Jump to content
lmacri

MB v3.2.2 Web Protection Still Blocks Norton Automatic LiveUpdates

Recommended Posts

Just an FYI that an update to MB Premium v3.2.2.2018 (CU 1.0.188) did not fix the issue described in my previous thread MB / Norton Exploit Protection Conflict with 32-bit Firefox Browser? where my Norton Security Automatic LiveUpdates (ALUs) fail if MB's Web Protection module is enabled.

I performed an over-the-top update from v3.1.2 to v.3.2.2 on 27-Aug-2017 using the latest installer from https://downloads.malwarebytes.com/file/mb3 (note that the Settings | Application | Application Update | Install Application Updates button reported that "No updates are available").  I ran MB v3.2.2 with Web Protection and Exploit Protection both disabled (Ransomware Protection is automatically disabled on my 32-bit vista machine) and confirmed that my background Norton ALUs were running correctly.

I then enabled Web Protection 28-Aug-2017 @ 9:27 AM and re-booted, and the very first Norton ALU was cancelled after trying to run to completion for over 80 min.

59a44b17e6afa_MBv3_2_2CU188WebProtectONNortonALUFailed28Aug2017.png.fd170af6941096f6ff14fcfe61b2fc0e.png

mb-check-results.zip

FRST.txt

Addition.txt

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.85 * MB Premium v3.2.2.2018-1.0.188
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Share this post


Link to post
Share on other sites

Hi dcollins:

Thanks for your response.

Older versions of Norton used to have a separate executable for LiveUpdates, but when I run a manual LiveUpdate using the latest Norton Security v22.x the CPU is consumed by the main nsbu.exe process.  Sysinternal's Process Explorer shows there are dozens of separate threads running under nsbu.exe and I'm not sure which .dlls and process(es) actually manage the LiveUpdates.

Unless you have another suggestion I'll try excluding nsbu.exe at Settings | Exclusion | Add Exclusion | Exclude an Application that Connects to the Internet in addition to my existing Norton folder exclusions, but even if that helps, adding the exact path to the main nsbu.exe executable isn't really practical because it changes every time Norton releases a product update.  This morning when I started this thread it was C:\Program Files\Norton Security with Backup\Engine\22.10.0.85\nsbu.exe, but after this afternoon's latest product update to v22.10.1.10 that location no longer exists and the new path is now C:\Program Files\Norton Security with Backup\Engine\22.10.1.10\nsbu.exe.

59a480ee48cf1_MBv3_2_2Nortonv22_10_1Exclusions28Aug2017.png.83e89301dc60ba3775c09cfe92ddfaa0.png

This is a long-standing problem on my Vista SP2 computer. I've tried web exclusions before and already sent IP trace routes to the Malwarebytes Support Desk showing how connections to the Norton update servers would fail when Malwarebytes' Web Protection was enabled (the trace route below was originally posted in my thread Norton Pulse Updates Fail when Malicious Website Protection Enabled).  After several months they finally offered me a refund for my subscription because there weren't enough users complaining about this problem to warrant further investigation, but a refund is of no use to me since I'm a long-time MBAM Pro /MB Premium user who owns a lifetime license.  Right now I'm simply hoping a few other Norton users having problems with their LiveUpdates might see this thread and try disabling MB's Web Protection to see if they can duplicate my findings.

59a4813f81a6b_NortonLiveUpdateTraceWMPEnabled25May2015.png.0534e4bbd9f1398379997a7015c7db17.png

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.1.10 * MB Premium v3.2.2.2018-1.0.188
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri

Share this post


Link to post
Share on other sites

Hi dcollins:

I'll have to do a bit more testing, but preliminary results show that adding nsbu.exe to my MB exclusions at Settings | Exclusion | Add Exclusion | Exclude an Application that Connects to the Internet doesn't appear to have solved the problem.

I was able to get a few Norton Automatic LiveUpdates (ALUs) to run to completion after creating that exclusion, but they started failing again around 8:00 PM last night.  I powered off overnight and re-booted this morning and the problem persisted.  The Norton Update Center and all other Norton backend services had a "green" status when I checked at https://status.norton.com/ this afternoon, so I disabled MB v3.2.2's Web Protection around 2:00 PM and re-booted and my first Norton ALU at 2:08 PM ran to completion and delivered 7 available updates.

59a72bbb97173_MBv3_2_2CU188WebProtectONNortonALUFailed29Aug2017.png.809fb4d3cd9eb85a15e17dab1a84edd1.png

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.1.10 * MB Premium v3.2.2.2018-1.0.188
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Share this post


Link to post
Share on other sites

Just an FYI that I performed a clean re-install of MB v3.3.1 today at ~ 8:30 AM and re-booted my system and I still see Norton Automatic LiveUpdates (ALUs) failing on my 32-bit Vista SP2 machine when MB v3.x Web Protection is enabled.  The Norton ALUs will run to completion if I disable MB's Web Protection and re-boot.

mb-clean-results.txt

59fca14072470_MBv3_3_1CPv1_0_236NortonALUFailed03Nov2017.png.c643e17191c5ad4a610605bcef63ea9f.png

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.4.0 * NS Premium v22.11.0.41 * MB Premium v3.3.1.2183-1.0.236
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Share this post


Link to post
Share on other sites

Does this also happen if you run LiveUpdate manually? I've been unable to replicate this on the same OS. The only thing I've noticed so far is that you're on 22.10 for Norton and the latest version is 22.11. Can you try getting to that latest version to see if that makes a difference?

Share this post


Link to post
Share on other sites

Hi dcollins:

The last test results I posted were run with MB Premium v3.3.1 and Norton Premium v22.11.0.41 (see the signature at the bottom of post# 5) and no, I believe my manual Norton LiveUpdates run normally when MB v3.x Web Protection is enabled.  It's just the Automatic LiveUpdates (ALUs) that run during system idles that fail intermittently.

Just a FYI, though.  MB Web Protection also causes intermittent problems with another Norton task that requires a connection to the backend Norton servers - see post # 2 of my June 2017 thread MB / Norton Exploit Protection Conflict with 32-bit Firefox Browser? showing Norton's Download Insight failing to complete the analysis of a downloaded executable when MB Web Protection was enabled.

One question, though.  I had previously added C:\Windows\System32\drivers\mwac.sys to my Norton file and real-time exclusions but I can no longer find mwac.sys anywhere in my C:\Windows\System32 folder or subfolders, even if I search for hidden and system files.  Has mwac.sys (Malwarebytes Web Access Control) been moved or renamed in MB v3.3.1 for 32-bit OSs?
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.4.0 * NS Premium v22.11.0.41 * MB Premium v3.3.1.2183-1.0.236
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Share this post


Link to post
Share on other sites

mwac.sys should exist under C:\Windows\System32\Drivers, not the root system32 folder. However if you disable Web Protection, the driver file will be removed

Share this post


Link to post
Share on other sites

The change log for the beta version of MBAE v1.11 build 45 <here> says "Fixed a conflict with Norton Security".  Was this the same Exploit Protection update released for the recent Component Update Package v1.0.262 for MB v 3.3.1?
______________________________________________________________________________

My Component Update Package was updated to v1.0.262 on 07-Dec-2017 and I still see Norton Automatic LiveUpdates (ALUs) failing intermittently on my 32-bit Vista SP2 machine when MB v3.x Web Protection is enabled.  The Norton ALUs always run to completion if I disable MB's Web Protection and re-boot.

Here's a fresh set of diagnostic logs.  I don't know if this is unusual, but the FRST scan seemed to get stuck on my Norton Security BASH (Behavior Analysis and System Heuristics) driver BHDrvx86.sys for a few minutes.  I also had another mbamtray.exe APPCRASH this morning when I booted up (see my thread MB v3.2.2 - System Tray Icon Missing After mbamtray.exe APPCRASH) so that might be reflected in my MB Check results.

                mb-check-results.zip

From my test which began 08-Dec-2017 @ 10:20 AM (MB v3.3.1 Web Protection ON, Exploit Protection OFF, Start Malwarebytes at Windows Startup ON; re-boot system) with CU v1.0.262:

5a2ec4ce0875e_MBv3_3_1CPv1_0_262WebProtectionONNortonv22_11_2ALUFailed08Dec2017.png.a095432ab5eb9ef424648ead6292e516.png

5a2ec4db39924_MBv3_3_1CPv1_0_262AFTERWebProtectionONNSv22_11_2ALU08Dec2017.png.450d366b75af2a6bf90d3b55b879dcb0.png

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.2 * NS Premium v22.11.2.7 * MB Premium v3.3.1.2183-1.0.262
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri

Share this post


Link to post
Share on other sites
2 hours ago, dcollins said:

Can you try excluding the Norton Live Update website from inside Malwarebytes instead of just the NBSU executable?

Hi dcollins:

What website address / domain would you like me to exclude?

I've contact Norton Customer support via Live Chat about this in the past and their answer was "we actually have multiple servers for our Live Updates and it only varies upon the availability when the update is being downloaded, which means our IP address are random..." and " ...we do not have domains for Norton Live Update."  They refused to escalate my request for assistance to 2nd tier support when they learned I was running MB in real-time protection mode and ended the chat by stating " It is not suggested to use 2 different Anti virus software on one computer since they will always create conflicts with each other."

I found an old Symantec support article at  http://www.symantec.com/business/support/index?page=content&id=TECH102059 and found three possible candidates (liveupdate.symantecliveupdate.com, liveupdate.symantec.com, update.symantec.com) for Symantec business products like Symantec Endpoint Protection (SEP) but I have no idea if Norton Security home consumer products use the same domains.  I've tried adding all three of those domains in my MB exclusions in the past but it's never solved my Norton Automatic LiveUpdate failures.

Also, if you look at my image in  post # 3 of previous trace routes, connections to two of those three domains (liveupdate.symantecliveupdate.com and update.symantec.com) always ended in a general failure if Web Protection was enabled but connections were successful if I disabled Web Protection.  The trace route for liveupdate.symantec.com always connected successfully, even if Web Protection was enabled.

I haven't tested any of these exclusions or trace routes recently with MB v3.3.1 and CU v1.1.262 but if you can provide some direction on the correct domains or IP addresses for the Norton LiveUpdate servers I'd be happy to give it another go.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.2 * NS Premium v22.11.2.7 * MB Premium v3.3.1.2183-1.0.262
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri

Share this post


Link to post
Share on other sites

Let's start with those three domains you have listed already, and just see if it helps at all.

  • liveupdate.symantecliveupdate.com
  • liveupdate.symantec.com
  • update.symantec.com

Share this post


Link to post
Share on other sites
12 hours ago, dcollins said:

Let's start with those three domains you have listed already, and just see if it helps at all...

Hi dcollins:

Same result as before.  I added those three Symantec domains back to my MB exclusions at 8:40 AM today and re-booted and my first Norton Automatic LiveUpdate at 9:34 AM failed.

Here' a new set of diagnostic logs.  Just note that my MB icon failed to load in my system tray due to another mbamtray.exe APPCRASH after this morning's re-boot.
          mb-check-results.zip

5a30131809d1d_MBv3_3_1NortonLUDomainExclusions12Dec2017.png.ff4555d7d751950d6aa5393a6f9e43c2.png

 5a30124602693_MBv3_3_1CPv1_0_262DomainExclusionsWebProtectionONNSv22_11_2ALU12Dec2017.png.dbfb8324ffdeb94d39582aed93937f8e.png

I have no idea if the Norton-related exclusion shown above actually have anything to do with Automatic LiveUpdates in Norton home consumer products.  The C:\Program Files\Norton Security with Backup\Engine\22.11.2.7 subfolder alone contains 28 other .EXE files besides nsbu.exe and 68 .DLL libraries so it could take ages for me to continue to randomly add domain names and file/folder exclusions until I hit the right combination.

23 hours ago, lmacri said:

The change log for the beta version of MBAE v1.11 build 45 <here> says "Fixed a conflict with Norton Security".  Was this the same Exploit Protection update released for the recent Component Update Package v1.0.262 for MB v 3.3.1?

You might have missed my question in post # 9, but do you know if the latest CU v1.0.262 released 07-Dec-2017 was supposed to have fixed the conflict between the anti-exploit modules in Norton v22.11 and MB v3.3.1?  My Firefox ESR browser isn't crashing but performance is still terrible with anti-exploit enabled in both products on my Vista SP2 machine.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.2 * NS Premium v22.11.2.7 * MB Premium v3.3.1.2183-1.0.262
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS 

Edited by lmacri

Share this post


Link to post
Share on other sites
6 hours ago, dcollins said:

You need to remove the www. from those exclusions, please add them exactly how I listed above

Hi dcollins:

The "www" was removed from my website exclusions at ~ 2:00 PM and it still didn't solve the Norton Automatic LiveUpdate failures.

5a307247047cf_MBv3_3_1NortonLUDomainExclusionsNEW12Dec2017.png.e838f4729150bca40c5c48dfedaa9893.png

5a30725ce89d5_MBv3_3_1CPv1_0_262DomainExclusionsNEWWebProtectionONNSv22_11_2ALU12Dec2017.png.dc8e9d9573f67838c307fbe663dce140.png

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.2 * NS Premium v22.11.2.7 * MB Premium v3.3.1.2183-1.0.262
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Share this post


Link to post
Share on other sites

Is this wired or wireless? There is a setting in the properties of the device to turn off to save power. Find it on the connection you use and uncheck the box. (shot in the dark)

 

Share this post


Link to post
Share on other sites
3 hours ago, Porthos said:

Is this wired or wireless? There is a setting in the properties of the device to turn off to save power. Find it on the connection you use and uncheck the box. (shot in the dark)

Hi Porthos:

I normally use a wireless connection. Are you referring to the power setting shown below for my wireless adapter?  If this problem is caused by a disconnect of my local internet connection or some other power setting, then my Norton Automatic LiveUpdates should fail all the time, not just when MB v3 Web Protection is turned ON.

5a30a79bb2e7c_IntelWiFiLink4965AGNPowerManagement.png.e56c099ec5e49756efead9ca0fdcc5a3.png

The image in post # 1 shows an Automatic LiveUpdate running continuously during a system idle when MB v3 Web Protection was ON and then aborting after 1 hour 22 min when I moved my mouse to take the system out of idle.  When MB v3 Web Protection is OFF these background Automatic LiveUpdates always finish during a system idle in about 1 - 2 minutes.

Norton's Download Insight can also be affected by MB v3 Web Protection outside of system idles.  I had Web Protection ON this afternoon while I was testing and I was unable to connection to the backend Norton Insight servers to check the reputation (trust rating) of an Adobe Flash Player uninstaller I downloaded @ 1:27 PM.  When I turned Web Protection OFF and downloaded the same file a few minutes later @ 1:39 PM I was able  connect to the Norton Insight servers and determine the file was Trusted.  My wireless connection was active for both downloads.

5a30ab814677b_NSv22_11_2DLInsightHistoryAdobeFlashUninstallerwithMBv3_3_1WebProtectionON12Dec2017.png.73b67ea13a461d11080390f153943c5d.png

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.2 * NS Premium v22.11.2.7 * MB Premium v3.3.1.2183-1.0.262
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri

Share this post


Link to post
Share on other sites
On 12/12/2017 at 6:41 PM, Porthos said:

Is this wired or wireless? There is a setting in the properties of the device to turn off to save power. Find it on the connection you use and uncheck the box. (shot in the dark)

That didn't solve the problem, assuming I ran the test correctly.  I'm still not certain what hardware device Porthos was referring to but I disabled the power saver setting in my Intel Wireless WiFi Link 4965AGN adapter (see post #17) today,  turned Web Protection ON and re-booted at ~ 8:30 AM, and the first Norton LiveUpdate that tried to launch reported a connection failure.

5a32b3ab88446_MBv3_3_1CPv1_0_262WiFiPowerMgtWebProtectionONNSv22_11_2ALU14Dec2017.png.639903fe0fb4fa1fe32fa28fd0bc2ae9.png

 

Symantec employee nikhils has been able to replicate a conflict between MB Premium v3 and Norton v22 on a 32-bit Win XP SP3 computer (see his post # 28 of RBF's thread 3.2.2 and Firefox like oil and water) reported by several 32-bit Firefox ESR users, including myself.  The change log for the beta version of MBAE v1.11 build 45 <here> also says "Fixed a conflict with Norton Security" but the 07-Dec-2017 change log for the Component Update Package v.1.0.262 <here> doesn't mention whether that conflict with Norton Security was ever addressed in CU v1.0.262.

I've been reporting multiple conflicts between MB Premium v3 and Norton v22 (e.g., Norton LiveUpdate and Download Insight failures with MB Web Protection ON, Firefox ESR crashes and poor performance with MB Exploit Protection ON, mbamtray.exe APPCRASHs after boot-up) on my 32-bit Vista SP2 machine for several months now and don't seem to be making any progress.  I'm not really sanguine about the "shot in the dark" approach to troubleshooting but I understand that fixing bugs for Win XP SP3 and Vista SP2 is likely a low priority for Malwarebytes, so I'm not sure what I can do now short of turning off my MB Premium v3 realtime protection and using MB as a second-opinion on-demand scanner until another update is released for the CU package.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.2 * NS Premium v22.11.2.7 * MB Premium v3.3.1.2183-1.0.262
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri

Share this post


Link to post
Share on other sites

Just for reference, @nikhils is a Malwarebytes employee, not a Symantec one:).

I'm trying to repro your issue again on a vista machine right now

Share this post


Link to post
Share on other sites

Just confirming that MB Premium v3.5.1 still interferes with Norton Automatic LiveUpdates (ALUs) during system idles if MB Web Protection is enabled.

With MB v3.5.1 Web Protection enabled my Norton ALUs will attempt to run to completion for long periods of time...

5af5cd98264b9_MBv3_5_1CPv1_0_365WebProtectionONNortonv22_14_01stALUFail11May2018.png.fe112a322f6bde9938bc6799df5090b7.png

... and eventually fail after an hour or so:

5af5cde2b9f23_MBv3_5_1CPv1_0_365WebProtectionONNortonv22_14_02ndALUFail11May2018.png.2588e7b9bac22a449c6b9247234b6f51.png


With MB v3.5.1 Web Protection disabled my Norton ALUs will finish successfully in about 1 minute.

5af5ce22518d1_MBv3_5_1CPv1_0_365WebProtectionOFFNortonv22_14_0ALUComplete11May2018.png.a7a716fc7a599d2707ea5725b2c6ea74.png

I've attached Malwarebytes Support Tool diagnostic logs that I captured this morning when Web Protection was enabled but due to ongoing conflicts with MB v3.x and Norton I've decided to deactivate my Premium license and will just use MB Free as an on-demand scanner for now.

mbst-grab-results.zip

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.0 * Norton Security Premium v22.14.0.54 * MB Premium v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited by lmacri

Share this post


Link to post
Share on other sites

thanks, we still can't reproduce this issue which is very strange, but we haven't stopped looking into it

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.