MBAM keeps locking Visual Studio compiled executable preventing subsequent rebuild and debug


I've also been experiencing this lately.

First was with a Steam game, which was preventing Steam from updating it.

Now it happened with Origin, preventing me from updating it.

Oddly though, I do have VS installed, and haven't encountered any issue with my builds.

 

Please kindly let me know when you've downloaded these as well.

Didn't the old forum allow private attachments? Seems like a good option to have.

mb-check-results.zip

MBAMService.exe_170813_183630.dmp.zip

Edited by Phoenix84
Today it happened again when I was manually updating a portable application by just overwriting a folder with contents from the archive - overwriting the executable failed and when I checked it was locked by MBAMservice again. So I think it triggers mostly when:

  1. a file is attempting to overwrite another with the same name
  2. that file is an executable since it didn't trigger on all the other ones being overwritten

MBAMservice process dump: https://mega.nz/#!4BNjXSBK!vLHdGD0LmrOF7MBHCjFcFRH-Iyn568YVkYwOdqi4MNM ~70mb

System uptime: 4 days 12 hours

 

Edited by Malebox

Same thing happened to me, first with visual studio not launching my projects due to MBAM blocking the executable, on many different projects, then Franz stopped working due to the same issue, had to uninstall MBAM, this is really annoying.

I've been using MBAM for quite a few years and this is the first time it starts to block silently several apps on my machine, no infection or anything like that, it just locks the file for no reason apparently.

To me this is a bug and I would like to hear from the team if they have identified the issue so I can reinstall the app.

Thanks


I'm having a similar issue with the precompiled releases of PoE-TradeMacro (https://github.com/PoE-TradeMacro/POE-TradeMacro). Just to add some background, PoE-TradeMacro is a price checking tool for Path of Exile. It's basically some AHK magic plus curl to check prices for items in your inventory against https://poe.trade. The script has a built-in update mechanism which checks git for a new release, downloads the archive and extracts the content in a folder with the version name.

After an update, the old release should get deleted but currently this won't work because lib\curl.exe is completely locked down by MWB. The file is not flagged as a virus but I can't move, delete, or rename it. I can't see the owner of the file in advanced security settings and trying to takeown (even with the built-in Windows admin account) will result in an access denied error. Adding an exclusion does nothing.

/u/tcritch in the MWB subreddit pointed out that stopping the MBAMService fixes the issue and it sure did. Would love to see this fixed as it's kinda annoying. 


Microsoft Windows Defender recently started detecting some of my visual studio apps as "Trojan.Win32/Fuery.B!cl", strange thing since some of them don't use any third party library, they are all office related tools that I've worked on for years and all of a sudden the MBAM issue and now Windows Defender.

This is very strange!

One thing though, scanned the exe with Jotti's Malware Scanner and all anti viruses reported no threat.


12 minutes ago, Paul-2011 said:

Microsoft Windows Defender recently started detecting some of my visual studio apps as "Trojan.Win32/Fuery.B!cl", strange thing since some of them don't use any third party library, they are all office related tools that I've worked on for years and all of a sudden the MBAM issue and now Windows Defender.

This is very strange!

One thing though, scanned the exe with Jotti's Malware Scanner and all anti viruses reported no threat.

Ok some of these I think are due to the fact that I obfuscate my assemblies with ConfuserEx to make it hard for someone to disassemble them.


I do almost continual code/compile/test loops most days. And at least once a day I get an error message from ld (I use the gcc toolchain), typically: "ld.exe: cannot open output file mp.exe: Permission denied". I use the hidden icon to stop Malwarebytes (Pro), rerun the compile and then manually restart. Granted this is an annoying hiccup in the process, but I certainly wouldn't mind seeing it go away! Good to hear about the possible fix!

Link to post
Share on other sites

This is really getting to be annoying.  Previously I found that if I executed

    net stop MBAMService

    net start MBAMService

that the file locking problem would go away.  So I put these commands in a scheduled job to execute at 2:30 AM every day.  Now even that has not been working because the service ended up in a persistent "Stopping" state.  I had to forcefully kill the service.


I've also experienced the locked file issue, primarily with vs2015 being unable to write to the output file (with multiple projects), and in one instance, unable to write a source file. My solution to this point has been to temporarily change the output file, but several times I've done so only to find the new output file became locked minutes later.

I have excluded my entire development source area, including 3rd party external libraries and:

C:\Program Files (x86)\Common Files\Microsoft Shared\VsHub

C:\Program Files (x86)\Microsoft Visual Studio 14.0

C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe   (yes this is redundant).

It's a Windows 10 system.

Process Explorer never shows any handles while the files are locked. (Using ctrl f to search, but maybe I'm doing it wrong?)

Sometimes I can delete the files using Windows Explorer or CMD, sometimes not.

Often, it seems that shutting down MB fixes the problem, but they will also 'time-out' and become writable again.

I first mentioned this problem to my colleagues on 6/26/2017 (at the latest), and IIRC, I thought it coincided with a MB update at the time, but not certain of that.

 

 

https://www.dropbox.com/s/qstg0tn3xnp1ylh/MBAMService.7z?dl=0

Linked are the logs from around the time that I had an unwritable file. MSVC was unable to write a new version of "PowPerfTest64.exe". The process had ended.

Happened on 8/15 @ 4:20pm.

I was able to write to the file after quitting MB.

 

 

PS. I've been running with the Ransomware Protection disabled, and all has been well.

Edited by mrivers
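One way to record the "locked, then writable again after a while" behaviour described in the posts above, so the timing can be attached to a bug report. This is an added example, not code from any poster or from Malwarebytes; the function names and the sample path are hypothetical, and the only thing taken from the thread is the service name MBAMService.

```powershell
# Added example: poll a build output file until it can be opened exclusively,
# logging the result and the MBAMService state on each attempt.

function Test-FileWritable {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # Exclusive read/write open fails while any other handle holds the file.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite,
                                     [System.IO.FileShare]::None)
        $fs.Dispose()
        return [pscustomobject]@{ Writable = $true; Error = $null }
    } catch {
        # Report the underlying .NET exception type, e.g. IOException for a
        # sharing violation or UnauthorizedAccessException for access denied.
        $inner = $_.Exception.GetBaseException()
        return [pscustomobject]@{ Writable = $false; Error = $inner.GetType().Name }
    }
}

function Watch-FileLock {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$TimeoutSeconds = 600,
        [int]$IntervalSeconds = 5
    )
    $start = Get-Date
    while (((Get-Date) - $start).TotalSeconds -lt $TimeoutSeconds) {
        $result = Test-FileWritable -Path $Path
        $svc = Get-Service -Name 'MBAMService' -ErrorAction SilentlyContinue
        # One record per attempt; pipe to Export-Csv to keep the timeline.
        [pscustomobject]@{
            Time          = Get-Date -Format o
            ElapsedSec    = [int]((Get-Date) - $start).TotalSeconds
            Writable      = $result.Writable
            Error         = $result.Error
            ServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }
        }
        if ($result.Writable) { break }   # lock released, stop polling
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Hypothetical path; make sure the program itself is not still running,
# since a running executable also fails the exclusive open.
# Watch-FileLock -Path 'C:\dev\MyProject\bin\Debug\MyApp.exe' | Format-Table
```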

I have the same problem: working in C# VS 2015 -- over the past month+  I've spent a crazy amount of time debugging my code for sporadic problems that cure themselves after a few minutes. Today my serial ports suddenly threw unauthorized access exceptions for no discernible reason -- in desperation I tried to rename the bin directory and finally learned that MBAM was ignoring exclusions and locking files that live in an excluded path. My entire projects hierarchy is excluded, and the files being locked are at the very end of that directory chain in the bin directory. The locks persist for many minutes.

Now I strongly suspect that MBAM is also responsible for mysterious skype lockups that started about the same time, and come and go with the same kind of timing.  

I have uninstalled MBAM.

How can I get notified when you come up with a workaround or a patch?

 


This sounds similar to a problem I had today. I just spent hours trying to figure out why sysinternals Procmon wasn't running. Got the message "Unable to extract 64-bitimage. Run Process Monitor from a writeable directory."

Eventually found that the temp file that Procmon uses was locked by Malwarebytes. Rebooting the computer did not fix the locked file. Using Process explorer was able to close the handle. Procmon ran normally after that.

 

 


We believe we have solved this issue in our standalone ARW product. If you want to test and verify, you can download that from https://malwarebytes.box.com/s/6vqfgzs9ci86fbga4nt95yq5uytppg1b and install it. Version 1.1.100 should download after a few minutes, and that is where the fix resides. You can check your version under the About page.

This fix should be pulled into the primary MB3 product soon as well.


10 minutes ago, mawibo said:

Why does it take so long to include the fix in the primary product? It's extremely annoying.

Maarten

Despite how annoying this bug is, if it were rushed out and there was another bad bug (such as randomly deleting files), you'd be thoroughly (and rightfully) enraged with the devs.


I can definitely understand your frustration as I am having this issue as well. That being said, just because we identify an issue, we don't generally release the fix the moment it's available. We have a release cycle we try to stick to, and if you look historically since the launch of our MB3 product, our new versions come out once a month. This isn't a hard deadline, but something we try to keep up with to make sure we're keeping our users protected and staying up to date on the latest threat landscapes. If we pushed out a fix for every single feature or bug we fixed, it would be unmanageable. So instead we focus on delivering our component updates that contain a variety of fixes.

Unfortunately we didn't find the cause until late August, and we haven't had a release since implementing the solution into our standalone ARW product. I would expect a fix to be coming soon.

