Jump to content

MWB wakes up unrelated hard-drives when any application is started


Recommended Posts

OS: Windows 10 x64 (Creators Update 1703)

MWB 3.1.2.1733:
Exploit: ON
Malware: ON
Ransomware: ON

Almost every time windows starts one of its internal scheduled tasks or services be it:

  • an update check
  • a dllhost call
  • a background task run
  • other built-in scheduled tasks

or I start any application which wasn't scanned by MWB in the last 30 minutes (even notepad.exe), both of my external usb3 hard drives are woken up from standby for no reason as they have nothing to do with the started processes / aren't accessed by them in any way.

This happens ONLY on the computer MWB is installed on.
Waking up those disks constantly for no reason increases their wear and energy consumption (not to mention the spin/up sounds).

Link to post
Share on other sites

Hello @Malebox:

Thank you for reporting the system's issue.  The Malwarebytes' staffers/helpers must have good log data for a quality fault analysis to begin.

  1. Please save your work and close all running user applications for your convenience. applications for your convenience.

  2. Please follow the steps within the locked/pinned topic at Having problems using Malwarebytes? Please follow these steps.

  3. In your next reply to your topic, please only attach the three (3) separate files that are developed above: mb-check-results.zip, FRST.txt, and Addition.txt.

  4. Additionally, please consider selecting the "Follow" button, near the upper-right corner of your topic, to receive punctual email notifications when updates are posted.


Thank you.

Link to post
Share on other sites

  • FRST is completely unrelated as the computer is currently 100% free of malware / infections and the problem is related to the MWB application itself and not malware of any kind.
  • MB Check dumps too much personal information in the form of usernames / filesystem paths so posting that in a public facing forum is out of the question. Here is an excerpt of that.
Malwarebytes Version information
==================================
   "controllers_version" : "1.0.141",
   "db_version" : "2017.06.12.01",
   "dbcls_pkg_version" : "1.0.2136",
   "installer_version" : "3.1.2",

   "installationToken" : "PDL9ykyj1xz-DLeGyccr1495020541",
   "licenseState" : "licensed",
   "machineId" : "d458577663a50bff7d8bc44bf37145f5d87da5b8",

Installation Date:		05/18/2017
Version Installed:		3.x Installed
Installation Directory:		C:\Program Files\Malwarebytes\Anti-Malware\

AntiVirus Information:
===================
AntiVirus Installed:	Windows Defender
Status:	Up to Date and Enabled

FireWall Information:
===================
NO 3rd Party Firewall Installed

AntiSpyware Information:
===================
AntiSpyware Software Installed:	Windows Defender
Status:	Up to Date and Enabled

 

Link to post
Share on other sites

Good morning @Malebox, thanks for reaching out. For your issue, can we start with a simple test of disabling all the Malwarebytes protection modules under Settings -> Protection. This includes Web Protection, Exploit Protection, Malware Protection, Ransomware Protection, and a bit further down, Self-Protection. With all of those off, does this issue still occur?

Also, the full logs requested above could help greatly. FRST is not just for looking for infections, it also helps us identify any third party applications that Malwarebytes may be interacting with. If you don't feel comfortable posting the information publicly, would you be willing to message the information to me directly?

Link to post
Share on other sites

1 hour ago, dcollins said:

Good morning @Malebox, thanks for reaching out. ... If you don't feel comfortable posting the information publicly, would you be willing to message the information to me directly?

Hi. Thanks for your time. I've attached all the logs and sent them to you via PM.

Link to post
Share on other sites

Now I have all MWB protection layers disabled and Windows defender is in its default state.
I use Process Hacker's Extended notifications plugin to monitor a log of started/stopped processes and services while watching the external drives' LEDs.

I can confirm that the disks did not wake up so far. 
This is a sample of the log for the processes that ran which would normally wake the drives if MBAM protection layers are enabled:

  • 02:38:20 13/06/2017: Process created: svchost.exe (1840) started by services.exe (788)
  • 02:38:20 13/06/2017: Service started: WdiSystemHost (Diagnostic System Host)
  • 02:39:10 13/06/2017: Process created: svchost.exe (8620) started by services.exe (788)
  • 02:39:10 13/06/2017: Service started: AppXSvc (AppX Deployment Service (AppXSVC))
  • 02:43:31 13/06/2017: Process created: taskhostw.exe (8612) started by svchost.exe (1408)
  • 02:43:31 13/06/2017: Process created: sppsvc.exe (3672) started by services.exe (788)
  • 02:43:32 13/06/2017: Process terminated: taskhostw.exe (8612); exit status 0x0
  • 02:43:32 13/06/2017: Service started: sppsvc (Software Protection)
  • 02:44:14 13/06/2017: Process terminated: svchost.exe (8620); exit status 0x0
  • 02:44:14 13/06/2017: Service stopped: AppXSvc (AppX Deployment Service (AppXSVC))
  • 02:44:24 13/06/2017: Process created: dllhost.exe (12576) started by svchost.exe (924)
  • 02:44:26 13/06/2017: Process created: Notepad2.exe (5372) started by explorer.exe (7920)
  • 02:44:29 13/06/2017: Process terminated: dllhost.exe (12576); exit status 0x0
  • 02:45:01 13/06/2017: Process terminated: sppsvc.exe (3672); exit status 0x0
  • 02:45:01 13/06/2017: Service stopped: sppsvc (Software Protection)

Windows constantly does something under the hood, be it diagnostics, update checks, telemetry, app updates and so on - and it's a real problem if those repeatedly wake the drives.
Another thing that always wakes them is when I launch a url from another program which would open a browser. Stressing again - when protection layers are disabled - the disks are not being awoken.

PS. There is one thing which I haven't mentioned so far. My external drives are mounted as drive letters A: and B: so as to not mix them up with the rest.
Also the power profile is set to High Performance (no sleep, no turn off hdds) and only the external drives spin down according to their individual standby settings. (30min)

Edited by Malebox
Link to post
Share on other sites

It looks like I jumped to conclusions prematurely.

After experimenting a bit with protection layers on and off I managed to narrow it down to Windows Defender and not MBAM.

I must've had it disabled via group policy before, while using the previous version of MBAM3 and had no problems. 
My reason for originally disabling Defender was that applications were starting a lot slower while it was on, even on an SSD.
Then Defender got re-enabled with the Creators' Update and since I also installed a newer MBAM build I thought the problem lay with that.
I was considering disabling it again at that time but read an article that said it's good to run both MBAM and an AV.

I apologize for sending you guys on a wild goose chase and thanks for all the ideas that lead us to this point.

All that's left is for me to find a way to force WD to work as an on-demand scanner only.

 

 

Edited by Malebox
Link to post
Share on other sites

I might have jumped the gun too early again.

After rebooting - now with only MBAM protection active - the waking up behavior is back so MBAM didn't affect them before until the system was restarted.

On a side note windows now detects MBAM as the "Antivirus" so it could be windows waking them up while calling mbam to scan them on file access.

More testing to follow.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.