Recent Malwarebytes Update causes Outlook mso20win32client.dll crash/fault

[cyberhex]

After installing Malwarebytes 3.1.2 when I shutdown Windows I get a message that gSyncit (a component that uses the Outlook COM interface) has crashed due to a fault from a component within the process referencing a null memory address. When Malwarebytes is removed the issue goes away.

Upon further inspection in the Windows Event Viewer it appears the fault is happening within mso20win32client.dll component. Perhaps Malwarebytes "hooks" into this component? Again, this fault only happens when Malwarebytes is enabled. If I leave Malwarebytes enabled but disable the exploit protection option then Windows shuts down correctly and no crash message. 

To replicate this issue install gSyncit (www.gsyncit.com) with Malwarebytes installed and shutdown Windows. During the shutdown process a dialog will appear indicating a problem (see attached image). 

This issue only occurs when Windows is shutting down. If I exit gSyncit normally from the Windows system tray everything works properly. It looks like the error happens while invoking Quit() or disposing/releasing the Outlook Object Model during Windows shutdown. Malwarebytes must have some Windows DLL hook into this component that is causing a fault. 

 

Below are the details of the crash from the Windows event viewer:

 

Faulting application name: gsyncit.exe, version: 5.0.42.0, time stamp: 0x597a9856

Faulting module name: mso20win32client.dll, version: 0.0.0.0, time stamp: 0x5958a12f

Exception code: 0xc0000005

Fault offset: 0x001a85dc

Faulting process id: 0x1e84

Faulting application start time: 0x01d3086f4a6401b5

Faulting application path: C:\Program Files\Fieldston Software\gSyncit\gsyncit.exe

Faulting module path: C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll

Report Id: 88a0650a-a8a6-4582-8815-ca08b44d2fd5

Faulting package full name: 

Faulting package-relative application ID:

[Derek121]

I'm having the same problem as reported by cyberhex.  I don't seem to be able to work around the problem by disabling the exploit protection option but it does reliably go away when I first exit Malwarebytes and then shutdown or restart Windows.  I tried updating Gsyncit to the latest version but the problem remains.  I no longer have any older versions of Malwarebytes -- are those available anywhere?  I'd like to see if that corrects the problem and perhaps stay on that version until a fix can be issued for the 3.1.2 version.

[cyberhex]

Is anyone ay Malwarebytes able to comment/address this issue?  

The workaround I've found for this issue is to right-click the Malwarebytes system tray icon and disable Exploit Protection. 

Edited August 4, 2017 by cyberhex

[joshhuggins]

Any word on a fix for this? Driving my users nuts.

Edited August 14, 2017 by joshhuggins

[dcollins]

So far I have been unable to replicate this. Can you please share what type of configuration options you're using in both Outlook and gSyncIt?

e.g.:

• IMAP/Exchange/POP account
• What sync options do you have configured in gSyncIt
• Have you changed any of the default sync options in gSyncIt

Also, if you could please provide the logs mentioned in the thread below, that will help as well

 

[Gator5000e]

Has there been any progress on this issue? I don't know if any of the posters above are associated with Fieldston Software but it would be nice if you could provide the requested info so that installing gSyncit 5 will not cause issues. Fieldston's support page says to check out this forum page but I see that there has been no response from the original posters. 

[FarmerBrown]

I am having an identical issue, as are many other users of GSyncit.  It is asked so frequently in their support forums they have created a special message for it on the top of their support page.  https://www.fieldstonsoftware.com/support.aspx  Does anyone have a solution yet?

[dcollins]

So far there's no progress as we have been unable to replicate internally. This makes it hard for us to identify what's happening and how to fix it, hence the request for logs

[joshhuggins]

On 8/14/2017 at 2:10 PM, dcollins said:

So far I have been unable to replicate this. Can you please share what type of configuration options you're using in both Outlook and gSyncIt?

e.g.:

• IMAP/Exchange/POP account
• What sync options do you have configured in gSyncIt
• Have you changed any of the default sync options in gSyncIt

- Happens every time when shutting down the computer.
- I have 3 IMAP Gmail accounts currently setup in outlook.
- I have attached screen shots of my settings.
- I tried adding the Fieldston folder to my ignore list but that didn't help.
- Has been happening on 12 other similarly setup systems for about a month now.
- One thing that might be unique is I have some of my calendar & contact folders nested.
- Another unique thing I have done is use mfcmapi.exe to remove the (This Computer Only) from folders where you can't remove them from within Outlook, but all this has been working for years now with no issue so not sure if related. Just tossing out oddities I can think of.
- The calendar/contact mapping sync options tabs are the only tab I have changed settings on. The other tabs should all be default. The screen shot is typical of all of my synced calendars/contacts.

 

mb-check-results.zip

Edited August 17, 2017 by joshhuggins

[dcollins]

Thanks @joshhuggins, I'll try to replicate your settings as best as possible today and see if I can replicate this. I appreciate the in-depth amount of information

[FarmerBrown]

dcollins, I am using 2 google apps emails set up with IMAP settings, and one Microsoft exchage account.

 

I have one calendar being synced, a two-way outlook / google sync.  I am not syncing contacts, notes, or tasks.  All other setting are the default gsynit settings.

This is on a 64bit Win10 Pro machine.  I get this error consistently when shutting down.  Unless I click the box, the computer will be prevented from shutting down, every time.  Is there any other info I can provide? 

[Gator5000e]

Have there been any updates to this issue?

[dcollins]

Unfortunately not. We have a few people trying to reproduce this and so far no luck. We're still looking into it though.

Out of curiosity, does this only happen during shutdown? If you just try to quit gSyncIt, does it happen as well?

[Gator5000e]

To be honest, I am using gSyncit v 4 and have never had the problem crop up, as far as I know, even though Feldstone Software says it was an issue with v4 as well. I've been holding off on installing v5 to see what happens with the issue. I have asked Feldston if I can roll back to version 4 if I upgrade to v5 and if so, I will install v5 and see what happens. But I had posted on their FB page that you guys were looking for some input to try to see what was going on and I don't know if they ever provided any info. If the problem does occur during the shutdown of W10, won't any logs or errors be erased once the shut down if forced through?

[joshhuggins]

Only happens at shutdown. I can close Outlook and the Tray app without issue. I have exited outlook and the tray app before shutting down the PC and the message still shows up. I have not checked to see what services it maybe running and tried to stop them before shutdown yet to see if it still happens. I'll try to remember to do that and report back. Super swamped right now so might be a few days.

[FarmerBrown]

Also, happens whether I have used Outlook or not.  I can turn on the computer and then turn it off, having never opened Outlook, and problem still occurs.

[cyberhex]

In response to dcollin's question, "Out of curiosity, does this only happen during shutdown? If you just try to quit gSyncIt, does it happen as well?", please direct your attention to my original posting on this issue:

"This issue only occurs when Windows is shutting down. If I exit gSyncit normally from the Windows system tray everything works properly. It looks like the error happens while invoking Quit() or disposing/releasing the Outlook Object Model during Windows shutdown. Malwarebytes must have some Windows DLL hook into this component that is causing a fault. "

 

If you look at the Windows Event Viewer entry I provided you see that the  protection fault is occurring within "C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll". It sure looks like malwarebytes is maybe hooking into this library s. The error message indicates a specific instruction within this component tried to reference a 0x0 memory address. If I disable Exploit Protection then the issue does not occur. So whatever Exploit Protection does is causing this issue when the gSyncit system tray app closes and releases references to mso20win32client.dll. Perhaps your Exploit Protection is expecting some other components be loaded but when Windows is shutting down they are not? 

 

Does malwarebytes hook into the LoadLibrary() call? What exactly does Exploit Protection do? How does it work internally? 

 

This issue was immediately reported to us shortly after Malwarebytes v3 was released. The gSyncit system tray app has code wise remained consistent for many months prior to this release so I am pretty confident that the root issue is not with gSyncit - but I remain open to the possibility. I just have no idea what Exploit Protection is doing during shutdown to figure out how to troubleshoot this issue. 

 

 

 

[dcollins]

Thanks for the clarification @cyberhex, I forgot about the bolded part where it only happens during shutdown. By default, Outlook is not added to the list of applications that we protect, but we do attempt to protect other Office applications that may use this shared DLL.  I'm not a huge fan of passing blame back and forth, but the more I research this, the more it looks to be an issue with gSyncIt. None of the Microsoft programs are crashing, we don't hook Outlook by default, and we don't hook gSyncIt. We're also have a very difficult time trying to reproduce this, which makes it hard for us to debug. Perhaps Fieldston software could analyze the crash dump and see what's happening on their end (I can't tell if you're a Fieldstone employee or not).

That being said, I haven't given up researching this in our end.

[dcollins]

@cyberhex can you do me a favor and try our new MB3.2.2 release as this has an updated Exploit Protection component in it?

If that doesn't work, can you try removing MB3 and using our standalone Anti-Exploit Protection program to see if the issue still occurs?

Thanks!

[dcollins]

@cyberhex also, can you check if leaving Exploit Protection enabled, but disabling Ransomware Protection causes the problem to go away as well? We had reports from another user that this also worked

[joshhuggins]

So I think the 3.2.2 update is working.

- I installed 3.2.2, shut down with Outlook and the GSyncit tray app running without the message coming up.

- I started the system up, started Outlook and manually started a sync and then shutdown and the message popped back up. I closed the message and then Windows started an update and shutdown.

- I started the system back up and then tried multiple combinations (about 8) of shutdowns and reboots with and without full Outlook running, with GSyncit manually syncing and not syncing when i shutdown/rebooted. With the GSyncIt loading the outlook profile without Outlook running. I did all this a short amount of time after booting up and after waiting about 5 mins and did not get the message again.

So seems like the combo of the 3.2.2 update and whatever Windows updated in KB4034674 & KB4034662 worked. Not sure about the one message I did receive but I can't duplicate it now. I will report back if I get it again. Thanks for your help!

Edited August 25, 2017 by joshhuggins

[joshhuggins]

So I have seen the error shutting down several times now, but it's not a frequent. Maybe 3 times out of 20 shutdowns? Of course it's right as I am leaving so I haven't really looked into it too much yet, just figured I'd report it real quick.

[cyberhex]

@dcollins I would be happy to test things out but unfortunately I don't have licensed version of Malwarebytes. I am reporting this issue on behalf of our customers that are reporting this issue. I was able to replicate the issue using the evaluation version but that has since expired; I can no longer enable/disable the exploit options. If there is a way to reset the trial then I'd be happy to test things out with your latest build. 

[dcollins]

@cyberhex if you can run mb-check from https://downloads.malwarebytes.com/file/mb3_check and then provide the zip file, I should be able to reset your trial

[jwhitler]

same exact error, on two different laptops, updated to 3.2.2 on one machine so far, and didn't change at all, still appears every time, win 10 completely up to date,frustrating