Jump to content

is RTProtectionDaemon a legit part of Malwarebytes?


Recommended Posts

Hi-  I'm running RansomWhere in addition to MalwareBytes.  I recently came up with a warning that a process called RTProtectionDaemon is locking files and was suspicious, acting like ransomware.  I'm wondering whether it's a part of MalwareBytes, or whether I should try to find and delete it.

 

 

Screen Shot 2017-08-04 at 7.45.57 AM.png

Link to post
Share on other sites

  • Replies 63
  • Created
  • Last Reply

Top Posters In This Topic

I'm not using RansomWhere, but I am still seeing RTProtectionDaemon chewing up my CPU (basically stuck at ~90% CPU usage).

Evidently it _is_ part of the new Malwarebytes release (or, at least, is a plugin; however, I don't recall explicitly asking Malwarebytes to install this plugin for me):

$ locate RTProtectionDaemon
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/Info.plist
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/PkgInfo
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/Resources
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/Resources/libswiftRemoteMirror.dylib
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/Resources/logConfig.plist
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/Resources/signatures.ref
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/_CodeSignature
/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/_CodeSignature/CodeResources
/Library/Application Support/Malwarebytes/MBAM/Logs/RTProtectionDaemon.log

'dtruss' seems to suggest the daemon is busy scanning a whole bunch of files in my Python site-packages folder, currently.

tl;dr: RTProtectionDaemon is an MBAM plugin and appears to chew up CPU time scanning files on the filesystem.

Edited by cdrv
Link to post
Share on other sites

Unfortunately, RansomWhere? warns you when files are being expanded and incorrectly reports locking. I suspect MBAM is simply attempting to decompress a signature update file that it downloaded.

Link to post
Share on other sites

  • Staff

RTProtectionDaemon is definitely a legit part of the Malwarebytes app, though this does bring attention to a matter I'll discuss with the developers... it looks like there's something wrong with the code signature on that process. We'll definitely look into that.

I'm not sure why RansomWhere? is triggering a warning on that, though. If I had to guess, the download of an updated rules file - which is encrypted - and subsequent overwriting of the original rules file with the new one is probably the issue. RTProtectionDaemon isn't encrypting files, but it is writing already-encrypted files.

Link to post
Share on other sites

Greetings to everybody!

I am new here and not a native english speaker, so please apologize.

I recently switched from Anti-Malware to Malwarebytes for Mac and recognized that Rtprotectiondaemon uses a lot of memory (Physical Size=2.5GB, VM-compressed=1GB, RSize=300MB in 2 days, according Activity Monitor). I had to kill the process to get back 600MB immediately. Now I stopped real time protection using the menulet interface, and it stays at 14MB (RSize=42,9MB). I didn't observe any CPU anomalies. Any ideas?

Regarding RansomWhere?, a detailed explanation covering the determining algorithm can be found at their website. It just alerts the user about any unusual encryption activity and false positives are common.

Cheers

ALN

Link to post
Share on other sites

  • Staff

We will definitely be optimizing the software further in the future. There's a lot of room to improve.

However, if you're not having any performance issues, it's not worth worrying about memory consumption on modern versions of macOS. Recent versions of macOS are pretty good at managing memory. I currently have a couple websites loaded in tabs in Safari each using nearly 2 GB of RAM. If the memory usage grows enough to cause a performance problem, then that's obviously bad, but I haven't seen reports of that happening so far. (If it does happen, I definitely want to hear about it.)

Link to post
Share on other sites

13 hours ago, ALN said:

I recently switched from Anti-Malware to Malwarebytes for Mac and recognized that Rtprotectiondaemon uses a lot of memory (Physical Size=2.5GB, VM-compressed=1GB, RSize=300MB in 2 days, according Activity Monitor). I had to kill the process to get back 600MB immediately. Now I stopped real time protection using the menulet interface, and it stays at 14MB (RSize=42,9MB). I didn't observe any CPU anomalies. Any ideas?

 

Hi ALN,

I had the same issue using Malwarebytes on a French Mac running El Capitan, only worse: the daemon was using 600MB of memory after only 2 hours of use, and rising!

Here's what I did 5 days ago: 1) Deactivate RealTime protection 2) Kill the daemon via Activity Monitor.

The deamon relaunched immediately, but it's been using between 53 Mb and 63 Mb of memory ever since.

Manfred

Link to post
Share on other sites

Thanks, Manfred!

That's why I posted my observations here. This must be seriously examined by the developers as it's the only process with such a behaviour and it's racing kernel_task, and I think they will. It's important that they are aware of it now.

For now I only start the daemon while I'm online (I use my iPad for all my inet work, my computers/TV/etc.  are always offline, except for updates or specific use) and kill the process afterwards. Then it stays at acceptable range.

Cheers,

ALN

Edited by ALN
Typo
Link to post
Share on other sites

I found the Rtprotectiondaemon definitely slowed my computer down to a crawl, as it was taking up 1.5GB memory before i killed the process. 

 

It seems to me that this is more like beta software, and that users need to tread carefully. I also noticed that unlike the PC version there's no way to end the trial, so users are stuck with the faulty realtime protection unless they carefully change the settings.  This seems like an unfortunate time to start charging full price ($40/yr) for the Mac version.

Link to post
Share on other sites

On 8/8/2017 at 7:19 PM, treed said:

We will definitely be optimizing the software further in the future. There's a lot of room to improve.

However, if you're not having any performance issues, it's not worth worrying about memory consumption on modern versions of macOS. Recent versions of macOS are pretty good at managing memory. I currently have a couple websites loaded in tabs in Safari each using nearly 2 GB of RAM. If the memory usage grows enough to cause a performance problem, then that's obviously bad, but I haven't seen reports of that happening so far. (If it does happen, I definitely want to hear about it.)

Well Thomas, it seems like Muckaluck's post does describe that kind of issue...

Manfred

Link to post
Share on other sites

  • Staff
19 hours ago, Muckaluck said:

I found the Rtprotectiondaemon definitely slowed my computer down to a crawl, as it was taking up 1.5GB memory before i killed the process. 

Were you actually seeing RTProtectionDaemon taking large amounts of your CPU for no good reason? If so, send me a direct message. I'd like to gather more information.

If that wasn't the case, are you certain it was RTProtectionDaemon that caused the performance issue, or could it have been some other coincidental process? I'm not trying to deny the possibility, just trying to gather data.

Link to post
Share on other sites

3 hours ago, treed said:

Were you actually seeing RTProtectionDaemon taking large amounts of your CPU for no good reason? If so, send me a direct message. I'd like to gather more information.

If that wasn't the case, are you certain it was RTProtectionDaemon that caused the performance issue, or could it have been some other coincidental process? I'm not trying to deny the possibility, just trying to gather data.

It wasn't the CPU cycles, but the memory. From viewing Activity Monitor I could tell that my Memory Pressure was quite high, and when I finally killed the RTProtectionDaemon process, the memory pressure went down and my computer resumed its normal activity.

Link to post
Share on other sites

On 8/9/2017 at 5:58 PM, Muckaluck said:

I found the Rtprotectiondaemon definitely slowed my computer down to a crawl, as it was taking up 1.5GB memory before i killed the process. 

 

It seems to me that this is more like beta software, and that users need to tread carefully. I also noticed that unlike the PC version there's no way to end the trial, so users are stuck with the faulty realtime protection unless they carefully change the settings.  This seems like an unfortunate time to start charging full price ($40/yr) for the Mac version.

I can confirm that this is exactly happening with my system. I've left "Real-Time Protection" disabled and the memory consumption of "RTProtectionDaemon" stays relatively small. Of course, the irony of this problem is that you lose the one function of this program which is supposed to encourage the user to purchase a subscription. Why purchase one when you can't use "Real-Time Protection" or do not want to be bothered with this problem and having to constantly kill the process? The program is nothing more than merely updated GUI and possibly improved scanning engine. However, the older version 1.x worked the same without "Real-Time Protection" and you didn't have to see that it was in "Trial Mode". Hopefully, Malwarebytes doesn't begin a nag campaign to subscribe with this new version.

Edited by robertleeblairjr
Link to post
Share on other sites

On 8/10/2017 at 1:20 PM, treed said:

Were you actually seeing RTProtectionDaemon taking large amounts of your CPU for no good reason? If so, send me a direct message. I'd like to gather more information.

If that wasn't the case, are you certain it was RTProtectionDaemon that caused the performance issue, or could it have been some other coincidental process? I'm not trying to deny the possibility, just trying to gather data.

RTProtectionDaemon was not, itself, showing high CPU utilization. However, I've noticed a correlation between it being enabled or disabled and the sudden "kernel_task" using many CPU cycles. I've done multiple trials and there appears to be some merit to this problem whenever performing certain tasks, especially, when the OS is transitioning to sleep or hibernate. I've made a copy of the file and unloaded the daemon from running until this problem is resolved in a future update.

Link to post
Share on other sites

On 8/20/2017 at 9:34 PM, treed said:

FYI, we have a fix for the memory issue, which will be included in an update planned for September.

Okay. Thanks for the update. However, like myself and those only interested in occasionally using the manual scanning feature of the program, then this is irrelevant for us during the trial period. I would believe the company's concern would be a product that loses it's major selling point for a subscription if the feature that distinguishes it from the free version is malfunctioning. Hence, those that may consider subscribing to this product that are using it during the trial period are not able to depend on the initial release, 3.x,  to not have memory leak issues could be the determining factor for them to not care for subscribing and staying with the free version. Either way, mine and others suggestions are to those who have the program and notice within their processes that RTProtectionDaemon is consuming large amounts of memory, then kill the process and disable Real-Time Protection. Also, you can disable the daemon from being launched by using 'launchctl' and its sub-commands because it is present, even after, disabling the Real-Time Protection feature upon reboot. I'm aware of why the daemon is present after the disabling of the feature in the GUI. So, if the user does not plan on re-enabling Real-Time Protection, then they do not have a need for the daemon residing in memory.

Link to post
Share on other sites

On 21-8-2017 at 4:34 AM, treed said:

FYI, we have a fix for the memory issue, which will be included in an update planned for September.

I hope the fix will be published before my "premium trial" ends (in 14 days), so I can decide whether it is worth to pay for a license.

I accidentally became aware of the memory issue when I viewed Activity Monitor about some other unrelated process. RTProtectionDeamon was using 9.3GB (!) of memory. I have lots of memory installed, so it did not cause performance problems (yet). After a restart, memory usage by RTProtectionDeamon started with 30.5MB, steadily increasing. Now, about 20 hours later, it uses 426.5MB.

Link to post
Share on other sites

6 hours ago, RonaldPR said:

I hope the fix will be published before my "premium trial" ends (in 14 days), so I can decide whether it is worth to pay for a license.

I accidentally became aware of the memory issue when I viewed Activity Monitor about some other unrelated process. RTProtectionDeamon was using 9.3GB (!) of memory. I have lots of memory installed, so it did not cause performance problems (yet). After a restart, memory usage by RTProtectionDeamon started with 30.5MB, steadily increasing. Now, about 20 hours later, it uses 426.5MB.

RTProtectionDaemon grew to almost 2GB within 24 hours of performing a clean installation, not an upgrade, with the latest version, 3.0.2.422. The developers are aware of the problem and/or know the program bug to squash with an update. However, it's yet to be seen that this is a priority for them to have a steadfast release. This is according to a staff member on this board who stated that the bug would not be resolved with an update until sometime in September.

Link to post
Share on other sites

RTProtectionDaemon consumed 50% of my physical RAM and rendered my iMac intolerably slow. I'm uninstalling it and removing it from my collection of software for my users until this is fixed. It's great software that is now as terrible as the dreaded MacKeeper as bloatware. Bummer.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.