program and its components is actually prevented?  Shouldn't this be documented in the help?

Thanks
Bill


Greetings :)

Self-protection guards Malwarebytes' folders, files, processes and registry keys from being modified, deleted, terminated or otherwise interfered with via a self-protection driver (the same driver used by our Chameleon technology).  It's similar to the self-protection functionality offered by many antivirus and other antimalware applications and is designed to prevent malicious termination/deletion/modification/blocking of our data and processes.

It is documented in our online help guide, however it doesn't go into a lot of technical detail (this is deliberate as we don't want to tip off the bad guys to how our self-protection works as they might then be able to find some new way of bypassing it which we've not yet discovered).


14 minutes ago, BillH99999 said:

@exile360

I am still a bit confused.  You say it should guard against processes from being terminated.  I am able to quit Malwarebytes or uninstall the software without any problems.  Do you mean that it only prevents other software from doing these things?

Bill

Yes, that's it exactly.  Our own processes are whitelisted so they are still able to function normally, including exiting the software and uninstalling it if the user desires to.

To see an example of how it protects, you can try to terminate Malwarebytes' tray process "mbamtray.exe" using Task Manager.  If self-protection is active then it should keep the process alive and prevent Task Manager from killing it.


@exile360

OK so I tried to terminate the Malwarebytes tray process using Task Manager and I was unable to.  I do appreciate what the option is doing now.  Thanks for the explanation.

After trying to do that however, the process is now using 55% of the CPU and I am unable to start or quit Malwarebytes using the tray icon.  The only way I could get back to normal is by re-booting.  Is that the way it is supposed to work?  Of course that is better than having Malwarebytes maliciously altered and I won't be trying to terminate it from Task Manager again.  :D

 

Bill


Hmm, sounds like we may have inadvertently stumbled across a bug because that's definitely not supposed to happen (the 55% CPU usage and being unable to start/quit Malwarebytes from the tray).  I'll report this to the team immediately.

Anyway, thanks for your help.  It seems that in your quest for knowledge you've accidentally helped us find a previously unknown bug in our software.

I realize this is not at all your responsibility, but if needed would you be willing to help us troubleshoot this a bit more?  I'm just thinking that if you can easily replicate this behavior it might be helpful to us to gather a bit more info (crash dump from the process while it's using 55% CPU and perhaps some logs from the system might help us to more quickly track this down to get it fixed).  If not that's OK.  Our QA guys may be able to replicate it in-house.


@exile360

I would be happy to help if I can.  I haven't tried it again to see if I can replicate it.  It is bed time here so I'm done for the night, but I'd be happy to help out tomorrow if you need me to.  Just let me know if you want me to help and what I can do.  And just to clarify what I said earlier, I meant that I was unable to open or quit MB from the tray icon (it was of course already started).

Bill


Sure, no problem and thanks.  Your willingness to help is much appreciated :) .  I'll hold off on it for now as I'm still waiting to hear back from QA.  If they're able to easily replicate it in-house then we shouldn't need you to do anything else but we'll definitely let you know if we do end up needing your assistance.

Either way we're grateful to you for finding and reporting this bug to us and for your interest in our product that led to its discovery.


  • Staff

QA guy here!

So I'm unable to replicate this issue in both 3.0.6 and our upcoming 3.1.1 builds.

I see Windows properly blocking mbamtray.exe from being closed with an "Access is denied" prompt, and then exiting MBAM from the tray icon is working as expected.

First, please follow the instructions here and attach the logs and files mentioned.

 


  • Staff

Please reproduce the issue and then do the steps.  It will make finding what happened in MBAM's logs easier.

The other steps, like running mbam-check and FRST, are so we know what version of MBAM you are running and we can see your current settings and system info.

:)


@Jekko

OK... I tried to terminate the Malwarebytes Tray Application using Task Manager again and the same thing happened.  The CPU usage by the application spiked up to over 50%.  See screen image.  Also, I am unable to open MB from the tray icon.  All of the requested logs and reports are attached.

Bill

image1.jpg

MB-CheckResult.txt

mbae-default.log.zip

FRST.txt

Addition.txt


I just installed 3.1.2 and the same thing happens.  Ending the Malwarebytes Tray Application from Task Manager caused CPU usage to spike to over 66% and stay there.  I could not quit Malwarebytes from the tray application and had to re-boot.  Just thought you should know.

Thanks,
Bill


19 minutes ago, BillH99999 said:

I just installed 3.1.2 and the same thing happens.  Ending the Malwarebytes Tray Application from Task Manager caused CPU usage to spike to over 66% and stay there.  I could not quit Malwarebytes from the tray application and had to re-boot.  Just thought you should know.

Thanks,
Bill

 

Just a little curious and nosey. Why would you need to close MB in that way?


If you go back through the thread you will see that this method was suggested to me by exile360 as a way to test the self protection module.  I tried it just as a test and got the results I mentioned.  Support has been able to reproduce the problem.  I was just letting them know that the problem still exists in 3.1.2.  My guess is that they hadn't put in a fix for it yet in 3.1.2, but wasn't sure so I let them know.

Thanks,
Bill


27 minutes ago, BillH99999 said:

 I could not quit Malwarebytes from the tray application and had to re-boot.

Does that mean self-protection is keeping it from closing as I would think that is what self-protection is about? But I am not an expert.


@Porthos

I'm not sure I understood when I answered your question.  Normally I can quit MB using the tray icon without any problem.  Self protection does not inhibit this capability.  

The problem I had was that after trying to "kill" the MB Tray Application using task manager, I was no longer able to close MB using the tray icon and the CPU usage spiked up over 66%.  That is a bug that support said they were able to reproduce.  I think self protection will prevent closing of MB via task manager but it shouldn't put MB in a state where so much CPU is used and MB can't be closed.

Bill


The self protection module is enabled by default and I have to turn it off, it really burdens the whole computer, slows it down pretty much and spams the event log and slower boot and I have a pretty powerful computer. Takes a lot of CPU power. Is it really necessary to have it enabled? Mbam should do a pretty good job without it enabled?

Mbam 3.1.2.1733

Windows 10 Pro x64 1703 15063.296

Edited by Nerius

  • 4 weeks later...
On 5/10/2017 at 0:59 PM, BillH99999 said:

I just installed 3.1.2 and the same thing happens.  Ending the Malwarebytes Tray Application from Task Manager caused CPU usage to spike to over 66% and stay there.  I could not quit Malwarebytes from the tray application and had to re-boot.  Just thought you should know.

Thanks,
Bill

Was this ever fixed?

Thanks,
Bill

