
MB / Norton Exploit Protection Conflict with 32-bit Firefox Browser?



Does anyone know of a possible conflict with the exploit protection modules of MB v3.1.2 and Norton v22.x on 32-bit operating systems?

I recently upgraded from MBAM Premium v2.2.1 to MB Premium v3.1.2 on a 32-bit Vista SP2 laptop.  Since the upgrade my Firefox ESR browser has been very slow and occasionally crashes on exit due to shutdown hangs.  The Modules tab of the Mozilla crash reports always flag Malwarebytes' mbae.dll, Norton's IPSEng32.dll (Intrusion Prevention System script engine, which includes exploit protection) and NVIDIA's nvwgf2um.dll (D3D10 driver).  Here are a few recent crash reports:
     https://crash-stats.mozilla.com/report/index/432f89de-df42-457b-bd23-10eed0170610#tab-modules
     https://crash-stats.mozilla.com/report/index/0614fcd3-9b76-4847-87f5-44f4e0170610#tab-modules

[Attached image: MBv3_1_2FirefoxShutdownHangMBAE10Jun2016.png]


I'm aware that Vista SP2 reached its end of extended support on 11-Apr-2017 but MB v3.1.2's real-time protection seems much more problematic than MBAM v2.2.1.  Here are a few changes I've tested since upgrading that seem to improve system performance:

  • Add mutual scan exclusions in both MB v3 and Norton v22
  • Disable Web Protection in MB v3.  This solves intermittent Automatic LiveUpdate failures in Norton (I had this problem with MBAM v2.2.1 as well).
  • Disable Exploit Prevention in Norton v22 (Settings | Firewall | Intrusion and Browser Protection | Exploit Prevention).  This solves Firefox browser slow response times and crashes.

Note that my Vista SP2, Norton v22, MB v3 and Firefox ESR v52 are all fully patched and I have the latest available drivers for my NVIDIA GeForce graphics card.  I also did a complete wipe of MBAM v2.2.1 off my system before installing MB v3.1.2 (deactivate and uninstall MBAM v 2.2.1 from Control Panel, re-boot and run new MB-Clean v3.1.0.1004 tool, manually delete remnants in C:\ProgramData\Malwarebytes).

mb-check-results.zip
FRST.txt
Addition.txt
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.1.2 * NS Premium v22.9.4.8 * MB Premium v3.1.2.1733-1.0.141
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Link to post

I'm now seeing similar conflicts with Norton and MB Premium v3.1.2 that I observed with the old MBAM Premium v2.2.1 (see my previous thread Norton Pulse Updates Fail when Malicious Website Protection Enabled), including intermittent problems with connections to the Norton File Insight server when I try to download files.

Here's an example of Norton v22.9.4 Download Insight failing when I tried to download an update for CCleaner while MB v3.1.2 Web Protection was enabled:

[Attached image: MBv3_1_2MWPOnCCleanerNoReputation13Jun2017.png]

And here's what happened after I disabled Web Protection, re-booted, and tried the same download a few minutes later:

[Attached image: MBv3_1_2MWPOffCCleanerNoReputation13Jun2017.png]

When I posted about my previous problems with MBAM Premium v2.x  I was told by Malwarebytes Customer Support that the problems on my Vista SP2 were likely related to the fact that I was using an older Norton v21.x product.  I was told bug fixes for Vista SP2 would be a low priority and was offered a refund for MBAM (no thanks, I have a lifetime license :)).

If other users with 32-bit operating systems aren't seeing similar problems to what I've mentioned above I'll just disable all real-time protection in MB v3.1.2 or deactivate my license and use MB v3.x as an on-demand scanner on my Vista SP2 machine.
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.0 * NS Premium v22.9.4.8 * MB Premium v3.1.2.1733-1.0.141
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Link to post

According to the January 2016 post Symantec Endpoint Protection Small Business Edition Adds Consumer Features That Don’t Serve the Needs of Small Businesses on the Symantec Connect forum, the base product for SEP/SBE is essentially a repackaged Norton v22.x home consumer product wrapped with a cloud Agent to allow remote administration.

Is it possible that Norton Security v22.9 for home consumers is affected to some degree by the MB v3 / SEP v14 conflicts being discussed in the thread Malwarebytes 3.1.2 Not Starting Properly?  I posted diagnostic logs in this thread on 11-Jun-2017 but no one has posted back to tell me if they can see any obvious issues with my MB installation.
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.0 * NS Premium v22.9.4.8 * MB Premium v3.1.2.1733-1.0.141
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri
Link to post

Yes I suppose that could be possible... have you tried excluding the below files in your Norton AV?

I would like you to add these files to your Anti-Virus exclusions list as mentioned in this FAQ HERE (my list below includes the exe files as well)
 

  • C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
  • C:\Windows\system32\Drivers\farflt.sys
  • C:\Windows\System32\drivers\mbae64.sys
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\MBAMChameleon.sys
  • C:\Windows\System32\drivers\MBAMSwissArmy.sys
  • C:\Windows\System32\drivers\mwac.sys

Also please exclude the following folders too: (The complete folder)

  • C:\Program Files\Malwarebytes\Anti-Malware
  • C:\ProgramData\Malwarebytes\MBAMService

Link to post

2 hours ago, Firefox said:

Yes I suppose that could be possible... have you tried excluding the below files in your Norton AV?

I would like you to add these files to your Anti-Virus exclusions list as mentioned in this FAQ HERE (my list below includes the exe files as well)...

Hi Firefox:

Thank you for your assistance.  The seven .exe executables in C:\Program Files\Malwarebytes\Anti-Malware\ have now been added to my Norton scan exclusions so I'll monitor for a few days with MB v3 real-time protection and Norton anti-exploit re-enabled and post back with my results.

The .sys drivers and folders listed <here> in the FAQ were already included in my Norton scan exclusions so I'm not sure why adding the individual .exe files in the C:\Program Files\Malwarebytes\Anti-Malware\ folder would be necessary, but fingers crossed that it makes a difference.

I have a 32-bit OS, so I substituted C:\Windows\System32\drivers\mbae.sys for C:\Windows\System32\drivers\mbae64.sys.  I did not include C:\Windows\System32\drivers\farflt.sys since this driver is apparently missing from XP and Vista machines that cannot support MB v3 anti-ransomware, per P1W's post in the thread Going from MBAM v2 to Malwarebytes 3.

I should also mention that I ran Norton Security v22.9.x and MBAM Premium v2.2.1 together in real-time protection mode for over a month and did not notice any conflicts.  My recent problems with Norton Security v22.9.x only appeared after my 03-Jun-2017 upgrade to MB Premium v3.
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.0 * NS Premium v22.9.4.8 * MB Premium v3.1.2.1733-1.0.141
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Link to post

18 hours ago, Firefox said:

Yes I suppose that could be possible... have you tried excluding the below files in your Norton AV?

I would like you to add these files to your Anti-Virus exclusions list as mentioned in this FAQ HERE (my list below includes the exe files as well)...

Hi Firefox:

Well, that didn't take long.  As an initial test I added your recommended exclusions in post # 4 to my Real Time Exclusions (Settings | Detailed Settings | Antivirus | Scans and Risks | Exclusions / Low Risks | Items to Exclude from Auto-Protect, SONAR Detection and Download Intelligence Detection | Configure).

Immediately after I booted up this morning (i.e., my first system restart after re-enabling MB v3 real-time protection) my Firefox performance tanked (no crashes yet but opening a web page in a new tab can take 10-15 sec and my cooling fan runs constantly while I'm browsing)...

...my first Norton Automatic LiveUpdate failed after ~ 16 min (start 6:24 AM, aborted 6:41 AM)

[Attached image: MBv3_1_2CU141NortonTasksALUFailed20Jun2017.png]

[Attached image: MBv3_1_2CU141NortonALUHistoryFailed20Jun2017.png]

...and Norton Download Insight failed to connect to the File Insight servers during a test download of the latest Adobe Flash Player v26.0.0.131 stub installer from https://get.adobe.com/flashplayer/ (released 16-Jun-2017).

[Attached image: MBv3_1_2MWPOnFlashNoReputation20Jun2017.png]

 

As a second test I'll add those same exclusions to my Scan Exclusions (Settings | Detailed Settings | Antivirus | Scans and Risks | Exclusions / Low Risks | Items to Exclude from Scans | Configure) and re-boot and report back if I see any improvement.
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.0 * NS Premium v22.9.4.8 * MB Premium v3.1.2.1733-1.0.141
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS
 

Edited by lmacri
Link to post

On 2017-06-20 at 8:06 AM, lmacri said:

...As a second test I'll add those same exclusions to my Scan Exclusions (Settings | Detailed Settings | Antivirus | Scans and Risks | Exclusions / Low Risks | Items to Exclude from Scans | Configure) and re-boot and report back if I see any improvement.

Hi Firefox:

Adding your recommended scan exclusions in both the Real Time Exclusions and Scan Exclusions of Norton didn't help.  About half of my Norton Automatic LiveUpdates continued to abort/fail yesterday after I added the Scan Exclusions and re-booted, and there was no improvement in my Firefox ESR browser performance. 

[Attached image: MBv3_1_2NortonScanExclusionsALUHistoryFailed20Jun2017.png]

 

I haven't had any problems today since I disabled both Web Protection and Exploit Protection in MB v3.1.2 and re-booted (Ransomware Protection is disabled by default with XP and Vista) but that means that Malware Protection is the only MB v3.1.2 real-time protection module I can run along with Norton Security v22.9.4 on my 32-bit Vista SP2 machine.

I'll keep monitoring shepcon's thread Malwarebytes 3.1.2 Not Starting Properly, and when Malwarebytes releases a bug fix for the MB v3.1.2 / SEP v14 conflict I might try turning my MB v3 real-time protection back on.
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.0 * NS Premium v22.9.4.8 * MB Premium v3.1.2.1733-1.0.141
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri
Link to post

If you are still having issues when you enable all protections (which should be the recommended) post the requested logs below so we can get staff to review them to see if there is something else conflicting... (I know you posted them in the first post, but it won't hurt to get a fresh set of logs.)

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

  1. If that does not correct the issue, then please read the following and attach to your next reply the 3 requested logs - Diagnostic Logs (the 3 logs are: mb-check-results.zip, FRST.txt, Addition.txt)


Please let us know how it goes.


Thank You,

Firefox

 

Link to post

Hi Firefox:

Thanks for the offer, but if Malwarebytes can't see an obvious problem in the diagnostics logs I attached to my original post I doubt a fresh set of logs will help.

I opened a support ticket the last time my Norton Automatic LiveUpdates started failing with an older product (NIS v21.x) and MBAM Premium v2.2.1.  I sent the Malwarebytes Help Desk multiple logs, including IP trace routes showing MBAM Premium v2.2.1's Malicious Website Protection blocking connections to liveupdate.symantecliveupdate.com and update.symantec.com (but not liveupdate.symantec.com) - an image of one set of trace routes is posted in an older thread <here>.  After six months of stonewalling the Help Desk finally told me that this was not a widespread problem and that they couldn't reproduce the issue on their own test bed so they offered me a refund for my lifetime license (which I declined).

If another Norton user reports a similar issue I'll be happy to step up and provide additional logs, but at this point I'd rather deactivate my MB v3 license and see if the next MB v3 release includes a fix for the Symantec Endpoint Protection (SEP) bug.
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.0 * NS Premium v22.9.4.8 * MB Premium v3.1.2.1733-1.0.141
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri
Link to post

I can certainly understand where you're coming from... I have helped you about as far as I can go since I don't work for Malwarebytes I don't have access to all the info they extract from the logs to see exactly what may be going on... the MBAM staff would have to proceed from here....

We will see what they can find with what you have posted thus far...

Link to post

On 2017-06-19 at 1:33 PM, lmacri said:

According to the January 2016 post Symantec Endpoint Protection Small Business Edition Adds Consumer Features That Don’t Serve the Needs of Small Businesses on the Symantec Connect forum, the base product for SEP/SBE is essentially a repackaged Norton v22.x home consumer product wrapped with a cloud Agent to allow remote administration.

Is it possible that Norton Security v22.9 for home consumers is affected to some degree by the MB v3 / SEP v14 conflicts being discussed in the thread Malwarebytes 3.1.2 Not Starting Properly?  I posted diagnostic logs in this thread on 11-Jun-2017 but no one has posted back to tell me if they can see any obvious issues with my MB installation.

Malwarebytes is now testing a new Component Update (CU) package that they hope will solve the conflict with MB v3.1.2 and SEP v14 - see dcollins' post # 66 in shepcon's thread Malwarebytes 3.1.2 Not Starting Properly.

Malwarebytes currently believes that changes made to MB's self-protection module in CU v1.0.139 are responsible for the conflicts with SEP (my own testing with Norton and Firefox points to Web Protection and/or Exploit Protection), but I'm still hoping that the new CU package eventually solves some of my own issues with Norton Security v22.9.4 when it's finally released.
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.0 * NS Premium v22.9.4.8 * MB Premium v3.1.2.1733-1.0.141
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri
Link to post

  • 3 weeks later...

Hi Firefox:

Just an update to let you know that I've run more tests since Norton Security was updated to v22.10.0.83 on 06-Jul-2017 and the latest MB component update (CU) package v1.0.160 hasn't solved the conflicts with Norton on my 32-bit machine.

If I enable Web Protection in MB v3 I still see intermittent Automatic LiveUpdate and Download Insight failures with Norton.  If I enable Exploit Protection in MB v3 my 32-bit Firefox ESR browser performance is noticeably degraded (high CPU consumption, slow response times, intermittent loss of internet connections), although I haven't had any recent Firefox @shutdownhang crashes when I close my browser like the crashes I reported with CU 1.0.41 in my original post.

MB v3's Malware Protection seems to be the only real-time protection that I can run along with Norton Security that doesn't noticeably degrade system performance.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.1 * NS Premium v22.10.0.83 * MB Premium v3.1.2.1733-1.0.160
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri
Link to post

Thanks for the update... perhaps getting some updated logs for @dcollins or @nikhils or @AdvancedSetup to review with the latest updates you have done so they can check them out and see if they see anything causing the issues...

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

  1. If that does not correct the issue, then please read the following and attach to your next reply the 3 requested logs - Diagnostic Logs (the 3 logs are: mb-check-results.zip, FRST.txt, Addition.txt)


Please let us know how it goes.


Thank You,

Firefox

Link to post

Hi Firefox:

I temporarily re-enabled MB's Web Protection and Exploit Protection this morning and re-booted before collecting the attached logs.

I've already been told by the Support Desk that support for Vista SP2 computers is a low priority so I don't want to waste too much time on this but I noticed there are a few other Norton users having issues with MB v3 (e.g., tks80's recent topic Malwarebytes, Norton Security, Win 7 Home Premium, and Google) so I hope the Malwarebytes staff find something relevant in my logs.

mb-check-results.zip
FRST.txt
Addition.txt
 ----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.1 * NS Premium v22.10.0.83 * MB Premium v3.1.2.1733-1.0.160
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Link to post

Yes, Vista is not going to be a priority to most companies these days as it's EOL.....

I have lots of computers (and customers' computers) running MB3 along with SEP (it's a little different than the home version of Norton) and after the CU 160 update they all got fixed...

Link to post