
Hi, I have the latest Malwarebytes Anti-Malware and Anti-Exploit running on about 40 clients (all Windows 10). The problem is that every day I have 5 to 6 clients whose Malwarebytes services have stopped for no reason. Sometimes it is the anti-exploit service, sometimes it is the MBAMService and sometimes it is the MEEClientService. I would then have to manually start up the services or reboot the computer. Is this a common problem?

By the way, I have checked the event logs and there is nothing. Also no other AV running. Only Windows Defender and Malwarebytes. Thanks.

We have the same thing happen, just have to restart the service. I have a script that I run through LogMeIn to restart them. It does not happen very often, but it does happen and it is usually on the same computer(s); sometimes the odd other one will do it too.

Here is the script:

@echo off
rem Append a timestamp to the log (the substring offsets depend on the regional date format).
echo Timestamp = %date:~10,4%%date:~4,2%%date:~7,2%%time:~0,2%%time:~3,2%%time:~6,2% >> C:\util\checkmblog.txt

rem For each service, token 3 of the STATE line from "sc query" is the state name (e.g. RUNNING).
rem Anti-Exploit service
for /F "tokens=3 delims=: " %%H in ('sc query "mbaeSvc" ^| findstr "STATE"') do (
    if /i "%%H" neq "running" (
        net start mbaeSvc
        echo Starting mbaeSvc. >> C:\util\checkmblog.txt
        goto loop1
    ) else (
        echo mbaeSvc Is already Running. >> C:\util\checkmblog.txt
        goto loop1
    )
)

:loop1
rem Anti-Malware scheduler
for /F "tokens=3 delims=: " %%H in ('sc query "MBAMScheduler" ^| findstr "STATE"') do (
    if /i "%%H" neq "running" (
        net start MBAMScheduler
        echo Starting MBAMScheduler. >> C:\util\checkmblog.txt
        goto loop2
    ) else (
        echo MBAMScheduler Is already Running. >> C:\util\checkmblog.txt
        goto loop2
    )
)

:loop2
rem Anti-Malware service
for /F "tokens=3 delims=: " %%H in ('sc query "MBAMService" ^| findstr "STATE"') do (
    if /i "%%H" neq "running" (
        net start MBAMService
        echo Starting MBAMService. >> C:\util\checkmblog.txt
        goto loop3
    ) else (
        echo MBAMService Is already Running. >> C:\util\checkmblog.txt
        goto loop3
    )
)

:loop3
rem Management console client service
for /F "tokens=3 delims=: " %%H in ('sc query "SCCommService" ^| findstr "STATE"') do (
    if /i "%%H" neq "running" (
        net start SCCommService
        echo Starting SCCommService. >> C:\util\checkmblog.txt
    ) else (
        echo SCCommService Is already Running. >> C:\util\checkmblog.txt
    )
)


I actually recently set it up as a scheduled task to get it to run whenever someone logs on or unlocks their computer.

Edited by StroTech

  • 3 weeks later...

Hi guys, this issue seems to happen most often during and following Windows Updates. If Device Guard is in use, that can contribute as well on Win 10. For the workaround, we are using these commands to edit the failure mode and restart functionality of the service entry:

MEEClientService

sc failure "SCCommService" actions= restart/6000/restart/6000/""/6000 reset= 120

Anti-Exploit Service

sc failure "MbaeSvc" actions= restart/6000/restart/6000/""/6000 reset= 120

Anti-Malware Service

sc failure "MBAMService" actions= restart/6000/restart/6000/""/6000 reset= 120

These commands are set to restart the service if it has failed for longer than 6000 ms, which is 6 seconds. It will do that once more on the second failure; the third failure will take no action, so that the service doesn't end up in a start/stop loop. If the first and second restarts are successful, and the service remains up for at least 2 minutes, the failure count is reset. Here's an article that explains the sc failure command set in more detail if you want to alter the config: https://technet.microsoft.com/en-us/library/cc742019(v=ws.11).aspx
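
One way to audit the three services named in this thread on a client, and optionally apply the restart settings quoted above. This is an added example, not part of the original posts; the `-Fix` and `-Days` parameters and the 7-day look-back are assumptions of this example.

```powershell
# Added example, not from the thread. Run elevated when passing -Fix.
param([switch]$Fix, [int]$Days = 7)   # both parameters are assumptions of this example

# Service names as quoted in the thread.
$services = 'SCCommService', 'MbaeSvc', 'MBAMService'

# 7031 and 7034 are the Service Control Manager "terminated unexpectedly" events.
$crashes = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = (Get-Date).AddDays(-$Days)
})

foreach ($name in $services) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name not installed on $env:COMPUTERNAME"; continue }

    if ($Fix) {
        # Same settings as the thread's command. Call sc.exe explicitly: in Windows
        # PowerShell, "sc" is an alias for Set-Content. The empty third field is the
        # thread's "" (no action), written bare because PowerShell strips the quotes.
        sc.exe failure $name actions= restart/6000/restart/6000//6000 reset= 120 | Out-Null
        if ($svc.State -ne 'Running') { Start-Service -Name $name }
    }

    # Read the recovery settings back instead of trusting that the change applied.
    $recovery = sc.exe qfailure $name

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Service         = $name
        State           = (Get-Service -Name $name).Status
        StartMode       = $svc.StartMode
        RestartActions  = @($recovery | Select-String 'RESTART --').Count
        # Crash events carry the display name in the message, not the service name.
        UnexpectedStops = @($crashes | Where-Object {
            $_.Message -and $_.Message.Contains($svc.DisplayName)
        }).Count
    }
}
```

A service that shows as stopped with zero `UnexpectedStops` did not crash as far as the Service Control Manager is concerned, and the `sc failure` recovery actions only fire on unexpected termination, so that case needs separate investigation.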
