jkannan

Malwarebytes uses too much memory


I am using the Malwarebytes cloud version for my business. All my employees are saying it is using too much memory. Sometimes I can see that on my computer it is using 10 GB of memory out of 16 GB total. It doesn't go down until we restart the service. Is that a memory leak? I am not sure what is going wrong here. Can someone help me?

Thanks for your help

 


There is an ongoing issue with the Anti-Ransomware portion and unfortunately for now, while you are experiencing this problem, you'll need to disable it. This defect is known and in the eng team's hands right now. MBARW is leaving open threads and it will start to consume the system's resources. If we can get some data from your machines it could really help.

  • FRST log set
  • ARWLogs
  • Process dump as the resource usage starts to climb.

FRST Log
Please follow the steps below to run frst.

1.) Download frst or frst64 from the link below and save it to your desktop:

FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST
FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64

Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional antivirus products may flag the download or the running of FRST as a false positive; I can assure you it is safe. If this happens, please temporarily disable the AV.

2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
3.) Click the Scan button
4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt.

ARWLogs

1.) Download the trusted, Malwarebytes authored https://malwarebytes.box.com/s/fpbjgxi0cp1feswku3a5d3c92iggv9rp utility/tool and save only to a system Administrator's desktop of the system in question.
2.) Single right-click the arwlogs.exe icon and select Run as administrator from the Windows context menu.
3.) If a Windows User Account Control (UAC) alert/prompt for arwlogs.exe appears, select the "Yes" button to continue.
4.) If a Windows SmartScreen warning alert/prompt for arwlogs.exe appears, select "More info" then select the "Run anyway" button to continue.
5.) A Command window will appear and its contents may be mostly ignored.
6.) When "Press any key to continue . . . " appears at the bottom of the Command window, type any Enter key to close the window.
7.) A zipped archive (yyyy-mm-dd-{COMPUTERNAME}.zip) should have been generated to the system Administrator's desktop.

Process Dump
While the MB3service process is consuming excessive memory, open task manager, right click on the process and select create dump file.

Upload the FRST.txt, Addition.txt, yyyy-mm-dd-{COMPUTERNAME}.zip and MB3Service.DMP to this link - https://www.malwarebytes.com/support/business/businessfileupload/


I purchased this software explicitly to protect my 120 endpoints from RansomWare and this is the first I'm hearing that the RansomWare protection doesn't work.

If that had been in the datasheets I was told to look at to figure out what software I needed I wouldn't have paid $6,000 for software that won't do what it says it will.

 

Is there anything else in the datasheets that I (foolishly) assumed was a working feature of the software you are selling? Only half my end-points show up in the cloud, is that another feature that is "in the hands of engineers"?

On 10/11/2017 at 6:17 PM, djacobson said:

Hey @IT_Guy, do you mean you are experiencing the same issue as jkannan here or are you up against supported versus unsupported OS for the feature?

Any machine I have running Malwarebytes Endpoint Protection, if left on for more than 24 hrs, begins to use more and more memory, in some cases using more than 2 gigabytes of memory between the three services. This amount continues to grow until the computer runs out of memory and starts paging to the hard drive, after which the computer will eventually bluescreen and restart.


I've put it in another post, but if you are willing to capture data as this leak is happening, it could go a long way in helping us fix it. Let me know, we can do this via a ticket as well for security around your data.


I have been having this problem (I think) on several end-points. I don't remember how long it's been going on, but sometime in the last few months I noticed that the morning after a scheduled scan runs, I see the "Low Memory" warning on the screen. This morning, my laptop had committed the entire paging file (almost 24GB) to the MBAM service. Apparently the monthly scan ran while I was asleep.

I've been searching the forums for a reason and will now try disabling the Ransomware portion of the program on all end-points I control, but it is disappointing to see that this issue is at least as old as October with no resolution. Until it can be resolved, the devs should strongly consider removing it (or disabling it) via a pushed update.

I've not been able to collect data during the leak, but I am confident in saying the leak happens during (or at the end of?) a scheduled scan. The best I can do is the Windows log for you:

Log Name:      System
Source:        Microsoft-Windows-Resource-Exhaustion-Detector
Date:          11/19/2017 2:20:44 AM
Event ID:      2004
Task Category: Resource Exhaustion Diagnosis Events
Level:         Warning
Keywords:      Events related to exhaustion of system commit limit (virtual memory).
User:          SYSTEM
Computer:      xps8500
Description:
Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: MBAMService.exe (3912) consumed 393338880 bytes, svchost.exe (448) consumed 216465408 bytes, and Dropbox.exe (8596) consumed 189644800 bytes.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Resource-Exhaustion-Detector" Guid="{9988748E-C2E8-4054-85F6-0C3E1CAD2470}" />
    <EventID>2004</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>3</Task>
    <Opcode>33</Opcode>
    <Keywords>0x8000000020000000</Keywords>
    <TimeCreated SystemTime="2017-11-19T07:20:44.200551400Z" />
    <EventRecordID>1598320</EventRecordID>
    <Correlation ActivityID="{894CA3D6-A3AD-4FD8-BED3-7BB99A2DAE31}" />
    <Execution ProcessID="448" ThreadID="1132" />
    <Channel>System</Channel>
    <Computer>xps8500</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <MemoryExhaustionInfo xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://www.microsoft.com/Windows/Resource/Exhaustion/Detector/Events">
      <SystemInfo>
        <SystemCommitLimit>34194026496</SystemCommitLimit>
        <SystemCommitCharge>34159607808</SystemCommitCharge>
        <ProcessCommitCharge>2856779776</ProcessCommitCharge>
        <PagedPoolUsage>548315136</PagedPoolUsage>
        <PhysicalMemorySize>8548982784</PhysicalMemorySize>
        <PhysicalMemoryUsage>7958437888</PhysicalMemoryUsage>
        <NonPagedPoolUsage>214065152</NonPagedPoolUsage>
        <Processes>130</Processes>
      </SystemInfo>
      <ProcessInfo>
        <Process_1>
          <Name>MBAMService.exe</Name>
          <ID>3912</ID>
          <CreationTime>2017-11-15T19:05:05.534002600Z</CreationTime>
          <CommitCharge>393338880</CommitCharge>
          <HandleCount>1619</HandleCount>
          <Version>3.1.0.556</Version>
          <TypeInfo>1089</TypeInfo>
        </Process_1>
        <Process_2>
          <Name>svchost.exe</Name>
          <ID>448</ID>
          <CreationTime>2017-11-15T19:04:10.964108000Z</CreationTime>
          <CommitCharge>216465408</CommitCharge>
          <HandleCount>687</HandleCount>
          <Version>6.1.7600.16385</Version>
          <TypeInfo>33858</TypeInfo>
        </Process_2>
        <Process_3>
          <Name>Dropbox.exe</Name>
          <ID>8596</ID>
          <CreationTime>2017-11-15T23:37:02.820596900Z</CreationTime>
          <CommitCharge>189644800</CommitCharge>
          <HandleCount>3405</HandleCount>
          <Version>39.4.49.0</Version>
          <TypeInfo>203</TypeInfo>
        </Process_3>
        <Process_4>
          <Name>EXCEL.EXE</Name>
          <ID>10380</ID>
          <CreationTime>2017-11-17T15:06:09.014808500Z</CreationTime>
          <CommitCharge>184197120</CommitCharge>
          <HandleCount>1039</HandleCount>
          <Version>16.0.8625.2121</Version>
          <TypeInfo>144</TypeInfo>
        </Process_4>
        <Process_5>
          <Name>SABnzbd.exe</Name>
          <ID>10404</ID>
          <CreationTime>2017-11-16T01:56:20.331763200Z</CreationTime>
          <CommitCharge>157970432</CommitCharge>
          <HandleCount>443</HandleCount>
          <Version>2.3.1.0</Version>
          <TypeInfo>152</TypeInfo>
        </Process_5>
        <Process_6>
          <Name>
          </Name>
          <ID>0</ID>
          <CreationTime>1601-01-01T00:00:00.000000000Z</CreationTime>
          <CommitCharge>0</CommitCharge>
          <HandleCount>0</HandleCount>
          <Version>0.0.0.0</Version>
          <TypeInfo>0</TypeInfo>
        </Process_6>
      </ProcessInfo>
      <PagedPoolInfo>
        <Tag_1>
          <Name>CM31</Name>
          <PoolUsed>235814912</PoolUsed>
        </Tag_1>
        <Tag_2>
          <Name>MmSt</Name>
          <PoolUsed>118920592</PoolUsed>
        </Tag_2>
        <Tag_3>
          <Name>Sect</Name>
          <PoolUsed>65226256</PoolUsed>
        </Tag_3>
      </PagedPoolInfo>
      <NonPagedPoolInfo>
        <Tag_1>
          <Name>MmCa</Name>
          <PoolUsed>84821328</PoolUsed>
        </Tag_1>
        <Tag_2>
          <Name>SpDN</Name>
          <PoolUsed>36188656</PoolUsed>
        </Tag_2>
        <Tag_3>
          <Name>EtwB</Name>
          <PoolUsed>9467952</PoolUsed>
        </Tag_3>
      </NonPagedPoolInfo>
      <ExhaustionEventInfo>
        <Time>2017-11-19T07:20:45.707531200Z</Time>
      </ExhaustionEventInfo>
    </MemoryExhaustionInfo>
  </UserData>
</Event>

Don't judge my DropBox...lol. I will report back if the next scan causes the same issue even with the Ransomware portion turned off.
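
Added example, not part of the original post and not Malwarebytes code: a small parser for the Resource-Exhaustion-Detector Event 2004 XML shown above, reporting how close the system is to its commit limit and what share of the commit charge each listed process holds. The function name `summarize_event_2004` and the trimmed `SAMPLE` are assumptions made for this example; the element names and values are taken from the posted event.

```python
import xml.etree.ElementTree as ET

# Namespace of the UserData payload, as it appears in the posted event.
RED = "{http://www.microsoft.com/Windows/Resource/Exhaustion/Detector/Events}"

# Constructed sample: the posted event cut down to the fields read below
# (values copied from the post; two processes plus one unused slot).
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>2004</EventID><Computer>xps8500</Computer></System>
<UserData><MemoryExhaustionInfo
 xmlns="http://www.microsoft.com/Windows/Resource/Exhaustion/Detector/Events">
<SystemInfo><SystemCommitLimit>34194026496</SystemCommitLimit>
<SystemCommitCharge>34159607808</SystemCommitCharge></SystemInfo>
<ProcessInfo>
<Process_1><Name>MBAMService.exe</Name><ID>3912</ID>
<CommitCharge>393338880</CommitCharge><HandleCount>1619</HandleCount></Process_1>
<Process_2><Name>svchost.exe</Name><ID>448</ID>
<CommitCharge>216465408</CommitCharge><HandleCount>687</HandleCount></Process_2>
<Process_3><Name>
</Name><ID>0</ID><CommitCharge>0</CommitCharge><HandleCount>0</HandleCount></Process_3>
</ProcessInfo></MemoryExhaustionInfo></UserData></Event>"""


def summarize_event_2004(xml_text):
    """Return commit pressure and ranked per-process commit for one event."""
    info = ET.fromstring(xml_text).find(f".//{RED}MemoryExhaustionInfo")
    if info is None:
        raise ValueError("no MemoryExhaustionInfo payload in this event")
    def num(node, tag):
        return int(node.findtext(f"{RED}{tag}", "0"))
    system = info.find(f"{RED}SystemInfo")
    limit, charge = num(system, "SystemCommitLimit"), num(system, "SystemCommitCharge")
    procs = []
    for slot in info.iterfind(f"{RED}ProcessInfo/*"):
        name = (slot.findtext(f"{RED}Name") or "").strip()
        if not name:  # unused slots carry a blank name and ID 0
            continue
        commit = num(slot, "CommitCharge")
        procs.append({
            "name": name, "pid": num(slot, "ID"), "handles": num(slot, "HandleCount"),
            "commit_mib": round(commit / 2**20, 1),
            "share_of_commit_pct": round(100 * commit / charge, 2),
        })
    procs.sort(key=lambda p: p["commit_mib"], reverse=True)
    return {"commit_used_pct": round(100 * charge / limit, 2), "processes": procs}


if __name__ == "__main__":
    print(summarize_event_2004(SAMPLE))
```

On the posted values, MBAMService.exe's 393338880 bytes is about 1.15% of the 34159607808-byte system commit charge, so the event's process list does not by itself account for the exhaustion. That is why the process dump and logs requested earlier in the thread are still needed.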
