Malwarebytes 3.1.2 Not Starting Properly

[dcollins]

Thanks @shepcon. I didn't get a chance to update my response yesterday, but I did see that it took two reboots after the exclusions for everything to work properly. It was quite strange. We are trying to find a better long term solution still as well. Thanks for your patience in this matter

[arbrich]

I had to reboot another PC 4 times after applying exclusions to SEP to  get MBAM to finally start normally. Now the disturbing point. My maint machine without a restart the MBAM Web Protection and Malware Protection turned itself OFF and locked up running apps again. I notice that the Report logs do not show that the nightly scan ran last night leading me to believe that the protection failures were initiated by the auto scan starting last night and NOT completing. (which I had seen in 3.06 and Windows 7 previously) the Service then got hung again and only a reboot got things going again. Oh and by the way another 3 customers called with the same issues. The only way is to TURN OFF Anti Exploit Protection after restart to stop these calls until this issue gets resolved.

[shepcon]

Arbrich, I discovered an odd little trick by accident that may help you.  I've now updated about 20 PCs with the SEP exceptions to resolve the MB3 issues.  On about 5 of them, I found that even after 4-5 reboots, I still couldn't get the modules of MB 3.1.2 to startup properly even after building the SEP exception rules.  What I found was that on a PC that was in the error mode of MB3 with the modules not enabling properly and browsers, Adobe, Office getting blocked, I opened MB3, went to the Self-Protection Module and moved the green bar to the Off position.  You'll get a Microsoft security alert and respond Ok.  But MB3 will not actually disable the Self-Protection module and it'll stay in the On position and green.  Immediately reboot and all is resolved with all MB3 modules enabled and all is well.  And the Self-Protection module will be enabled.  I don't know if this tweaks the C:\Windows\System32\drivers\MBAMChameleon.sys driver but it has worked every single time for me.

 

[dcollins]

That's for the update @shepcon

[KLee368]

On 6/16/2017 at 10:43 AM, shepcon said:

KLee368, I have actually tried the mb-clean tool on several PCs and it's not solving my issue with Malwarebytes not starting all of the components properly.  And when they don't start properly, it's making the PC unusable.

i have just removed mb for now and just awaiting a solution not a work around.  and i will not be able to convince anyone here to start to add all these file to be ignored by SAV as a solution.    

[dcollins]

@KLee368 we are trying to reach out to Symantec about this, as this is a case of their software preventing us from starting properly (hence the need to add exclusions inside of SEP). If there is a solution, it will most likely have to come from their side. However we are also looking to see if we can solve this on our end as well

[arbrich]

I doubt Symantec is going to make any changes for you but I applaud you reaching out to them to resolve. From a customer's perspective MBAM worked fine for a long while (years) hand in hand with Symantec (that is an MBAM selling feature) and now it does not after  MBAM pushed out an upgrade. In many cases the Symantec Software install did not change but MBAM did and now it doe not work. My feeling is just like everyone has to work around Microsoft and all their changes MBAM should work around Symantec in the same way.  

[chakalakasp]

I'm pretty sure MBAM will fix the issue if they want to retain market share.  Symantec's user base is orders of magnitude larger than MBAM's, and as such they have the right of way here.  

[ThirdEye]

On 6/18/2017 at 5:38 PM, shepcon said:

Arbrich, I discovered an odd little trick by accident that may help you.  I've now updated about 20 PCs with the SEP exceptions to resolve the MB3 issues.  On about 5 of them, I found that even after 4-5 reboots, I still couldn't get the modules of MB 3.1.2 to startup properly even after building the SEP exception rules.  What I found was that on a PC that was in the error mode of MB3 with the modules not enabling properly and browsers, Adobe, Office getting blocked, I opened MB3, went to the Self-Protection Module and moved the green bar to the Off position.  You'll get a Microsoft security alert and respond Ok.  But MB3 will not actually disable the Self-Protection module and it'll stay in the On position and green.  Immediately reboot and all is resolved with all MB3 modules enabled and all is well.  And the Self-Protection module will be enabled.  I don't know if this tweaks the C:\Windows\System32\drivers\MBAMChameleon.sys driver but it has worked every single time for me.

 

I can confirm this tip given by shepcon. Attempting to disable the Self-Protection module, which as he states appears to do nothing, and then rebooting has resolved the issues of the modules enabling at startup and also has stopped other applications from being blocked from starting. Additionally, that was done without adding any exceptions whatsoever to SEP. My thanks to you for the discovery of a simple solution! Your information should prove very valuable in their search for the cause.

[arbrich]

ThirdEye, 

Please follow up with us on this to see if this "trick" works consistently. Need to see if it holds after reboots / Windows updates, etc.... Also with multiple OS - Win 7 / Win 10 and multiple versions of SEP - 12.1, 14, 14MP1.

Especially if it works without adding all of the exceptions which is a huge time consuming invasive task with multiple machines.

 

[shepcon]

ThirdEye, I actually haven't tried it yet without adding the SEP exceptions.  I simply stumbled upon the trick because I was frustrated by the SEP exceptions not working on a few of my PCs.  I've now updated about 35 PCs with the MB3.1.2 issue and on about 25% of those, I was forced to use the trick.  I honestly have no damn clue why the trick is working.  But I also don't understand some of the decisions my wife makes so I just smile when it works.

 

[ThirdEye]

arbrich,

While I may not be able to confirm all of what you're looking for, it has held after multiple reboots on Win 7 Pro 64 with SEP 12.1.6 with no exceptions added and all updates thus far.  If I observe any change to this system I will post a follow-up.  shepcon may offer better insight as it appears he's dealing with a good number of systems with this issue and that might provide a much better test bed.

[shepcon]

I have yet to see a PC revert to the failed state after getting MB3.1.2 resolved with the SEP exceptions regardless if I used the trick with the self-protection module.  And I have tested with installing some Windows Updates following the MB3 procedure.  I installed some Optional Windows Updates that were available for some non-critical issues, rebooted and MB3.1.2 was fine.

 

[arbrich]

OK, I got my hands on SEP 14 MP2 today.

I have done the following installs with MABM 3.1.2 to keep testing and will keep you posted:

1) SEP Full install  - Wind 10 Pro, with SEP Exceptions

2) SEP - Virus and Spyware Protection ONLY - Win 10 Pro, NO SEP Exceptions

3) SEP - Full Install - Win 7 Pro, NO SEP Exceptions

dcollins please update us if you make headway with Symantec

[arbrich]

Another thing I am really interested in is WHY does this issue not seem to crop up in 3.06 ??

We have multiple users that we are not upgrading until this gets resolved that DO NOT have this issue.

 

MAlwarebytes Version:  3.0.6.1469

Component Package Version: 1.0.103

Update package - 1.0.2195

 

[dcollins]

We believe we have a solution that will be available in our next update, but it requires some extensive testing to verify it works and doesn't break anything else.

@arbrich, to answer your question, this issue doesn't happen in base 3.0.6 or 3.1.2 with CU122. It only happens once CU139 or above is applied, and that's because we made some changes to our self-protection driver in CU139. 

[KLee368]

11 minutes ago, dcollins said:

We believe we have a solution that will be available in our next update, but it requires some extensive testing to verify it works and doesn't break anything else.

@arbrich, to answer your question, this issue doesn't happen in base 3.0.6 or 3.1.2 with CU122. It only happens once CU139 or above is applied, and that's because we made some changes to our self-protection driver in CU139. 

thats great...eta?

[arbrich]

OK, Do you have a time frame ? And please let us know if we can help test.

[KLee368]

i have reinstalled on a computer with this prob and looks like its okay for now.  3.1.2.1733.10.141.102216

[dcollins]

No ETA at this time, but we understand this is a big issue and are aiming to get the fix out as soon as we can. 

[arbrich]

Hi Guys, just checking to see if any update on this with testing etc..

Thanks

 

[dcollins]

Our testing has gone well and we should be rolling out a fix soon.

[shepcon]

Devin, I noticed that a newer version of MBAM 3.1.2 is now available.  mb3-setup-consumer-3.1.2.1733-1.0.160-1.0.2251 is the name.  Does this resolve the issues we're seeing with SEP and MB3?

Thanks.

[Firefox]

1 minute ago, shepcon said:

Devin, I noticed that a newer version of MBAM 3.1.2 is now available.  mb3-setup-consumer-3.1.2.1733-1.0.160-1.0.2251 is the name.  Does this resolve the issues we're seeing with SEP and MB3?

Thanks.

Yes it does, as mentioned in the topic here:

 

[nikhils]

Hello @shepcon,

The latest build with CU 160 does fix the SEP issue. Please check the following forum post: