Critical: Memleak/Overflow? (Windows 10 EDU 14393.1198 )(MBAM 3.0.6.1469/1.0.75/1.0.2060)


Hi,

I think there's a problem somewhere - the only changes I made today were uninstalling KB3150513 and KB4013214 to remove Win 10 Creator's update notifications on my main laptop for the time being.

Windows Defender is disabled through Group Policy, and I'm on the Education SKU.

ESET 10.0.390.0 is on my system - but I've never had a problem configuring MBAM and ESET together before. So I don't think there is a conflict with ESET.

The hard drive MbamService was reading and writing to was one of my storage hard drives in RAID0.

The service can be terminated and restarted.

MBAM initiated a scheduled Hyper and Threat scan - and that's when I ran into problems, when I was AFK and suddenly heard my laptop fans kick in... so I wondered why... and opened up resource mon.

05/31/17	" 22:33:30.762"	43562	06d4	14f0	INFO	AeShimImpl	AeShimImpl::MbaeStart	"AeShimImpl.cpp"	358	"MBAE started."
05/31/17	" 22:33:30.762"	43562	06d4	14f0	INFO	AEControllerImpl	mb::aecontrollerimpl::AEControllerImplHelper::StartProtectionImpl	"AEControllerImplHelper.cpp"	483	"Protection Started"
05/31/17	" 22:33:30.809"	43609	06d4	0d24	INFO	DriverCtrl	CDriverControl::StopDriver	"DriverControl.cpp"	690	"DriverCtrl stopped MBAMChameleon"
05/31/17	" 22:33:30.809"	43609	06d4	0d24	INFO	SPSDK	Uninstall	"SelfProtectionUser.cpp"	177	"SelfProtection driver was successfully removed."
05/31/17	" 22:33:30.824"	43625	06d4	0d24	INFO	SPSDK	Install	"SelfProtectionUser.cpp"	73	"SelfProtection driver was successfully installed. Path=<C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE>."
05/31/17	" 22:33:30.824"	43625	06d4	0d24	INFO	SPSDK	Install	"SelfProtectionUser.cpp"	109	"SelfProtection StartDriver was false - 1"
05/31/17	" 22:33:30.824"	43625	06d4	0d24	WARNING	SPControllerImpl	mb::spcontrollerimpl::ProtectedItemsHandler::Add	"ProtectedItemsHandler.cpp"	62	"Given path is already in the protected items list: Path = C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\, Type = Folder."
05/31/17	" 22:33:30.840"	43640	06d4	0d24	ERROR	SPSDK	SetGpIfeoProtection	"SelfProtectionUser.cpp"	606	"SelfProtection Failed add/remove hash LE=2 (0 - 1)"
05/31/17	" 22:33:30.840"	43640	06d4	0d24	ERROR	SPControllerImpl	mb::spcontrollerimpl::SPControllerImpl::InitGpIfeoProtection	"SPControllerImplHelper.cpp"	290	"Failed to Clear the driver hash list - status code = [11]."
05/31/17	" 22:33:30.840"	43640	06d4	0d24	INFO	SPControllerImpl	mb::spcontrollerimpl::SPControllerImpl::InitGpIfeoProtection	"SPControllerImplHelper.cpp"	326	"Protecting C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\assis



06/01/17	" 00:00:16.364"	5249171	06d4	0c14	WARNING	GalaxyRuleParser	mb::common::galaxyrules::SimpleRuleFileParserV2::Parse	"GalaxyRuleParser.cpp"	2964	"Unknown rule type encountered (37). Data may be missing or invalid."

...


06/01/17	" 00:00:33.327"	5266140	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::RootkitScanner::IsBootableDrive	"RootkitScanner.cpp"	2908	"Failed to Get partition info for \\?\Volume{61e6d2ef-7953-4f31-a58f-79cb7f701b78}\, ErrorCode=(4294967295)"
...
...
06/01/17	" 00:00:33.343"	5266156	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::RootkitScanner::IsBootableDrive	"RootkitScanner.cpp"	2908	"Failed to Get partition info for \\?\Volume{9acb6671-56fe-46cf-ad46-6503f91c3d21}\, ErrorCode=(4294967295)"

06/01/17	" 00:00:33.343"	5266156	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::RootkitScanner::IsBootableDrive	"RootkitScanner.cpp"	2908	"Failed to Get partition info for \\?\Volume{df8b59e8-9ff4-11e5-9e13-cc3d826bf4c1}\, ErrorCode=(234)"
06/01/17	" 00:00:33.358"	5266171	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::ScanLocations::EnumerateProcesses	"ScanLocations.cpp"	137	"Failed to get the process data for pid [0], error code = [87]. Will continue with the other processes."
06/01/17	" 00:00:33.358"	5266171	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::ScanLocations::EnumerateProcesses	"ScanLocations.cpp"	137	"Failed to get the process data for pid [4], error code = [5]. Will continue with the other processes."
06/01/17	" 00:00:33.358"	5266171	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::ScanLocations::EnumerateProcesses	"ScanLocations.cpp"	137	"Failed to get the process data for pid [456], error code = [5]. Will continue with the other processes."
06/01/17	" 00:00:33.358"	5266171	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::ScanLocations::EnumerateProcesses	"ScanLocations.cpp"	137	"Failed to get the process data for pid [648], error code = [5]. Will continue with the other processes."
06/01/17	" 00:00:33.358"	5266171	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::ScanLocations::EnumerateProcesses	"ScanLocations.cpp"	137	"Failed to get the process data for pid [740], error code = [5]. Will continue with the other processes."
06/01/17	" 00:00:33.358"	5266171	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::ScanLocations::EnumerateProcesses	"ScanLocations.cpp"	137	"Failed to get the process data for pid [748], error code = [5]. Will continue with the other processes."
06/01/17	" 00:00:33.358"	5266171	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::ScanLocations::EnumerateProcesses	"ScanLocations.cpp"	137	"Failed to get the process data for pid [812], error code = [5]. Will continue with the other processes."
06/01/17	" 00:00:33.374"	5266187	06d4	0fc4	WARNING	ScanControllerImpl	mb::scancontrollerimpl::ScanLocations::EnumerateProcesses	"ScanLocations.cpp"	137	"Failed to get the process data for pid [1772], error code = [5]. Will continue with the other processes."
06/01/17	" 00:00:37.702"	5270515	06d4	236c	ERROR	MBAMCoreImpl	MBAMCoreImpl::ClassifyLoadPoint	"MBAMCoreImpl.cpp"	431	"Cannot classify load point. FilePath member is invalid."
06/01/17	" 00:00:38.046"	5270859	06d4	236c	ERROR	MBAMCoreImpl	MBAMCoreImpl::ClassifyLoadPoint	"MBAMCoreImpl.cpp"	431	"Cannot classify load point. FilePath member is invalid."
06/01/17	" 00:00:38.218"	5271031	06d4	236c	ERROR	MBAMCoreImpl	MBAMCoreImpl::ClassifyLoadPoint	"MBAMCoreImpl.cpp"	431	"Cannot classify load point. FilePath member is invalid."
06/01/17	" 00:00:39.171"	5271984	06d4	0068	ERROR	MBAMCoreImpl	MBAMCoreImpl::ClassifyLoadPoint	"MBAMCoreImpl.cpp"	431	"Cannot classify load point. FilePath member is invalid."
06/01/17	" 00:21:37.727"	6530531	06d4	0880	INFO	AEControllerImpl	mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification	"AEControllerImplHelper.cpp"	2085	"App Injected (Mozilla Firefox (and add-ons))"

Quote

The backing-file for the real-time session "WDC.BE95A9B1-DE15-4B78-B923-A12AB70BE951" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" /> 
  <EventID>16</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2017-05-31T14:30:17.247154500Z" /> 
  <EventRecordID>382241</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="1748" ThreadID="4036" /> 
  <Channel>System</Channel> 
  <Computer>NB-G751JY</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
- <EventData>
  <Data Name="HiveNameLength">120</Data> 
  <Data Name="HiveName">\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-2566739444-624617511-4086259774-1001-06012017000017036-UsrClass.dat</Data> 
  <Data Name="KeysUpdated">0</Data> 
  <Data Name="DirtyPages">0</Data> 
  </EventData>
  </Event>

MBAMSERVICE.LOG

MBAM-SCANLOGS.txt

Edited by NeoBeum

I have MBAM on my tablet on Windows 10 EDU 1703; its configuration is the same as the settings on my main laptop. Obviously the only difference, aside from the Windows update, is that I don't have multiple drives on it, only an SD card.

I had to reconfigure Windows Defender for the 1703 update because it was automatically enabled again. Eset is also on the tablet.

I'll do some scans and see what happens.

EDIT: I didn't realise there was an update to MBAM to 3.1 - the GUI is reporting everything is updated.
I'll update and try a scan on my main laptop first.

Edited by NeoBeum

The behaviour is the same on 3.1.

Scans are smooth until it reaches that drive - then CPU is max and R/W for the drive whirring along at 200MB/s and RAM usage comes shy of 1GB.

The desktop environment becomes extremely laggy and the scan and service need termination.

06/01/17	" 01:47:07.626"	395437	0af0	1a90	WARNING	OfflineUAManager	mb::common::system::OfflineUAManager::LoadUAHivesOffline	"OfflineUserAccountsManager.cpp"	205	"RegLoadKey failed: Key=S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-06012017014707620, ProfilePath=C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-20-06012017014707620-ntuser.dat, retCode=32."
06/01/17	" 01:47:08.170"	395984	0af0	1a90	INFO	GalaxyRuleParser	mb::common::galaxyrules::SimpleRuleFileParserV2::Parse	"GalaxyRuleParser.cpp"	2973	"Successfully parsed 86311 records."
06/01/17	" 01:47:19.648"	407453	0af0	1a90	ERROR	ScanControllerImpl	mb::scancontrollerimpl::RootkitScanner::GetBootPartition	"RootkitScanner.cpp"	3081	"Failed to find a bootable drive"
06/01/17	" 01:47:19.648"	407453	0af0	1a90	WARNING	ScanControllerImpl	mb::scancontrollerimpl::RootkitScanner::IsBootableDrive	"RootkitScanner.cpp"	2978	"Failed to Get partition info for \\?\Volume{61e6d2ef-7953-4f31-a58f-79cb7f701b78}\, ErrorCode=(4294967295)"

Edited by NeoBeum
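The MBAMSERVICE.LOG excerpts quoted in the posts above all share one tab-separated layout, which makes the recurring IsBootableDrive and EnumerateProcesses warnings easy to count rather than read by eye. Added example written for this thread, not code from the thread or from Malwarebytes: a parser for those lines that groups WARNING and ERROR messages by function after masking volume GUIDs and numeric codes, and reports how long each service process had been running at its last entry. The column names, and the reading of the third column as milliseconds since the service process started, are assumptions inferred from the quoted lines; the sample lines are constructed copies of entries quoted in the thread.

```python
"""Parse the tab-separated MBAMSERVICE.LOG lines quoted in this thread and
summarize the WARNING/ERROR entries that recur.

Added example written for this thread; it is not Malwarebytes code.  The
column layout is inferred from the quoted lines (date, quoted time, tick,
pid, tid, level, component, function, source file, source line, quoted
message): the names in FIELDS are assumptions, and so is reading the tick
column as milliseconds since the service process started (the quoted values
line up with the timestamps that way).
"""
import re
from collections import Counter

FIELDS = ("date", "time", "tick", "pid", "tid", "level", "component",
          "function", "file", "line", "message")

_GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
_NUM = re.compile(r"\d+")


def parse_line(line):
    """Return one record as a dict, or None for lines that do not fit the
    layout (blank lines, the author's '...' elisions, truncated lines)."""
    parts = line.rstrip("\r\n").split("\t", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, (p.strip().strip('"').strip() for p in parts)))
    try:
        rec["tick"] = int(rec["tick"])
        rec["line"] = int(rec["line"])
    except ValueError:
        return None
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def level_counts(records):
    return Counter(r["level"] for r in records)


def normalize(message):
    """Mask volume GUIDs, pids and error codes so repeats of one failure group
    together whichever volume or process triggered them."""
    return _NUM.sub("N", _GUID.sub("{GUID}", message))


def repeated_failures(records, min_count=2):
    """(count, level, function, message template) for WARNING/ERROR messages
    seen at least min_count times, most frequent first."""
    groups = Counter()
    for r in records:
        if r["level"] in ("WARNING", "ERROR"):
            func = r["function"].rsplit("::", 1)[-1]
            groups[(r["level"], func, normalize(r["message"]))] += 1
    hits = [(n,) + key for key, n in groups.items() if n >= min_count]
    return sorted(hits, key=lambda t: (-t[0], t[2]))


def uptime_by_pid(records):
    """Seconds since service start at the last entry seen for each service
    pid; a second pid means the service was restarted, as the thread notes."""
    latest = {}
    for r in records:
        latest[r["pid"]] = max(latest.get(r["pid"], 0), r["tick"])
    return {pid: tick / 1000 for pid, tick in latest.items()}


# Constructed sample: copies of lines quoted in the thread plus the author's
# "..." elision marker, which parse_line skips.
SAMPLE_LOG = (
    '05/31/17\t" 22:33:30.762"\t43562\t06d4\t14f0\tINFO\tAeShimImpl\tAeShimImpl::MbaeStart\t"AeShimImpl.cpp"\t358\t"MBAE started."\n'
    '05/31/17\t" 22:33:30.840"\t43640\t06d4\t0d24\tERROR\tSPSDK\tSetGpIfeoProtection\t"SelfProtectionUser.cpp"\t606\t"SelfProtection Failed add/remove hash LE=2 (0 - 1)"\n'
    '...\n'
    '06/01/17\t" 00:00:33.327"\t5266140\t06d4\t0fc4\tWARNING\tScanControllerImpl\tmb::scancontrollerimpl::RootkitScanner::IsBootableDrive\t"RootkitScanner.cpp"\t2908\t"Failed to Get partition info for \\\\?\\Volume{61e6d2ef-7953-4f31-a58f-79cb7f701b78}\\, ErrorCode=(4294967295)"\n'
    '06/01/17\t" 00:00:33.343"\t5266156\t06d4\t0fc4\tWARNING\tScanControllerImpl\tmb::scancontrollerimpl::RootkitScanner::IsBootableDrive\t"RootkitScanner.cpp"\t2908\t"Failed to Get partition info for \\\\?\\Volume{9acb6671-56fe-46cf-ad46-6503f91c3d21}\\, ErrorCode=(4294967295)"\n'
    '06/01/17\t" 00:00:33.343"\t5266156\t06d4\t0fc4\tWARNING\tScanControllerImpl\tmb::scancontrollerimpl::RootkitScanner::IsBootableDrive\t"RootkitScanner.cpp"\t2908\t"Failed to Get partition info for \\\\?\\Volume{df8b59e8-9ff4-11e5-9e13-cc3d826bf4c1}\\, ErrorCode=(234)"\n'
    '06/01/17\t" 00:00:33.358"\t5266171\t06d4\t0fc4\tWARNING\tScanControllerImpl\tmb::scancontrollerimpl::ScanLocations::EnumerateProcesses\t"ScanLocations.cpp"\t137\t"Failed to get the process data for pid [4], error code = [5]. Will continue with the other processes."\n'
    '06/01/17\t" 00:00:33.358"\t5266171\t06d4\t0fc4\tWARNING\tScanControllerImpl\tmb::scancontrollerimpl::ScanLocations::EnumerateProcesses\t"ScanLocations.cpp"\t137\t"Failed to get the process data for pid [456], error code = [5]. Will continue with the other processes."\n'
    '06/01/17\t" 00:00:37.702"\t5270515\t06d4\t236c\tERROR\tMBAMCoreImpl\tMBAMCoreImpl::ClassifyLoadPoint\t"MBAMCoreImpl.cpp"\t431\t"Cannot classify load point. FilePath member is invalid."\n'
    '06/01/17\t" 00:00:38.046"\t5270859\t06d4\t236c\tERROR\tMBAMCoreImpl\tMBAMCoreImpl::ClassifyLoadPoint\t"MBAMCoreImpl.cpp"\t431\t"Cannot classify load point. FilePath member is invalid."\n'
    '06/01/17\t" 01:47:19.648"\t407453\t0af0\t1a90\tERROR\tScanControllerImpl\tmb::scancontrollerimpl::RootkitScanner::GetBootPartition\t"RootkitScanner.cpp"\t3081\t"Failed to find a bootable drive"\n'
)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(level_counts(recs)))
    for count, level, func, template in repeated_failures(recs):
        print(f"{count:>3}x {level:<7} {func}: {template}")
    print(uptime_by_pid(recs))
```

On the sample, the three IsBootableDrive warnings collapse into one template because the volume GUID and error code are masked, and the two service pids (06d4 and, after the restart, 0af0) come out with separate uptimes, which is why the tick column is read per pid rather than across the whole file.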

Hello Admins,

I need to convert this thread from a 'help me' thread to a 'bug report'.

I found the cause -

MBAM doesn't have sufficient privileges to read contents in [REMOVABLE-DISK]:\$Recycle.bin

(Removable or Dynamic maybe - it has no problems with C: - but I haven't tested while the main system disk recycle bin has contents)

I deleted the temporary recycle bin restore directory, and MBAM successfully scanned the drive with no problems or effect on the system.

Edited by NeoBeum